client-secrets-manager - ERROR: getApplicationSecrets The security token included in the request is invalid. #6355
Comments
geoffcorey
added
bug
|
Hi @geoffcorey - thanks for reaching out. The error "UnrecognizedClientException: The security token included in the request is invalid" suggests that the temporary security credentials used to authenticate the request to AWS Secrets Manager are either invalid or have expired. Since you mentioned that you are using AWS SSO for authentication, it's likely that the temporary credentials obtained through the AWS SSO session have expired. To help diagnose and resolve the issue, it would be helpful if you could provide more details on how you have configured the AWS SSO session and the AWS profile in your application. Specifically, please share the following information:
Providing these details will help us better understand your setup and configuration, which can assist in identifying the root cause of the issue and suggesting appropriate solutions. Please refer to the AWS documentation links provided below for guidance on configuring AWS SSO with the AWS CLI and the AWS SDK for JavaScript (v3). |
aBurmeseDev
added
response-requested
|
I call version of the cli client ❯ aws --version We have not moved to v3 aws-cli due to some issue. I will upgrade tomorrow and upgrade the package and see if it will work. |
github-actions
bot
removed
the
response-requested
|
So I am running the latest awscli client already and it is configured for SSO. Am I suppose to do something different for Because the latest fails with sso login and version 3.441.0 does not |
|
Thanks for sharing additional info.
I’m a bit unclear on the details, especially since you also mentioned being unable to connect with Let’s say you were able to successfully configure and login SSO with CLI, you can leverage these credentials in your JavaScript SDK code. Here's an example using credential providers: can use these credential providers in your JavaScript SDK code. See here. const client = new FooClient({ credentials: fromSSO({ profile: "my-sso-profile" })}); |
aBurmeseDev
added
the
response-requested
|
I successfully login using If I execute the code I posted above using 3.441.0 of @aws-sdk/client-secrets-manager the code will pull the secrets successfully. If I use 3.623.0 and execute the code it throws and error |
github-actions
bot
removed
the
response-requested
|
Any insights? |
|
Updates? |
|
Hi @geoffcorey - apologies for the delay. It is peculiar that the issue manifests itself exclusively in version
I'd also like to look at request logs, you can retrieve those by adding middleware stack to your client calls. Please share the logs from both versions. const client = new DynamoDBClient({ region: "us-west-2" });
client.middlewareStack.add(
(next, context) => async (args) => {
console.log("AWS SDK context", context.clientName, context.commandName);
console.log("AWS SDK request input", args.input);
const result = await next(args);
console.log("AWS SDK request output:", result.output);
return result;
},
{
name: "MyMiddleware",
step: "build",
override: true,
}
);
await client.listTables({});Repro attempt
$ aws configure sso
[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
output = json
$ aws sso login --profile my-dev-profile
SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.
Successfully logged into Start URL: https://my-sso-portal.awsapps.com/start
import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
import { fromSSO } from "@aws-sdk/credential-providers";
const client = new SecretsManagerClient({
credentials: fromSSO({ profile: "my-dev-profile" }) }
region: "us-west-2";
});
const input = {
SecretId: "STRING_VALUE",
};
const command = new GetSecretValueCommand(input);
const response = await client.send(command); |
aBurmeseDev
added
the
response-requested
|
client.listTables isn't a valid call. Cut-n-paste error? Anyway, here is the two runs. Had someone on the infrastructure team search cloudtrail and did not see that request id in the logs. |
|
Also did a new aws configure and did a new profile. SSO login successful --profile with the new profile. Code still reports the same thing as above. |
|
@aBurmeseDev ok, so apparently if I am going to use SSO I have to pass it explicitly in the new version. In the 3.441.0 version it would figure it out. So doesn't seem functionally backwards compatible. Here is the work around. |
|
Any thoughts on why it isn't backward compatible? |
|
Additional notes. Installed a brand new machine with awscli via brew and this still fails without the fromSSO() |
Checkboxes for prior research
Describe the bug
using
aws sso loginand running the application using@aws-sdk/client-secrets-managerversion 3.623.0 we get the error.If we drop back to 3.441.0 we are able to retrieve the AWS secrets
SDK version number
3.623.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
20.11.1
Reproduction Steps
OS/X Sonoma 14.5
Node 20.11.1
Change package to 3.441.0
Observed Behavior
upgrading package to latest from 3.441.0 breaks retrieval of secrets when using
aws sso loginon local machine running OS/XExpected Behavior
Should work just like 3.441.0
Possible Solution
Don't ever upgrade?
Additional Information/Context
No response
The text was updated successfully, but these errors were encountered: