Hello,
Starting in recent hour today we cannot login using SSO from external (standalone) applications, we have done no change in our side.
The AWS management console works, however, 3rd party desktop applications are not working, this is across the board issue.
I try to manually trigger SSO with a test program, I get the exception: botocore.exceptions.ClientError:
An error occurred (InternalServerException) when calling the GetRoleCredentials operation (reached max retries: 4): internal error
The sequence is based on the AWS examples available and provided below, it worked perfectly until recent hours.
Does anyone experience the same? What is the right channel to provide the information to AWS?
Regards,
Alon
#!/usr/bin/env python3
import boto3.session
import time
import typing
def awssso(
sso_start_url: str,
sso_region: str,
sso_account_id: str,
sso_role_name: str,
region: str,
urlopenner: typing.Callable[[str], None] = lambda url: print(
f"Please open URL: {url}"
),
) -> tuple[boto3.session.Session, None]:
session = boto3.session.Session()
sso_oidc = session.client("sso-oidc", sso_region)
client_creds = sso_oidc.register_client(
clientName="myapp",
clientType="public",
)
device_authorization = sso_oidc.start_device_authorization(
clientId=client_creds["clientId"],
clientSecret=client_creds["clientSecret"],
startUrl=sso_start_url,
)
urlopenner(device_authorization["verificationUriComplete"])
for n in range(
device_authorization["expiresIn"] // device_authorization["interval"]
):
time.sleep(device_authorization["interval"])
try:
token = sso_oidc.create_token(
grantType="urn:ietf:params:oauth:grant-type:device_code",
deviceCode=device_authorization["deviceCode"],
clientId=client_creds["clientId"],
clientSecret=client_creds["clientSecret"],
)
break
except sso_oidc.exceptions.AuthorizationPendingException:
pass
else:
raise RuntimeError("Timeout while waiting for authorization")
role_creds = session.client("sso", sso_region).get_role_credentials(
roleName=sso_role_name,
accountId=sso_account_id,
accessToken=token["accessToken"],
)["roleCredentials"]
role_expiration = time.gmtime(role_creds["expiration"] / 1000)
return (
boto3.session.Session(
region_name=region,
aws_access_key_id=role_creds["accessKeyId"],
aws_secret_access_key=role_creds["secretAccessKey"],
aws_session_token=role_creds["sessionToken"],
),
role_expiration,
)
def test() -> None:
session, ttl = awssso(
sso_start_url="https://<snip>.awsapps.com/start",
sso_region="us-east-1",
sso_account_id="<snip>",
sso_role_name="<snip>",
region="us-east-1",
)
print(f"Identity: {session.client('sts').get_caller_identity()}")
print(f"TTL: {ttl}")
for b in session.resource("s3").buckets.all():
print(b)
if __name__ == "__main__":
test()