
Token expired errors with webIdentityToken, when the token is valid #3866

Closed
automagic opened this issue Apr 25, 2024 · 3 comments
Labels
area/credentials Authenticating the provider kind/bug Some behavior is incorrect or out of spec needs-repro Needs repro steps before it can be triaged or fixed resolution/duplicate This issue is a duplicate of another issue

Comments

automagic commented Apr 25, 2024

What happened?

Using a webIdentityToken obtained from Vault, pulumi-aws is unable to assume the role, getting a '403 ExpiredToken' error from AWS. However, when the same token is used via CLI aws sts assume-role-with-web-identity the credentials are returned.

Example

I tried using the token in the environment as follows:

pulumiConfig:
    aws:assumeRoleWithWebIdentity:
      roleArn: arn:aws:iam::999999999:role/foo
      webIdentityToken: ${vault.secrets.identity.token}

But it is failing to retrieve the token:
Details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 83805f40-faa6-4c05-8ff0-883cbaf478bb, api error ExpiredToken: The security token included in the request is expired

However, I can assume the role using the cli:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::999999999:role/foo --role-session-name test-session --web-identity-token $(pulumi config get --path aws:assumeRoleWithWebIdentity.webIdentityToken)

Output of pulumi about

CLI
Version 3.113.3
Go Version go1.22.2
Go Compiler gc

Host
OS darwin
Version 13.5.1
Arch arm64

Backend
Name pulumi.com
URL https://app.pulumi.com/cdoan
User cdoan
Organizations cdoan, nvidia
Token type personal

Additional context

The token is being obtained from HashiCorp Vault via ESC and passed to the provider in pulumiConfig

Also tried using webIdentityTokenFile with the same result.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
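As an added diagnostic example (not code from the issue, from pulumi-aws or from ESC), the following Python reads the time claims of the web identity token itself, so one can tell whether STS is rejecting a token that really is past its exp (for instance a stale cached one, as in the linked pulumi/esc#199) or a fresh token that is failing for another reason. It assumes the Vault token is a standard OIDC JWT, as assume-role-with-web-identity requires; the sample token, its claims and the placeholder signature are constructed.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Diagnostic use only: STS verifies the signature against the OIDC issuer;
    here we only need the time claims to judge whether 'ExpiredToken' is accurate.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def token_time_status(token: str, now: Optional[float] = None, skew: int = 60) -> dict:
    """Classify a token as 'valid', 'expired' or 'not_yet_valid' at time `now`
    (epoch seconds, defaults to the wall clock), tolerating `skew` seconds of drift."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    exp = claims.get("exp")
    nbf = claims.get("nbf", claims.get("iat"))  # fall back to iat if nbf is absent
    if exp is None:
        raise ValueError("token has no exp claim; STS requires one")
    if now > exp + skew:
        status = "expired"
    elif nbf is not None and now + skew < nbf:
        status = "not_yet_valid"
    else:
        status = "valid"
    return {"status": status, "exp": exp, "seconds_left": exp - now, "aud": claims.get("aud")}


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed test token: real header and payload, placeholder signature.
    Real Vault identity tokens are signed; this is offline sample input only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Run token_time_status on the value of `pulumi config get --path aws:assumeRoleWithWebIdentity.webIdentityToken` at the moment the provider fails; a status of "expired" points at token caching or lifetime, "valid" points elsewhere (role trust policy, audience, or a different token reaching the provider).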

@automagic automagic added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 25, 2024
corymhall (Contributor) commented:

@automagic do you know what command they are running when this fails? There is this open issue where credentials are cached during refresh & destroy pulumi/esc#199

@corymhall corymhall added area/credentials Authenticating the provider needs-repro Needs repro steps before it can be triaged or fixed awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Apr 25, 2024
mikhailshilkov (Member) commented:

@automagic Could you please respond when you have a minute?

@mjeffryes mjeffryes added resolution/duplicate This issue is a duplicate of another issue and removed awaiting-feedback Blocked on input from the author labels Jun 11, 2024
mjeffryes (Member) commented:

closing as probable duplicate of pulumi/esc#199

@mjeffryes mjeffryes self-assigned this Jun 14, 2024