SSO authentication fails when the client region differs from the SSO region

[RyanShendler]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

My ~/.aws/config file is configured as seen below:

[sso-session abc]
sso_start_url = testURL
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile testProfile]
sso_session = abc
sso_account_id = test
sso_role_name = test
region = us-east-1

My team deploys our AWS resources to the us-east-1 region. However, my team's organization requires us to use their AWS SSO for authentication, which is configured in the us-west-2 region. This was not an issue until recently, but now we have been consistently getting this error message whenever we try to deploy resources:

CredentialsProviderError: UnauthorizedException: Session token not found or invalid
    at resolveSSOCredentials (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/index.js:122:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async resolveProfileData (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js:244:12)

I tracked down the issue to this line of code in the credential-provider-sso package. It seems like the issue is that the SSO client is initialized with the client region (which is us-east-1 in my scenario) instead of the SSO region (us-west-2), which causes the request for the temporary SSO credentials to fail because the request was sent to the incorrect region

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Line 70 in 2b3d1df

region: clientConfig?.region ?? ssoRegion,

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/credential-provider-ini@3.699.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.14.0

Reproduction Steps

I encountered this issue when attempting to deploy resources with SST v2 while having my ~/.aws/config file configured to use us-east-1 as the profile region and us-west-2 as the SSO region.

I think an easier way to reproduce the issue would be to configure your local AWS profile to have one region set as the profile region and have a second region set as the SSO region. This is the general structure of my ~/.aws/config file:

[sso-session abc]
sso_start_url = testURL
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile testProfile]
sso_session = abc
sso_account_id = test
sso_role_name = test
region = us-east-1

Once the local AWS profile has been configured like this, you should be able to trigger the bug by calling the fromSSO function from the @aws-sdk/credential-provider-sso package:

aws-sdk-js-v3/packages/credential-provider-sso/src/fromSSO.ts

Line 81 in 2b3d1df

export const fromSSO =

In order to trigger the bug, you need to make sure the init parameter passed to the fromSSO function includes the clientConfig key and that key must be set to { region: "us-east-1" } (or whatever region your AWS profile is configured to). While trying to debug this issue, I logged the init parameter and noticed that it followed this general structure:

{
 ...,
 clientConfig: { region: "us-east-1" }
}

If all of this is configured correctly, the fromSSO function will attempt to request the temporary SSO credentials at the profile region instead of the SSO region and the function will throw an error with the following message:

CredentialsProviderError: UnauthorizedException: Session token not found or invalid
    at resolveSSOCredentials

Observed Behavior

When attempting to deploy resources with SST v2, I would consistently get this error message whenever SST attempted to authenticate my requests using AWS SSO:

CredentialsProviderError: UnauthorizedException: Session token not found or invalid
    at resolveSSOCredentials (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/index.js:122:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async resolveProfileData (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js:244:12)
    at async /node_modules/@smithy/property-provider/dist-cjs/index.js:99:27

Expected Behavior

I expected the @aws-sdk/credentials-provider-sso package to send the AWS SSO authentication request to the sso_region configured in my ~/.aws/config file instead of using the region configured for my AWS profile

Possible Solution

The simplest solution would be to change this line from

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Line 70 in 2b3d1df

region: clientConfig?.region ?? ssoRegion,

to

region: ssoRegion,

This would ensure the SSO authentication request is always sent to the sso_region configured in the ~/.aws/config file instead of using the region configured for the AWS profile. I have tried making this change locally and can confirm that it solves the issue

Another solution would be to undo the change which I believe caused this issue to start occurring. In @aws-sdk/credentials-provider-ini@3.699.0, the following line was changed to start passing the clientConfig as an argument to the fromSSO function:

aws-sdk-js-v3/packages/credential-provider-ini/src/resolveSsoCredentials.ts

Line 16 in 2b3d1df

clientConfig: options.clientConfig,

It looks like this change was made in this commit in response to this issue.

Before this change, it seems like the clientConfig argument was not being passed in to the fromSSO, which caused this line to always set the SSO client region to the SSO region.

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Line 70 in 2b3d1df

region: clientConfig?.region ?? ssoRegion,

Passing in the clientConfig as a part of this change seems to have had the unintended side effect of overriding the SSO client region to the region in the clientConfig, which breaks the SSO authentication if the clientConfig region and the SSO region are different

Additional Information/Context

It seems like the AWS CDK team recently encountered a similar issue in December 2024: aws/aws-cdk#32510 (comment). They seem to have determined a workaround for the issue, but the comments in the code fix indicate that they see this as a hacky solution: https://github.com/aws/aws-cdk/pull/32520/files#diff-4fd56f40e997bba9c9cc26cf10596a241dd7110efa473a67de24d28a01a9946eR39.

This workaround implemented by the CDK team is not a viable solution for my particular scenario, as I do not have control over the code that is calling the fromSSO function, so I can't change how the client region is being passed to the function. I figured I would just mention this CDK issue as I believe it relates to this issue

[kuhe]

The clientConfig parameter of various credential providers generally has the highest precedence for configuring inner STS, SSO, and SSO-OIDC clients.

To use different regions for SSO and the data client, you can do this:

[profile sso-new]
region = ...
sso_region = ...
...

import { STS } from "@aws-sdk/client-sts";

const sts = new STS({
  logger: console,
  profile: "sso-new",
});

await sts.config.credentials()

console.log({
  "client region": await sts.config.region(),
});

The logger will show that sso credentials were retrieved from a different region than the client region.

How are you initializing the client in question?

[RyanShendler]

In my particular use case, I am not initializing the client in my own code but I am instead using SST v2, which is in turn using the @aws-sdk/credential-provider-sso package to authenticate via SSO. My ~/.aws/config is configured like this, with us-east-1 as the profile region and us-west-2 as the SSO region:

[profile testProfile]
sso_session = abc
sso_account_id = test
sso_role_name = test
region = us-east-1
sso_region = us-west-2

The issue I am having is that the SSO authentication logic is attempting to fetch SSO credentials at the profile region (us-east-1) instead of the sso_region (us-west-2) set in my config file. While attempting to debug this issue, I logged the clientConfig and ssoRegion parameters and it looks like the clientConfig region is us-east-1 while the ssoRegion is us-west-2. This causes this line to set the region of the SSO client to us-east-1 instead of using the sso_region configured in my config file:

aws-sdk-js-v3/packages/credential-provider-sso/src/resolveSSOCredentials.ts

Line 70 in c106e8e

region: clientConfig?.region ?? ssoRegion,

In this particular case, it seems like allowing the clientConfig to have the highest precedence is causing the client to ignore the sso_region configured in the config file

[kuhe]

Please ask the library author to reconfigure the credentials setup to work around this. The field in question, clientConfig, is deliberately for overriding all other sources of configuration.

https://github.com/sst/v2/blob/master/packages/sst/src/credentials.ts#L17.

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.