
Attempting to access SQS when using AWS SSO fails #3870

Closed
andyfcdl opened this issue Mar 30, 2023 · 13 comments
Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 This is a standard priority issue

Comments

@andyfcdl

Describe the bug

We are using aws sso to get session credentials. When we use this we can use the Java SDK to query S3 etc., but are failing to be able to do anything with SQS utilising the Java SDK v2, although the AWS CLI and Python apps work just fine.

Our basic issue is we received a 403 error when calling the API, for example to list queues and a message of the form 'Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied'

Expected Behavior

AWS SDK v2 interacting with SQS when we are logged on via aws sso should allow interactions to just work.

Current Behavior

We receive a 403 error when calling the API, for example to list queues and a message of the form 'Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied'

Reproduction Steps

Log in to AWS using SSO against a profile other than default. This profile uses a different role specific to what we need to do.

Using code as per

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;
import software.amazon.awssdk.services.sqs.model.ListQueuesRequest;
import software.amazon.awssdk.services.sqs.model.ListQueuesResponse;

        // Resolve credentials through the default chain, pinned to the SSO-backed profile
        SqsClient sqs = SqsClient.builder()
                .region(Region.EU_WEST_1)
                .credentialsProvider(DefaultCredentialsProvider.builder().profileName("dev-profile").build())
                .build();
        ListQueuesResponse lq_result = sqs.listQueues(ListQueuesRequest.builder().build()); // fails here
        for (String url : lq_result.queueUrls()) {
            System.out.println(url);
        }

Possible Solution

No response

Additional Information/Context

We have used the AWS CLI to connect and this works.

aws sqs list-queues --profile=dev-profile

We have also used a small python script, below, and this also works

import boto3

# Create SQS client
session = boto3.Session(profile_name='dev-profile')
sqs = session.client('sqs')

# List SQS queues
response = sqs.list_queues()

print(response['QueueUrls'])

AWS Java SDK version used

2.20.34

JDK version used

openjdk version "1.8.0_342" OpenJDK Runtime Environment Corretto-8.342.07.3 (build 1.8.0_342-b07) OpenJDK 64-Bit Server VM Corretto-8.342.07.3 (build 25.342-b07, mixed mode)

Operating System and version

Windows 10

@andyfcdl andyfcdl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 30, 2023
@debora-ito
Member

Does it work if you use the ProfileCredentialsProvider directly, instead of using the Default credential chain?

import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;

SqsClient sqs = SqsClient.builder()
                .region(Region.EU_WEST_1)
                .credentialsProvider(ProfileCredentialsProvider.create("dev-profile"))
                .build();

@debora-ito debora-ito added p2 This is a standard priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 10 days. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 5, 2023
@debora-ito debora-ito self-assigned this Apr 5, 2023
@andyfcdl
Author

andyfcdl commented Apr 5, 2023

Does it work if you use the ProfileCredentialsProvider directly, instead of using the Default credential chain?

SqsClient sqs = SqsClient.builder()
                .region(Region.EU_WEST_1)
                .credentialsProvider(ProfileCredentialsProvider.create("dev-profile"))
                .build();

No. Tried this, and a number of other variations of the way to create an SqsClient instance, and none work. All result in an access denied when used via the Java SDK.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 10 days. label Apr 5, 2023
@andyfcdl
Author

@debora-ito Is there any update on this?

@debora-ito
Member

debora-ito commented Apr 18, 2023

@andyfcdl sorry, no updates yet. I'll work on setting up an SSO profile to repro this.

@debora-ito debora-ito added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Apr 19, 2023
@debora-ito
Member

Might be related to #3679, still working to confirm it is the same case.

@andyfcdl
Author

Not sure that the token expiry is the case for us. I do an SSO login a couple of minutes before executing the code, to get a token with 8 hours left on it. The Python script works but the Java application fails when connecting to SQS; adding some code to talk to S3 works, and it can, for example, list buckets using the SSO token. I have attached an anonymised debug log of what I see when attempting to call out to SQS.
The sample S3 code that is placed in the same file, just before the SQS calls, is of the form

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.Bucket;
import software.amazon.awssdk.services.s3.model.ListBucketsResponse;

// Same credential chain and profile as the SQS client; profile name anonymised in the post
S3Client s3 = S3Client.builder()
        .region(Region.EU_WEST_1)
        .credentialsProvider(DefaultCredentialsProvider.builder().profileName("").build())
        .build();
ListBucketsResponse result = s3.listBuckets();
System.out.println(" >>> Buckets");
for (Bucket bucket : result.buckets()) {
    System.out.println(bucket.name());
}

and this works: it logs in and lists buckets.

I'm wondering if there is anything to do with the fact we need to use role_arn in the profile such that we get access via said role?

samplelog.log

@andyfcdl
Author

This can be closed. We went through AWS support and found that we had some issues in our aws config file, and updates to the underlying SDK also helped.

Basically we had duplicated some lines in our profiles in the config file around SSO configuration and the Java SDK did not like this.

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@jbowlerpopid

This can be closed. We went through AWS support and found that we had some issues in our aws config file, and updates to the underlying SDK also helped.

Basically we had duplicated some lines in our profiles in the config file around SSO configuration and the Java SDK did not like this.

Hi, could you possibly be more specific? I'm struggling with the same thing. For some reason, the sdk is making a "get role credentials" request, and that fails with a 403.

@andyfcdl
Author

Our core issue was in the ~/.aws/config and how we set up SSO. We duplicated some of the sso lines from [default] into our individual profile config, and this caused the Java SDK to not recognise it correctly. Once we tidied that up it all worked, i.e. SSO details in the [default] section and just the relevant info in the profile, as per

[default]
sso_start_url = https://our-sso.awsapps.com/start
sso_region = region
sso_account_id = account id number
sso_role_name = role_name
region = region
output = json

[profile dev-profile]
role_arn = arn:aws:iam::xyzzy:role/company/stuff/role
source_profile=default
region = region

Turn on full wire level debug logging to see what it is trying as well.
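
As an added check for the misconfiguration described in this thread (this is example code, not from the thread participants or the SDK project), the following Python script parses an AWS shared config file and flags profiles that combine role_arn/source_profile with their own sso_* keys, which is the duplication reported above. It also catches a role_arn with no source_profile and a source_profile that points at a profile section that does not exist. The key names are the standard shared-config keys; the sample config and all account ids, URLs and ARNs in it are constructed placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample ~/.aws/config modelled on the layouts posted in this thread.
# Every value below is a placeholder, not a real account id, URL or role.
SAMPLE_CONFIG = """
[default]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = DevRole
region = us-east-1
output = json

[profile dev-profile]
role_arn = arn:aws:iam::222222222222:role/company/stuff/role
source_profile = default
region = us-east-1

[profile sandboxtest]
sso_session = default
role_arn = arn:aws:iam::333333333333:role/OrganizationAccountAccessRole
source_profile = default
region = us-east-1
sso_account_id = 333333333333
sso_role_name = OrganizationAccountAccessRole
"""

# Keys that describe an SSO login, and keys that describe assuming a role from another profile.
SSO_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name", "sso_session"}
ASSUME_ROLE_KEYS = {"role_arn", "source_profile"}


def parse_aws_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse shared-config text into {section name: {key: value}} (keys lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _section_for_profile(profile: str) -> str:
    # The default profile lives in [default]; every other profile in [profile NAME].
    return "default" if profile == "default" else f"profile {profile}"


def lint_profiles(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per problem, in section order; an empty list means the file looks clean."""
    findings: List[str] = []
    for name, keys in sections.items():
        present = set(keys)
        role_keys = ASSUME_ROLE_KEYS & present
        sso_keys = SSO_KEYS & present
        # The pattern from this thread: a role-assuming profile that also repeats sso_* settings.
        if role_keys and sso_keys:
            findings.append(
                f"{name}: mixes role-assumption keys {sorted(role_keys)} with SSO keys "
                f"{sorted(sso_keys)}; keep the sso_* keys only in the source profile"
            )
        if "role_arn" in present and not ({"source_profile", "credential_source"} & present):
            findings.append(f"{name}: role_arn set but no source_profile or credential_source")
        src = keys.get("source_profile")
        if src and _section_for_profile(src) not in sections:
            findings.append(f"{name}: source_profile '{src}' has no matching [{_section_for_profile(src)}] section")
    return findings


if __name__ == "__main__":
    for finding in lint_profiles(parse_aws_config(SAMPLE_CONFIG)):
        print(finding)
```

Point the parser at the real file (`open(os.path.expanduser("~/.aws/config")).read()`) to run it against your own setup; the sandboxtest profile in the sample is the shape that jbowlerpopid posted later in this thread and is the only one the linter reports.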

@jbowlerpopid

jbowlerpopid commented Dec 22, 2023

Our core issue was in the ~/.aws/config and how we set up sso - we duplicated some of the sso lines from [default] into our individual profile config, and this caused the Java SDK to not recognise it correctly - once we tidied that up it all worked, i.e. sso details in the [default] section and just relevant info in the profile as per

[default]
sso_start_url = https://our-sso.awsapps.com/start
sso_region = region
sso_account_id = account id number
sso_role_name = role_name
region = region
output = json

[profile dev-profile]
role_arn = arn:aws:iam::xyzzy:role/company/stuff/role
source_profile=default
region = region

Turn on full wire level debug logging to see what it is trying as well.

Thanks for getting back to me. I still can't get it to work. My "normal" profile works; it's when attempting to access our sandbox env on AWS that it breaks. This is my config file (redacted)

[profile dev]
sso_session = default
sso_account_id = 
sso_role_name = 

[sso-session default]
sso_start_url = 
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile sandboxtest]
sso_session = default
role_arn = 
source_profile = dev
region = us-east-1
sso_account_id = 
sso_role_name = OrganizationAccountAccessRole

I'm able to use the sandboxtest profile on the cmd line just fine; the problem is with the Java SDK.

@andyfcdl
Author

andyfcdl commented Jan 2, 2024

Remove the duplicated sso_* sections and only have them in a [default] section, and give that a try.

@jbowlerpopid

Remove the duplicated sso_* sections and only have them in a [default] section, and give that a try.

Wow, this worked. Thank you! Also, I need to include STS on the classpath.
