AWS CLI works but boto3 reports Token has expired and refresh failed #4119

Closed
shadycuz opened this issue May 7, 2024 · 2 comments
Labels
bug This issue is a confirmed bug. closed-for-staleness credentials p3 This is a minor priority issue response-requested Waiting on additional information or feedback. sso

shadycuz commented May 7, 2024

Describe the bug

I have a Python script that will work for some time, but eventually it starts saying "Error when retrieving token from sso: Token has expired and refresh failed". The thing is, the token should still be valid. For example, I can go to the AWS CLI and run aws s3 ls and it will list the buckets for my default profile.

Expected Behavior

Well, this code used to work; I'm not sure what changed externally to break it. I might have updated boto3 or maybe the AWS CLI. But since the AWS CLI seems to work with my default profile, I would expect my script to work also.

Current Behavior

Here is my test code

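import logging

import boto3

# Logger used by the debug calls below
log = logging.getLogger(__name__)

session = boto3.Session()
log.debug(session)
log.debug(session.available_profiles)

# Checks that the credentials are set correctly
session.client("sts").get_caller_identity()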

and the output:

debug: Session(region_name='us-west-2')
debug: ['default', 'developer-dev', 'development', 'network', 'backup', 'shared-services', 'test', 'qa', 'sandbox']
Error when retrieving token from sso: Token has expired and refresh failed

But if I run aws s3 ls from the CLI, it spits out the S3 buckets using my default profile. So the creds are still valid? Or should be?

Reproduction Steps

I'm really not sure how to get it into this bad state. But it happened to me on Linux and it happened to my other co-worker on Windows.

Possible Solution

Well, if I go to the AWS CLI and run aws sso login, then the script starts working again? Strange. It seems like something is wrong in how it looks up the default credential "chain". But I'm not sure.

Additional Information/Context

What my default profile looks like:

[default]
sso_session = aws
sso_account_id = xxxxxxx
sso_role_name = AdministratorAccess
region = us-west-2
output = json

[sso-session aws]
sso_region = us-west-2
sso_start_url = https://xxxxxxxx.awsapps.com/start
sso_registration_scopes = sso:account:access

SDK version used

1.28.85

Environment details (OS name and version, etc.)

WSL Ubuntu 22.04

@shadycuz shadycuz added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels May 7, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this May 8, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. sso credentials p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels May 8, 2024
@RyanFitzSimmonsAK
Contributor

Hi @shadycuz, thanks for reaching out. Could you tell me a bit about how you are initially getting your Boto3 credentials? Do you know how long your script works before it fails to get credentials? I'd also recommend taking a look at documentation around configuring session duration.

For configuring access portal session duration, please refer to this documentation: https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html.

For configuring permission set session duration, you can refer to this documentation: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html.

Thanks!

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional information or feedback. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels May 10, 2024

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 21, 2024
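
When a script reports "Token has expired and refresh failed", the state of the cached SSO token is the first thing to check. The sketch below is an added example, not code from the issue or from boto3; it classifies the cache file that `aws sso login` writes for an `[sso-session]` profile. It assumes botocore's cache layout (`~/.aws/sso/cache/<SHA-1 of the session name>.json`) and the field names shown; the sample tokens are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Fields assumed necessary for a silent refresh (names as written by `aws sso login`).
REFRESH_KEYS = ("refreshToken", "clientId", "clientSecret", "registrationExpiresAt")

# Constructed sample data; no real token material.
SAMPLE_NOW = datetime(2024, 5, 7, 21, 0, tzinfo=timezone.utc)
SAMPLE_NO_REFRESH = {"accessToken": "x", "expiresAt": "2024-05-07T20:00:00Z"}
SAMPLE_REFRESHABLE = dict(SAMPLE_NO_REFRESH, refreshToken="x", clientId="x",
                          clientSecret="x", registrationExpiresAt="2024-08-01T00:00:00Z")


def cache_path(sso_session_name, cache_dir=None):
    """Cache file for an [sso-session NAME] block: SHA-1 hex of the session name."""
    base = Path(cache_dir) if cache_dir else Path.home() / ".aws" / "sso" / "cache"
    return base / (hashlib.sha1(sso_session_name.encode("utf-8")).hexdigest() + ".json")


def _parse(ts):
    # Timestamps are ISO 8601 with a trailing "Z"; treat naive values as UTC.
    parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def token_state(token, now=None):
    """Classify a cached token without ever echoing secret values."""
    now = now or datetime.now(timezone.utc)
    if _parse(token["expiresAt"]) > now:
        return "valid"
    missing = [k for k in REFRESH_KEYS if k not in token]
    if missing:
        return "expired, not refreshable (missing " + ", ".join(missing) + ")"
    if _parse(token["registrationExpiresAt"]) <= now:
        return "expired, client registration expired too"
    return "expired, refresh should be possible"


def describe(sso_session_name, cache_dir=None, now=None):
    path = cache_path(sso_session_name, cache_dir)
    if not path.exists():
        return "no cached token"
    return token_state(json.loads(path.read_text()), now)


if __name__ == "__main__":
    print(describe("aws"))  # "aws" is the sso-session name from the issue's config
```

The output names only which fields are missing, so it can be pasted into a bug report without exposing the access token, refresh token or client secret.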