
SSO authentication fails when client region differs from SSO region #44

Open
RyanShendler opened this issue Feb 6, 2025 · 1 comment


Description

I have my ~/.aws/config file configured as follows:

[sso-session abc]
sso_start_url = testURL
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile testProfile]
sso_session = abc
sso_region = us-west-2
sso_account_id = test
sso_role_name = test
region = us-east-1

My team deploys our resources to the us-east-1 region but our organization requires us to use their AWS SSO for authentication, which is configured at the us-west-2 region. This setup was working correctly until recently, but now I get the following error whenever I try to deploy resources while using AWS SSO authentication:

CredentialsProviderError: UnauthorizedException: Session token not found or invalid
    at resolveSSOCredentials (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/index.js:122:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async resolveProfileData (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js:244:12)

I tracked down the issue to this line in the @aws-sdk/credential-provider-sso package.
https://github.com/aws/aws-sdk-js-v3/blob/2b3d1df4f1343b09d8a7200c0d62cf87de35e8ed/packages/credential-provider-sso/src/resolveSSOCredentials.ts#L70

It looks like the region set in the clientConfig parameter is overriding the sso_region set in the ~/.aws/config file, which is causing the SSO authentication request to be sent to the wrong region. In my scenario, the SSO request is being sent to the us-east-1 region instead of us-west-2, which causes the SSO authentication to fail.

Steps to Recreate

Perform a fresh installation of SST v2.47.1. I was not experiencing this issue until I recently reinstalled my project dependencies. I believe this is because this issue was introduced in v3.699.0 of the @aws-sdk/credential-provider-ini package. It seems like SST is configured to use the latest minor version update of this dependency, so doing a fresh installation of SST should guarantee that you install the bugged version of this dependency.

Configure your ~/.aws/config to match this structure. In order to recreate this issue, your config file must have differing regions for the profile region and the SSO region. In my scenario, I have us-east-1 configured as my profile region and us-west-2 as my SSO region.

[sso-session abc]
sso_start_url = testURL
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile testProfile]
sso_session = abc
sso_region = us-west-2
sso_account_id = test
sso_role_name = test
region = us-east-1

Also, configure your project to deploy to the us-east-1 region (or whatever region you configured as your profile region), in your sst.config.ts file.

Once all of this has been set up, if you try to run sst dev or sst deploy, then you should get the following error message:

CredentialsProviderError: UnauthorizedException: Session token not found or invalid
    at resolveSSOCredentials (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-sso/dist-cjs/index.js:122:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async resolveProfileData (/node_modules/@aws-sdk/credential-provider-node/node_modules/@aws-sdk/credential-provider-ini/dist-cjs/index.js:244:12)

Version

SST Version: v2.47.1
CDK Version: v2.171.1

Possible Solution

It seems like the AWS CDK team experienced a similar issue in December 2024: aws/aws-cdk#32510 (comment)

The CDK team was able to resolve the issue by passing the client region in the parentClientConfig parameter instead of the clientConfig. The clientConfig parameter has the highest precedence when configuring an SDK client, which means the region set in the clientConfig will be used for every client, including the SSO client. However, the parentClientConfig parameter has a lower precedence, which means that it will not override the SSO region when configuring the SSO client. This should ensure that the SSO authentication logic always uses the sso_region configured in the ~/.aws/config file.

I believe this issue can be solved by changing this line

clientConfig: { region: project.config.region },

from clientConfig: { region: project.config.region } to parentClientConfig: { region: project.config.region }.

Additional Info

I believe this issue was introduced in v3.699.0 of the @aws-sdk/credential-provider-ini package. Before this update, the clientConfig was not being passed to the SSO clients, which meant the SSO authentication would always use the sso_region configured in the ~/.aws/config file. Since this change, the clientConfig config is now passed to the SSO client and will override the SSO region with whatever region is configured in the clientConfig. This is why this line used to work correctly, but is now unintentionally overriding the sso_region set in the ~/.aws/config file:

clientConfig: { region: project.config.region },

I already opened an issue on the AWS SDK repo, but it looks like this is the intended behavior according to the AWS SDK team.
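The precedence described in the Possible Solution and Additional Info sections above can be checked before a deploy ever calls the SSO endpoint. The following is an added example, not code from SST, the AWS SDK, or the issue author: it parses the ~/.aws/config sections quoted in the issue (profile plus linked sso-session), models the region precedence the issue describes (clientConfig.region wins over sso_region; parentClientConfig.region is only a fallback; this simplified model is an assumption, not the SDK's actual merge code), and reports whether the region the SSO client would call matches the configured sso_region. The names parseAwsConfig, resolveSsoSettings, ssoClientRegion and checkSsoRegion are hypothetical; the config text is a constructed sample copied from the issue, and deployRegion stands in for project.config.region.

```javascript
// Constructed sample: the ~/.aws/config from the issue (values are the issue's placeholders).
const SAMPLE_CONFIG = `
[sso-session abc]
sso_start_url = testURL
sso_region = us-west-2
sso_registration_scopes = sso:account:access

[profile testProfile]
sso_session = abc
sso_region = us-west-2
sso_account_id = test
sso_role_name = test
region = us-east-1
`;

// Parse INI-style ~/.aws/config text into { profiles, ssoSessions }.
// "[profile name]" and "[sso-session name]" are prefixed; "[default]" is not.
function parseAwsConfig(text) {
  const profiles = {};
  const ssoSessions = {};
  let current = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const header = line.match(/^\[(?:(profile|sso-session)\s+)?([^\]]+?)\s*\]$/);
    if (header) {
      const [, kind, name] = header;
      const table = kind === "sso-session" ? ssoSessions : profiles;
      current = table[name] = table[name] || {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || current === null) continue; // skip malformed or section-less lines
    current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return { profiles, ssoSessions };
}

// Resolve a profile's SSO settings, following sso_session to its [sso-session] block.
// The deploy region (profile.region) is deliberately kept separate from sso_region.
function resolveSsoSettings(config, profileName) {
  const profile = config.profiles[profileName];
  if (!profile) throw new Error(`profile ${profileName} not found`);
  const session = profile.sso_session ? config.ssoSessions[profile.sso_session] : undefined;
  if (profile.sso_session && !session) {
    throw new Error(`sso-session ${profile.sso_session} not found`);
  }
  return {
    profileRegion: profile.region,
    ssoRegion: (session && session.sso_region) || profile.sso_region,
    ssoStartUrl: (session && session.sso_start_url) || profile.sso_start_url,
  };
}

// Simplified model (assumption) of the precedence the issue describes:
// clientConfig.region overrides the SSO client's region outright, while
// parentClientConfig.region only applies when no sso_region is configured.
function ssoClientRegion(ssoSettings, { clientConfig = {}, parentClientConfig = {} } = {}) {
  return clientConfig.region || ssoSettings.ssoRegion || parentClientConfig.region;
}

// Pre-flight check: will the SSO client call the region the SSO portal lives in?
// A mismatch is the "Session token not found or invalid" failure from the issue.
function checkSsoRegion(config, profileName, options) {
  const settings = resolveSsoSettings(config, profileName);
  const effectiveRegion = ssoClientRegion(settings, options);
  return {
    ssoRegion: settings.ssoRegion,
    effectiveRegion,
    ok: effectiveRegion === settings.ssoRegion,
  };
}

// Usage: the broken and the proposed form of the line quoted in the issue.
const config = parseAwsConfig(SAMPLE_CONFIG);
const deployRegion = "us-east-1"; // stands in for project.config.region
const broken = checkSsoRegion(config, "testProfile", { clientConfig: { region: deployRegion } });
const fixed = checkSsoRegion(config, "testProfile", { parentClientConfig: { region: deployRegion } });
console.log("clientConfig:", broken);      // ok: false, effectiveRegion: "us-east-1"
console.log("parentClientConfig:", fixed); // ok: true,  effectiveRegion: "us-west-2"
```

Running it shows the two outcomes side by side: with clientConfig the SSO call would go to us-east-1 and fail, with parentClientConfig it goes to the configured us-west-2. The same check is useful as a guard in a deploy script, since it catches the misconfiguration locally instead of surfacing it as an opaque UnauthorizedException from the SSO service.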


jayair commented Feb 7, 2025

Thanks for digging in. Would appreciate a PR for this.
