👋 Hi everybody, I’m struggling with SSO authentication when using SSO token provider config. Legacy non-refreshable configuration works fine, but I’m curious to know if there’s a way to configure token provider properly as a default preferred auth. Any docs or ideas on that?

can you elaborate?

Absolutely. I’m using the Typescript sdk. The pulumi runtime fails to identify the

aws profile

I wish to use. This is output I’m getting when using SSO token provider config:

pulumi preview --diff                       
Previewing update (dev)

View Live: <https://app.pulumi.com/jorgeAtSama/starter-kit/dev/previews/57d1b163-9c01-4d69-bcd4-154e27f72c34>

+ pulumi:pulumi:Stack: (create)
    [urn=urn:pulumi:dev::starter-kit::pulumi:pulumi:Stack::starter-kit-dev]
    + pulumi:providers:aws: (create)
        [urn=urn:pulumi:dev::starter-kit::pulumi:providers:aws::us-east-1]
        region                   : "us-east-1"
        skipCredentialsValidation: "false"
        skipGetEc2Platforms      : "true"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
        version                  : "5.9.2"
    + pulumi:providers:aws: (create)
        [urn=urn:pulumi:dev::starter-kit::pulumi:providers:aws::us-east-2]
        region                   : "us-east-2"
        skipCredentialsValidation: "false"
        skipGetEc2Platforms      : "true"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
        version                  : "5.9.2"
    + awsx:ec2:Vpc: (create)
        [urn=urn:pulumi:dev::starter-kit::awsx:ec2:Vpc::default]
Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials. 

Details: no valid credential sources for  found.

Please see 

for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired

Make sure you have: 

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 

         • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 

         You can also set these via cli using `aws configure`. 

: Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials. 

Details: no valid credential sources for  found.

Please see 

for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired

Make sure you have: 

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 

         • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 

         You can also set these via cli using `aws configure`. 

    at Object.callback (/snapshot/awsx/node_modules/@pulumi/pulumi/runtime/invoke.js:148:33)

    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client.ts:338:26)

    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)

    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)

    at /snapshot/awsx/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24

    at processTicksAndRejections (node:internal/process/task_queues:78:11)

error: Error: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials. 
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have: 

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 
         • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 
         You can also set these via cli using `aws configure`. 


    at Object.callback (/snapshot/awsx/node_modules/@pulumi/pulumi/runtime/invoke.js:148:33)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client.ts:338:26)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
    at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
    at /snapshot/awsx/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
    at processTicksAndRejections (node:internal/process/task_queues:78:11)
error: Error: failed to register new resource default [awsx:ec2:Vpc]: 2 UNKNOWN: invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: unable to validate AWS credentials. 
Details: no valid credential sources for  found.

Please see 
for more information about providing credentials.

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: access token is expired


Make sure you have: 

         • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 
         • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 
         You can also set these via cli using `aws configure`. 


    at Object.registerResource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/runtime/resource.ts:339:27)
    at new Resource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/resource.ts:398:13)
    at new ComponentResource (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/resource.ts:891:9)
    at new Vpc (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/@pulumi/ec2/vpc.ts:124:9)
    at Object.<anonymous> (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/index.ts:9:54)
    at Module._compile (node:internal/modules/cjs/loader:1254:14)
    at Module.m._compile (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/ts-node/src/index.ts:439:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/jletelier/dev/test-kubernetes-upgrades/pulumi/starter-kit/node_modules/ts-node/src/index.ts:442:12)
    at Module.load (node:internal/modules/cjs/loader:1117:32)

So I’m not sure if this is what you’re talking about, but instead of using

aws configure sso

we’re using a couple of packages:

brew install aws-sso-util awsume

# populate ~/.aws/config with all profiles you have access to
export AWS_DEFAULT_SSO_START_URL=<https://YOURORG.awsapps.com/start>
export AWS_DEFAULT_SSO_REGION=us-east-1
aws-sso-util configure populate --region=us-east-1

# set up awsume alias and autocomplete for your shell
awsume-configure --shell {bash,zsh}

# source your shell rc file, or restart your shell
aws-sso-util login
awsume <TAB>  # should show a list of all your profiles

I was indeed refererring to SSO configuration. Thanks @dry-journalist-60579. Are you using the token provider config as well?

the providers don’t support the sso-session var yet, you need to grab temporary credentials

I see.

the aws provider doesn’t

ok, no problem, I’ll just keep using the legacy non-refreshable sso method then. Thanks so much @billowy-army-68599 and @dry-journalist-60579.

issue tracking https://github.com/pulumi/pulumi-aws/issues/2272