# aws
Hi there, I am getting crazy here. I am trying to update an AWS stack but I keep getting the error
aws:batch:JobDefinition (my-jobDefinition):
    error: 1 error occurred:
    	* Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b48d33a2-5fda-4c9d-829a-1ded6a2143ea, api error ExpiredToken: The security token included in the request is expired
The error occurs for three different jobDefinitions. The same error occurs with `pulumi destroy`. I am using a Pulumi environment with aws-oidc. I tried:
1. Recreating the OIDC role.
2. Using a standard AWS profile instead of a Pulumi environment.
   a. Removing all configs and credentials and making them brand new.
3. Using an SSO profile.
The CLI command `aws sts get-caller-identity` correctly returns my info. Any idea?
Not only that: I tried to create a new stack and then destroy it with the very same config (the Pulumi env with OIDC) and everything works fine 😕
The STS get-caller-identity instruction can't 403 in many cases, as you don't need any actual permissions for that instruction. The only times it can happen are when your temporary credentials aren't valid. So the problem is absolutely with your OIDC and SSO credentials. You can ignore the stuff about JobDefinition: that's probably just when it's happening, not why it's happening.
I would check the provider(s) you're using, and ensure that they're using the credentials that you think they ought to be using. Is it possible that you're renewing credentials that the provider isn't using?
Thanks for the answer, but how can it be that creating a new stack and destroying it works fine?
With the very same OIDC credentials.
Timing? Short-term credentials expire. I don't have enough information to debug, I'm just proposing areas of investigation.
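A small diagnostic for the two points raised in the replies above, "is the provider using the credentials you think it is" and "short-term credentials expire" (an added example, not code from the thread or from Pulumi): it mimics the AWS SDK default credential chain ordering, where static keys in the environment take precedence over `AWS_PROFILE`, and flags expired AWS CLI SSO cache entries. The environment variables, cache entry and timestamps are constructed placeholders, and the SSO cache layout (`expiresAt` in ISO 8601 UTC) is assumed from the AWS CLI's `~/.aws/sso/cache` JSON files.

```python
import json
from datetime import datetime, timezone

# Constructed sample inputs (placeholders, not values from the thread).
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "ASIA-PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "placeholder-secret",
    "AWS_SESSION_TOKEN": "placeholder-session-token",
    "AWS_PROFILE": "my-sso-profile",
}
SAMPLE_SSO_CACHE = [
    json.dumps({"startUrl": "https://example.awsapps.com/start",
                "expiresAt": "2024-05-01T10:00:00Z"}),
]

def parse_utc(value):
    # AWS CLI SSO cache files store expiresAt as ISO 8601 UTC with a "Z" suffix (assumed format).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def resolve_credential_source(env, sso_cache_files, now_iso):
    """Mimic the SDK default chain: static env keys win over AWS_PROFILE.
    Returns (source, findings) so a stale or mismatched source is visible."""
    now = parse_utc(now_iso)
    findings = []
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        source = "environment"
        if env.get("AWS_PROFILE"):
            findings.append("AWS_PROFILE is set, but environment keys take precedence: "
                            "re-running `aws sso login` will not change what the provider uses")
        if env["AWS_ACCESS_KEY_ID"].startswith("ASIA") and not env.get("AWS_SESSION_TOKEN"):
            findings.append("temporary key id (ASIA...) without AWS_SESSION_TOKEN")
    elif env.get("AWS_PROFILE"):
        source = "profile:" + env["AWS_PROFILE"]
    else:
        source = "profile:default"
    for raw in sso_cache_files:
        entry = json.loads(raw)
        expires = parse_utc(entry["expiresAt"])
        if expires <= now:
            findings.append("SSO token for %s expired at %s"
                            % (entry.get("startUrl"), entry["expiresAt"]))
    return source, findings

if __name__ == "__main__":
    source, findings = resolve_credential_source(SAMPLE_ENV, SAMPLE_SSO_CACHE, "2024-05-01T12:00:00Z")
    print("provider would use:", source)
    for finding in findings:
        print(" -", finding)
```

Run it in the same shell you run `pulumi up` from, feeding `os.environ` and the real cache files, to see whether the credentials you refreshed are the ones the provider actually picks up.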