Bug: aws-cli-auth InvalidClientTokenId Error and Ineffective Credential Clearing on MacOS #17

Open
dibyadhar opened this issue Feb 29, 2024 · 1 comment
Labels
bug Something isn't working

dibyadhar commented Feb 29, 2024

Describe the bug

When attempting to use aws-cli-auth to fetch temporary credentials for AWS login via Okta, an error occurs during the process of updating the kubeconfig for an EKS cluster and when trying to switch to a target AWS account. The error message indicates an issue with validating credentials and mentions an InvalidClientTokenId.

I use https://github.com/common-fate/granted in the CLI to manage my AWS profiles, but it seems it throws up the same error if you do native CLI calls to assume the target role.

Additional troubleshooting steps included clearing the stale credential using aws-cli-auth clear-cache. There is an inconsistency with the command clear not functioning as expected in macOS with
image

To Reproduce
Steps to reproduce the behavior:
Execute the command to assume a profile:
aws-cli-auth saml -p "https://.okta.com/home/amazon_aws/xxxxx/xxxx" --principal "arn:aws:iam::012345678:saml-provider/PROVIDER-Okta" -r "arn:aws:iam::0123456789:role/TARGET-ROLE" -d 3600

In my case, using [https://github.com/common-fate/granted]: assume target-aws-profile

The error is displayed in the terminal.

image

Expected behavior
The expected behavior is the successful assumption of the specified AWS profile without encountering credential validation errors.

Screenshots

Screenshot 2024-02-29 at 13 20 55

Desktop (please complete the following information):

  • OS: macOS Ventura
  • Version: 13.6.4 (22G513)

Additional context
aws-cli-auth versions tried out:
aws-cli-auth version v0.13.5-81b8ef042464a06c8733f2ec74fb0224c2c4dd41
aws-cli-auth version v0.14.0-ac79bd26aa5d29c83895a6552514e45870536b1c

dnitsch self-assigned this Mar 4, 2024
dnitsch added the bug (Something isn't working) label Mar 4, 2024

dnitsch (Owner) commented Mar 4, 2024

Thanks for the issue @dibyadhar - I'll take a look. It does sound like the clear-cache command needs to do a bit more work in the OS secret store.
