aws-sts | Ansible role for assuming roles using the AWS STS service

When trying to create an apprunner service using aws apprunner create-service --cli-input-json file://./myconfig.json, I get the error in title:

An error occurred (InvalidRequestException) when calling the CreateService operation: Error in assuming access role arn:aws:iam::1234:role/my-role

The myconfig.json I'm using is fairly similar to example json from AWS CreateService docs, & I don't think it's particularly relevant here.

The error seems to imply I should assume the role... but I've already assumed the role with this command from this stackoverflow q/a:

eval $(aws sts assume-role --role-arn arn:aws:iam::1234:role/my-role --role-session-name apprunner-stuff1 --region us-east-1 | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')

This runs without error & when I run:

aws sts get-caller-identity

it outputs the following which looks correct I think:

Our company's Active Directory accounts are somehow used to login to AWS using federation.

The last few days I've started getting this error, however, and I'm wondering if anyone knows what it means:

ERROR: error logging into role&{arn:aws:iam::111111111111:role/myrole arn:aws:iam::111111111111:saml-provider/MyCompanyPingID }: error retrieving STS credentials using SAML: InvalidIdentityToken: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: 11111111-1111-1111-1111-111111111111; Proxy: null) status code: 400, request id: 22222222-2222-2222-2222-222222222222

My own interpretation is that arn:aws:iam::111111111111:saml-provider/MyCompanyPingID is returning a response to AWSOpenIdDiscoveryService that is not base64-encoded, but AWSOpenIdDiscoveryService expects it to be base64 encoded.

It seems this must be an issue with my account because I've asked other people in my team and they don't have this issue.

My question is, does anyone know what the error even means, and what is likely to cause it? Is it an incorrect encoding for example?

Edit:

I see that there are a couple of similar questions if I search for AuthSamlInvalidSamlResponseException:

• IAM SAML federation from local fails
• AWS SSO Custom App SAML Authentication error (InvalidIdentityToken, Invalid Base64 SAMLResponse
• How do I get AssumeRolewithSAML to work with CLI when same request works with Postman
• Get SAMLAssertion for AWS STS's assumeRoleWithSAML
• How to call AssumeRoleWithSAMLAsync without AmazonSecurityTokenServiceClient
• Invalid base64 SAMLResponse when trying to call AssumeRoleWithSAML

I have a problem with the AWS sdk on a Qt app.
I'm getting the STS tokens from Cognito after a click on a QML button.
The function is working perfectly fine and is printing me the token... as long as the debugger is attached [F5]. If I start the project without debugger (green arrow without bug on it) the returned object is empty.

Without the debugger attached I have the following in the aws logs that I don't have otherwise:

[INFO] 2020-09-18 12:33:02.569 CognitoCachingCredentialsProvider [140678610167936] A parent identity was from cognito which is different from the anonymous identity. Swapping that out now.
[INFO] 2020-09-18 12:33:02.569 CognitoCachingCredentialsProvider [140678610167936] Credentials will expire next at 0

Other logs around looks the same, I even have the STS token shown a couples of lines above this one on both cases:

[DEBUG] 2020-09-18 12:33:02.569 CURL [140678610167936] (DataIn) {"Credentials":{"AccessKeyId":"###","Expiration":1.600435982E9,"SecretKey":"###","SessionToken":"##########"},"IdentityId":""}

I have even edited the SDK and added the following logs which resulted in this (with the debugger attached the first line is also getting shown).

i want to parametrize jobs for different envs.

for example: