AWSCLI connection timeout

Trying to connect to AWS through the AWSCLI tool, I receive the connection timeout error below. It may be the result of a corporate proxy. I am able to successfully connect using Amazon's CLI tool after configuring an HTTPS_PROXY setting.

.okta>set HTTPS_PROXY=https://<<PROXY.URL>>
.okta>aws iam get-user
{
    "User": {
        "UserName": "XXXX",
        "PasswordLastUsed": "",
        "CreateDate": "",
        "UserId": "*********",
        "Path": "/",
        "Arn": "arn:aws:iam::*********:user/"
    }
}

This environment variable and one for HTTP do not seem to have an impact on AWSCLI. Any suggestions on how to resolve this connection issue?

Thanks!

.okta>java -classpath ".okta\*" com.okta.tools.awscli
Username: *************
Password:
Exception in thread "main" org.apache.http.conn.ConnectTimeoutException: Connect to XXXXX.oktapreview.com:443
[XXXXX.oktapreview.com/999.999.226.139, XXXXX.oktapreview.com/999.999.81.89, XXXXX.oktapreview.com/999.999.80.210,
 XXXXX.oktapreview.com/999.999.76.2, XXXXX.oktapreview.com/000.999.80.174, XXXXX.oktapreview.com/999.999.226.145]
failed: Read timed out
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:150)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at com.okta.tools.OktaAwsCliAssumeRole.logInToOkta(OktaAwsCliAssumeRole.java:271)
        at com.okta.tools.OktaAwsCliAssumeRole.getAuthnResponse(OktaAwsCliAssumeRole.java:208)
        at com.okta.tools.OktaAwsCliAssumeRole.getOktaSessionToken(OktaAwsCliAssumeRole.java:178)
        at com.okta.tools.OktaAwsCliAssumeRole.getSamlResponse(OktaAwsCliAssumeRole.java:124)
        at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:111)
        at com.okta.tools.awscli.main(awscli.java:31)
Caused by: java.net.SocketTimeoutException: Read timed out
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at java.net.SocketInputStream.read(Unknown Source)
        at sun.security.ssl.InputRecord.readFully(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket

Hello T-cog,

Can you please elaborate on the above? It is a bit vague for us to understand.

From the first paragraph it seems as if you were able to successfully use the tool once HTTP_PROXY was defined.

I apologize for the confusion. I am able to use Amazon's CLI tool successfully after configuring the proxy variable, as illustrated with the aws iam get-user command. Okta's AWSCLI tool fails to connect with the connection timeout error.

I did perform a packet capture while attempting to connect using Okta's AWSCLI to try and identify where the connection is timing out, and it appears to be while connecting to Okta Preview. The image below shows the client and server handshake, followed by repeated retransmissions and eventually a client reset when the server fails to respond.

.okta>java -classpath ".okta\*" com.okta.tools.awscli
Username: XXXX
Password:
Exception in thread "main" org.apache.http.conn.ConnectTimeoutException: Connect to xxxxx.oktapreview.com:443
[xxxxx.oktapreview.com/50.17.226.139, xxxxx.oktapreview.com/54.225.76.2, xxxxx.oktapreview.com/54.225.80.174,
xxxxx.oktapreview.com/50.17.226.145, xxxxx.oktapreview.com/54.225.80.210, xxxxx.oktapreview.com/54.225.81.89]
failed: Read timed out
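The thread's symptom is that the Python-based AWS CLI honours HTTPS_PROXY while the Java tool does not. A JVM reads proxy settings from the https.proxyHost / https.proxyPort system properties rather than from the environment, so the helper below (an added example, not code from the thread or from okta-aws-cli) turns an HTTPS_PROXY value into the corresponding -D flags and applies NO_PROXY-style bypass rules; whether this particular tool's HttpClient honours those JVM properties is an assumption the thread does not confirm.

```python
from urllib.parse import urlsplit

# Default ports used when the proxy URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_proxy(value):
    """Return (host, port) from a proxy URL such as https://proxy.corp:8080.
    A bare host:port without a scheme is treated as http://host:port."""
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    if not parts.hostname:
        raise ValueError("proxy URL has no host: %r" % value)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        raise ValueError("cannot infer proxy port for scheme %r" % parts.scheme)
    # Credentials embedded in the URL are deliberately dropped: the JVM proxy
    # properties carry none, and a password on the java command line would be
    # visible to anyone who can list processes.
    return parts.hostname, port


def host_bypasses_proxy(target_host, no_proxy):
    """NO_PROXY semantics as commonly implemented: '*' matches everything,
    a leading-dot entry matches any subdomain, otherwise exact or suffix match."""
    target = target_host.lower().rstrip(".")
    for entry in (e.strip().lower() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        if entry.startswith("."):
            if target.endswith(entry) or target == entry[1:]:
                return True
        elif target == entry or target.endswith("." + entry):
            return True
    return False


def jvm_proxy_flags(https_proxy, target_host, no_proxy=""):
    """-D flags for a java invocation that must reach target_host (hypothetical
    host names below are constructed for the example)."""
    if host_bypasses_proxy(target_host, no_proxy):
        return []  # direct connection, no proxy properties needed
    host, port = parse_proxy(https_proxy)
    return ["-Dhttps.proxyHost=%s" % host, "-Dhttps.proxyPort=%d" % port]


if __name__ == "__main__":
    print(" ".join(jvm_proxy_flags("https://proxy.corp.example:8080",
                                   "xxxxx.oktapreview.com")))
```

The resulting flags go between `java` and `-classpath` in the command shown in the thread; if the connection still times out with them in place, the client library is not reading JVM proxy properties and the timeout is not a proxy-configuration issue on the caller's side.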

Thank you for the clarification provided. I have forwarded the information by submitting an issue on the GitHub repo, so that my colleagues can also take a look at it for a quick resolution.

You can see Issue #105 here.

Please continue monitoring that issue thread for updates. If we need more information, we’ll reach out to you on this thread.

Thank you,
Andrei Hava
