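#!/usr/bin/env python3
"""Generate an AWS console sign-in URL from an identity-provider JWT.

Flow (the three steps AWS documents for console federation):
  1. Exchange the JWT for temporary role credentials with
     ``sts:AssumeRoleWithWebIdentity``.
  2. Trade those credentials for a console sign-in token at the federation
     endpoint (``Action=getSigninToken``).
  3. Build the console login URL that carries the sign-in token.

The printed URL is a bearer credential for a console session: handle it like
a password (do not paste it into chat or tickets, do not write it to logs).

Usage: ``gen_console_url.py USERNAME JWT`` (f-strings require Python 3.6+,
hence the python3 shebang).
"""
import argparse
import json
import sys
import urllib.parse  # `import urllib` alone does not guarantee `urllib.parse`

import boto3
import requests

LOGIN_URL = 'https://dev-analytics-moj.eu.auth0.com/'
CONSOLE_URL = 'https://console.aws.amazon.com/'
IAM_ROLE_ARN_BASE = 'arn:aws:iam::593291632749:role'
FEDERATION_URL = 'https://signin.aws.amazon.com/federation'
# Seconds to wait for the federation endpoint; without a timeout a stalled
# connection hangs the script indefinitely.
HTTP_TIMEOUT = 30

parser = argparse.ArgumentParser(description='Generate AWS console signin URL')
parser.add_argument('username', type=str, help='Analytics Platform username')
# NOTE: a JWT given on the command line is visible in process listings and
# shell history on shared hosts; if this script is run anywhere but a
# single-user workstation, prefer reading it from an environment variable
# or stdin.
parser.add_argument('jwt', type=str,
                    help='JWT from registered identity provider')
args = parser.parse_args()

sts = boto3.client('sts')
# Exchange the JWT for temporary AWS credentials. STS verifies the token
# against the identity provider's published signing keys, so an
# InvalidIdentityToken error means STS could not fetch or verify that key
# material, not that the script mangled the token.
sts_response = sts.assume_role_with_web_identity(
    RoleArn=f'{IAM_ROLE_ARN_BASE}/dev_user_{args.username}',
    RoleSessionName=args.username,
    WebIdentityToken=args.jwt,
)
sts_temp_creds = sts_response['Credentials']

# Session document expected by the federation endpoint; the key names are
# fixed by the AWS federation API.
session = {
    'sessionId': sts_temp_creds['AccessKeyId'],
    'sessionKey': sts_temp_creds['SecretAccessKey'],
    'sessionToken': sts_temp_creds['SessionToken'],
}

# Get a console sign-in token using the temporary credentials.
# NOTE(review): AWS documents SessionDuration for GetFederationToken-derived
# credentials; with AssumeRoleWithWebIdentity credentials the console
# session is bounded by the role credentials' own lifetime — confirm the
# parameter is honoured before relying on a 12 h session.
signin_token_response = requests.get(
    FEDERATION_URL,
    params={
        'Action': 'getSigninToken',
        'SessionDuration': 43200,
        'Session': json.dumps(session),
    },
    timeout=HTTP_TIMEOUT,
)
# Fail on an HTTP error here rather than with a confusing KeyError below.
# The response body is deliberately not echoed: it may reflect the session
# document, which contains the secret key.
signin_token_response.raise_for_status()
try:
    signin_token = signin_token_response.json()['SigninToken']
except (ValueError, KeyError):
    sys.exit('federation endpoint did not return a SigninToken')

# Generate the console login URL. The SigninToken is a short-lived bearer
# credential (AWS documents a 15-minute validity), so the URL should be used
# promptly and never stored.
querystring = urllib.parse.urlencode({
    'Action': 'login',
    'Issuer': LOGIN_URL,
    'Destination': CONSOLE_URL,
    'SigninToken': signin_token,
})
print(f'{FEDERATION_URL}?{querystring}')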
@sourabhjagtap95
I am getting error : botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Could you please suggest?
