saml2aws
credential_process - expired tokens not getting refreshed by awscli
This ticket was originally raised on the AWS CLI project, but the fix is required in saml2aws:
https://github.com/aws/aws-cli/issues/5109
When using the --credential-process flag, the credentials are saved to the AWS credentials file. The AWS CLI does not auto-refresh in this case, as it reads the credentials from the credentials file regardless of whether the tokens have expired or not (by design).
Can we change --credential-process to not save creds to the .aws/credentials file, to avoid this issue in aws-cli?
The workaround for now is to specify something like --credentials-file=~/.aws/saml2aws.creds so the creds are not stored in the AWS credentials file, e.g.:
[profile dev]
region=us-east-1
output=json
credential_process = saml2aws login -a saml --skip-prompt --quiet --credential-process --role arn:aws:iam::0123456789:role/myrole-delegated-read --region us-east-1 --profile dev --credentials-file=~/.aws/saml2aws.creds
As part of this ticket, I think --skip-prompt and --quiet should be implicit when using --credential-process?
Implicitly setting --quiet might not be suitable for some authentication methods, such as pingidfed and okta: they require the user to select a number in their mobile app, which needs the hint from saml2aws's output.
However, aws-cli doesn't redirect stderr to the console; I had to write a wrapper to make the hint visible...
This introduced new behavior... I use the browser provider with --credential-process and a custom credential file. My credentials would always be saved to the custom credential file and refreshed when necessary. This meant that the browser would only pop up when the credentials expired. With this new change the credentials are never saved with --credential-process, which means that every single AWS CLI call makes the browser pop up. Very annoying.
I'm happy to submit a PR to fix this. I could implement a couple of approaches:
1. Keep current behavior, but if a custom credential file is provided then save credentials with credential process.
2. Keep current behavior and add an option to save credentials with credential process.
3. Roll back to previous behavior and add a config option to not save credentials during credential process.
I think #1 is probably the best as it will cover previous and current behavior without having to create any new flags. Let me know what you think and I can submit a PR.
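The wrapper mentioned earlier in the thread and the caching behaviour discussed in this comment both amount to the same thing: a credential_process command that returns cached credentials while they are still valid and only re-runs the saml2aws login when they have expired. The script below is an added example of such a wrapper; it is not saml2aws's own code. It assumes the login command prints a Version 1 credential_process JSON document on stdout (as saml2aws does with --credential-process), that the Expiration field is an RFC 3339 UTC timestamp ending in Z, and it uses a hypothetical private cache file path (CACHE_FILE) and refresh margin (MARGIN_SECS) of its own.

```shell
#!/bin/sh
# Added example (not part of saml2aws): credential_process wrapper that caches
# the login output in a private file and refreshes it only when it has expired.
set -eu

# Assumed locations and commands; override via the environment if needed.
CACHE_FILE="${CACHE_FILE:-$HOME/.aws/saml2aws-cache.json}"
REFRESH_CMD="${REFRESH_CMD:-saml2aws login --skip-prompt --credential-process}"
MARGIN_SECS="${MARGIN_SECS:-300}"   # refresh this many seconds before Expiration

# Pull the "Expiration" value out of a Version 1 credential_process JSON file.
cred_expiration() {
  sed -n 's/.*"Expiration"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Convert an RFC 3339 UTC timestamp (2024-01-02T03:04:05Z) to epoch seconds.
# Tries BSD/macOS date first, then GNU date; prints nothing if neither parses it,
# which makes the cache look stale and forces a refresh (the safe direction).
iso_to_epoch() {
  date -u -j -f '%Y-%m-%dT%H:%M:%SZ' "$1" +%s 2>/dev/null ||
    date -u -d "$1" +%s 2>/dev/null || true
}

# Succeeds only if the cache exists, parses, and stays valid for MARGIN_SECS.
cache_is_fresh() {
  [ -r "$CACHE_FILE" ] || return 1
  cf_exp=$(cred_expiration "$CACHE_FILE")
  [ -n "$cf_exp" ] || return 1
  cf_exp_epoch=$(iso_to_epoch "$cf_exp")
  [ -n "$cf_exp_epoch" ] || return 1
  cf_now=$(date -u +%s)
  [ "$cf_exp_epoch" -gt $((cf_now + MARGIN_SECS)) ]
}

# Run the login, check the output carries an Expiration, then atomically
# replace the cache. The file holds a session secret, so it is owner-only.
refresh_cache() {
  mkdir -p "$(dirname "$CACHE_FILE")"
  rc_tmp=$(mktemp "${CACHE_FILE}.XXXXXX")   # mktemp creates it mode 0600
  if ! eval "$REFRESH_CMD" > "$rc_tmp" || [ -z "$(cred_expiration "$rc_tmp")" ]; then
    rm -f "$rc_tmp"
    echo "credential refresh failed or returned no Expiration" >&2
    return 1
  fi
  chmod 600 "$rc_tmp"
  mv "$rc_tmp" "$CACHE_FILE"
}

# Entry point for the AWS CLI: print one valid credential document on stdout.
get_credentials() {
  if ! cache_is_fresh; then
    refresh_cache
  fi
  cat "$CACHE_FILE"
}

# Only act when invoked as "wrapper.sh run", so the file can also be sourced.
case "${1:-}" in
  run) get_credentials ;;
esac
```

Point the profile at it with `credential_process = /path/to/wrapper.sh run`; the cache lives outside ~/.aws/credentials, so the CLI never reads stale keys from the shared file, and the login (and any browser or MFA prompt) only happens when the cached Expiration is within MARGIN_SECS of now.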
I will look into this tomorrow
Hi all,
Firstly I'm a big fan of this software and it really allows me to be productive, so thank you all for collaborating.
I'm a bit late here, because I hadn't updated to the new version, but I just did it today and realized this was a breaking change for me and probably for others as well.
Here's how I've been using it without having any issues:
[profile some_profile]
credential_process=saml2aws login --role arn:aws:iam::12314:role/role-name --credential-process --cache-saml --skip-prompt --quiet --profile some_profile-credentials --session-duration=28800 --idp-account some_profile --browser-autofill
Basically, the important bit here is that you can't use the same profile that saml2aws is the credential_process for as the profile it writes the credentials to. Now with the version upgrade this broke for me, because it only saves the credentials to a file when a custom credential file was passed. This wasn't exactly in the README or release notes, so I really had to read the code to find out what changed.
Personally I think this is more of a documentation problem. If the documentation about --credential-process is clear that it can't be used with the same profile name or the same file, then users shouldn't have an issue with it. This is not something saml2aws can really protect users against, because right now they can still pass --credentials-file and also set AWS_SHARED_CREDENTIALS_FILE for the AWS CLI and run into the same problem, although that's a lot less likely.
Ideally I would like to use AWS default credential file because in some cases I'll need a bit more speed and I know my token is valid, but with the last PR, it's not possible to use --credential-process with default credential file anymore. I also think this sort of flexibility and configurability is what a lot of people like about saml2aws.
Anyway, of course with open source software not everyone can get whatever features they want; I'd like to hear what others think about this.
Once a few more opinions have chimed in, I'm happy to make a PR to update the docs and, if agreed, roll back the changes.
@alFReD-NSH
I am happy either way, as long as the community feels that the underlying issue is satisfactorily fixed. We shall not get a perfect solution (as you mentioned), but we can arrive at a middle ground. Please submit a PR when ready.