saml2aws icon indicating copy to clipboard operation
saml2aws copied to clipboard

Published 20 hours ago verified publisher icon Versent

IDP account flag (-a) when logging in does not work as expected

Open luckylittle opened this issue 7 years ago • 13 comments

Steps to reproduce

saml2aws configure -a default saml2aws login -a default

Expected result

Token is saved under the default AWS profile

Actual result

aws_access_key_id, aws_secret_access_key, aws_session_token, aws_security_token are saved under the saml AWS profile

luckylittle avatar Dec 20 '17 02:12 luckylittle

So I tried to follow the AWS convention of default being the default IDP account, this is different to aws default profile.

-a, --idp-account="default"  The name of the configured IDP account

As aposed to:

-p, --profile="saml"     The AWS profile to save the temporary credentials

I do have a feature where you can configure a IDP account to save to a particular configured profile. see #102

wolfeidau avatar Dec 20 '17 02:12 wolfeidau

We are having the same issue.

  1. saml2aws configure -a prod
  2. saml2aws configure -a dev

..to configure prod and dev with distinct prod and dev URLs

  1. saml2aws login -p dev returns the following:

Using IDP Account **default** to access JumpCloud https://sso.jumpcloud.com/saml2/**prod**

....which is the wrong IDP account.

BUT

when I do

  1. saml2aws login -p dev ---idp-account=dev this works and the correct IDP account is set.

This functionality is misleading and the documentation should be updated to reflect that the login command should be used in conjunction with the --idp-account to avoid confusion.

vr00n avatar Dec 28 '17 17:12 vr00n

@vr00n can you have a look in your ~/.saml2aws and see what you have configured as far as accounts.

I am assuming you have prod configured as the default idp account.

Are you saying you think -p dev should set both the IDP and AWS profile?

If you have some suggestions on how to make this clearer I am all ears.

wolfeidau avatar Dec 28 '17 20:12 wolfeidau

Thanks @wolfeidau.

Here is a scenario:

If I have multiple (similarly named) profiles for the different IDP Accounts then having -p dev auto change the IDP account could create more (avoidable) problems and lead to reduced functionality.

Instead I think a better fix would be to update -p arg to require --idp-acount

vr00n avatar Dec 28 '17 21:12 vr00n

@vr00n, agree that the documentation can probably be more clear on this, but just to clarify in general, the trick is to remember that:

  • the configure command is used to set up a named account (the details for which are stored in the ~/.saml2aws file)
  • the login command is used to establish an AWS STS session by using one of the named accounts previously setup via the configure command. Which account is used for this is determined by the value of the -a | --idp-account flag, which (when not specified) defaults to the "default" account.
  • the -p | --profile option of the login command simply lets you provide a name for the profile into which the session credentials are saved, however this is uncorrelated to the account that is used for the login

My concern is that if the --idp-account option is made mandatory to the login command, then this inconveniences a large percentage of the user base for whom there is only ever the "default" account in use, for which the current (defaulting) behaviour "just works". My understanding is that the use of multiple accounts is a specialised case for more complex setups, and therefore I think the additional conceptual complexity is worth isolating to those cases only.

@luckylittle would it be more in line with your expectations of the login behaviour if the following logic was applied:

  • If -a | --idp-account has been specified for login, but -p | --profile has not been specified, then default the value of --profile to equal the supplied value for --idp-account
  • If neither -a | --idp-account nor -p | --profile have been specified for login, then use the current defaulting rules, i.e. --idp-account as default and --profile as saml ?

chamila-c avatar Jan 03 '18 06:01 chamila-c

If I am understanding the above correctly, you cannot have two IDP provider profiles and switch between them?

For example, we have a non-prod and a prod okta account (both have their own emails). So when we want to use the production AWS account we have to login okta using prod credentials/email

I was hoping I could do this with this tool, but if I am understanding the above correctly this is NOT the case?

f1gjam avatar Dec 07 '23 16:12 f1gjam

just to provide some more information here is the saml2aws config

` [OUR-NON-PROD] name = OUR-NON-PROD app_id = url = https://mycompany.okta.com/home/amazon_aws/1oa913nmnbI6L2Ify1t6/443 username = [email protected] provider = Okta mfa = OKTA mfa_ip_address = skip_verify = false timeout = 0 aws_urn = urn:amazon:webservices aws_session_duration = 14400 aws_profile = OUR-NON-PROD resource_id = subdomain = role_arn = region = http_attempts_count = http_retry_delay = credentials_file = saml_cache = false saml_cache_file = target_url = disable_remember_device = false disable_sessions = false download_browser_driver = false headless = false prompter =

[OUR-PROD] name = OUR-PROD app_id = url = https://mycompany.okta.com/home/amazon_aws/1oa913nmnbI6L2Ify1t6/443 username = [email protected] provider = Okta mfa = Auto mfa_ip_address = skip_verify = false timeout = 0 aws_urn = urn:amazon:webservices aws_session_duration = 3600 aws_profile = OUR-PROD resource_id = subdomain = role_arn = region = http_attempts_count = http_retry_delay = credentials_file = saml_cache = false saml_cache_file = target_url = disable_remember_device = false disable_sessions = false download_browser_driver = false headless = false `

f1gjam avatar Dec 07 '23 18:12 f1gjam

@f1gjam In your example, you can do saml2aws login -a OUR-NON-PROD or saml2aws login -a OUR-PROD to swap between the two IDP accounts

And then the aws credentials should be stored under the aws OUR-NON-PROD and OUR-PROD profiles in the aws credentials file.

tinaboyce avatar Dec 08 '23 12:12 tinaboyce

Once I login to one profile, I cannot login to the other profile ... (even if i re-type the credentials in)

Using IdP Account OUR-PROD to access Okta https://mycompany.okta.com/home/amazon_aws/1oa913nmnbI6L2Ify1t6/443 To use saved password just hit enter. ? Username [email protected] ? Password

Authenticating as [email protected] ... ? Enter verification code 111111 ? Please choose the role Account: ourprd (111222333444) / aws-accountadmins Selected role: arn:aws:iam::111222333444:role/aws-accountadmins Requesting AWS credentials using SAML assertion. Logged in as: arn:aws:sts::111222333444:assumed-role/aws-accountadmins/[email protected]

Your new access key pair has been stored in the AWS configuration. Note that it will expire at 2023-12-08 14:20:26 +0000 GMT To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile OUR-PROD ec2 describe-instances).

MYLAPTOP ~ $ saml2aws login -a OUR-NON-PROD Using IdP Account OUR-NON-PROD to access Okta https://mycompany.okta.com/home/amazon_aws/1oa913nmnbI6L2Ify1t6/443 To use saved password just hit enter. ? Username ([email protected]) <-- Assumes prod username (even though profile given above) ? Password

So then I tried to force it

MYLAPTOP ~ $ saml2aws login -a OUR-NON-PROD --force Using IdP Account OUR-NON-PROD to access Okta https://mycompany.okta.com/home/amazon_aws/1oa913nmnbI6L2Ify1t6/443 To use saved password just hit enter. ? Username ([email protected]) <--- still showing prod user?? ? Password

f1gjam avatar Dec 08 '23 13:12 f1gjam

@f1gjam I think you could onto something, I'm leaning towards you found a new bug with the Username input.

I use multiple idp account in the past but all had the same username, hence why I probably didn't encounter any issue with multiple accounts.

To test out my theory, I have updated the "default" profile with saml2aws configure -a default from [email protected] to [email protected]. When I did saml2aws login -a default, it still showing [email protected] in the Username input field, even though [email protected] was in the .saml2aws file.

(above quote is outdated as it was wrong, please see my later message)

Are you able to create a new issue with your most recent message to separate the issues?

tinaboyce avatar Dec 09 '23 02:12 tinaboyce

@f1gjam After further investigation, I have discovered something. saml2aws uses keychain (which is why it remembered your password) and in it, it ties a username to your idp url, which in this case, you had the prod user.

So sadly in your case, it won't support having multiple username for the same idp url

tinaboyce avatar Dec 09 '23 12:12 tinaboyce

@tinaboyce - thank you for looking into this.

so I need a unique IdP url - is there any other work around?

I don’t know if it’s possible to get another unique idp url. I got the current via the okta tiles link

f1gjam avatar Dec 09 '23 12:12 f1gjam

So I doubled checked this and our non prod and prod okta page link are the same links. I thought it might be different for other team members but it's not. It would be nice, if the username was pulled from keystore based on the actual username and not the URL? or something like that.

f1gjam avatar Dec 11 '23 16:12 f1gjam