
Doesn't seem to work if MFA is configured on Okta

Open pcolmer opened this issue 7 years ago • 5 comments

If my Okta account has an MFA then authenticating fails with:

Traceback (most recent call last):
  File "/usr/local/bin/awsprocesscreds-saml", line 11, in <module>
    sys.exit(saml())
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 348, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 507, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 517, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 357, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 393, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 238, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'

If I unset the MFA in Okta, authentication succeeds.

Please add support for MFA as this is going to be a requirement if we adopt this authentication model.

Thanks.

pcolmer, Dec 14 '17 12:12
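The KeyError above is what a bare `parsed['sessionToken']` produces when Okta's primary authentication call (POST /api/v1/authn) answers with status MFA_REQUIRED: that response carries a short-lived stateToken and the user's enrolled factors instead of a sessionToken, and a sessionToken only exists once one factor has been verified. The following is an added example, not awsprocesscreds code and not from the issue author, that parses the authn status, picks a code-based factor and builds the factor verify call. The sample responses are constructed (the Okta field names and endpoint shape are real, the tokens and factor ids are placeholders); `post_json` and `pass_code_for` are injected callables so the flow runs offline.

```python
"""Handling Okta authn statuses instead of assuming 'sessionToken' is present.

Okta's POST /api/v1/authn returns sessionToken only when status is SUCCESS.
With MFA enrolled it returns status MFA_REQUIRED, a stateToken and the
enrolled factors; a factor must be verified before a sessionToken exists.
Sample responses below are constructed (placeholder tokens and ids).
"""
from typing import Callable, Dict, List, Optional

SUCCESS_RESPONSE = {"status": "SUCCESS", "sessionToken": "00constructed-session-token"}
MFA_REQUIRED_RESPONSE = {
    "status": "MFA_REQUIRED",
    "stateToken": "00constructed-state-token",
    "_embedded": {"factors": [
        {"id": "smsconstructed0001", "factorType": "sms", "provider": "OKTA",
         "_links": {"verify": {"href": "https://example.okta.com/api/v1/authn/factors/smsconstructed0001/verify"}}},
        {"id": "opfconstructed0002", "factorType": "token:software:totp", "provider": "GOOGLE",
         "_links": {"verify": {"href": "https://example.okta.com/api/v1/authn/factors/opfconstructed0002/verify"}}},
    ]},
}
LOCKED_OUT_RESPONSE = {"status": "LOCKED_OUT"}


class OktaAuthError(Exception):
    """Primary auth ended in a state this client cannot continue from."""


class MFARequired(Exception):
    """Carries what the caller needs to run the second factor."""

    def __init__(self, state_token: str, factors: List[Dict]):
        super().__init__("MFA_REQUIRED")
        self.state_token = state_token
        self.factors = factors


def session_token_from_authn(parsed: Dict) -> str:
    """Replacement for the bare parsed['sessionToken'] in the traceback."""
    status = parsed.get("status")
    if status == "SUCCESS":
        return parsed["sessionToken"]
    if status == "MFA_REQUIRED":
        raise MFARequired(parsed["stateToken"], parsed["_embedded"]["factors"])
    raise OktaAuthError(f"Okta primary authentication returned status {status!r}")


# Factors answerable with one code typed at a prompt, most preferred first.
CODE_FACTORS = ("token:software:totp", "token:hardware", "sms")


def choose_factor(factors: List[Dict], preferred=CODE_FACTORS) -> Dict:
    """Pick the first enrolled factor in our preference order."""
    for factor_type in preferred:
        for factor in factors:
            if factor["factorType"] == factor_type:
                return factor
    raise OktaAuthError("no enrolled factor this client can verify: "
                        + ", ".join(f["factorType"] for f in factors))


def build_verify_request(factor: Dict, state_token: str, pass_code: Optional[str] = None):
    """URL and JSON body for POST .../factors/{id}/verify.

    Okta supplies the verify URL in the factor's _links. For sms the first
    call goes without passCode to trigger the message, the second carries it.
    """
    body = {"stateToken": state_token}
    if pass_code is not None:
        body["passCode"] = pass_code
    return factor["_links"]["verify"]["href"], body


def complete_login(primary_response: Dict,
                   post_json: Callable[[str, Dict], Dict],
                   pass_code_for: Callable[[Dict], str]) -> str:
    """Turn a parsed primary authn response into a sessionToken.

    post_json(url, body) does the HTTPS POST and returns the parsed reply
    (it should raise on Okta's HTTP 403 for a wrong code); pass_code_for(factor)
    obtains the one-time code from the user. Both are injected so the flow
    can be exercised offline.
    """
    try:
        return session_token_from_authn(primary_response)
    except MFARequired as mfa:
        factor = choose_factor(mfa.factors)
        if factor["factorType"] == "sms":
            # Verify call without a code asks Okta to send the SMS.
            url, body = build_verify_request(factor, mfa.state_token)
            post_json(url, body)
        url, body = build_verify_request(factor, mfa.state_token, pass_code_for(factor))
        # A successful verify answers with status SUCCESS and the sessionToken.
        return session_token_from_authn(post_json(url, body))
```

Push and WebAuthn factors are deliberately left out of `CODE_FACTORS`; push needs polling of the verify URL while status is MFA_CHALLENGE, which a credential helper would have to implement separately.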

+1

Menahem1, Dec 26 '17 16:12

Copy of the comment I just posted on the pull request:

Just a note that although this code does work on its own, it doesn't work with AWS CLI because the latter consumes all output received from the running authentication process. If you try to use this enhancement with AWS CLI, it appears to stall but it is actually waiting for the user to specify which MFA action to take.

My initial thought was to use sys.stderr to output the prompts but the existing awsprocesscreds code uses getpass.getpass to get the user's password and that works - apparently by writing to sys.stdout.

Also, it looks like botocore might not allow stderr to be used either: aws/aws-cli#3057

So ... not sure how to proceed. I don't know if this is something that needs to be altered in awsprocesscreds or if aws-cli needs a cleaner way of getting the results back from awsprocesscreds so that the user can be allowed to interact with awsprocesscreds?

pcolmer, Jan 09 '18 10:01

I've updated my code with a separate branch (revised_prompting) to use getpass instead of having botocore swallow the output and then confuse awsprocesscreds.

Waiting on a decision from the repo maintainers as to what is going to be done to close out this issue ...

pcolmer, Jan 17 '18 12:01
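The stall described in the two comments above comes from the credential_process contract: the AWS CLI reads the helper's stdout and parses it as a JSON document, so anything else written there is swallowed or breaks the parse. getpass.getpass works in that setting because on Unix it prompts on the controlling terminal (/dev/tty) rather than on stdout. The following is an added example, not awsprocesscreds code, of a helper that keeps all interaction on /dev/tty (falling back to stderr when there is no terminal) and writes exactly one Version 1 credential document to stdout. The factor list and credential values are constructed placeholders; a real helper would obtain them from Okta and from STS.

```python
"""Prompting from inside an aws-cli credential_process helper.

aws-cli parses everything the helper writes to stdout as JSON, so prompts
go to the controlling terminal (/dev/tty, which is also what getpass.getpass
uses on Unix when it can), falling back to stderr, and stdout carries
exactly one JSON document. Example code, not awsprocesscreds itself.
"""
import json
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def open_terminal() -> Tuple:
    """(reader, writer) for the controlling terminal; (stdin, stderr) without one."""
    try:
        tty = open("/dev/tty", "r+", buffering=1)
        return tty, tty
    except OSError:
        return sys.stdin, sys.stderr


def prompt(message: str, reader=None, writer=None) -> str:
    """Show a prompt and read one line without touching stdout."""
    if reader is None or writer is None:
        reader, writer = open_terminal()
    writer.write(message)
    writer.flush()
    line = reader.readline()
    if not line:
        raise EOFError("no terminal available to answer the MFA prompt")
    return line.strip()


def choose_factor_interactively(factors: List[Dict], reader=None, writer=None) -> Dict:
    """List the enrolled factors by number and return the one the user picks.

    An invalid answer is asked again; end of input raises EOFError.
    """
    if reader is None or writer is None:
        reader, writer = open_terminal()
    for i, f in enumerate(factors, 1):
        writer.write(f"{i}) {f['factorType']} ({f.get('provider', '?')})\n")
    while True:
        answer = prompt("MFA factor to use: ", reader, writer)
        if answer.isdigit() and 1 <= int(answer) <= len(factors):
            return factors[int(answer) - 1]
        writer.write(f"enter a number between 1 and {len(factors)}\n")


def expires_in(seconds: int) -> datetime:
    """Timezone-aware expiry, so the ISO 8601 string carries an offset."""
    return datetime.now(timezone.utc) + timedelta(seconds=seconds)


def credential_process_document(access_key_id: str, secret_access_key: str,
                                session_token: str, expiration: datetime) -> Dict:
    """The document aws-cli expects from a credential_process (Version 1)."""
    if expiration.tzinfo is None:
        raise ValueError("expiration must be timezone-aware")
    return {
        "Version": 1,
        "AccessKeyId": access_key_id,
        "SecretAccessKey": secret_access_key,
        "SessionToken": session_token,
        "Expiration": expiration.isoformat(),
    }


def emit_credentials(doc: Dict) -> None:
    """The only thing this helper ever writes to stdout."""
    sys.stdout.write(json.dumps(doc))
    sys.stdout.flush()


if __name__ == "__main__":
    # Constructed factors and placeholder credentials; a real helper gets these
    # from the Okta authn response and from STS AssumeRoleWithSAML.
    factors = [{"factorType": "sms", "provider": "OKTA"},
               {"factorType": "token:software:totp", "provider": "GOOGLE"}]
    chosen = choose_factor_interactively(factors)
    code = prompt(f"{chosen['factorType']} code: ")
    emit_credentials(credential_process_document(
        "AKIAEXAMPLE", "constructed-secret", f"constructed-session-for-{code}",
        expires_in(3600)))
```

Wired up as `credential_process = /path/to/helper` in `~/.aws/config`, the prompts appear on the terminal the CLI was started from while the CLI still receives clean JSON; in a non-interactive job with no /dev/tty the helper fails fast with EOFError instead of hanging.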

Running into this exact same issue. MFA is not optional for us. Any progress on getting support in this tool?

lorengordon, Nov 09 '18 11:11

I got exactly the same issue. Any update on this?

lapkritinis, Sep 30 '19 13:09