okta-aws-cli-assume-role
okta-aws-cli-assume-role copied to clipboard
Why is Okta SAML so slow compared to a naive implementation?
Describe the bug
Calling withOkta
while cookies.properties
is present is 3-7x slower than a naive implementation. I have also noticed that com.okta.tools.authentication.BrowserAuthentication.login()
seems to be a bit slower than com.okta.tools.saml.OktaSaml.getSamlResponseForAwsRefresh()
, but I don't quite understand why. Ideally, they would be using the same code when cookies.properties
is present and valid. A browser only needs to be opened if the cookie values are stale or a user needs to refresh their session.
To Reproduce
$ time okta-aws my-profile sts get-caller-identity
real 0m9.853s
user 0m6.332s
sys 0m0.470s
$ time pipenv run python2 get_sts_token.py
real 0m1.911s
user 0m0.507s
sys 0m0.224s
Expected behavior I would expect the Okta SAML implementation to be as fast, or faster than the Python implementation.
Additional context
import boto3
import botocore
import os
import datetime
import json
import urllib2
import re
import HTMLParser
from subprocess import call
def main():
cookes_file_path = '{0}/.okta/cookies.properties'.format(os.path.expanduser('~'))
saml_re = re.compile(r'^\s*<input name="SAMLResponse"')
html_parser = HTMLParser.HTMLParser()
role_arn = 'arn:aws:iam::1234567890:role/MY_ROLE'
principal_arn = 'arn:aws:iam::1234567890:saml-provider/Okta'
region = 'us-east-1'
with open(cookes_file_path, "r") as cookies_file:
lines = cookies_file.readlines()
opener = urllib2.build_opener()
cookies = [l.replace('\n', '') for l in filter(lambda x: x.find('#') == -1, lines)]
opener.addheaders.append(('Cookie', '; '.join(cookies)))
resp = opener.open('https://company.okta.com/app/amazon_aws/abc1234567890exz/sso/saml')
if resp.getcode() == 200:
dom_lines = resp.readlines()
START_STR = 'value="'
END_STR = '"/>'
saml_response_line = filter(lambda x: saml_re.match(x), dom_lines)[0].replace('\n','')
saml_response = html_parser.unescape(saml_response_line[saml_response_line.find(START_STR)+len(START_STR):saml_response_line.find(END_STR)])
bs = botocore.session.get_session({ 'profile': ( None, ['', ''], None, None ) })
bs.set_credentials('','','')
s = boto3.session.Session(botocore_session = bs)
client = s.client('sts', region_name = region)
assumed_role = client.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn, SAMLAssertion=saml_response)
bs = botocore.session.get_session({ 'profile': ( None, ['', ''], None, None ) })
bs.set_credentials(assumed_role['Credentials'][u'AccessKeyId'],
assumed_role['Credentials'][u'SecretAccessKey'],
assumed_role['Credentials'][u'SessionToken'])
s = boto3.session.Session(botocore_session = bs)
client = s.client('sts', region_name = region)
print(client.get_caller_identity())
else:
call(['get-okta-sts-token', '-r MY-PROFILE'])
if __name__ == "__main__":
main()