okta-aws-cli-assume-role
STS Validation Error getting 400 - Issuer Not Present
Describe the bug
A clear and concise description of what the bug is.
Run:
okta-aws test sts get-caller-identity
or
okta-aws
OUTPUT:
Auto select role as only one is available : arn:aws:iam::account:saml-provider/okta-poc
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/me/.okta/okta-aws-cli-2.0.0.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: fcd99041-88b7-11e9-958d-f9bd86177fa2)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
	at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
	at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
	at com.okta.tools.WithOkta.main(WithOkta.java:30)
To Reproduce
Have the Okta tile already working with Okta for AWS access. Set the URL and ORG properties and OKTA_BROWSER_AUTH=true.
Okta authenticates and the tile asks to select which login I want (two roles are present to assume)
^^^ After I had already failed with the undesired behavior, I am cached (is there a reference for clearing it?).
Steps to reproduce the behavior:
- Go to '...'
- Click on '....'
- Scroll down to '....'
- See error
Expected behavior
A clear and concise description of what you expected to happen.
I should be able to get a token etc. from the AWS call.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
After the authentication was cached from OKTA_BROWSER_AUTH=true. I was CLI output.
I would just like to know if it's the AWS configuration, cli or my configuration that caused this.
Machine details:
javac -version
javac 12.0.1
Mac: 16.7.0 Darwin Kernel Version 16.7.0
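The log above shows the tool auto-selecting arn:aws:iam::account:saml-provider/okta-poc as the "role" and STS then rejecting the request with "Request ARN is invalid". That pattern is consistent with the two halves of the SAML Role attribute (role ARN and saml-provider ARN, which AWS allows in either order) being confused, though that is an assumption, not something the issue confirms. The following added example, not code from okta-aws-cli-assume-role, parses such attribute values order-independently and fails fast with a readable error before any AssumeRoleWithSAML call; the sample values are constructed.

```python
import re
from typing import NamedTuple

# Each value of the SAML attribute https://aws.amazon.com/SAML/Attributes/Role
# is "arn,arn": one IAM role ARN and one IAM saml-provider ARN, either order.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):"
    r"(?P<resource_type>role|saml-provider)/(?P<name>[\w+=.@/-]+)$"
)

class SamlRole(NamedTuple):
    role_arn: str       # goes to STS as RoleArn
    principal_arn: str  # goes to STS as PrincipalArn

def arn_resource_type(arn: str) -> str:
    """Return 'role' or 'saml-provider'; raise if the ARN is neither."""
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role or saml-provider ARN: {arn!r}")
    return m.group("resource_type")

def parse_role_attribute(value: str) -> SamlRole:
    """Split one Role attribute value into (role_arn, principal_arn)
    regardless of the order in which the IdP emitted the pair."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'arn,arn' pair, got {value!r}")
    by_type = {arn_resource_type(p): p for p in parts}
    if set(by_type) != {"role", "saml-provider"}:
        raise ValueError(f"pair needs one role and one saml-provider: {value!r}")
    return SamlRole(by_type["role"], by_type["saml-provider"])

def check_assume_role_args(role_arn: str, principal_arn: str) -> None:
    """Reject swapped ARNs (or a saml-provider ARN chosen as the role) locally,
    instead of letting STS answer with a 400 ValidationError."""
    if arn_resource_type(role_arn) != "role":
        raise ValueError(f"RoleArn is not an IAM role: {role_arn}")
    if arn_resource_type(principal_arn) != "saml-provider":
        raise ValueError(f"PrincipalArn is not a saml-provider: {principal_arn}")

# Constructed sample attribute values (not taken from the issue above).
SAMPLE_VALUES = [
    "arn:aws:iam::123456789012:saml-provider/okta-poc,arn:aws:iam::123456789012:role/Dev",
    "arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/okta-poc",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        r = parse_role_attribute(v)
        check_assume_role_args(r.role_arn, r.principal_arn)
        print(r)
```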