
Login flow using this tool does not work

Open amir-hadi opened this issue 5 years ago • 4 comments

Describe the bug

I cannot log in using SAML and the AWS CLI.

To Reproduce

Steps to reproduce the behavior:

  1. okta-aws production sts get-caller-identity
  2. Select the role you want to assume (in this case role 2):

Please choose the role you would like to assume:
Account: ops (REDACTED)
	[ 1 ]: cross-account-admin
Account: production (REDACTED)
	[ 2 ]: cross-account-admin
Account: REDACTED
	[ 3 ]: cross-account-admin
Account: REDACTED
	[ 4 ]: cross-account-admin
Selection: 2

  3. See error:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/ahadi/.okta/okta-aws-cli-2.0.2.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value null at 'principalArn' failed to satisfy constraint: Member must not be null (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: f0c92191-8dde-11e9-8180-ad3956d13c9c)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
	at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
	at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
	at com.okta.tools.WithOkta.main(WithOkta.java:30)

Expected behavior

The command executes successfully and I can do AWS CLI work now.

Additional context

I tried out using OKTA_BROWSER_AUTH as well. I get signed into the AWS account I am choosing, but nothing else happens.

The Java version I am using is:

openjdk version "12.0.1" 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)

amir-hadi, Jun 13 '19 13:06
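The STS 400 in the report says that principalArn was null when AssumeRoleWithSAML was called, which is what happens when the role/provider pair handed to STS is incomplete. As an added diagnostic (not code from this project or from the reporter), the Python below pulls the AWS Role attribute values out of a SAML assertion and flags any pair that lacks a role ARN or a saml-provider ARN before the STS call is made; the assertion, account ids and provider name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the AWS-defined Role attribute name.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed sample (not a real Okta assertion): a well-formed pair, a pair in
# reverse order (AWS accepts either order), and a value missing the provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/cross-account-admin,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::210987654321:saml-provider/Okta,arn:aws:iam::210987654321:role/cross-account-admin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:role/cross-account-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_role_pairs(assertion_xml):
    """Return (role_arn, principal_arn, problem) for every AWS Role value.

    problem is None for a usable pair; otherwise it names the defect that
    would otherwise surface as an STS ValidationError on principalArn/roleArn.
    """
    root = ET.fromstring(assertion_xml)
    results = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ROLE_ARN.match(p)]
            providers = [p for p in parts if PROVIDER_ARN.match(p)]
            if len(roles) != 1:
                problem = "missing role ARN (roleArn would be null)"
            elif len(providers) != 1:
                problem = "missing saml-provider ARN (principalArn would be null)"
            elif len(parts) != 2:
                problem = "unexpected extra fields in Role value"
            else:
                problem = None
            results.append((roles[0] if roles else None,
                            providers[0] if providers else None, problem))
    return results
```

Running it against an assertion saved from the Okta app (for example one captured with a SAML tracer browser extension) shows which offered role would fail before any STS call is made.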