okta-aws-cli-assume-role

okta-credential_process not authenticating on first attempt with MFA

Open nmulvihill opened this issue 5 years ago • 0 comments

Describe the bug

When I authenticate to AWS using okta-credential_process I must authenticate twice; the first always fails.

To Reproduce

Okta config:

#OktaAWSCLI
OKTA_ORG=myorg.okta.com
OKTA_AWS_APP_URL=https://myorg.okta.com/home/amazon_aws/123456789/123
OKTA_USERNAME=okta_username
OKTA_AWS_REGION=us-east-1
OKTA_MFA_CHOICE=OKTA.sms

AWS Config:

...
[okta]
aws_saml_url = home/amazon_aws/123456789/123
...

Commands to run:

okta-credential_process arn:aws:iam::$account_id:role/$aws_role # This should then prompt for an AWS SMS token after it is sent. Instead it sends the token and fails
okta-credential_process arn:aws:iam::$account_id:role/$aws_role # Here I am properly asked for my SMS token

Expected behavior

I expect what happens on the second authentication command to happen on the first.

Screenshots

No screenshots, but here is the full bash output:

()~/.okta/ C:> okta-credential_process arn:aws:iam::$account_id:role/$aws_role
Username: okta_username
Password: 

SMS Factor Authentication 
Enter 'change factor' to use a different factor
Exception in thread "main" org.json.JSONException: JSONObject["sessionToken"] not found.
	at org.json.JSONObject.get(JSONObject.java:566)
	at org.json.JSONObject.getString(JSONObject.java:851)
	at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:287)
	at com.okta.tools.authentication.OktaMFA.smsFactor(OktaMFA.java:166)
	at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:97)
	at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
	at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
	at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
	at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
	at com.okta.tools.CredentialProcess.main(CredentialProcess.java:33)

()~/.okta/ C:> okta-credential_process arn:aws:iam::$account_id:role/$aws_role
Username: okta_username
Password: 

SMS Factor Authentication 
Enter 'change factor' to use a different factor
An SMS message was recently sent. Please wait 30 seconds before trying again.
SMS Code: 
123456
## Okta then outputs my temporary keys

nmulvihill, Jul 02 '19 15:07