okta-aws-cli-assume-role
okta-credential_process not authenticating on first attempt with MFA
Describe the bug
When I authenticate to AWS using okta-credential_process, I must authenticate twice; the first always fails.
To Reproduce
Okta config:
#OktaAWSCLI
OKTA_ORG=myorg.okta.com
OKTA_AWS_APP_URL=https://myorg.okta.com/home/amazon_aws/123456789/123
OKTA_USERNAME=okta_username
OKTA_AWS_REGION=us-east-1
OKTA_MFA_CHOICE=OKTA.sms
AWS Config:
...
[okta]
aws_saml_url = home/amazon_aws/123456789/123
...
Commands to run:
okta-credential_process arn:aws:iam::$account_id:role/$aws_role # This should then prompt for an AWS SMS token after it is sent. Instead it sends the token and fails
okta-credential_process arn:aws:iam::$account_id:role/$aws_role # Here I am properly asked for my SMS token
Expected behavior
I expect what happens on the second authentication command to happen on the first.
Screenshots
No screenshots, but here is the full bash output:
()~/.okta/ C:> okta-credential_process arn:aws:iam::$account_id:role/$aws_role
Username: okta_username
Password:
SMS Factor Authentication
Enter 'change factor' to use a different factor
Exception in thread "main" org.json.JSONException: JSONObject["sessionToken"] not found.
at org.json.JSONObject.get(JSONObject.java:566)
at org.json.JSONObject.getString(JSONObject.java:851)
at com.okta.tools.authentication.OktaMFA.verifyAnswer(OktaMFA.java:287)
at com.okta.tools.authentication.OktaMFA.smsFactor(OktaMFA.java:166)
at com.okta.tools.authentication.OktaMFA.getSessionToken(OktaMFA.java:97)
at com.okta.tools.authentication.OktaMFA.promptForFactor(OktaMFA.java:64)
at com.okta.tools.authentication.OktaAuthentication.getOktaSessionToken(OktaAuthentication.java:87)
at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:47)
at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
at com.okta.tools.CredentialProcess.main(CredentialProcess.java:33)
()~/.okta/ C:> okta-credential_process arn:aws:iam::$account_id:role/$aws_role
Username: okta_username
Password:
SMS Factor Authentication
Enter 'change factor' to use a different factor
An SMS message was recently sent. Please wait 30 seconds before trying again.
SMS Code:
123456
## Okta then outputs my temporary keys