
aws-google-auth's Issues

Where is the SP ID in GSuite?

The instructions in the readme mention there's a URL with a number when going to Apps > SAML Apps > Settings for Amazon Web Services in GSuite/Google Apps. However, I'm not seeing any such URL.

(screenshot: 2018-05-08)

Any help on where I can get the SP ID?

RuntimeError: Could not find SAML response, check your credentials

I seem to be having sporadic issues with logging in with 2FA. Following a login and clicking the 'Yes' button in the google app, I get an error asking me to check my creds. The full error is below.

Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ...
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/google.py", line 208, in parse_saml
    saml_element = parsed.find('input', {'name': 'SAMLResponse'}).get('value')
AttributeError: 'NoneType' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 224, in main
    cli(cli_args)
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 63, in cli
    process_auth(args, config)
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 185, in process_auth
    saml_xml = google_client.parse_saml()
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/google.py", line 210, in parse_saml
    raise RuntimeError('Could not find SAML response, check your credentials')
RuntimeError: Could not find SAML response, check your credentials

Most times this goes away after I try again a few times, but this time it is not going away. Any ideas?

'NoneType' object has no attribute 'get'

$ aws-google-auth -I C01sopdwp -S 135372135477 -u "$MY_EMAIL" -R us-east-1 -d 3600 -p terraform_state -a

Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 53, in main
    cli(sys.argv[1:])
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 152, in cli
    google_client.do_login()
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/google.py", line 136, in do_login
    sess = self.handle_prompt(sess)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/google.py", line 244, in handle_prompt
    data_key = response_page.find('div', {'data-api-key': True}).get('data-api-key')
AttributeError: 'NoneType' object has no attribute 'get'

Not sure what's happening. I get this after entering my password and doing the MFA challenge from Google Prompt.

Google Prompt requires me to choose one of 3 numbers

Trying to authenticate with Google Prompt on my phone, it's asking me to confirm which one of 3 numbers is displayed by the app trying to log in. I don't see this anywhere; should this module be parsing that number from the response from Google?

It may be due to running the auth attempt from our build server, which would not be one of my normal IPs/access patterns.

Feature Request: Close Captcha

Once the Captcha is input, we don't need to keep the window around anymore. If we did something (like kept record of the PID) we could kill the process containing the image once the user input it.

That way we don't have a bunch of windows opening and sticking around.

Feature: assume cross account role

Congrats! This is a useful tool 👍

Though we could improve it for cross-account AWS setup.

Some might find it easier to manage federated SSO if it is mapped to a few roles of an Accounts AWS account (X on the diagram). Other AWS accounts' roles are mapped to the Accounts' roles, e.g. Dev roles on Staging and Production accounts have cross-account trust to the Dev role on X, etc. That way only a few values need to be pushed to Google user profiles, and it scales as the number of AWS accounts increases.

Diagram:

# Currently supported multirole through custom multi-value profile field:
# --role-arn A
               -> { Option A   -> AWS Acc X, Role A
Google SSO App -> { Option B   -> AWS Acc X, Role B
               -> { Option C   -> AWS Acc X, Role C
                  
#Proposed for cross account setup
# --role-arn Dev --xa-role-arn Z-Dev [--xa-role-profile]
                                                            -> { Acc Y, Role Dev
Google SSO App -> { Option Dev   -> AWS Acc X, Role Dev     -> { Acc Z, Role Dev

                                                            -> { Acc Y, Role Admin
               -> { Option Admin -> AWS Acc X, Role Admin   -> { Acc Z, Role Admin

With the current state of the tool, assuming a cross-account role for the CLI requires something like:

aws-google-auth -a --sp-id 123456 --idp-id C01example --username [email protected]

aws sts assume-role --role-arn "arn:aws:iam::123455678:role/Dev" --profile sts

# here you need to parse output of the prev command and, for example, export it to env:

export AWS_ACCESS_KEY_ID=XKLKJLDFLDKLF
export AWS_SECRET_ACCESS_KEY="EXAMPLESECRET"
export AWS_SESSION_TOKEN="TOKENFOO"

It would be nice to add a feature to assume STS credentials for the --xa-role-arn option and write the profile to the config with --xa-role-profile.

Improvement: Use credential_process instead of locally storing credentials

Hi.

Instead of storing the credentials in the .aws/credentials, we could adapt this lib to use the credential_process method of authentication (https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes).

To do that, we have to change the script to print to stdout:

{
  "Version": 1,
  "AccessKeyId": "ACCESS_KEY",
  "SecretAccessKey": "SECRET_KEY",
  "SessionToken": "SESSION_TOKEN",
  "Expiration": "EXPIRATION"
}

And then add a line to the .aws/config file:

[profile AWS_PROFILE_NAME]
region=AWS_REGION_NAME
credential-process=aws-google-auth -r AWS_ROLE_ARN

It would work even better if we stored the password of the user (#26), so we could do things like auto-renew of the credentials.

Ability to enter U2F via paste

Hello, and apologies if this is a naive or impossible request.

I have a YubiKey Neo, and in conjunction with the AuthLite iOS app, I can perform a NFC touch of my YubiKey Neo to my iPhone, and via clipboard sharing, I can paste the string generated in and authenticate to Google this way, without having to plug the device in, which is a pain since newer Macbooks have USB-C and the Neo only comes in USB-A.

The ask here: would it be possible to allow the string to be pasted in, in lieu of actually having the YubiKey plugged into my USB port?

Thanks for the great auth utility!

Remember the device when aws-google-auth was used

When using this wonderful piece of tech to authenticate I get warnings from Google on a regular basis:

  • "New device just logged in!"
  • "Was that you?"
  • etc

Is this a known problem? Is there a way to store some kind of token / identifier / etc that allows google to remember that this device did already authenticate?

default when only one role to assume

Hi, when we have only one role to assume, the following dialog is prompted. If I press a simple enter without choosing 1, I face this error:

Type the number (1 - 1) of the role to assume:

Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 226, in main
    cli(cli_args)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 65, in cli
    process_auth(args, config)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 213, in process_auth
    config.role_arn, config.provider = util.Util.pick_a_role(roles)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/util.py", line 53, in pick_a_role
    return list(roles.items())[int(choice) - 1]
ValueError: invalid literal for int() with base 10: 'Type the number (1 - 1) of the role to assume:'

main() takes exactly 1 argument (0 given)

I'm getting the following error, introduced in 48d22e4 (Determined by git bisect). I don't have the time to dig right now, but I will later.

$ aws-google-auth --help 
Traceback (most recent call last):
  File "/Users/mide/virtualenv/aws-google-auth-dev/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth', 'console_scripts', 'aws-google-auth')()
TypeError: main() takes exactly 1 argument (0 given)

Remove Support for Python 2.6

This is a landing page for people to discuss the end of support of Python 2.6.

As of aws-google-auth version 0.0.16, there will be no support for Python 2.6. Feel free to check out the pull request (#38) for more information.

Contributing Factors:

  • pip doesn't support 2.6 since fall 2016 pypa/pip#3955
  • pytest doesn't support 2.6 since fall 2017 pytest-dev/pytest#2812
  • setuptools doesn't support 2.6 since fall 2017 pypa/setuptools#878
  • Many other tools look like they're moving in this direction (and eventually moving to remove all 2.* support, but we're not going that far yet.)

Error in case of extra comma

Hi and thanks for good tool. It is much better than my custom script.
I had an error today:

  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.8', 'console_scripts', 'aws-google-auth')()
  File "/Library/Python/2.7/site-packages/aws_google_auth/__init__.py", line 327, in cli
    roles = dict([x.split(',') for x in doc.xpath('//*[@Name = "https://aws.amazon.com/SAML/Attributes/Role"]//text()')])
ValueError: dictionary update sequence element #0 has length 3; 2 is required

So the problem is that I had configured:
<role-arn>,<idp-arn>, - for all my roles. And this is a valid description for AWS. All login operations work fine.

Solution:
In my case, I updated the Google Attributes for the user - removed the second comma.
I don't know if this needs to be checked somehow in this tool; perhaps someone will find the error and apply the same solution.
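The trailing-comma crash above comes from `dict([x.split(',') ...])`, which turns `a,b,` into a three-element list. The following added example (not aws-google-auth's own code) parses the AWS SAML Role attribute tolerantly, accepting either ARN order and ignoring empty fragments, and reports a readable error for anything else. The sample attribute values are constructed.

```python
"""Tolerant parser for AWS SAML Role attribute values.

Added example, not aws-google-auth's own code. Each attribute value is
"<role-arn>,<saml-provider-arn>" (AWS accepts either order). The original
dict([x.split(',') ...]) fails on a trailing comma because
'a,b,'.split(',') has three elements.
"""
import re

# Constructed sample attribute values: the trailing-comma case from the
# issue, the two ARNs in reversed order, and stray whitespace.
SAMPLE_ROLE_ATTRIBUTES = [
    "arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/Google,",
    "arn:aws:iam::123456789012:saml-provider/Google,arn:aws:iam::123456789012:role/Admin",
    "  arn:aws:iam::210987654321:role/ReadOnly , arn:aws:iam::210987654321:saml-provider/Google  ",
]

ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:saml-provider/[\w._-]+$")


class RoleAttributeError(ValueError):
    """Raised with the offending value instead of an opaque dict() error."""


def parse_role_attribute(value):
    """Return (role_arn, provider_arn) from one attribute value.

    Empty fragments (trailing comma) and surrounding whitespace are
    ignored; anything other than exactly one role ARN plus one
    saml-provider ARN is rejected.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if len(parts) != 2:
        raise RoleAttributeError(
            "expected '<role-arn>,<provider-arn>', got %r" % value)
    roles = [p for p in parts if ROLE_ARN.match(p)]
    providers = [p for p in parts if PROVIDER_ARN.match(p)]
    if len(roles) != 1 or len(providers) != 1:
        raise RoleAttributeError(
            "need one role ARN and one saml-provider ARN, got %r" % value)
    return roles[0], providers[0]


def is_valid_role_attribute(value):
    """Boolean form of parse_role_attribute for quick checks."""
    try:
        parse_role_attribute(value)
    except RoleAttributeError:
        return False
    return True


def parse_roles(values):
    """Map role ARN -> provider ARN for all attribute values.

    A duplicated role ARN is an error rather than silently keeping the
    last mapping, which is what a plain dict() would do.
    """
    roles = {}
    for value in values:
        role, provider = parse_role_attribute(value)
        if role in roles:
            raise RoleAttributeError("duplicate role %s" % role)
        roles[role] = provider
    return roles


if __name__ == "__main__":
    for role, provider in sorted(parse_roles(SAMPLE_ROLE_ATTRIBUTES).items()):
        print(role, "->", provider)
```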

Enhance usability allowing password from stdin when not in a tty

Hello, first of all thank you for this project, it's really helpful!

I would like to propose a change to increase integration possibilities of this tool with other security tools ( mainly a password manager ).

Currently due to the implementation of password read you face 2 choices:

  1. write the password when asked ( which ends with copy-paste if you have a complex password )
  2. use the keyring

The implementation is in aws_google_auth/__init__.py#L168:L178:

        # There is no way (intentional) to pass in the password via the command
        # line nor environment variables. This prevents password leakage.
        if config.keyring:
            keyring_password = keyring.get_password(
                "aws-google-auth", config.username)
            if keyring_password:
                config.password = keyring_password
            else:
                config.password = getpass.getpass("Google Password: ")
        else:
            config.password = getpass.getpass("Google Password: ")

Option 2 avoids copy-paste but lacks flexibility: if the password changes often, you still have no other choice than copy-paste.
Option 1 is tedious, as you have to copy-paste your password at each login. Plus, working with multiple accounts makes this more tedious. Moreover, the password is stored in the OS clipboard, which is prone to accidental paste in other places.

A general good strategy for managing passwords is a password manager. That could avoid usability issues in both option 1 and 2 ( password is always up to date and there could be no need to copy-paste ).

Unfortunately as aws-google-auth does not implement any non-tty input method, there is no way to directly pipe the output of the password manager in the getpass input. That would be really handy, and would increase security.

The objection that could be raised in letting the user do this is that it allows passing the password from the command line. In my opinion, however, there could be a way that respects your concerns for password leakage ( please note that copy-paste does not reduce that risk whatsoever ) while increasing usability.

The implementation I'm looking at is along the line of:

import getpass
import sys

if sys.stdin.isatty():
    password = getpass.getpass("Google Password: ")
else:
    # strip the trailing newline a piped password manager emits
    password = sys.stdin.readline().rstrip('\n')

This would keep the current behaviour while allowing a direct pipe from another program into this tool:

$ password-manager show password | aws-google-auth

In my opinion it also has enough friction to discourage users from writing the password in the terminal ( like echo "password" | aws-google-auth ): writing echo ... | is way less handy than using the interactive method.

Thank you for considering this feature request.

Configuration strings

Hi there, just curious if there is a reason for not accepting unicode objects as well as strings in the configuration.py library.

python2 broken on reading existing config

When using python2.7 for 0.0.19, I get:

[email protected] ~ $ aws-google-auth -a --resolve-aliases 
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Traceback (most recent call last):
  File "/usr/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.19', 'console_scripts', 'aws-google-auth')()
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 54, in main
    cli(sys.argv[1:])
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 79, in cli
    config.read(config.profile)
  File "/usr/lib/python2.7/site-packages/aws_google_auth/configuration.py", line 182, in read
    read_ask_role = config_parser[profile_string].getboolean('google_config.ask_role', None)
AttributeError: RawConfigParser instance has no attribute '__getitem__'

because the python3 syntax for RawConfigParser to get a whole section via config_parser['section name'] is not available in the native python2.7 configparser

A version-independent syntax would be config_parser.getboolean(profile_string, item) or config_parser.getint(profile_string, item)

Using keystore has unicode issue

I've successfully logged in and stored a password in the keystore, when I attempt to reauthenticate it fails with a unicode issue.

$ aws-google-auth -p cevo-dev --duration 43200 -k
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth', 'console_scripts', 'aws-google-auth')()
  File "/Users/steve.mactaggart/development/cevo/aws-google-auth/aws_google_auth/__init__.py", line 224, in main
    cli(cli_args)
  File "/Users/steve.mactaggart/development/cevo/aws-google-auth/aws_google_auth/__init__.py", line 63, in cli
    process_auth(args, config)
  File "/Users/steve.mactaggart/development/cevo/aws-google-auth/aws_google_auth/__init__.py", line 181, in process_auth
    config.raise_if_invalid()
  File "/Users/steve.mactaggart/development/cevo/aws-google-auth/aws_google_auth/configuration.py", line 117, in raise_if_invalid
    assert (self.password.__class__ is str), "Expected password to be a string. Got {}.".format(self.password.__class__)

AssertionError: Expected password to be a string. Got <type 'unicode'>.

--help broken in 0.0.8 (Python 3 support)

Minor grumble, just installed the 0.0.8 release with pip3 and running aws-google-auth --help

breaks with:

$ aws-google-auth --help
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.8', 'console_scripts', 'aws-google-auth')()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 561, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2631, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2291, in load
    return self.resolve()
  File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2297, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 55
    print "WARNING: Clamping duration_seconds to 3600"
                                                     ^
SyntaxError: Missing parentheses in call to 'print'

Turn U2F off by default and remove error message

Currently in version 0.0.19 both with and without the --disable-u2f you get an error message:

$ aws-google-auth --disable-u2f
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
$ aws-google-auth
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:

Given how uncommon U2F is, could we disable it by default and not print the Failed to import U2F libraries error unless --enable-u2f is passed?

Simplify settings credentials in the shell

Both the docker run and the local-install Python methods simply print acquired credentials to the screen, requiring the user to copy-and-paste them back into the terminal in order to become active. This is a bit lame.

We should provide some simple bash/zsh wrappers which can be used to eval the credentials into the running shell, so this step isn't necessary.

Sometimes GALX goes missing

Sometimes, it seems that Google doesn't emit a GALX cookie or hidden value in the initial page returned from hitting the SSO signin url. This breaks keyme, because it assumes that the value is always there.

It's not yet clear whether this is something google does randomly, or in response to certain circumstances, or whether I've accidentally stumbled on a coincidental change in behaviour, but the tool shouldn't crash with a nasty stack trace in any case:

Traceback (most recent call last):
  File "/usr/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.1', 'console_scripts', 'aws-google-auth')()
  File "/usr/lib/python2.7/site-packages/aws_google_auth/aws_google_auth.py", line 70, in main
    google.session = google.login_to_google()
  File "/usr/lib/python2.7/site-packages/keyme/__init__.py", line 74, in login_to_google
    galx = decoded.find('input', {'name': 'GALX'}).get('value')
AttributeError: 'NoneType' object has no attribute 'get'

Unable to install aws-google-auth with U2F libraries

When executing the command line:
sudo pip install aws-google-auth[u2f]
I got this error:
no matches found: aws-google-auth[u2f]

Could you help me with this?

The command line sudo pip install aws-google-auth works well. The tool is installed but I got the message Failed to import U2F libraries, U2F login unavailable. Other methods can still continue. when I try to run the tool.

Unit Tests will always fail because 'ask_role' is defaulted to 'False'

I am trying to get UnitTests to work:

python -m unittest discover . "test*.py"

I get 4 failures and they all seem to be for the same underlying reason.

Am I right that this clever coalesce function:

        # Ask Role (Option priority = ARGS, ENV_VAR, DEFAULT)
        config.ask_role = bool(coalesce(
            args.ask_role,
            os.getenv('AWS_ASK_ROLE'),
            config.ask_role))

will always return 'False', as the value in args.ask_role is not None: it is set to False by default in configuration.py, in class Configuration:

        # Set up some defaults. These can be overridden as fit.
        self.ask_role = False
        ...
        ...

In this case, the value can never be overridden by environment??

(This also maybe flags the importance of Unit Tests in Travis Build ....)
Happy to be shot down!
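To make the priority bug concrete, here is an added example (not aws-google-auth's own code) that reproduces `coalesce` and resolves `ask_role` twice: once with a CLI default of `False`, where the environment variable can never win, and once with a default of `None`, where it can. The `str_to_bool` conversion of `AWS_ASK_ROLE` is an assumption added here; the page's code passes the raw string to `bool()`.

```python
"""Why a False CLI default defeats ARGS > ENV_VAR > DEFAULT coalescing.

Added example, not aws-google-auth's own code. coalesce() returns the first
argument that is not None, so an argparse default of False (instead of
None) is always "present" and the environment variable is never consulted.
"""
import argparse


def coalesce(*values):
    """First value that is not None, or None if all are None."""
    for value in values:
        if value is not None:
            return value
    return None


def str_to_bool(value):
    """Environment variables are strings; bool('false') would be True.
    Assumed helper, not from the page."""
    if value is None:
        return None
    return value.strip().lower() in ("1", "true", "yes", "on")


def resolve_ask_role(argv, environ, arg_default):
    """Resolve ask_role with priority ARGS, ENV_VAR, DEFAULT.

    arg_default is what argparse assigns when --ask-role is absent:
    False reproduces the behaviour in the issue, None is the fix.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--ask-role", dest="ask_role", action="store_true",
                        default=arg_default)
    args = parser.parse_args(argv)
    config_default = False  # Configuration.ask_role default
    return bool(coalesce(args.ask_role,
                         str_to_bool(environ.get("AWS_ASK_ROLE")),
                         config_default))


if __name__ == "__main__":
    env = {"AWS_ASK_ROLE": "true"}
    print("default False:", resolve_ask_role([], env, False))  # bug: False
    print("default None: ", resolve_ask_role([], env, None))   # fixed: True
```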

Random errors: AttributeError: 'NoneType' object has no attribute 'get'

Open the Google App, and tap 'Yes' on the prompt to sign in ...
Traceback (most recent call last):
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/google.py", line 259, in parse_saml
    'name': 'SAMLResponse'
AttributeError: 'NoneType' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 226, in main
    cli(cli_args)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 65, in cli
    process_auth(args, config)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 187, in process_auth
    saml_xml = google_client.parse_saml()
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/google.py", line 263, in parse_saml
    'Could not find SAML response, check your credentials')
RuntimeError: Could not find SAML response, check your credentials

Any idea?

'NoneType' object has no attribute 'get'

I'm using version 0.0.5 of the library and have set configuration via environment variables, but am having issues.

$ export GOOGLE_IDP_ID=<google_idp_id>
$ export GOOGLE_SP_ID=<google_sp_id>
$ export GOOGLE_USERNAME=<my_email_address>

When running aws-google-auth I get the following issue.

Password: 
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 229, in cli
    google.do_login()
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 137, in do_login
    tl = response_page.find('input', {'name': 'TL'}).get('value')
AttributeError: 'NoneType' object has no attribute 'get'

Create credentials either relative to AWS_CONFIG_FILE (if not null) or use another variable AWS_CREDENTIALS_FILE

Create credentials either relative to AWS_CONFIG_FILE (if not null) or use another variable AWS_CREDENTIALS_FILE to provide the location of credentials files.

https://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html

Getting exception:

 aws-google-auth -D --no-cache  -d 3400 -p default
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google username: [email protected]
Google Password: 
Open the Google App, and tap 'Yes' on the prompt to sign in ...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.7/site-packages/aws_google_auth/amazon.py", line 75, in resolve_aws_alias
    saml = self.sts_client.assume_role_with_saml(RoleArn=role,
  File "/usr/lib/python2.7/site-packages/aws_google_auth/amazon.py", line 20, in sts_client
    return boto3.client('sts', region_name=self.config.region)
  File "/usr/lib/python2.7/site-packages/boto3/__init__.py", line 83, in client
    return _get_default_session().client(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/boto3/session.py", line 263, in client
    aws_session_token=aws_session_token, config=config)
  File "/usr/lib/python2.7/site-packages/botocore/session.py", line 828, in create_client
    verify = self.get_config_variable('ca_bundle')
  File "/usr/lib/python2.7/site-packages/botocore/session.py", line 279, in get_config_variable
    elif self._found_in_config_file(methods, var_config):
  File "/usr/lib/python2.7/site-packages/botocore/session.py", line 306, in _found_in_config_file
    return var_config[0] in self.get_scoped_config()
  File "/usr/lib/python2.7/site-packages/botocore/session.py", line 383, in get_scoped_config
    raise ProfileNotFound(profile=profile_name)
ProfileNotFound: The config profile (default) could not be found

DURATION=3600 aws-google-auth fails to parse env variable

$ DURATION=3600 aws-google-auth
...
Traceback (most recent call last):
  File "/Users/stan/src/cevo-aws/bin/aws-google-auth", line 11, in <module>
    sys.exit(cli())
  File "/Users/stan/src/cevo-aws/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 324, in cli
    DurationSeconds=args.duration)
  File "/Users/stan/src/cevo-aws/lib/python2.7/site-packages/botocore/client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/stan/src/cevo-aws/lib/python2.7/site-packages/botocore/client.py", line 573, in _make_api_call
    api_params, operation_model, context=request_context)
  File "/Users/stan/src/cevo-aws/lib/python2.7/site-packages/botocore/client.py", line 628, in _convert_to_request_dict
    api_params, operation_model)
  File "/Users/stan/src/cevo-aws/lib/python2.7/site-packages/botocore/validate.py", line 291, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid type for parameter DurationSeconds, value: 3600, type: <type 'str'>, valid types: <type 'int'>, <type 'long'>

How does this work with 2fa?

If I run aws-google-auth I'm not prompted for a 2FA pin.

And I get this error:

Traceback (most recent call last):
  File "C:\ProgramData\chocolatey\lib\python3\tools\Scripts\aws-google-auth-script.py", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.25', 'console_scripts', 'aws-google-auth')()
  File "c:\programdata\chocolatey\lib\python3\tools\lib\site-packages\aws_google_auth\__init__.py", line 224, in main
    cli(cli_args)
  File "c:\programdata\chocolatey\lib\python3\tools\lib\site-packages\aws_google_auth\__init__.py", line 63, in cli
    process_auth(args, config)
  File "c:\programdata\chocolatey\lib\python3\tools\lib\site-packages\aws_google_auth\__init__.py", line 184, in process_auth
    google_client.do_login()
  File "c:\programdata\chocolatey\lib\python3\tools\lib\site-packages\aws_google_auth\google.py", line 139, in do_login
    profile_information = challenge_page.find('input', {'name': 'ProfileInformation'}).get('value')
AttributeError: 'NoneType' object has no attribute 'get'

Google Prompt 2FA broken. "raise ValueError(response)" in google.py check_extra_step()

I just tested out 0.0.23 and 0.0.22, but I receive an error when I get to the 2-factor step.

First the CLI asks me for my google password, then it responds with an error:

Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
This extra step shows that it’s really you trying to sign in
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.22', 'console_scripts', 'aws-google-auth')()
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 54, in main
    cli(sys.argv[1:])
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/__init__.py", line 159, in cli
    google_client.do_login()
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/google.py", line 127, in do_login
    self.check_extra_step(response_page)
  File "/usr/local/lib/python3.6/site-packages/aws_google_auth/google.py", line 163, in check_extra_step
    raise ValueError(response)
ValueError: {Some HTML}

I tried dumping the html to a file and opening it, which resulted in this:

(screenshot of the dumped HTML)

So it seems that 0.0.22 has broken the "Google Prompt" 2-factor challenge. I have not tested other 2FA methods.

I tested out 0.0.22, which shows the same issue. 0.0.21 does not suffer from the same problem though.

"SyntaxError: unexpected EOF while parsing" using security key

I got the following exception after inserting my key and pressing enter.

No U2F device found. 5 attempts remaining.
Insert your U2F device and press enter to try again...
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.18', 'console_scripts', 'aws-google-auth')()
  File "/Library/Python/2.7/site-packages/aws_google_auth/__init__.py", line 53, in main
    cli(sys.argv[1:])
  File "/Library/Python/2.7/site-packages/aws_google_auth/__init__.py", line 152, in cli
    google_client.do_login()
  File "/Library/Python/2.7/site-packages/aws_google_auth/google.py", line 138, in do_login
    sess = self.handle_sk(sess)
  File "/Library/Python/2.7/site-packages/aws_google_auth/google.py", line 184, in handle_sk
    input("Insert your U2F device and press enter to try again...")
  File "<string>", line 0
    
    ^
SyntaxError: unexpected EOF while parsing

Feature: auto-detect and prompt to renew expired temporary security credentials

First, I love this tool and thank you very much for making it. I'm using it in conjunction with other CLI tools like awsudo, awscli, Ansible and Terraform, and it makes it really easy to securely manage multiple AWS accounts through IAM Roles from CLI.

The only issue I have with it, is that it doesn't automatically prompt me to re-enter my Google credentials when temporary AWS security credentials issued with AssumeRoleWithSAML have expired.

Right now my workflow is as follows:

  1. store temp creds under 'saml' profile in ~/.aws/credentials using aws-google-auth -p saml
  2. use various CLI utilities which support shared credentials files (~/.aws/credentials & ~/.aws/config)
  3. get an authentication error and a failed/interrupted command execution when the 3600 seconds have run out
  4. repeat step 1

I would love to have this tool to also support the following workflow:

  1. run aws-google-auth -p saml -- ANY_CLI_COMMAND
  2. if the temp creds stored in ~/.aws/credentials have already expired or are about to expire (e.g. T - 300s), prompt for Google credentials and insert new temp credentials into ~/.aws/credentials
  3. let ANY_CLI_COMMAND execute

For an example of such implementation see awsudo.
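The expiry check described in step 2 of the requested workflow, as an added example that is not part of this issue or of aws-google-auth itself. It parses a constructed ~/.aws/credentials-style file and decides whether the profile must be renewed before a command runs. The `aws_session_expiration` key and the placeholder key values are assumptions made for the example; the real tool may record the expiry under a different name, or not at all.

```python
# Added example, not aws-google-auth's own code: check whether the temporary
# credentials stored under a profile in an ~/.aws/credentials-style file have
# expired or are about to, so a wrapper can re-authenticate before running a
# command. The "aws_session_expiration" key is an assumption made for this
# example; the real tool may record the expiry under another name, or not at all.
import configparser
from datetime import datetime, timedelta, timezone

# Constructed sample file contents (placeholder keys, not real credentials).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT
aws_secret_access_key = example-long-term-secret

[saml]
aws_access_key_id = ASIAEXAMPLESAMLKEY
aws_secret_access_key = example-temporary-secret
aws_session_token = example-session-token
aws_session_expiration = 2018-08-02T17:19:07+00:00
"""

RENEW_MARGIN = timedelta(seconds=300)  # renew when less than T-300s remain


def load_profile(text, profile):
    """Parse credentials-file text; return the profile's keys as a dict, or None."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(profile):
        return None
    return dict(parser.items(profile))


def _as_utc(iso_text):
    """Parse an ISO-8601 timestamp; treat a naive one as UTC."""
    value = datetime.fromisoformat(iso_text)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def needs_renewal(profile_values, now_iso):
    """
    True when the profile is missing, holds no session token (so it is not a
    temporary credential), records no expiry, or expires within RENEW_MARGIN
    of `now_iso`. Missing information is treated as "renew", never as "fresh".
    """
    if profile_values is None or "aws_session_token" not in profile_values:
        return True
    expiry_text = profile_values.get("aws_session_expiration")
    if not expiry_text:
        return True
    return _as_utc(expiry_text) - _as_utc(now_iso) <= RENEW_MARGIN


def seconds_remaining(profile_values, now_iso):
    """Seconds until expiry (negative if already expired), or None if unknown."""
    expiry_text = (profile_values or {}).get("aws_session_expiration")
    if not expiry_text:
        return None
    return int((_as_utc(expiry_text) - _as_utc(now_iso)).total_seconds())


if __name__ == "__main__":
    saml = load_profile(SAMPLE_CREDENTIALS, "saml")
    now = datetime.now(timezone.utc).isoformat()
    if needs_renewal(saml, now):
        print("profile 'saml' needs renewal; run aws-google-auth -p saml first")
    else:
        print("profile 'saml' still valid for", seconds_remaining(saml, now), "s")
```

A wrapper built on this would call `needs_renewal` before exec'ing ANY_CLI_COMMAND and only then prompt for Google credentials; treating a missing expiry or a profile without a session token as "renew" errs on the side of prompting rather than letting a long-running command fail mid-way.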

Never emits creds to stdout any more

The profile support changes broke emitting credentials to stdout -- if no profile is specified, it always uses the name default which results in updating a credentials file.

This also breaks the dockerised workflow, because the credentials file that's updated is inside the container, instead of being the user's credentials file.

Feature: Remove 3600 seconds duration limit

Hi.

If I try to set the duration parameter to more than 3600 seconds, an error is returned:

Duration must be less than or equal to 3600

But, from what I understand from the documentation, the real limit for most cases is 129600 seconds, given that the 3600 seconds limitation only applies to root accounts:

The GetSessionToken action must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.

(Reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html)

Can we remove this limitation, then?
Or maybe just print it as a warning, but without altering the DURATION parameter (__init__.py#L400)

Thanks!

Google added numerical codes to the challenge

I do 2-factor auth with a Google prompt on my phone. Recently, they have added a multiple choice numerical code to the challenge. I saved and opened the HTML for the auth page, and here is what it looks like:

screen shot 2018-05-21 at 9 57 48 pm

Then, the prompt on my phone asks me to choose between several numbers. I am expected to choose the one that appears on the auth page (in this case, 91). However, this was not displayed in the command line, so I was unable to complete the challenge without guessing. I believe all that's necessary is to parse this number from the HTML and echo it.

If you're interested in supporting this, I can provide the HTML for the auth page in a Gist or something. Or I could put in a PR.

Feature Request: Support for Google Prompt push notification

When Google Prompt enabled for 2-Step verification the following error is generated. It would be really nice to have support for Google Prompt.

$ aws-google-auth
Setting duration to 3600 seconds
Password:
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 9, in <module>
    load_entry_point('aws-google-auth==0.0.5', 'console_scripts', 'aws-google-auth')()
  File "/Library/Python/2.7/site-packages/aws_google_auth/__init__.py", line 229, in cli
    google.do_login()
  File "/Library/Python/2.7/site-packages/aws_google_auth/__init__.py", line 140, in do_login
    challenge_id = challenge_url.split("totp/")[1]
IndexError: list index out of range

botocore.exceptions.ProfileNotFound: The config profile (xxx-xxx) could not be found

I get this sometimes:

$ aws-google-auth --idp-id qqqqqqqq --sp-id 123456879 --username [email protected] --duration 43200 --role-arn arn:aws:iam::6666666666:role/sso/sso-administrator --profile xxx-xxx --keyring
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Open the Google App, and tap 'Yes' on the prompt to sign in ...
Assuming arn:aws:iam::6666666666:role/sso/sso-administrator
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 226, in main
    cli(cli_args)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 65, in cli
    process_auth(args, config)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/__init__.py", line 216, in process_auth
    print("Credentials Expiration: " + format(amazon_client.expiration.astimezone(get_localzone())))
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/amazon.py", line 50, in expiration
    return self.token['Credentials']['Expiration']
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/amazon.py", line 29, in token
    self.__token = self.sts_client.assume_role_with_saml(
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/aws_google_auth/amazon.py", line 20, in sts_client
    return boto3.client('sts', region_name=self.config.region)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/boto3/__init__.py", line 91, in client
    return _get_default_session().client(*args, **kwargs)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/boto3/__init__.py", line 80, in _get_default_session
    setup_default_session()
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/boto3/__init__.py", line 34, in setup_default_session
    DEFAULT_SESSION = Session(**kwargs)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/boto3/session.py", line 80, in __init__
    self._setup_loader()
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/boto3/session.py", line 120, in _setup_loader
    self._loader = self._session.get_component('data_loader')
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 729, in get_component
    return self._components.get_component(name)
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 946, in get_component
    self._components[name] = factory()
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 186, in <lambda>
    lambda:  create_loader(self.get_config_variable('data_path')))
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 281, in get_config_variable
    elif self._found_in_config_file(methods, var_config):
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 308, in _found_in_config_file
    return var_config[0] in self.get_scoped_config()
  File "/Users/max.williams/Library/Python/3.6/lib/python/site-packages/botocore/session.py", line 385, in get_scoped_config
    raise ProfileNotFound(profile=profile_name)
botocore.exceptions.ProfileNotFound: The config profile (xxx-xxxx) could not be found

Question: does your project use open APIs or some "hack"?

Hi, this project looks great.

I have a question I hope you have the time to answer:
Does this project use some public Google APIs or does it use some kind of "hack"?

I don't have much knowledge about SAML and SSO, which my question may reflect. But I can see that Okta has a command line tool which allows one to easily acquire temporary credentials for federated users and update the .aws/credentials file. That project, as I understand it, calls an Okta API to acquire a SAML assertion which is then forwarded to an AWS API.

I have read that Google does not expose their API for this, for which reason one must do stuff like browser automation to log in the user. The reason why I ask is because I am looking for a relatively stable solution that allows for easily changing AWS credentials to shift between accounts. (And Okta's product is too expensive)

Before finding your project, I considered creating a G Suite version of Okta's tool, but I dropped the project since I could not find any way to acquire a SAML assertion from G Suite. Now I have found your project which seems to have solved the problem I had.

Possible to show account aliases with role ARNs?

Currently it looks like this when we have to choose which account role to assume:

$ aws-google-auth --idp-id xxxxxxx --sp-id 6666666 --username [email protected] --duration 43200 --ask-role
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ...
[  1] arn:aws:iam::111111:role/sso/sso-administrator
[  2] arn:aws:iam::22222:role/sso/sso-administrator
[  3] arn:aws:iam::333333:role/sso/sso-administrator
[  4] arn:aws:iam::44444:role/sso/sso-administrator
Type the number (1 - 4) of the role to assume: 4
Assuming arn:aws:iam::4444444:role/sso/sso-administrator
Credentials Expiration: 2018-08-02 19:19:07+02:00

Problem is that these ARNs are not very informative as one would have to remember the AWS account number.

Is it possible to show the account alias?

When you do Google SSO auth (using SAML) to the AWS console, it shows the account aliases like this:

Account: my-account-1 (1111111)
Account: my-account-2 (22222)
etc

macOS 10.13.6 and -k yields error:

HomeBrew-installed Python 2.7.15.

Bottom-line error: AssertionError: Expected password to be a string. Got <type 'unicode'>.

(I am entering the correct password for KeyChain access, etc.)

Full debug detail:
Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 225, in main
    cli(cli_args)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 64, in cli
    process_auth(args, config)
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 182, in process_auth
    config.raise_if_invalid()
  File "/usr/local/lib/python2.7/site-packages/aws_google_auth/configuration.py", line 117, in raise_if_invalid
    assert (self.password.__class__ is str), "Expected password to be a string. Got {}.".format(self.password.__class__)
AssertionError: Expected password to be a string. Got <type 'unicode'>.

Suppress google security alerts

Awesome tool!

I'm working on a patch to add a cookie store to suppress the Security alerts generated every time I use the script. Let me know if you have any other ideas or concerns regarding this issue.

Feature: Renewing STS credentials without prompting for password again.

I have been trying out this command-line tool to move our AWS users over to SAML, including their CLI usage. Unfortunately you always need to sign in again after 1 hour. Some of our users run processes which take more than an hour to complete and need AWS access throughout the process.

AWS allows SAML users to stay signed in for up to 12 hours. Amazon STS still only allows the generated keys to last for up to 1 hour.

I would love if this command-line tool would allow me to stay signed in, such that I don't have to re-enter my password every hour.

I have two ideas for how to achieve this:

  1. Introduce a command-line switch such as --auto, which keeps the script running, remembering the user password in memory, and automatically re-authenticating when the time is about to run out.
  2. Grab the cookie which contains the token, and write it to the ~/.aws/config file, and when running the command again, check if the token is still valid, and generate a new STS credential.

The two tactics might even be complementary, such that the --auto parameter makes the script wait until the credentials are about to expire, and then re-authenticates using the token in step 2.

I have not looked deeply into the options for solving this, but I might be able to create a Pull Request, I would just like to know what method would be preferred.

RuntimeError: Could not find SAML response, check your credentials

While using aws-google-auth from EC2 instances with various IPs I've encountered some cases not yet handled:

aws-google-auth --idp-id C01234567 --sp-id 123456789012 -u [email protected] -p default
Google Password: 
Traceback (most recent call last):
  File "/usr/bin/aws-google-auth", line 11, in <module>
    load_entry_point('aws-google-auth==0.0.20', 'console_scripts', 'aws-google-auth')()
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 54, in main
    cli(sys.argv[1:])
  File "/usr/lib/python2.7/site-packages/aws_google_auth/__init__.py", line 160, in cli
    saml_xml = google_client.parse_saml()
  File "/usr/lib/python2.7/site-packages/aws_google_auth/google.py", line 153, in parse_saml
    raise RuntimeError('Could not find SAML response, check your credentials')
RuntimeError: Could not find SAML response, check your credentials

For some user I may have to select the challenge https://raw.githubusercontent.com/JeremJR/aws-google-auth/issue/aws_google_auth/tests/selectchallenge_2.html
For another user I may have to enter a phone number to retrieve a token https://raw.githubusercontent.com/JeremJR/aws-google-auth/issue/aws_google_auth/tests/challenge_iap_3.html

I have proposed a PR to handle such cases: #54
But I have no feedback on it yet, maybe due to the coverage test issue.
If so, any advice will be appreciated in order to help increase the test coverage.
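The step that fails here (finding the SAMLResponse form field in the page Google returns) and the account-alias display requested in "Possible to show account aliases with role ARNs?" above both come down to handling the SAML response, so one added example covers both. It is not code from either issue or from aws-google-auth: it locates the SAMLResponse input in a constructed login page, decodes the assertion, extracts the AWS role attribute, and prints a menu with an alias next to each ARN. The page HTML, the assertion, and the alias map are all constructed; the map stands in for what the console shows, since obtaining real aliases would need a separate call per account (the IAM ListAccountAliases API, which this example does not make).

```python
# Added example, not aws-google-auth's own code: find the SAMLResponse field in
# the post-login page, decode the assertion, list the AWS roles it carries and
# label each with an account alias. HTML, assertion and alias map are constructed.
import base64
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed assertion: unsigned and stripped to the role attribute, which is
# all this example needs. Each value pairs a role ARN with a saml-provider ARN;
# AWS accepts them in either order, so the parser must not assume one.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/sso/sso-administrator,arn:aws:iam::111111111111:saml-provider/GoogleApps</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/GoogleApps,arn:aws:iam::222222222222:role/sso/sso-administrator</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed post-login page carrying the base64 assertion in a hidden input.
SAMPLE_LOGIN_HTML = (
    '<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
    '<input type="hidden" name="SAMLResponse" value="'
    + base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode() + '">'
    '<input type="submit" value="Continue"></form></body></html>'
)

# Constructed alias map; real aliases would come from each account.
SAMPLE_ALIASES = {"111111111111": "my-account-1", "222222222222": "my-account-2"}


class _SamlFormParser(HTMLParser):
    """Records the value of the first <input name="SAMLResponse"> seen."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.saml_response is None:
            attributes = dict(attrs)
            if attributes.get("name") == "SAMLResponse":
                self.saml_response = attributes.get("value")


def find_saml_response(html):
    """Return the base64 SAMLResponse from the page, or raise like the tool does."""
    parser = _SamlFormParser()
    parser.feed(html)
    if not parser.saml_response:
        # No assertion means Google did not finish the login (wrong password,
        # an unhandled challenge page, and so on), not a malformed assertion.
        raise RuntimeError('Could not find SAML response, check your credentials')
    return parser.saml_response


def parse_roles(saml_response_b64):
    """Return [(role_arn, provider_arn), ...] from the assertion's Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attribute in root.iterfind(".//saml:Attribute", NS):
        if attribute.get("Name") != ROLE_ATTRIBUTE:
            continue
        for value in attribute.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role_arn = next((p for p in parts if ":role/" in p), None)
            provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
            if role_arn and provider_arn:
                roles.append((role_arn, provider_arn))
    return roles


def account_id(arn):
    """The 12-digit account id embedded in an IAM ARN, or None."""
    match = re.match(r"arn:aws:iam::(\d{12}):", arn)
    return match.group(1) if match else None


def format_menu(roles, aliases):
    """Menu lines in the tool's '[  n] ...' style, with alias and account id."""
    lines = []
    for index, (role_arn, _provider_arn) in enumerate(roles, 1):
        acct = account_id(role_arn)
        lines.append(f"[{index:3d}] {aliases.get(acct, '(no alias)')} ({acct}) {role_arn}")
    return lines


if __name__ == "__main__":
    for line in format_menu(parse_roles(find_saml_response(SAMPLE_LOGIN_HTML)), SAMPLE_ALIASES):
        print(line)
```

The RuntimeError is raised only when the page has no SAMLResponse at all, which is exactly the situation in the traceback above: a challenge page the client does not recognise never reaches the form, so the message points at the login flow rather than at the assertion contents.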
