Comments (12)

FrederikNJS commented on May 30, 2024

So now that SAML caching works, and I have also successfully had 12 hour STS credentials generated, I don't really feel this issue is a problem anymore. I can now sign in with just my password once a day, which is perfectly fine.

I'm content with closing this issue unless anyone else has additional needs.

from aws-google-auth.

mide commented on May 30, 2024

Interesting; thanks for the info. I'll take a look when I get a chance.

mide commented on May 30, 2024

I personally feel that keeping the user's password in memory could be a dangerous solution. If the user left for the day without closing the application, their computer would effectively always have an active STS token. I feel part of what makes STS special is that they are short lived (even if they're 12 hours).

I think --auto would be fine if it just cached the SAML assertion, and used it to renew the STS tokens. (This would be a mix of both your solutions). That way, at the end of 12 hours, the assertion would expire and it would force the user to re-enter their password. Edit: No, that wouldn't work if you have 2FA turned on.

I started working on a SAML assertion caching PR, but I've got a few others in flight (#34, #33, #29) that I want to get in before I get too far with this one.

nonspecialist commented on May 30, 2024

The SAML assertion caching is a preferred way of achieving this; the simplest thing to do would be to just save it to disk ... something like ~/.aws/assertions/<escaped-role-arn>.xml

Then, checking whether there's an existing assertion, loading it, verifying the expiry time and either re-using it to refresh the credentials or prompting the user to renew should be fairly straightforward.

mide commented on May 30, 2024

Yep; I've got a PR in the making. Just working out some minor issues and then tests.

mide commented on May 30, 2024

I think we should store the SAML assertion in the file ~/.aws/saml-assertion.xml, since one SAML assertion can be valid for multiple ARNs. Likewise, we don't want to store it in a given profile, since the SAML assertion could be used in any profile.

mide commented on May 30, 2024

PR #47 takes a whack at this.

mide commented on May 30, 2024

FWIW, the --auto flag is just part of the workflow proposed in #47. When using aws-google-auth, it will try to use the SAML cache first, and if invalid will prompt the user for credentials. I figure most people will want to use SAML caching by default.

There is also a --no-cache flag to force a full credential prompt.

mide commented on May 30, 2024

I propose #47 addressed this issue.

max-rocket-internet commented on May 30, 2024

How exactly is this supposed to work?

aws-google-auth -u [email protected] -S 99999999 -I XXXXX --ask-role --disable-u2f --duration 3600
Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ...
[  1] arn:aws:iam::9999999:role/sso/sso-xxxxx
[  2] arn:aws:iam::99999999:role/sso/sso-xxxxx
Type the number (1 - 2) of the role to assume: 1
Assuming arn:aws:iam::999999999:role/sso/sso-xxxxx
Credentials Expiration: 2018-01-31 17:07:49+01:00

But then I have no interesting files in ~/.aws:

$ ll ~/.aws/
total 16
-rw-------  1 max.williams  staff   509 Jan 31 16:12 config
-rw-------  1 max.williams  staff  1246 Jan 31 16:12 credentials
-rw-------  1 max.williams  staff     0 Jan 31 16:12 saml_cache.xml

Note that saml_cache.xml size is 0.

If this is working, we should be able to renew the STS token without Google password and 2FA for 12 hours, is that correct?

mide commented on May 30, 2024

That's interesting. saml_cache.xml should have some contents. I wonder why that's not getting written. That's likely the issue.

Otherwise, you're mostly correct: if everything works, you'll be able to renew the STS token without being asked for Google Password / 2FA for five minutes; see #47 (comment).

FrederikNJS commented on May 30, 2024

@mide I'm seeing the same issues as @max-rocket-internet. I get authenticated, but when I run the script again, I get prompted for a password and 2FA. The saml_cache.xml file is empty.

I'm running version 0.0.19.
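An added example (not aws-google-auth's own code, nor from PR #47) of the cache check nonspecialist describes above: load the assertion, verify its validity window, and either reuse it or fall back to prompting. It also treats the empty saml_cache.xml that max-rocket-internet and FrederikNJS report as a cache miss rather than a crash; the sample assertion and the 30-second skew are constructed for the example.

```python
# Added example (not aws-google-auth's own code): decide whether a cached
# SAML assertion can still be used to refresh STS credentials. A missing,
# empty or malformed cache (the 0-byte saml_cache.xml in the thread) is a
# cache miss, not an error. The sample assertion below is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2018-01-31T16:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_window(xml_text):
    """Return (NotBefore or None, NotOnOrAfter) from the Conditions element,
    or None when the text is not a usable assertion."""
    if not xml_text or not xml_text.strip():
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return None
    not_before = cond.attrib.get("NotBefore")
    return (parse_saml_time(not_before) if not_before else None,
            parse_saml_time(cond.attrib["NotOnOrAfter"]))

def cached_assertion_usable(xml_text, now, skew=timedelta(seconds=30)):
    """True when the cached assertion may still be presented to STS; the
    skew avoids handing STS an assertion that expires mid-request."""
    window = assertion_window(xml_text)
    if window is None:
        return False
    not_before, not_on_or_after = window
    if not_before is not None and now < not_before:
        return False
    return now + skew < not_on_or_after

def decide(xml_text, now):
    """The branch the CLI would take: reuse the cache or prompt the user."""
    return "reuse" if cached_assertion_usable(xml_text, now) else "prompt"

# Constructed sample assertion, valid 2018-01-31 16:12Z to 17:12Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Conditions NotBefore="2018-01-31T16:12:00Z" NotOnOrAfter="2018-01-31T17:12:00Z"/>
</saml:Assertion>"""
```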
