moritzheiber / crowbar
Securely generates temporary AWS credentials through identity providers using SAML
License: Apache License 2.0
The only substantive change that I see in the transition from 0.4.6 -> 0.4.7 seems to be in the AWS library versions from 0.11.0 to 0.15.0, and something within that broke it. The behavior is that you get prompted for an Okta push or TOTP, you select either and confirm, crowbar responds and says Authentication Successful, and then it asks you once again for Okta push or TOTP, in an endless loop.
I am trying to use an already configured profile with crowbar, which I remember was working earlier.
It fails before prompting for login credentials.
$ crowbar exec myprofile -- aws s3 ls
Unable to login
Caused by:
1: HTTP status client error (401 Unauthorized) for url (https://<subdomain>.okta.com/api/v1/authn)
Using crowbar v0.3.7
Running the following in a docker container with Centos 7
$ crowbar --version
crowbar 0.4.5
$ crowbar profiles add test --username email --provider okta --url 'https://myorg.okta.com'
Profile test added successfully!
$ env AWS_PROFILE=test aws s3 ls
Password for email at https://myorg.okta.com: [hidden]
Authentication successful!
Platform secure storage failure: zbus error: I/O error: No such file or directory (os error 2)
Error when retrieving credentials from custom-process:
$
to install crowbar:
At my org, I have a few roles that are in various AWS accounts. Each of these AWS accounts represents a different environment within our CICD process: dev/stage/prod.
If I create multiple aws profiles so I can switch between multiple accounts/roles quickly like this:
$ crowbar profiles add my-org-dev -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....
$ crowbar profiles add my-org-stage -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....
$ crowbar profiles add my-org-prod -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....
It gets a little difficult to manage, because when the token expires it'll ask you to select which factor to use (I have multiple options, but I only ever want push) and it'll ask me which role I wish to assume. I can't swap roles until the token expires so if my intent was to target a development environment but I specify production by accident, I can't fix it until the token expires and I re-select the correct account.
Is there a way to tell crowbar which factor method and role I want to assume by default within the credential_process command?
I had crowbar working from my Mac for several AWS accounts, but then it stopped working one day with the following error and I cannot figure out the issue. Can someone help? From looking at the code I think there's something it doesn't like about the response from Okta, but I don't know specifically what, and even with -ltrace it doesn't show me enough to know what's wrong. I will say that if my credentials are wrong, I get an authentication error as expected, but with correct credentials, I can see that Okta gives a 200 response but then parsing it fails.
Unable to login
Caused by:
2: error decoding response body: invalid type: null, expected a string at line 1 column 1403
1: invalid type: null, expected a string at line 1 column 1403
I'm trying to use crowbar within a docker container. Long story short, we have individuals on our team whose machines are super locked down. I can run crowbar on my host machine and profiles are added as expected, but within docker the error is strange and unclear.
FROM ubuntu:latest
RUN apt-get update -y && apt-get install -y \
curl \
wget \
unzip
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && unzip awscliv2.zip && ./aws/install
RUN wget https://github.com/moritzheiber/crowbar/releases/download/v0.3.7/crowbar-x86_64-linux -o /bin/crowbar && chmod +x /bin/crowbar
$ docker build --tag general-terminal:latest .
$ docker run --rm -ti general-terminal:latest bash
$ crowbar profiles add my-profile -u paul.baker -p okta --url "https://redacted.okta.com/home/amazon_aws/redacted"
> /usr/bin/crowbar: line 1: --2020-09-08: command not found
> /usr/bin/crowbar: line 2: syntax error near unexpected token `('
> /usr/bin/crowbar: line 2: `Resolving github.com (github.com)... 140.82.114.4'
I'm not sure what this error means, but it seems like any profiles command triggers it.
$ crowbar profiles list
> /usr/bin/crowbar: line 1: --2020-09-08: command not found
> /usr/bin/crowbar: line 2: syntax error near unexpected token `('
> /usr/bin/crowbar: line 2: `Resolving github.com (github.com)... 140.82.114.4'
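The quoted errors are wget's own log being executed as a shell script: `wget -o PATH` writes the log to PATH, while `wget -O PATH` writes the downloaded file there, so the Dockerfile above leaves a text file, not the crowbar binary, at /bin/crowbar. The following POSIX shell check is an added example (not crowbar project code) that a build step could run before `chmod +x`; the sample files it inspects are constructed inline, so it runs without network access.

```shell
#!/bin/sh
# Added example, not part of the crowbar project. Classifies a file fetched
# by wget so a Dockerfile can fail early when `-o` (log file) was used
# instead of `-O` (output file) and the "binary" is really wget's log.

# is_elf FILE: succeed only if FILE starts with the ELF magic 7f 45 4c 46.
is_elf() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "7f454c46" ]
}

# looks_like_wget_log FILE: succeed if the first line is a wget log header
# such as "--2020-09-08 10:00:00--  https://...".
looks_like_wget_log() {
  head -n 1 "$1" 2>/dev/null | grep -q '^--[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}'
}

# classify FILE: print "elf", "wget-log" or "unknown". A Dockerfile RUN step
# can use: [ "$(classify /bin/crowbar)" = elf ] || exit 1
classify() {
  if is_elf "$1"; then echo elf
  elif looks_like_wget_log "$1"; then echo wget-log
  else echo unknown
  fi
}

# Constructed samples (no network): what `-o` and `-O` would each leave behind.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' \
    '--2020-09-08 10:00:00--  https://github.com/moritzheiber/crowbar/releases/download/v0.3.7/crowbar-x86_64-linux' \
    'Resolving github.com (github.com)... 140.82.114.4' > "$dir/log-from-dash-o"
  printf '\177ELF\002\001\001' > "$dir/binary-from-dash-O"
  printf '%s %s\n' "$(classify "$dir/log-from-dash-o")" "$(classify "$dir/binary-from-dash-O")"
  rm -rf "$dir"
}
demo   # prints: wget-log elf
```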
Authentication successful!
Could not find SAML element in HTML response
I always get this, when trying to use crowbar. It also only asked me for my password, never one of my MFA options.