
okta-awscli's Introduction

okta-awscli - Retrieve AWS credentials from Okta

Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary STS credentials from AWS.

This project is largely inspired by https://github.com/nimbusscale/okta_aws_login, but uses a purely API-driven approach during the authentication phase rather than parsing HTML.

Parsing the HTML is still required to get the SAML assertion after authentication is complete. However, since we only need to look for the SAML assertion in a single, predictable tag, <input name="SAMLResponse"..., the result is far more stable across any changes Okta may make to its interface.
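The two steps described above (pull the SAMLResponse out of the post-login HTML, then hand the assertion to STS) in working form, as an added example that is not okta-awscli's own code. It uses only the standard library for the parsing so it runs offline; the sample HTML and the unsigned assertion inside it are constructed here, the account id and role names are placeholders, and the STS call is written against boto3's real assume_role_with_saml but is not exercised by the sample. Note that nothing here validates the assertion's signature; STS does that when the assertion is exchanged, which is why the parser only needs to locate the role ARNs.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


class _SamlResponseFinder(HTMLParser):
    """Collect the value attribute of every <input name="SAMLResponse"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attr_map = dict(attrs)
        if attr_map.get("name") == "SAMLResponse" and attr_map.get("value"):
            self.values.append(attr_map["value"])


def extract_saml_response(html: str) -> str:
    """Return the base64 SAMLResponse carried by the post-login page.

    Exactly one such input is expected; zero or several is treated as a
    changed page layout rather than silently picking one of them.
    """
    finder = _SamlResponseFinder()
    finder.feed(html)
    if len(finder.values) != 1:
        raise ValueError(
            f"expected exactly one SAMLResponse input, found {len(finder.values)}"
        )
    return finder.values[0]


def parse_aws_roles(saml_response_b64: str):
    """Return [(role_arn, principal_arn), ...] from the AWS Role attribute.

    Each AttributeValue is 'role,provider' or 'provider,role'; the two ARNs
    are told apart by their resource type rather than by position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(f"{{{SAML2_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            principal = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) != 2 or role is None or principal is None:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            pairs.append((role, principal))
    return pairs


def assume_role_with_saml(saml_response_b64, role_arn, principal_arn,
                          duration=3600, region="us-east-1"):
    """Exchange the assertion for temporary credentials via STS.

    The STS region is pinned explicitly so a stray 'region' value in
    ~/.aws/config cannot redirect the call. boto3 is imported here rather
    than at module level so the parsing helpers above stay stdlib-only.
    """
    import boto3  # dependency of the real tool; not needed for parsing

    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


# Constructed sample: an unsigned assertion with two role entries (placeholder
# account id 111122223333), wrapped the way the post-login page carries it.
_SAMPLE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::111122223333:role/okta-admins,arn:aws:iam::111122223333:saml-provider/Okta</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::111122223333:saml-provider/Okta,arn:aws:iam::111122223333:role/okta-developer</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml2:AttributeValue>3600</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()
SAMPLE_HTML = (
    '<html><body><form method="POST" action="https://signin.aws.amazon.com/saml">'
    f'<input type="hidden" name="SAMLResponse" value="{SAMPLE_SAML_RESPONSE_B64}"/>'
    '<input type="hidden" name="RelayState" value=""/>'
    "</form></body></html>"
)

if __name__ == "__main__":
    for role, principal in parse_aws_roles(extract_saml_response(SAMPLE_HTML)):
        print(role, "via", principal)
```

The role list returned by parse_aws_roles is what a "Please select the AWS role" prompt would be built from; the selected pair plus the untouched base64 assertion are the three inputs STS needs.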

Disclaimer

Okta is a registered trademark of Okta, Inc. and this tool has no affiliation with or sponsorship by Okta, Inc.

Python Support

This project is written for Python 3. Running it with Python 2 may work, but it is not supported. Since Python 2 is end-of-life (as of 2020-JAN-01), feature requests and PRs to add Python 2 support will likely not be accepted, outside of extreme circumstances.

Installation

  • pip3 install okta-awscli
    • To install with U2F support (Yubikey): pip3 install "okta-awscli[U2F]"
  • Execute okta-awscli --config and follow the steps to configure your Okta profile OR
  • Configure okta-awscli via the ~/.okta-aws file with the following parameters:
[default]
base-url = <your_okta_org>.okta.com

## The remaining parameters are optional.
## You may be prompted for them, if they're not included here.
username = <your_okta_username>
password = <your_okta_password> # Only save your password if you know what you are doing!
factor   = <your_preferred_mfa_factor> # Current choices are: GOOGLE or OKTA
role     = <your_preferred_okta_role> # AWS role name (match one of the options prompted for by "Please select the AWS role" when this parameter is not specified)
profile  = <aws_profile_to_store_credentials> # Sets your temporary credentials to a profile in `.aws/credentials`. Overridden by the `--profile` command line flag
app-link = <app_link_from_okta> # Found in Okta's configuration for your AWS account.
duration = 3600 # Duration in seconds to request a session token for; make sure your accounts (both AWS itself and the associated Okta application) allow for large durations. Default: 3600

Supported Features

  • Tenant wide MFA support
  • Per-application MFA support (added in version 0.4.0)
  • Okta Verify (Play Store | App Store)
  • Okta Verify Push support
  • Google Authenticator (Play Store | App Store)
  • YubiKey (requires the python-u2flib-host library)

Usage

okta-awscli --profile <aws_profile> <awscli action> <awscli arguments>

  • Follow the prompts to enter MFA information (if required) and choose your AWS app and IAM role.
  • Subsequent executions will first check if the STS credentials are still valid and skip Okta authentication if so.
  • Multiple Okta profiles are supported, but if none are specified, then default will be used.
  • Selections for AWS App and AWS Role are saved to the ~/.okta-aws file. Removing the app-link and role fields will enable the prompts for these selections.
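The "check if the STS credentials are still valid and skip Okta authentication" step, together with writing credentials into a profile of the shared credentials file, as an added example that is not okta-awscli's own code. It assumes the tool records the session expiry under a key in the profile; the key name used here (x_okta_awscli_expiration) is hypothetical, not the tool's. The sample credentials are constructed, reusing the expiry timestamp shown in the debug output further down the page. The write preserves keys the user set themselves in that profile, such as region, and pins the file to mode 0600 since it now holds a bearer session token.

```python
import configparser
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Hypothetical key name for the stored expiry; not okta-awscli's own.
EXPIRY_KEY = "x_okta_awscli_expiration"
CRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def write_credentials(path, profile, creds):
    """Write STS credentials into one profile of an AWS shared credentials file.

    Other profiles, and unrelated keys in this profile (for example a
    'region' the user set), are left alone; only the credential keys and the
    expiry are replaced. The file is (re)written with mode 0600.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    cfg.set(profile, "aws_session_token", creds["SessionToken"])
    cfg.set(profile, EXPIRY_KEY, creds["Expiration"].isoformat())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # also tightens a pre-existing, wider-mode file


def credentials_valid(path, profile, now=None, margin=timedelta(minutes=5)):
    """True if the profile holds a full credential set that outlives now + margin.

    The margin avoids handing the awscli a token that expires mid-command.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(path) or not cfg.has_section(profile):
        return False
    for key in CRED_KEYS + (EXPIRY_KEY,):
        if not cfg.get(profile, key, fallback=""):
            return False
    expires = datetime.fromisoformat(cfg.get(profile, EXPIRY_KEY))
    now = now or datetime.now(timezone.utc)
    return now + margin < expires


# Constructed sample credentials (not real); the expiry matches the
# "Session token expires on" line shown in the debug output on this page.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "constructedSecretAccessKeyNotReal0000000",
    "SessionToken": "constructedSessionToken==",
    "Expiration": datetime(2020, 5, 1, 4, 4, 41, tzinfo=timezone.utc),
}


def demo_roundtrip(path=None):
    """Seed a file with a user-set region, write credentials, report what survived."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "credentials")
    with open(path, "w") as fh:
        fh.write("[test]\nregion = us-west-2\n\n[other]\naws_access_key_id = AKIAOTHERPROFILE\n")
    write_credentials(path, "test", SAMPLE_CREDS)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    utc = timezone.utc
    return {
        "region_kept": cfg.get("test", "region"),
        "other_kept": cfg.get("other", "aws_access_key_id"),
        "mode": oct(os.stat(path).st_mode & 0o777),
        "valid_before": credentials_valid(path, "test", now=datetime(2020, 5, 1, 3, 0, tzinfo=utc)),
        "valid_in_margin": credentials_valid(path, "test", now=datetime(2020, 5, 1, 4, 2, tzinfo=utc)),
        "valid_after": credentials_valid(path, "test", now=datetime(2020, 5, 2, tzinfo=utc)),
        "missing_profile": credentials_valid(path, "nope"),
    }


if __name__ == "__main__":
    for k, v in demo_roundtrip().items():
        print(f"{k}: {v}")
```

With --force the tool bypasses credentials_valid and authenticates anyway; without it, a cheap local check like this is what lets repeated invocations skip the Okta round trip and the MFA prompt.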

Example

okta-awscli --profile my-aws-account iam list-users

If no awscli commands are provided, then okta-awscli will simply output STS credentials to your credentials file, or console, depending on how --profile is set.

Optional flags:

  • --profile or -p Sets your temporary credentials to a profile in .aws/credentials. If omitted and not configured in ~/.okta-aws, credentials will output to console.
  • --username or -U Okta username.
  • --password or -P Okta password.
  • --force or -f Ignores result of STS credentials validation and gets new credentials from AWS. Used in conjunction with --profile.
  • --verbose or -v More verbose output.
  • --debug or -d Very verbose output. Useful for debugging.
  • --cache or -c Cache the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified)
  • --okta-profile or -o Use an Okta profile other than default in .okta-aws. Useful for multiple Okta tenants.
  • --token or -t Pass in the TOTP token from your authenticator
  • --refresh-role or -r Refresh the AWS role to be assumed. Previously incorporated in --force.
  • --lookup or -l Lookup and return the AWS Account Alias for each role, instead of returning the raw ARN.
  • --config Add/Create new Okta profile configuration.
  • -s or --switch Switch to any existing profile and update credentials.
    • Note that this will attempt to perform iam:ListAccountAliases on every account that you have access to via Okta. This is important for two reasons:
      • All of your roles must have this permission attached to them via an IAM policy.
      • This may be important for you, if you have compliance considerations around only accessing accounts that you're actively doing work in.
  • --version or -V Outputs version number then exits.

Run from docker container

This process is taken from gimme-aws-creds and adapted.

Build the image

docker build -t okta-awscli .

Run the image with the command

docker run -it --rm -v ~/.aws/credentials:/root/.aws/credentials -v ~/.okta-aws:/root/.okta-aws okta-awscli --profile default iam list-users

If you want to type less, you can create an alias:

alias okta-awscli='docker run -it --rm -v ~/.aws:/root/.aws -v ~/.okta-aws:/root/.okta-aws okta-awscli'

and just type

okta-awscli

You can add this to your .bashrc:

source <PATH TO GIT REPO>/set-alias.bash

okta-awscli's People

Contributors

arahayrabedian, bretterer, bwolfe, dependabot[bot], endorama, estallings, fampton, frspfpt, guerremdq, iress-james-bowe, jafrouk, jamesoflol, jmhale, jrisebor, justinm, matwhite, maxtacu, mcstafford-git, mrbcmorris, ngfgrant, nonspecialist, prasanthlouis, pyup-bot, rickalm-wapo, robotdisco, sadok-f, saurabhjambhule, savar, zaafar, zaltoprofen


okta-awscli's Issues

allow us to pass password as an argument (--password)

I use 1Password to store my credentials. I am able to retrieve passwords from 1Password via their own CLI tool. It would be nice if I could chain them together and retrieve the password from 1Password and send it as an argument to okta-awscli.

AWS Region set in .aws/config can override STS call

When a region is set in ~/.aws/config, the STS call using boto will use that region, instead of a default of us-east-1.

Most of the time, this isn't problematic, since the region set there is valid. However, if the region is set to an invalid value, okta-awscli will fail.

For example, this ~/.aws/config will cause issues:

[default]
region = None

Resulting in this trace:

Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/oktaawscli/okta_awscli.py", line 55, in main
    get_credentials(aws_auth, okta_profile, profile, verbose)
  File "/usr/local/lib/python2.7/dist-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
    token = aws_auth.get_sts_token(role_arn, principal_arn, assertion)
  File "/usr/local/lib/python2.7/dist-packages/oktaawscli/aws_auth.py", line 51, in get_sts_token
    SAMLAssertion=assertion)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 602, in _make_api_call
    operation_model, request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 143, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 172, in _send_request
    success_response, exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 265, in _needs_retry
    caught_exception=caught_exception, request_dict=request_dict)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 183, in __call__
    if self._checker(attempts, response, caught_exception):
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 251, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 277, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 317, in __call__
    caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 223, in __call__
    attempt_number, caught_exception)
  File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
    raise caught_exception
botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint URL: "https://sts.None.amazonaws.com/"

I'm not sure why this region is getting set to None. The user that reported this says that it was set to None upon installing awscli and with no further configuration, although I have not independently confirmed.

Either way, the region in the STS calls should be set explicitly or set to ignore invalid values, such as None.

Having to verify with Okta twice

Using this config:

[default]
username = MY_EMAIL
base-url = MY_OKTA_URL
duration = 3600
app-link = MY_OKTA_URL
role = arn:aws:iam::MY_AWS_UID:role:role/MY_AWS_ROLE

This is the debug output (sanitized):

REMMACD2ZWGTDY:aws ahjr$ okta-awscli --profile default --force --debug
DEBUG - Setting AWS role to arn:aws:iam::MY_AWS_UID:role/MY_AWS_ROLE
INFO - STS credentials are valid. Nothing to do.
INFO - Force option selected,                 getting new credentials anyway.
INFO - Authenticating to: MY_OKTA_URL
INFO - Authenticating as: MY_EMAIL
Enter password:
INFO - App Link set as: https://MY_OKTA_URL
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1
INFO - Performing secondary authentication using: OKTA
DEBUG - [SOME_PII_SO_SNIPPED]
Waiting for push verification...
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_IPhone: iPhone
[ 1 ] token:software:totp( OKTA ) : MY_EMAIL
Selection: 0
INFO - Okta Verify push sent...
INFO - Using predefined role: arn:aws:iam::MY_AWS_UID:role/MY_AWS_ROLE
INFO - Authenticating to: MY_OKTA_URL
DEBUG - Requesting a duration of 3600 seconds
INFO - Session token expires on: 2020-05-01 04:04:41+00:00
INFO - Temporary credentials written to profile: default
INFO - Invoke using: aws --profile default <service> <command>

Adding factor = OKTA to the config doesn't make a difference - I just don't get this part:

Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1

I still get 2 push notifications that I have to acknowledge.

Is there a config I'm missing?

TypeError: unsupported operand type(s) for -: 'str' and 'int'

When attempting to use the CLI in Python 3.6 this error message occurs.

  1. OSX (10.13.6), Python 3.6.6, pip-3.6
  2. AWS CLI = awscli-1.15.68
    aws-cli/1.15.68 Python/3.6.6 Darwin/17.7.0 botocore/1.10.67

~ cbitterfield$ okta-awscli
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1
Traceback (most recent call last):
  File "/Users/cbitterfield/Library/Python/3.6/bin/okta-awscli", line 11, in <module>
    load_entry_point('okta-awscli==0.2.3', 'console_scripts', 'okta-awscli')()
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_awscli.py", line 104, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
    _, assertion = okta.get_assertion()
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 199, in get_assertion
    session_token = self.primary_auth()
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 40, in primary_auth
    session_token = self.verify_mfa(factors_list, state_token)
  File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 97, in verify_mfa
    factor_choice = input('Please select the MFA factor: ') - 1
TypeError: unsupported operand type(s) for -: 'str' and 'int'

Expired passwords are not gracefully handled

Describe the bug
Expired password leads to an exception with a KeyError stack trace (not sure if it'd behave the same with other organizations)

To Reproduce
Steps to reproduce the behavior:

  1. When your (Okta) password is expired and you use two-factor auth (not sure of behaviour with other second factors)
  2. Attempt to retrieve new AWS credentials
  3. KeyError trying to get a key (I think it was id) in the response (sorry, I lost the stack trace, but will update if I manage to get it)

Expected behavior
A message indicating that your password is expired

Output
unfortunately lost this, but will try to reproduce at a later point.

Environment (please complete the following information):

  • OS: [e.g. MacOS, Ubuntu, CentOS, etc.]
    • ubuntu 18.04.03
  • Version of okta-awscli you're running. okta-awscli -V
    • 0.4.0

Additional context
EOM

Refresh the role with --force

Is your feature request related to a problem? Please describe.
I have a few different roles within the same account. So when I authenticate with one role, it automatically adds it to the config file. So, if I re-authenticate with --force, it refreshes STS but authenticates with the same role. I need to manually go and delete the role in the config file.

$ okta-awscli --okta-profile test --profile test
Enter password: 
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_Android: xxxxxxxx
[ 1 ] token:software:totp( OKTA ) : [email protected]
Selection: 0
1: arn:aws:iam::xxxxxxxxx:role/xxxxxx-admins
2: arn:aws:iam::xxxxxxxxx:role/xxxxxx-developer
Please select the AWS role: 1
$ okta-awscli --okta-profile test --profile test --force
Enter password: 
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_Android: xxxxxxxx
[ 1 ] token:software:totp( OKTA ) : [email protected]
Selection: 0

Describe the solution you'd like
I think the solution can be emptying the role in the config when --force is triggered.

Any help is appreciated, thanks.

Push verification ends with "TypeError: can only concatenate str (not "NoneType") to str"

Describe the bug
Not able to login using Okta Verify. Checked both kinds, regular and Push, and the result is the same - TypeError: can only concatenate str (not "NoneType") to str

To Reproduce
Steps to reproduce the behavior:

  1. Configure ~/.okta-aws
  2. Run CLI tool with specific okta and aws profiles
    okta-awscli --okta-profile okta-aws206 --profile okta-aws206 --debug
  3. Catch the error

Expected behavior
~/.aws/credentials should be updated with a token for okta-aws206

Output
Output of your okta-awscli run, using the --debug flag.

okta-awscli --okta-profile okta-aws206 --profile okta-aws206 --debug
INFO - Temporary credentials have expired. Requesting new credentials.
INFO - Authenticating to: somecompany.okta.com
INFO - Authenticating as: name.surname
Enter password: 
INFO - App Link set as: https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/272  # Found in Okta's configuration for your AWS account.
ERROR - Unsupported factorType: sms
Registered MFA factors:
1: Google Authenticator
2: Okta Verify - Push
3: Okta Verify
Please select the MFA factor: 2
INFO - Performing secondary authentication using: OKTA
DEBUG - {'id': 'opf1drfq8icq0OkZ21d8', 'factorType': 'push', 'provider': 'OKTA', 'vendorName': 'OKTA', 'profile': {'credentialId': '[email protected]', 'deviceType': 'SmartPhone_IPhone', 'keys': [{'kty': 'PKIX', 'use': 'sig', 'kid': 'default', 'x5c': ['MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsua0l7mgnN1NmZ8aS9gNLhEeEPpft40umIouk+TjyugDFKMFXD8L5vYcstLxKjzMkm/E+0o0HUeF3zRpKci+QlYGv6rhZ7udwTRKHyCoIQ9gpF3T95qM5NRLjscg1rFSURfmjXMPTmDOTDOXcTBlNvfSqU0DZSSf9MTF2kvL9MI37HkNRU307x26tSzNMTykqhQ1/gNd0AYaQ9es7yJhE5HYaUBqY1oRMJh3Xhm1C068NKgcc58mHXwXSF91Z9l9+ZvgHGboMEajZMIp5FmmajzS9BJb9A6PaBb4W6M96q1yU9RNHQcG4uYjBAY1vAnVXJjNs1Ygd4pBvCr0951HHwIDAQAB']}], 'name': 'GS.phone', 'platform': 'IOS', 'version': '11.2.6'}, '_links': {'verify': {'href': 'https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/verify', 'hints': {'allow': ['POST']}}}}
Waiting for push verification...
ERROR - No Extra Verification
Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_awscli.py", line 113, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
    _, assertion = okta.get_assertion()
  File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_auth.py", line 363, in get_assertion
    assertion = self.get_saml_assertion(resp)
  File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_auth.py", line 285, in get_saml_assertion
    self.logger.error("SAML assertion not valid: " + assertion)
TypeError: can only concatenate str (not "NoneType") to str

Environment (please complete the following information):

  • OS: MacOS 10.14.4
  • Python 3.7.3
  • Version of okta-awscli 0.4.0

Additional context
~/.okta-aws

cat ~/.okta-aws looks like this:
[okta-aws206]
base-url = somecompany.okta.com

username =name.surname
app-link = https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/272  

Storing region in shared credentials file overwrites profile settings in config.

Describe the bug
I have an account which I want to use in the us-west-2 region. After authentication with okta-awscli, the us-east-1 region gets written to .aws/credentials. This overwrites my settings in .aws/config, which I now have to override another way.

Simply removing the 'region' line in .aws/credentials solves the problem for me.

To Reproduce
Steps to reproduce the behavior:

  1. authenticate with profile name specified
  2. launch aws-shell or aws-cli
  3. check that region might be different for what you set in .aws/config

Expected behavior
I can store my preferred region for profile in .aws/config and it will work with aws-shell after authentication.

Environment (please complete the following information):

  • OS: Debian
  • okta-cli version 0.2.5

Improve error handling

Error handling is mostly non-existent, so we're seeing ugly traces when we encounter issues and the CLI puking on some errors that may be recoverable.

Feature Request: Proxy requests through a specified server

Is your feature request related to a problem? Please describe.
My Okta org requires MFA when connecting from outside our network (eg: on an EC2 instance), making okta-awscli depend on answering a push notification on my phone. This works but when CICD jobs are triggered periodically I have to answer notifications that I didn't originate (bad security practice).

Describe the solution you'd like
Allow users to proxy requests to Okta for secure credentials through a specified server in their organization's network to avoid MFA requirements when possible (after an appropriate warning). This would reduce friction in automated awscli uses such as CICD systems.

Add argument: okta-awscli --okta-profile $profile_name --proxy-server 1.2.3.4:1234

Describe alternatives you've considered
Currently I use Okta app based MFA, and it has the limitations described above.

Additional context
Any suggestions are appreciated. Thanks for considering!

What Python version ?

Hi,

Thanks for your valuable project. What Python version should I use?

I have a problem with Python 3.6 on CentOS 7, as below.

Could you help me to resolve below error?

.okta-aws file:

[default]
base-url = xxx.okta.com/home/amazon_aws/0oaxxxxfw1bRFjTaDM0x7/NNN
username = xxx
password = yyy
role = zzz

command:
okta-awscli --profile dev iam users

error:
[root@centos75a ~]# okta-awscli iam list-user
Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 11, in <module>
    load_entry_point('okta-awscli==0.2.4', 'console_scripts', 'okta-awscli')()
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib64/python3.6/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 104, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
    _, assertion = okta.get_assertion()
  File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 199, in get_assertion
    session_token = self.primary_auth()
  File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 35, in primary_auth
    resp_json = resp.json()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Duration

Is there any way to adjust the STS token duration?

Feature request: ability to provide a way to map account id to an alias

Looking at the returned SAML, if you want to keep the same role name across the board, you end up with a screen of role names. Add several accounts and you're playing spin the wheel to figure out which account you're using.

Proposing either id=alias mapping in the default config or ability to specify a yaml/json/whatever file which is more or less account:alias, one per line. Yaml would probably be my first choice for ease of eyeballing/editing. Specifying the file to read would be done in the config file.

If you want to get extra fancy, another field could be added to give a profile name to use as well, which opens up possibility for "always force profile" to be an option, etc..

Will try to get a pull request submitted for this soon.

Multiple authentications required for okta-awscli - behavior different from regular OKTA UI

In the regular OKTA UI (i.e. regular OKTA browser application) I can switch between apps without re-authentication.

However, using the command line tool okta-awscli, I have to re-authenticate for each application (in my day-to-day operations work I switch applications frequently), so the multiple re-authentications are cumbersome and complicate task automation.

Please can the okta-awscli be updated to work in the same manner as the regular OKTA UI.

Encrypted password

Can the okta password be encrypted in .okta-aws? How about skipping from storing the password?
Thanks

Support DUO as a provider

Is your feature request related to a problem? Please describe.
N/A

Describe the solution you'd like
DUO is a supported authentication mechanism when using Okta. It would be nice if this tool supported it.

Describe alternatives you've considered
N/A

Additional context
N/A

Cannot Get Credentials for GovCloud Account

When selecting a GovCloud account to retrieve credential for, the cli bombs out in the aws_auth.get_sts_token() function. Presumably because of the change in ARN structure that happens in GovCloud, but I need to investigate further.

Stack trace after selecting a GovCloud AWS app and a role:

Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 55, in main
    get_credentials(aws_auth, okta_profile, profile, verbose)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
    token = aws_auth.get_sts_token(role_arn, principal_arn, assertion)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 46, in get_sts_token
    SAMLAssertion=assertion)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 317, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 615, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 3cd5eb44-f141-11e7-96a2-e5cb4ab98b8b)

SAML assertion not valid

I'm getting an error back from the application.

The error is as stated above. The gist of it is that I'm not seeing SAMLResponse in the html. I have 2 input tags, _xsrfToken and fromURI.

Any reason why I wouldn't have gotten a SAMLResponse back?

Support MFA code as parameter

Some users may want to run the script without the need for any interactive prompts. This could be supported by #3, #4, #12 and one final addition:

Add an optional parameter --mfa_code (supported only if the factor choice is specified in config) where the user can specify this on the command line and avoid all interactive prompts.

Support storing factor choice in config

If an org has multiple MFA factor methods enabled, the user may only use one on a regular basis, and having to select it every time can get annoying.

We should support pre-selecting this in the profile defined in ~/.okta-aws

Maybe also have a --prompt flag to override this on a per-execution basis and prompt for which factor to use.

TypeError: expected string or bytes-like `object`

Describe the bug
When running okta-awscli I get an error after entering the password field (no matter what is entered for URL and username)

To Reproduce
Steps to reproduce the behavior:
pip install okta-awscli
okta-awscli
Enter anything for password field

Expected behavior
For password field to pass

Output

okta-awscli --debug
Enter username: test
Enter password: 
Traceback (most recent call last):
  File "/Users/jwake/Library/Python/3.8/bin/okta-awscli", line 8, in <module>
    sys.exit(main())
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_awscli.py", line 114, in main
    get_credentials(
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_awscli.py", line 18, in get_credentials
    okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
    self.app_link = okta_auth_config.app_link_for(okta_profile)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_auth_config.py", line 45, in app_link_for
    if not validators.url(app_link):
  File "<decorator-gen-29>", line 2, in url
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/validators/utils.py", line 83, in wrapper
    value = func(*args, **kwargs)
  File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/validators/url.py", line 148, in url
    result = pattern.match(value)
TypeError: expected string or bytes-like `object`

Environment (please complete the following information):

  • OS: MacOS
  • Version of okta-awscli you're running. 0.4.4
  • Python 3.8.2
  • Also tried on 3.9.0 and 3.6.5 and in pyenv virtual environment and outside of pyenv virtual environment

Additional context

log to stderr not stdout

I'm trying to source the default credential output, but i have some warnings in my output which cause problems. It looks like this is doing some manual log setup which is defaulting to stdout instead of stderr, switching to logging.basicConfig should resolve this.

Better handling of missing default profile

Describe the bug
When no [default] profile is included in ~/.okta-aws, okta-awscli outputs an ugly trace.

To Reproduce
Steps to reproduce the behavior:

  1. Create a ~/.okta-aws file with no [default] profile.
  2. Run okta-awscli without specifying a named profile via --okta-profile.

Expected behavior
okta-awscli should output a clean message, telling the user to either define a default profile or specify a named profile in the command line argument.

Output

okta-awscli --debug
Traceback (most recent call last):
  File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 1138, in _unify_values
    sectiondict = self._sections[section]
KeyError: 'default'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jhale/.virtualenvs/okta/bin/okta-awscli", line 11, in <module>
    sys.exit(main())
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 104, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 17, in get_credentials
    okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
    self.https_base_url = "https://%s" % okta_auth_config.base_url_for(okta_profile)
  File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_auth_config.py", line 30, in base_url_for
    base_url = self._value.get('default', 'base-url')
  File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 781, in get
    d = self._unify_values(section, vars)
  File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 1141, in _unify_values
    raise NoSectionError(section)
configparser.NoSectionError: No section: 'default'

Environment (please complete the following information):

  • OS: MacOS 10.14
  • Version of okta-awscli you're running. okta-awscli -V: 0.2.5

Using okta-awscli[U2F] does not work with yubikey

Describe the bug

  • Trying to use okta-awscli with yubikey returns error related to the U2F
Enter password:
ERROR - Unsupported factorType: webauthn
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify

To Reproduce
Steps to reproduce the behavior:

  1. execute okta-awscli

Expected behavior

  • I expected to be able to use YubiKey to verify the login

Output
Output of your okta-awscli run, using the --debug flag

INFO - STS credentials are valid. Nothing to do.
INFO - Force option selected, getting new credentials anyway.
INFO - Using base-url from default profile some_okta_subdomain.okta.com
Enter username: some_user
Enter password: *hidden*
INFO - App Link set as: None
ERROR - Unsupported factorType: webauthn
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify

Environment (please complete the following information):

  • OS: MacOS
  • Version of okta-awscli you're running. okta-awscli -V
okta-awscli -V
0.4.1

Additional context
In case this is not a bug, but I forgot to install/configure something, please point me to the right direction.

Export creds to envvars by default

Currently, the default operation (no arguments) displays the commands needed to export the obtained credentials to environment variables.

This creates an unnecessary step of copying and pasting them, as well as being insecure, as those secrets now persist in the shell's history.

The default action should export the credentials automatically and move the display functionality to a command line option, --show.

"app-link" - what is this?

Is there any documentation anywhere what the 'app-link' is?

app-link = <app_link_from_okta> # Found in Okta's configuration for your AWS account.

When I google okta 'app-link' or 'okta application link' nothing comes up. I don't have access to Okta's configuration information so I need to ask for the app link from the client, but as there's no real information what this means or even is, it's a bit difficult for me to ask for it.

Is this something that's required? Does this application interactively request it from me when running? So far, all I'm getting is 'authentication failed' errors and no information as to why via debug.

Support AWS role choice in config

If an org has multiple AWS roles configured, the user may only use one on a regular basis, and having to select it every time can get annoying.

We should support pre-selecting this in the profile defined in ~/.okta-aws

Maybe also have a --prompt flag to override this on a per-execution basis and prompt for which role to use. (Similar to what is proposed in #3)

Cache credentials for future use

To supplement #6, it'd be nice to also have a way to more easily authenticate more terminals than just one.

New flags: --use-cache

User Authentication Workflow

  • User authenticates via okta-awscli
  • okta-awscli saves credentials to ~/.kube/okta-awscli.credentials each time
  • User runs okta-awscli --use-cache on each terminal
    • If credentials are cached
      • okta-awscli re-exports the cached credentials
      • okta-awscli exits with status code 0
    • If credentials are not cached
      • okta-awscli re-exports the cached credentials
      • okta-awscli exits with status code -1

Automated Workflow

  • User authenticates via okta-awscli
  • okta-awscli saves credentials to ~/.kube/okta-awscli.credentials each time
  • User prepends okta-awscli --use-cache to each script
    • If credentials are cached
      • okta-awscli re-exports the cached credentials
      • okta-awscli exits with status code 0
    • If credentials are not cached
      • okta-awscli re-exports the cached credentials
      • okta-awscli exits with status code -1
  • Example: okta-awscli --use-cache
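The workflow above amounts to a small credential cache: write the STS keys once, re-export them from other terminals or scripts while they are valid, and signal a miss with the exit status. Below is an added example of that cache, not okta-awscli's own implementation; the file location, the `now_iso` clock injection and the sample credentials are assumptions made for the example.

```python
import json
import os
import shlex
import stat
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional, Union

# Assumed location; the issue proposes ~/.kube/okta-awscli.credentials instead.
DEFAULT_CACHE = Path.home() / ".okta-awscli.credentials"
PathLike = Union[str, "os.PathLike[str]"]


def save_cache(creds: dict, path: PathLike = DEFAULT_CACHE) -> None:
    """Persist STS credentials in a file only the owner can read or write (0600)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # mode set at creation
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing, looser file too


def load_cache(path: PathLike = DEFAULT_CACHE, now_iso: Optional[str] = None) -> Optional[dict]:
    """Return cached credentials if present, owner-only and not about to expire, else None.

    now_iso (timezone-aware ISO 8601) lets scripts and tests inject the clock; it
    defaults to the current UTC time. Expiration is stored the same way.
    """
    path = Path(path)
    try:
        mode = path.stat().st_mode
    except FileNotFoundError:
        return None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None  # a cache that group or world can read is treated as absent
    with path.open() as fh:
        creds = json.load(fh)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    expires = datetime.fromisoformat(creds["Expiration"])
    if expires - now < timedelta(minutes=1):  # expired, or too close to it to be useful
        return None
    return creds


def clear_cache(path: PathLike = DEFAULT_CACHE) -> None:
    """Forget cached credentials (e.g. on logout)."""
    Path(path).unlink(missing_ok=True)


def use_cache(path: PathLike = DEFAULT_CACHE, now_iso: Optional[str] = None, out=None) -> int:
    """`--use-cache`: re-export cached credentials and return 0, or return 1 on a miss.

    A POSIX exit status is 0..255, so the -1 proposed above would surface as 255; any
    nonzero value lets `okta-awscli --use-cache || okta-awscli` fall back to a full login.
    """
    creds = load_cache(path, now_iso)
    if creds is None:
        return 1
    out = out or sys.stdout
    for key, env in (("AccessKeyId", "AWS_ACCESS_KEY_ID"),
                     ("SecretAccessKey", "AWS_SECRET_ACCESS_KEY"),
                     ("SessionToken", "AWS_SESSION_TOKEN")):
        out.write(f"export {env}={shlex.quote(creds[key])}\n")  # quoted, safe for eval
    return 0


if __name__ == "__main__":
    # Constructed credentials, written then re-exported, to show the round trip.
    save_cache({"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed",
                "SessionToken": "constructed", "Expiration": "2030-01-01T00:00:00+00:00"})
    sys.exit(use_cache())
```

The permission check on load is as important as the mode on save: the cached session token is a bearer credential, so a file that another local user can read should be refused rather than re-exported.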

Error: no such option - when passing multiple parameters to aws cli

It seems that okta-awscli doesn't support passing through commands with multiple parameters (or isn't parsing them correctly)

Works fine:
okta-awscli --profile okta s3 ls s3://bucket-name/client/

But this does not:
okta-awscli --profile okta s3 ls s3://bucket-name/client/ --human-readable --summarize --recursive
It returns:
Error: no such option: --human-readable

However running the same directly with aws cli works:
aws --profile okta s3 ls s3://bucket-name/client/ --human-readable --summarize --recursive

Running okta-awscli under zsh gives ImportError: No module named parse

Describe the bug
Running okta-awscli under zsh gives ImportError: No module named parse

To Reproduce
Steps to reproduce the behavior:
pip install okta-awscli
okta-awscli

Expected behavior
No stack trace

Output

Traceback (most recent call last):
  File "/Users/ctote/Library/Python/2.7/bin/okta-awscli", line 5, in <module>
    from oktaawscli.okta_awscli import main
  File "/Users/ctote/Library/Python/2.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 8, in <module>
    from oktaawscli.okta_auth import OktaAuth
  File "/Users/ctote/Library/Python/2.7/lib/python/site-packages/oktaawscli/okta_auth.py", line 9, in <module>
    from urllib.parse import parse_qs
ImportError: No module named parse

Environment (please complete the following information):

  • OS: MacOS
  • Version of okta-awscli you're running. exits too soon

Additional context
This wasn't an issue, but after Mac made zsh the default shell I had to reinstall okta-awscli - after doing that, I now get this trace.

Unable to do MFA with sms

Enter password:
ERROR - Unsupported factorType: sms
MFA required, but no supported factors enrolled! Exiting.

Python 3.x: Can't import version file when running okta-awscli

Inside a Python 3.6.5 virtualenv:

okta-awscli
Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 7, in <module>
    from oktaawscli.okta_awscli import main
  File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 4, in <module>
    from version import __version__
ModuleNotFoundError: No module named 'version'

Support Okta app (aws account) choice in config

Following on from #3 and #4, if you can add support to specify the "app" in the profile defined in ~/.okta-aws then the tool becomes even more efficient to use (leaving the only interactive prompt being the MFA code)

allow us to have more default values in the config

I have several profiles where all the info is the same except for the role name. I added all the repeated items to the default profile but it only recognizes the base-url. It pulled that from default but asked me for the username even though it was defined in default as well

Expired AWS GovCloud tokens are not recognized as needing to be refreshed

Describe the bug
When an AWS GovCloud token expires, okta-awscli reports INFO - STS credentials are valid. Nothing to do.

To Reproduce
Steps to reproduce the behavior:

  1. Request a govcloud token
  2. Allow it to expire
  3. Try to acquire new token via okta-awscli with debug turned on
  4. See okta-awscli reports INFO - STS credentials are valid. Nothing to do.

Expected behavior
okta-awscli prompts the user for credentials and requests a new token

Output

± okta-awscli --okta-profile {oktaProfile} --profile {profile} -d
DEBUG - Setting AWS role to {roleArn}
INFO - STS credentials are valid. Nothing to do.

Environment (please complete the following information):

  • OS: MacOS
  • Version of okta-awscli you're running. okta-awscli -V : 0.4.1

Additional context
Default aws credentials are for us-west-2. Changing to us-gov-east-1 did not resolve.


👋 Hey folks, I've been using okta-awscli successfully against the standard aws partition for a few months now and started encountering this strange behavior when using the tool to authenticate to AWS GovCloud. At first, my resolution was to delete the profile created in ~/.aws/credentials (but now I know there's a --force command!). After getting frustrated, I decided to look deeper and found what appears to be a mishandling of the GovCloud partition when checking if a token is still valid.

I have created a patch that was able to resolve the issue for me and I'll submit a PR shortly. Let me know if there's any other information I can provide.

Cheers!
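AWS partitions (commercial `aws`, `aws-us-gov`, `aws-cn`) are isolated from each other: STS in one partition does not recognise credentials issued in another, so a "are these credentials still valid" probe has to be sent to an STS endpoint in the partition the role ARN belongs to. The following is an added example of deriving that endpoint from the role ARN, not the patch mentioned above or okta-awscli's own code; the per-partition default regions and the ARN shape are assumptions for the example.

```python
import re
from typing import Optional

ARN_RE = re.compile(
    r"^arn:(?P<partition>[a-z0-9-]+):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)

# DNS suffix and an assumed default STS region per partition; any region inside
# the same partition would do for a GetCallerIdentity probe.
PARTITIONS = {
    "aws": ("amazonaws.com", "us-east-1"),
    "aws-us-gov": ("amazonaws.com", "us-gov-west-1"),
    "aws-cn": ("amazonaws.com.cn", "cn-north-1"),
}


def partition_of_arn(arn: str) -> str:
    """Extract the partition field of an ARN, e.g. 'aws-us-gov'."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.group("partition")


def partition_of_region(region: str) -> str:
    """Map a region name to its partition by prefix (GovCloud before the generic 'us-')."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def sts_endpoint(role_arn: str, region: Optional[str] = None) -> str:
    """Regional STS endpoint in the partition the role lives in.

    A region taken from the AWS profile (us-west-2 in the report above) is only used
    when it belongs to the same partition as the role; otherwise the mismatch is an
    error instead of a probe against the wrong partition.
    """
    partition = partition_of_arn(role_arn)
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {role_arn}")
    suffix, default_region = PARTITIONS[partition]
    region = region or default_region
    if partition_of_region(region) != partition:
        raise ValueError(f"region {region} is not in partition {partition} of {role_arn}")
    return f"https://sts.{region}.{suffix}"
```

With the endpoint in hand, the validity check itself is a `GetCallerIdentity` call made with the cached keys (for boto3, `boto3.client("sts", region_name=region, endpoint_url=sts_endpoint(role_arn, region), ...)`); any error from that call, not only an explicit expiry message, should be treated as "credentials need refreshing".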

MFA Factor Mismatch

Sometimes, the MFA factor chosen doesn't match up with the factor being verified against Okta.

Results in a secondary authentication failure.

okta-awscli --verbose
Authenticating as: <<redacted>>
Enter password:
Registered MFA factors:
1: Okta Verify
2: Google Authenticator
Please select the MFA factor: 2
Performing secondary authentication using: OKTA
Enter MFA token:

MFA fails with single factor enrolled

When trying to authenticate to Okta, having only a single factor enrolled, okta-awscli fails with the following stack trace:

Traceback (most recent call last):
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/bin/okta-awscli", line 11, in <module>
    sys.exit(main())
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 100, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
    app_name, assertion = okta.get_assertion()
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 216, in get_assertion
    session_token = self.primary_auth()
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 58, in primary_auth
    session_token = self.verify_mfa(factors_list, state_token)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 88, in verify_mfa
    supported_factors[0]['id'], state_token)
  File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 133, in verify_single_factor
    if factor['factorType'] == 'token:software:totp':
TypeError: string indices must be integers

Expected result: Primary auth should succeed and prompt for the single factor token.

Docker Build and runtime

Is your feature request related to a problem? Please describe.
When testing python modules, I like to do it as a docker container. Also, for application automation and giving the command to other non-technical users, it is easier to do through docker than to provide the instructions to install on the various Linux/Windows/Kubernetes servers we run.

Describe the solution you'd like
Solution provided: A docker file with instructions on how to use it.

Describe alternatives you've considered
Following the standard build dock or python install to user space

Additional context
Provided Pull request with the proposed feature request
#130

TypeError exception thrown if role is defined in ~/.okta-aws

If a role statement is listed in ~/.okta-aws, a TypeError exception is thrown after making a selection from the list of available apps:

Traceback (most recent call last):
  File "/usr/local/bin/okta-awscli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 104, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 20, in get_credentials
    role = aws_auth.choose_aws_role(assertion)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 38, in choose_aws_role
    predefined_role = self.__find_predefiend_role_from(roles)
  File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 156, in __find_predefiend_role_from
    return next(found_roles)
TypeError: list object is not an iterator

If the role line is deleted from ~/.okta-aws, then the exception is not encountered. Looking at aws_auth.py:

    def __find_predefiend_role_from(self, roles):
        found_roles = filter(lambda role_tuple: role_tuple.role_arn == self.role, roles)
        if not found_roles:
            return None
        else:
            return next(found_roles)

found_roles is of <type 'list'> which is causing the TypeError when next(found_roles) is called. Setting return next(iter(found_roles)) prevents the Exception as a work-around.
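The `filter()` difference between Python versions cuts both ways: on Python 2 it returns a list, so `next()` raises the TypeError shown above, while on Python 3 it returns a lazy iterator, so `if not found_roles` is always false and a configured role that the assertion does not offer would end in an uncaught StopIteration. The following is an added example of a version-independent lookup, not okta-awscli's code; the `AwsRole` tuple shape, the `answer` parameter and matching by bare role name (the README's `role = <role name>`) in addition to full ARN are extensions made for the example.

```python
from collections import namedtuple
from typing import Iterable, List, Optional

# Shape of the roles parsed out of the SAML assertion (assumed for this example).
AwsRole = namedtuple("AwsRole", ["role_arn", "principal_arn"])


def find_predefined_role(roles: Iterable[AwsRole], wanted: Optional[str]) -> Optional[AwsRole]:
    """Match the configured role against the roles offered in the assertion.

    A generator with a default value works the same on a list and on an iterator
    and returns None when nothing matches, so there is no StopIteration to leak.
    """
    if not wanted:
        return None
    return next(
        (r for r in roles if r.role_arn == wanted or r.role_arn.endswith(":role/" + wanted)),
        None,
    )


def choose_aws_role(roles: List[AwsRole], wanted: Optional[str], answer=None) -> AwsRole:
    """Use the predefined role when it is offered; otherwise fall back to a prompt.

    `answer` injects the user's 1-based menu choice so the function can be tested offline.
    """
    found = find_predefined_role(roles, wanted)
    if found is not None:
        return found
    if len(roles) == 1:
        return roles[0]
    for i, r in enumerate(roles, 1):
        print(f"{i}: {r.role_arn}")
    choice = int(answer if answer is not None else input("Please select the AWS role: "))
    if not 1 <= choice <= len(roles):
        raise ValueError(f"choice {choice} is out of range 1..{len(roles)}")
    return roles[choice - 1]
```

Falling back to the prompt when the configured role is not offered (instead of crashing) also surfaces a useful signal: if a role the user expects to see is missing from the assertion, the Okta app assignment or the trust policy has changed.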

Reconcile MFA mechanisms

Since the support for per-app MFA was included, two separate mechanisms for handling MFA have begun to emerge. They're doing very similar things, but in different ways.

I refactored the Okta auth code to pull each of these out into their own classes in order to help reason about what each of them are doing, but the ultimate goal should be to combine these into one of the existing or a new class and use that for both login flows.

Currently, we have support for different factors depending on if the user is authenticating to the base org or an app. Okta doesn't differentiate between the two on what factors are allowed, so neither should we.

Use beautifulsoup4 module, not bs4

Describe the bug
bs4 is a pure wrapper for beautifulsoup4; use beautifulsoup4 directly to reduce dependency confusion

To Reproduce
Steps to reproduce the behavior:

  1. pip install okta-awscli
  2. pip list

Expected behavior
Only beautifulsoup4, which contains the actual software, should be present.

bs4 merely provides a requirement for beautifulsoup4, it doesn't specify the version. If you want to lock the versions of all dependencies, beautifulsoup4 must be listed directly and locked specifically.

Don't always save the role

Is your feature request related to a problem? Please describe.
https://github.com/jmhale/okta-awscli/blob/ceeab286525bc4be78e703932dc3f41024cc4419/oktaawscli/okta_awscli.py#L23

The script assumes that you want to save the role that you select and then doesn't prompt upon further invocations. Maybe I want to choose a different role and different times. It would be nice to have that option without having to edit the dot file

Describe the solution you'd like
Add a command-line option and a config option to not save the role
--no-save-role or

no-save-role = true

Describe alternatives you've considered
All other alternatives involve munging the config file, which sucks.
perl -p -i -e 's/role = .*//g' ~/.okta-aws etc

Some URLs cause parsing error for app-link

Describe the bug
I have noticed that app-link URLs like: https://company.okta.com/home/amazon_aws/0obm6u4wyuVYgbLdJ0x7/172 cause parsing error in okta_auth_config.py at line 45 (version 0.4.4).
It is caused by an underscore character '_' that should be encoded prior to verification like '%5F'.

Traceback (most recent call last):
  File "/Users/nowam1/Library/Python/3.7/bin/okta-awscli", line 8, in <module>
    sys.exit(main())
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 115, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache, refresh_role
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 18, in get_credentials
    okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
    self.app_link = okta_auth_config.app_link_for(okta_profile)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_auth_config.py", line 45, in app_link_for
    if not validators.url(app_link):
  File "<decorator-gen-29>", line 2, in url
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/validators/utils.py", line 83, in wrapper
    value = func(*args, **kwargs)
  File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/validators/url.py", line 148, in url
    result = pattern.match(value)
TypeError: expected string or bytes-like object

To Reproduce
Steps to reproduce the behavior:

  1. Specify app-link URLs in the form specified above.
  2. Run okta-awscli
  3. See error

Expected behavior
A clear and concise description of what you expected to happen.

Output
Output of your okta-awscli run, using the --debug flag.

Environment (please complete the following information):

  • OS: MacOS
  • okta-awscli 0.4.4

Additional context
Workaround:

  • comment out line 45 - 47
    - OR -
  • encode underscore or other invalid URL character with proper sequence e.g. '%5F'
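The `TypeError: expected string or bytes-like object` in the traceback is what `re.match` raises when it is handed `None` rather than a string, and an underscore is an unreserved character in URL paths that `urllib.parse` accepts as-is, so a validator built on the standard library avoids both the crash and the encoding workaround. The following is an added example of such a check, not okta-awscli's code: it reports every problem with an app-link at once and, because the authenticated session is later used to fetch the SAML assertion from this URL, it also pins the host to the org configured as `base-url` (the `/home/` path convention is an assumption).

```python
from typing import List, Optional
from urllib.parse import urlsplit


def app_link_problems(app_link: Optional[str], base_url: str) -> List[str]:
    """Return the reasons an app-link is unusable; an empty list means it is acceptable."""
    if not isinstance(app_link, str) or not app_link.strip():
        # A missing option reaches a regex-based validator as None; say so plainly instead.
        return ["app-link is not set in the profile"]
    parts = urlsplit(app_link.strip())
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme or 'none'!r}")
    host = (parts.hostname or "").lower()
    if host != base_url.strip().lower():
        # The session is sent to this host; it must be the user's own Okta org.
        problems.append(f"host {host!r} is not the configured Okta org {base_url!r}")
    if not parts.path.startswith("/home/"):
        problems.append("path does not look like an Okta app link (expected /home/<app>/...)")
    if parts.query or parts.fragment:
        problems.append("app-link should not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    # The URL shape from the report above, checked against its own org.
    link = "https://company.okta.com/home/amazon_aws/0obm6u4wyuVYgbLdJ0x7/172"
    for reason in app_link_problems(link, "company.okta.com") or ["app-link OK"]:
        print(reason)
```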

Feature Request: Allow user to disable ssl verification

Is your feature request related to a problem? Please describe.
Our corporation uses web filtering on traffic out to the internet, and these filters have self-signed certificates. We need a way to use this tool where we can disable ssl verification

Describe the solution you'd like
I'm thinking a flag that can be set when running the command:
'okta-awscli --okta-profile okta-profile-name --profile awscli-profile-name --ssl-verify false'

However, there could be other solutions. Maybe it could also be something when installed:
'pip install okta-awscli --ssl-verify false'

Describe alternatives you've considered
I've actually gone into 'okta_auth.py' and manually edited line 34 from:

'self._verify_ssl_certs = True'

to:

'self._verify_ssl_certs = False'

However, this isn't very scalable...

Additional context
Any help is appreciated. Thanks!
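A TLS-inspecting proxy presents its own certificate chain, and the way to make that chain acceptable is to trust the proxy's CA, not to disable verification for every connection the tool makes (which would also accept any other interposed host, with the user's Okta password and session in transit). The following is an added example, not okta-awscli's code, of a profile setting that accepts a CA bundle path but refuses "false"; the option name `ssl-verify` and its accepted values are assumptions for the example.

```python
import os
import ssl
from typing import Optional, Union


def resolve_verify(setting: Optional[str]) -> Union[bool, str]:
    """Interpret a profile's `ssl-verify` value (assumed option name).

    '' or 'true' keeps default verification; a path adds that CA bundle; 'false' is
    rejected with a message pointing at the supported alternative.
    """
    value = (setting or "").strip()
    if value == "" or value.lower() == "true":
        return True
    if value.lower() in ("false", "no", "0"):
        raise ValueError(
            "ssl-verify=false is not supported; set ssl-verify to the path of your proxy's CA bundle"
        )
    if not os.path.isfile(value):
        raise FileNotFoundError(f"CA bundle not found: {value}")
    return value


def tls_context(verify: Union[bool, str] = True) -> ssl.SSLContext:
    """Build a context that always verifies; a str adds the given CA bundle to the trust store."""
    if verify is False:
        raise ValueError("refusing to create an unverified TLS context")
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if isinstance(verify, str):
        ctx.load_verify_locations(cafile=verify)  # the proxy's CA, alongside the system roots
    return ctx
```

The `True`-or-path value returned by `resolve_verify` has the same meaning as the `verify=` argument of `requests`, which also honours the `REQUESTS_CA_BUNDLE` environment variable, so an HTTP client built on it needs no further plumbing.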

Presented factor inaccurate when U2F is registered

I noticed today that my factors list has recently become skewed. The factor I choose didn't match up with the factor that was actually selected.

This is because the list being presented to the user is from the supported_factors list, while the choice is pulled from the encompassing factors_list object. When no U2F factor is registered, these lists are one and the same, but once you register a U2F factor they start to diverge and the indexing gets skewed.

The fix here is to have the actual factor chosen come from supported_factors, instead of factors_list.
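The index skew described here (and the earlier "MFA Factor Mismatch" report, where Google Authenticator was selected but OKTA was verified) comes from building the menu from one list and applying the choice to another. The following is an added example showing the skewed selection beside the corrected one on a constructed factors list with a U2F key enrolled between two supported factors; it is not okta-awscli's code, and the supported-type set and factor records are assumptions for the example.

```python
from typing import Dict, List

# Factor types this example can drive (assumed; the real set depends on the tool's version).
SUPPORTED_FACTOR_TYPES = ("push", "token:software:totp")

# Constructed factors in the shape of Okta's MFA_REQUIRED response, with a U2F key
# enrolled between the two supported factors so the two lists differ.
FACTORS: List[Dict[str, str]] = [
    {"id": "opf-push-constructed", "factorType": "push", "provider": "OKTA"},
    {"id": "fuf-u2f-constructed", "factorType": "u2f", "provider": "FIDO"},
    {"id": "ost-totp-constructed", "factorType": "token:software:totp", "provider": "GOOGLE"},
]


def supported_factors(factors_list: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The factors the tool can complete; this is the list the menu must be built from."""
    return [f for f in factors_list if f["factorType"] in SUPPORTED_FACTOR_TYPES]


def menu_lines(factors_list: List[Dict[str, str]]) -> List[str]:
    """Numbered menu as shown to the user, one line per supported factor."""
    return [f"{i}: {f['provider']} {f['factorType']}" for i, f in enumerate(supported_factors(factors_list), 1)]


def choose_factor_skewed(factors_list: List[Dict[str, str]], selection: int) -> Dict[str, str]:
    """The bug: the menu is built from the filtered list but the choice indexes the full one."""
    shown = supported_factors(factors_list)
    if not 1 <= selection <= len(shown):
        raise ValueError(f"selection {selection} out of range 1..{len(shown)}")
    return factors_list[selection - 1]


def choose_factor(factors_list: List[Dict[str, str]], selection: int) -> Dict[str, str]:
    """The fix: index the same list the user saw, so the verified factor is the chosen one."""
    shown = supported_factors(factors_list)
    if not 1 <= selection <= len(shown):
        raise ValueError(f"selection {selection} out of range 1..{len(shown)}")
    return shown[selection - 1]


if __name__ == "__main__":
    print("\n".join(menu_lines(FACTORS)))
    print("skewed choice 2 ->", choose_factor_skewed(FACTORS, 2)["factorType"])
    print("fixed  choice 2 ->", choose_factor(FACTORS, 2)["factorType"])
```

Verifying a factor other than the one the user picked is more than an annoyance: a push sent to the wrong device, or a TOTP code checked against the wrong enrolment, is exactly the kind of inconsistency an MFA flow should never produce, so the selection and verification steps should share one list.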

AttributeError: 'OktaAuthConfig'

Hello,
I'm trying to implement an okta authentication to get an aws access by CLI, but I'm getting this error:

DEBUG - Selected app: Amazon Web Services
Traceback (most recent call last):
  File "C:\Users\lmechtaoui\AppData\Local\Programs\Python\Python35\Scripts\okta-awscli-script.py", line 33, in <module>
    sys.exit(load_entry_point('okta-awscli==0.4.5', 'console_scripts', 'okta-awscli')())
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 782, in main
    rv = self.invoke(ctx)
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_awscli.py", line 121, in main
    aws_auth, okta_profile, profile, verbose, logger, token, cache, refresh_role, okta_username, okta_password
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_awscli.py", line 23, in get_credentials
    _, assertion = okta.get_assertion()
  File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_auth.py", line 156, in get_assertion
    self.okta_auth_config.save_chosen_app_link_for_profile(self.okta_profile, self.app_link)
AttributeError: 'OktaAuthConfig' object has no attribute 'save_chosen_app_link_for_profile'

Is there something wrong with my setup? python version?
thanks
