okta-awscli / okta-awscli
Provides Okta authentication for awscli
License: Apache License 2.0
Enter password:
ERROR - Unsupported factorType: sms
MFA required, but no supported factors enrolled! Exiting.
Can the okta password be encrypted in .okta-aws? How about skipping from storing the password?
Thanks
I have several profiles where all the info is the same except for the role name. I added all the repeated items to the default profile but it only recognizes the base-url. It pulled that from default but asked me for the username even though it was defined in default as well
When trying to authenticate to Okta, having only a single factor enrolled, okta-awscli fails with the following stack trace:
Traceback (most recent call last):
File "/Users/jhale/Repos/virtualenvs/okta-awscli/bin/okta-awscli", line 11, in <module>
sys.exit(main())
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 100, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
app_name, assertion = okta.get_assertion()
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 216, in get_assertion
session_token = self.primary_auth()
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 58, in primary_auth
session_token = self.verify_mfa(factors_list, state_token)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 88, in verify_mfa
supported_factors[0]['id'], state_token)
File "/Users/jhale/Repos/virtualenvs/okta-awscli/lib/python2.7/site-packages/oktaawscli/okta_auth.py", line 133, in verify_single_factor
if factor['factorType'] == 'token:software:totp':
TypeError: string indices must be integers
Expected result: Primary auth should succeed and prompt for the single factor token.
When selecting a GovCloud account to retrieve credentials for, the CLI bombs out in the aws_auth.get_sts_token() function, presumably because of the change in ARN structure that happens in GovCloud, but I need to investigate further.
Stack trace after selecting a GovCloud AWS app and a role:
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 55, in main
get_credentials(aws_auth, okta_profile, profile, verbose)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
token = aws_auth.get_sts_token(role_arn, principal_arn, assertion)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 46, in get_sts_token
SAMLAssertion=assertion)
File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 317, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 615, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 3cd5eb44-f141-11e7-96a2-e5cb4ab98b8b)
Describe the bug
Enter password:
ERROR - Unsupported factorType: webauthn
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
To Reproduce
Steps to reproduce the behavior:
okta-awscli
Expected behavior
Output
Output of your okta-awscli run, using the --debug flag
INFO - STS credentials are valid. Nothing to do.
INFO - Force option selected, getting new credentials anyway.
INFO - Using base-url from default profile some_okta_subdomain.okta.com
Enter username: some_user
Enter password: *hidden*
INFO - App Link set as: None
ERROR - Unsupported factorType: webauthn
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Environment (please complete the following information):
okta-awscli -V: 0.4.1
Additional context
In case this is not a bug, but I forgot to install/configure something, please point me in the right direction.
Describe the bug
When running okta-awscli I get an error after entering the password field (no matter what is entered for URL and username)
To Reproduce
Steps to reproduce the behavior:
pip install okta-awscli
okta-awscli
Enter anything for password field
Expected behavior
For password field to pass
Output
okta-awscli --debug
Enter username: test
Enter password:
Traceback (most recent call last):
File "/Users/jwake/Library/Python/3.8/bin/okta-awscli", line 8, in <module>
sys.exit(main())
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_awscli.py", line 114, in main
get_credentials(
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_awscli.py", line 18, in get_credentials
okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
self.app_link = okta_auth_config.app_link_for(okta_profile)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/oktaawscli/okta_auth_config.py", line 45, in app_link_for
if not validators.url(app_link):
File "<decorator-gen-29>", line 2, in url
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/validators/utils.py", line 83, in wrapper
value = func(*args, **kwargs)
File "/Users/jwake/Library/Python/3.8/lib/python/site-packages/validators/url.py", line 148, in url
result = pattern.match(value)
TypeError: expected string or bytes-like object
Environment (please complete the following information):
Additional context
Is there any documentation anywhere what the 'app-link' is?
app-link = <app_link_from_okta> # Found in Okta's configuration for your AWS account.
When I google okta 'app-link' or 'okta application link' nothing comes up. I don't have access to Okta's configuration information so I need to ask for the app link from the client, but as there's no real information what this means or even is, it's a bit difficult for me to ask for it.
Is this something that's required? Does this application interactively request it from me when running? So far, all I'm getting is 'authentication failed' errors and no information as to why via debug.
Describe the bug
I have an account which I want to use in the us-west-2 region. After authentication with okta-awscli, the us-east-1 region gets written to .aws/credentials. This overwrites my settings in .aws/config, which I now have to override another way.
Simply removing the 'region' line in .aws/credentials solves the problem for me.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I can store my preferred region for profile in .aws/config and it will work with aws-shell after authentication.
Environment (please complete the following information):
If a role statement is listed in ~/.okta-aws, a TypeError exception is thrown after making a selection from the list of available apps:
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 104, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/usr/local/lib/python2.7/site-packages/oktaawscli/okta_awscli.py", line 20, in get_credentials
role = aws_auth.choose_aws_role(assertion)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 38, in choose_aws_role
predefined_role = self.__find_predefiend_role_from(roles)
File "/usr/local/lib/python2.7/site-packages/oktaawscli/aws_auth.py", line 156, in __find_predefiend_role_from
return next(found_roles)
TypeError: list object is not an iterator
If the role line is deleted from ~/.okta-aws, then the exception is not encountered. Looking at aws_auth.py:
def __find_predefiend_role_from(self, roles):
    found_roles = filter(lambda role_tuple: role_tuple.role_arn == self.role, roles)
    if not found_roles:
        return None
    else:
        return next(found_roles)
found_roles is of <type 'list'>, which is causing the TypeError when next(found_roles) is called. Setting return next(iter(found_roles)) prevents the exception as a work-around.
Hello,
I'm trying to implement an Okta authentication to get AWS access by CLI, but I'm getting this error:
DEBUG - Selected app: Amazon Web Services
Traceback (most recent call last):
File "C:\Users\lmechtaoui\AppData\Local\Programs\Python\Python35\Scripts\okta-awscli-script.py", line 33, in
sys.exit(load_entry_point('okta-awscli==0.4.5', 'console_scripts', 'okta-awscli')())
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 829, in call
return self.main(*args, **kwargs)
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 782, in main
rv = self.invoke(ctx)
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\click\core.py", line 610, in invoke
return callback(*args, **kwargs)
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_awscli.py", line 121, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache, refresh_role, okta_username, okta_password
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_awscli.py", line 23, in get_credentials
_, assertion = okta.get_assertion()
File "c:\users\lmechtaoui\appdata\local\programs\python\python35\lib\site-packages\oktaawscli\okta_auth.py", line 156, in get_assertion
self.okta_auth_config.save_chosen_app_link_for_profile(self.okta_profile, self.app_link)
AttributeError: 'OktaAuthConfig' object has no attribute 'save_chosen_app_link_for_profile'
Is there something wrong with my setup? Python version?
Thanks
Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
DUO is a supported authentication mechanism when using Okta. It would be nice if this tool supported it.
Describe alternatives you've considered
N/A
Additional context
N/A
It seems that okta-awscli doesn't support passing through commands with multiple parameters (or isn't parsing them correctly).
Works fine:
okta-awscli --profile okta s3 ls s3://bucket-name/client/
But this does not:
okta-awscli --profile okta s3 ls s3://bucket-name/client/ --human-readable --summarize --recursive
It returns:
Error: no such option: --human-readable
However running the same directly with aws cli works:
aws --profile okta s3 ls s3://bucket-name/client/ --human-readable --summarize --recursive
Inside a Python 3.6.5 virtualenv:
okta-awscli
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 7, in <module>
from oktaawscli.okta_awscli import main
File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 4, in <module>
from version import __version__
ModuleNotFoundError: No module named 'version'
Is your feature request related to a problem? Please describe.
Our corporation uses web filtering on traffic out to the internet, and these filters have self-signed certificates. We need a way to use this tool where we can disable ssl verification
Describe the solution you'd like
I'm thinking a flag that can be set when running the command:
'okta-awscli --okta-profile okta-profile-name --profile awscli-profile-name --ssl-verify false'
However, there could be other solutions. Maybe it could also be something when installed:
'pip install okta-awscli --ssl-verify false'
Describe alternatives you've considered
I've actually gone into 'okta_auth.py' and manually edited line 34 from:
'self._verify_ssl_certs = True'
to:
'self._verify_ssl_certs = False'
However, this isn't very scalable...
Additional context
Any help is appreciated. Thanks!
Is there anyway to adjust the STS token duration?
Error handling is mostly non-existent, so we're seeing ugly traces when we encounter issues and the CLI puking on some errors that may be recoverable.
Describe the bug
I have noticed that app-link URLs like https://company.okta.com/home/amazon_aws/0obm6u4wyuVYgbLdJ0x7/172 cause a parsing error in okta_auth_config.py at line 45 (version 0.4.4).
It is caused by an underscore character '_' that should be encoded prior to verification, like '%5F'.
Traceback (most recent call last):
File "/Users/nowam1/Library/Python/3.7/bin/okta-awscli", line 8, in <module>
sys.exit(main())
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 115, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache, refresh_role
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 18, in get_credentials
okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
self.app_link = okta_auth_config.app_link_for(okta_profile)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_auth_config.py", line 45, in app_link_for
if not validators.url(app_link):
File "<decorator-gen-29>", line 2, in url
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/validators/utils.py", line 83, in wrapper
value = func(*args, **kwargs)
File "/Users/nowam1/Library/Python/3.7/lib/python/site-packages/validators/url.py", line 148, in url
result = pattern.match(value)
TypeError: expected string or bytes-like object
➜ ~ cat /Users/nowam1/Library/Python/3.7/lib/python/site-packages/oktaawscli/okta_auth_config.py
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Output
Output of your okta-awscli run, using the --debug flag.
Environment (please complete the following information):
Additional context
Workaround:
Currently, the default operation (no arguments) displays the commands needed to export the obtained credentials to environment variables.
This creates an unnecessary step of copying and pasting them, as well as being insecure, as those secrets now persist in the shell's history.
The default action should export the credentials automatically and move the display functionality to a command line option, --show.
Sometimes, the MFA factor chosen doesn't match up with the factor being verified against Okta.
Results in a secondary authentication failure.
okta-awscli --verbose
Authenticating as: <<redacted>>
Enter password:
Registered MFA factors:
1: Okta Verify
2: Google Authenticator
Please select the MFA factor: 2
Performing secondary authentication using: OKTA
Enter MFA token:
Since the support for per-app MFA was included, two separate mechanisms for handling MFA have begun to emerge. They're doing very similar things, but in different ways.
I refactored the Okta auth code to pull each of these out into their own classes in order to help reason about what each of them is doing, but the ultimate goal should be to combine these into one of the existing or a new class and use that for both login flows.
Currently, we have support for different factors depending on if the user is authenticating to the base org or an app. Okta doesn't differentiate between the two on what factors are allowed, so neither should we.
Is your feature request related to a problem? Please describe.
When testing python modules, I like to do it as a docker container. Also, for application automation and giving the command to other non-technical users, it is easier to do through docker than providing the instructions to install on the various Linux/Windows/Kubernetes servers we run.
Describe the solution you'd like
Solution provided: A docker file with instructions on how to use it.
Describe alternatives you've considered
Following the standard build dock or python install to user space
Additional context
Provided Pull request with the proposed feature request
#130
Describe the bug
When an AWS GovCloud token expires, okta-awscli reports INFO - STS credentials are valid. Nothing to do.
To Reproduce
Steps to reproduce the behavior:
okta-awscli with debug turned on
okta-awscli reports INFO - STS credentials are valid. Nothing to do.
Expected behavior
okta-awscli prompts the user for credentials and requests a new token
Output
± okta-awscli --okta-profile {oktaProfile} --profile {profile} -d
DEBUG - Setting AWS role to {roleArn}
INFO - STS credentials are valid. Nothing to do.
Environment (please complete the following information):
okta-awscli -V: 0.4.1
Additional context
Default aws credentials are for us-west-2. Changing to us-gov-east-1 did not resolve.
👋 Hey folks, I've been using okta-awscli successfully against the standard aws partition for a few months now and started encountering this strange behavior when using the tool to authenticate to AWS GovCloud. At first, my resolution was to delete the profile created in ~/.aws/credentials (but now I know there's a --force command!). After getting frustrated, I decided to look deeper and found what appears to be a mishandling of the GovCloud partition when checking if a token is still valid.
I have created a patch that was able to resolve the issue for me and I'll submit a PR shortly. Let me know if there's any other information I can provide.
Cheers!
I noticed today that my factors list has recently become skewed. The factor I choose didn't match up with the factor that was actually selected.
This is because the list being presented to the user is from the supported_factors list, while the choice is pulled from the encompassing factors_list object. When no U2F factor is registered, these lists are one and the same, but once you register a U2F factor, they start to diverge and the indexing gets skewed.
The fix here is to have the actual factor chosen come from supported_factors, instead of factors_list.
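<br/>
The index skew described in this issue, as an added example that is not okta-awscli's own code: the buggy chooser indexes the unfiltered list while displaying the filtered one, and the fixed chooser indexes the list it displayed. The factor records and the SUPPORTED_FACTOR_TYPES set are constructed for the demo.

```python
# Added example (not okta-awscli's own code): reproduces the index skew
# between the displayed factor list and the list the choice is taken from,
# and shows a chooser that resolves the selection against the displayed list.
# All factor records below are constructed sample data.

# Factor types this demo treats as verifiable (assumption for the example).
SUPPORTED_FACTOR_TYPES = {"token:software:totp", "push"}


def supported_factors_of(factors_list):
    """Keep only the enrolled factors this tool knows how to verify."""
    return [f for f in factors_list if f["factorType"] in SUPPORTED_FACTOR_TYPES]


def menu_for(factors):
    """1-based menu lines, in the order the user sees them."""
    return ["%d: %s" % (i + 1, f["label"]) for i, f in enumerate(factors)]


def choose_factor_buggy(factors_list, selection):
    """The bug: the menu is built from supported_factors, but the index is
    applied to the unfiltered factors_list. Once an unsupported factor (such
    as a U2F key) precedes a supported one, the two lists diverge."""
    supported = supported_factors_of(factors_list)
    menu = menu_for(supported)
    return factors_list[selection - 1], menu


def choose_factor_fixed(factors_list, selection):
    """The fix: index the same list that was displayed, and reject an
    out-of-range selection instead of failing with IndexError later."""
    supported = supported_factors_of(factors_list)
    if not supported:
        raise ValueError("MFA required, but no supported factors enrolled")
    if not 1 <= selection <= len(supported):
        raise ValueError("selection %d is not on the menu" % selection)
    menu = menu_for(supported)
    return supported[selection - 1], menu


# Constructed enrolment: a U2F key registered before the Okta Verify factors.
FACTORS_WITH_U2F = [
    {"id": "f-u2f", "factorType": "u2f", "label": "Security Key"},
    {"id": "f-push", "factorType": "push", "label": "Okta Verify - Push"},
    {"id": "f-totp", "factorType": "token:software:totp", "label": "Okta Verify"},
]


def skew_demo():
    """Return (menu entry the user picked, factor the buggy code verifies,
    factor the fixed code verifies) for a user choosing menu entry 2."""
    buggy, menu = choose_factor_buggy(FACTORS_WITH_U2F, 2)
    fixed, _ = choose_factor_fixed(FACTORS_WITH_U2F, 2)
    return menu[1], buggy["label"], fixed["label"]


if __name__ == "__main__":
    shown, buggy, fixed = skew_demo()
    print("user picked:        ", shown)
    print("buggy code verifies:", buggy)
    print("fixed code verifies:", fixed)
```

Without the U2F entry both choosers agree, which is why the skew only shows up after a U2F key is registered.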
If an org has multiple MFA factor methods enabled, the user may only use one on a regular basis, and having to select it every time can get annoying.
We should support pre-selecting this in the profile defined in ~/.okta-aws
Maybe also have a --prompt flag to override this on a per-execution basis and prompt for which factor to use.
Describe the bug
When no [default] profile is included in ~/.okta-aws, okta-awscli outputs an ugly trace.
To Reproduce
Steps to reproduce the behavior:
~/.okta-aws file with no [default] profile.
okta-awscli without specifying a named profile via --okta-profile.
Expected behavior
okta-awscli should output a clean message, telling the user to either define a default profile or specify a named profile in the command line argument.
Output
okta-awscli --debug
Traceback (most recent call last):
File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 1138, in _unify_values
sectiondict = self._sections[section]
KeyError: 'default'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/jhale/.virtualenvs/okta/bin/okta-awscli", line 11, in <module>
sys.exit(main())
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 104, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 17, in get_credentials
okta = OktaAuth(okta_profile, verbose, logger, totp_token, okta_auth_config)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 25, in __init__
self.https_base_url = "https://%s" % okta_auth_config.base_url_for(okta_profile)
File "/Users/jhale/.virtualenvs/okta/lib/python3.6/site-packages/oktaawscli/okta_auth_config.py", line 30, in base_url_for
base_url = self._value.get('default', 'base-url')
File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 781, in get
d = self._unify_values(section, vars)
File "/usr/local/Cellar/python/3.6.5/Frameworks/Python.framework/Versions/3.6/lib/python3.6/configparser.py", line 1141, in _unify_values
raise NoSectionError(section)
configparser.NoSectionError: No section: 'default'
Environment (please complete the following information):
okta-awscli -V: 0.2.5
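The clean-message behaviour requested in this issue (and the [default] fallback for every key that the earlier "several profiles" report asks for), as an added example that is not the project's OktaAuthConfig: a small reader for an ~/.okta-aws style file that falls back to [default] per key and raises a user-facing error instead of a configparser traceback. The class and function names and the sample file are constructed for the example.

```python
# Added example (not the project's OktaAuthConfig): reads an ~/.okta-aws
# style INI file, falls back to [default] for every key, and turns a missing
# profile or key into a clean user-facing message instead of a traceback.
import configparser


class OktaConfigError(Exception):
    """Clean, user-facing configuration error (constructed for this example)."""


class OktaAwsConfig:
    def __init__(self, text):
        # configparser's special fallback section is the uppercase DEFAULT;
        # the lowercase [default] that ~/.okta-aws uses is an ordinary section,
        # so the fallback has to be done by hand. Interpolation is off so a
        # '%' in a URL or password is not treated as a substitution.
        self._cp = configparser.ConfigParser(interpolation=None)
        self._cp.read_string(text)

    def value_for(self, profile, key, required=True):
        """Look key up in [profile] first, then in [default]."""
        for section in (profile, "default"):
            # has_option() is False for a section that does not exist, so a
            # missing named profile simply falls through to [default].
            if self._cp.has_option(section, key):
                return self._cp.get(section, key)
        if not required:
            return None
        if not self._cp.has_section(profile) and not self._cp.has_section("default"):
            raise OktaConfigError(
                "No [%s] or [default] profile found in ~/.okta-aws. Define a "
                "[default] profile or pass a named one with --okta-profile." % profile)
        raise OktaConfigError(
            "'%s' is not set in [%s] or [default] in ~/.okta-aws." % (key, profile))


def error_message_for(text, profile, key):
    """Return the clean message a lookup would produce, or None if it succeeds."""
    try:
        OktaAwsConfig(text).value_for(profile, key)
        return None
    except OktaConfigError as exc:
        return str(exc)


# Constructed sample file: shared settings in [default], only the role per profile.
SAMPLE_OKTA_AWS = """
[default]
base-url = example.okta.com
username = jane.doe

[dev]
role = arn:aws:iam::111111111111:role/dev-admins
"""

if __name__ == "__main__":
    cfg = OktaAwsConfig(SAMPLE_OKTA_AWS)
    print(cfg.value_for("dev", "base-url"), cfg.value_for("dev", "role"))
    print(error_message_for("[dev]\nrole = x\n", "prod", "base-url"))
```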
Hey, I'm just curious what these lines of code are for?
Describe the bug
Not able to login using Okta Verify. Checked both kinds regular and Push and result are the same - TypeError: can only concatenate str (not "NoneType") to str
To Reproduce
Steps to reproduce the behavior:
Expected behavior
~/.aws/credentials should be updated with a token for okta-aws206
Output
Output of your okta-awscli run, using the --debug flag.
okta-awscli --okta-profile okta-aws206 --profile okta-aws206 --debug
INFO - Temporary credentials have expired. Requesting new credentials.
INFO - Authenticating to: somecompany.okta.com
INFO - Authenticating as: name.surname
Enter password:
INFO - App Link set as: https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/272 # Found in Okta's configuration for your AWS account.
ERROR - Unsupported factorType: sms
Registered MFA factors:
1: Google Authenticator
2: Okta Verify - Push
3: Okta Verify
Please select the MFA factor: 2
INFO - Performing secondary authentication using: OKTA
DEBUG - {'id': 'opf1drfq8icq0OkZ21d8', 'factorType': 'push', 'provider': 'OKTA', 'vendorName': 'OKTA', 'profile': {'credentialId': '[email protected]', 'deviceType': 'SmartPhone_IPhone', 'keys': [{'kty': 'PKIX', 'use': 'sig', 'kid': 'default', 'x5c': ['MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsua0l7mgnN1NmZ8aS9gNLhEeEPpft40umIouk+TjyugDFKMFXD8L5vYcstLxKjzMkm/E+0o0HUeF3zRpKci+QlYGv6rhZ7udwTRKHyCoIQ9gpF3T95qM5NRLjscg1rFSURfmjXMPTmDOTDOXcTBlNvfSqU0DZSSf9MTF2kvL9MI37HkNRU307x26tSzNMTykqhQ1/gNd0AYaQ9es7yJhE5HYaUBqY1oRMJh3Xhm1C068NKgcc58mHXwXSF91Z9l9+ZvgHGboMEajZMIp5FmmajzS9BJb9A6PaBb4W6M96q1yU9RNHQcG4uYjBAY1vAnVXJjNs1Ygd4pBvCr0951HHwIDAQAB']}], 'name': 'GS.phone', 'platform': 'IOS', 'version': '11.2.6'}, '_links': {'verify': {'href': 'https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/verify', 'hints': {'allow': ['POST']}}}}
Waiting for push verification...
ERROR - No Extra Verification
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_awscli.py", line 113, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
_, assertion = okta.get_assertion()
File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_auth.py", line 363, in get_assertion
assertion = self.get_saml_assertion(resp)
File "/usr/local/lib/python3.7/site-packages/oktaawscli/okta_auth.py", line 285, in get_saml_assertion
self.logger.error("SAML assertion not valid: " + assertion)
TypeError: can only concatenate str (not "NoneType") to str
Environment (please complete the following information):
Additional context
~/.okta-aws looks like this:
[okta-aws206]
base-url = somecompany.okta.com
username =name.surname
app-link = https://somecompany.okta.com/home/amazon_aws/0oa1f32y7xf1K56aT1d8/272
Is your feature request related to a problem? Please describe.
I have a few different roles within the same account. So when I authenticate with one role, it automatically adds it to the config file. So, if I re-authenticate with --force, it refreshes STS but authenticates with the same role. I need to manually go and delete the role in the config file.
$ okta-awscli --okta-profile test --profile test
Enter password:
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_Android: xxxxxxxx
[ 1 ] token:software:totp( OKTA ) : [email protected]
Selection: 0
1: arn:aws:iam::xxxxxxxxx:role/xxxxxx-admins
2: arn:aws:iam::xxxxxxxxx:role/xxxxxx-developer
Please select the AWS role: 1
$ okta-awscli --okta-profile test --profile test --force
Enter password:
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_Android: xxxxxxxx
[ 1 ] token:software:totp( OKTA ) : [email protected]
Selection: 0
Describe the solution you'd like
I think the solution can be emptying the role in config when --force is triggered.
Any help is appreciated, thanks.
Describe the bug
Expired password leads to an exception with a KeyError stack trace (not sure if it'd behave the same with other organizations)
To Reproduce
Steps to reproduce the behavior:
id) in the response (sorry I lost the stack trace, but will update if I manage to get it)
Expected behavior
A message indicating that your password is expired
Output
unfortunately lost this, but will try to reproduce at a later point.
Environment (please complete the following information):
okta-awscli -V
Additional context
EOM
Is your feature request related to a problem? Please describe.
https://github.com/jmhale/okta-awscli/blob/ceeab286525bc4be78e703932dc3f41024cc4419/oktaawscli/okta_awscli.py#L23
The script assumes that you want to save the role that you select and then doesn't prompt upon further invocations. Maybe I want to choose a different role at different times. It would be nice to have that option without having to edit the dot file.
Describe the solution you'd like
Add a command-line option and a config option to not save the role
--no-save-role
or
no-save-role = true
Describe alternatives you've considered
All other alternatives involve munging the config file, which sucks.
perl -p -i -e 's/role = .*//g' ~/.okta-aws
etc
If an org has multiple AWS roles configured, the user may only use one on a regular basis, and having to select it every time can get annoying.
We should support pre-selecting this in the profile defined in ~/.okta-aws
Maybe also have a --prompt flag to override this on a per-execution basis and prompt for which role to use. (Similar to what is proposed in #3)
In the regular OKTA UI (i.e. regular OKTA browser application) I can switch between apps without re-authentication.
However, using the command line tool okta-awscli, I have to re-authenticate for each application (in my day-to-day operations work I'm switching applications frequently), so the multiple re-authentications are cumbersome and complicate task automation.
Please can the okta-awscli be updated to work in the same manner as the regular OKTA UI.
When a region is set in ~/.aws/config, the STS call using boto will use that region, instead of a default of us-east-1.
Most of the time, this isn't problematic, since the region set there is valid. However, if the region is set to an invalid value, okta-awscli will fail.
For example, this ~/.aws/config will cause issues:
[default]
region = None
Resulting in this trace:
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/oktaawscli/okta_awscli.py", line 55, in main
get_credentials(aws_auth, okta_profile, profile, verbose)
File "/usr/local/lib/python2.7/dist-packages/oktaawscli/okta_awscli.py", line 16, in get_credentials
token = aws_auth.get_sts_token(role_arn, principal_arn, assertion)
File "/usr/local/lib/python2.7/dist-packages/oktaawscli/aws_auth.py", line 51, in get_sts_token
SAMLAssertion=assertion)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 317, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/client.py", line 602, in _make_api_call
operation_model, request_dict)
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 143, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 172, in _send_request
success_response, exception):
File "/usr/local/lib/python2.7/dist-packages/botocore/endpoint.py", line 265, in _needs_retry
caught_exception=caught_exception, request_dict=request_dict)
File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 227, in emit
return self._emit(event_name, kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/hooks.py", line 210, in _emit
response = handler(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 183, in __call__
if self._checker(attempts, response, caught_exception):
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 251, in __call__
caught_exception)
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 277, in _should_retry
return self._checker(attempt_number, response, caught_exception)
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 317, in __call__
caught_exception)
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 223, in __call__
attempt_number, caught_exception)
File "/usr/local/lib/python2.7/dist-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint URL: "https://sts.None.amazonaws.com/"
I'm not sure why this region is getting set to None. The user that reported this says that it was set to None upon installing awscli and with no further configuration, although I have not independently confirmed.
Either way, the region in the STS calls should be set explicitly or set to ignore invalid values, such as None.
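The region handling the post above asks for, as an added example (not okta-awscli's own code, and not the fix the project eventually shipped): the region for the STS client is taken from an explicit override, then from the profile in ~/.aws/config, then from a default, and any candidate that is not a syntactically plausible region name (the literal string None, an empty value) is ignored rather than handed to boto. The region name pattern and the `profile <name>` section naming are assumptions about ~/.aws/config that match the AWS CLI's documented layout.

```python
"""Added example, not okta-awscli's own code: resolve the region for the STS
AssumeRoleWithSAML call so that a bogus ~/.aws/config value such as
``region = None`` falls back to a sane default instead of producing the
endpoint https://sts.None.amazonaws.com/ seen in the traceback above."""
import configparser
import io
import re

DEFAULT_STS_REGION = "us-east-1"
# Plausible AWS region names: two-letter partition prefix, one or more
# lowercase words, trailing number (us-east-1, ap-southeast-2,
# us-gov-west-1, cn-north-1). Anything else is treated as unset.
_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def is_valid_region(value):
    """True only for a syntactically plausible AWS region name."""
    return bool(value) and _REGION_RE.match(value) is not None


def read_config_region(config_text, profile="default"):
    """Raw ``region`` value from an ~/.aws/config section, or None.

    ~/.aws/config names non-default sections ``[profile <name>]``.
    """
    parser = configparser.ConfigParser()
    parser.read_file(io.StringIO(config_text))
    section = "default" if profile == "default" else "profile %s" % profile
    if parser.has_section(section):
        return parser.get(section, "region", fallback=None)
    return None


def resolve_sts_region(config_text, profile="default", explicit=None):
    """Pick the region for the STS client.

    Precedence: an explicit override (a --region style flag), then the
    profile's configured region, then DEFAULT_STS_REGION. A candidate that
    is not a valid region name (the literal "None", "", whitespace) is
    skipped rather than passed on to boto3.client("sts", region_name=...).
    """
    for candidate in (explicit, read_config_region(config_text, profile)):
        if candidate is not None:
            candidate = candidate.strip()
        if is_valid_region(candidate):
            return candidate
    return DEFAULT_STS_REGION


def sts_endpoint(region):
    """The regional STS endpoint boto would target for the chosen region."""
    if region.startswith("cn-"):
        return "https://sts.%s.amazonaws.com.cn/" % region
    return "https://sts.%s.amazonaws.com/" % region
```

With this in place the config shown in the post resolves to us-east-1 and the endpoint becomes https://sts.us-east-1.amazonaws.com/; a genuinely configured region such as eu-west-1 is still honoured.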
To supplement #6, it'd be nice to also have a way to more easily authenticate more terminals than just one.
New flags: --use-cache
okta-awscli
okta-awscli --use-cache on each terminal
okta-awscli
okta-awscli --use-cache to each script
okta-awscli --use-cache
Using this config:
[default]
username = MY_EMAIL
base-url = MY_OKTA_URL
duration = 3600
app-link = MY_OKTA_URL
role = arn:aws:iam::MY_AWS_UID:role:role/MY_AWS_ROLE
This is the debug output (sanitized):
REMMACD2ZWGTDY:aws ahjr$ okta-awscli --profile default --force --debug
DEBUG - Setting AWS role to arn:aws:iam::MY_AWS_UID:role/MY_AWS_ROLE
INFO - STS credentials are valid. Nothing to do.
INFO - Force option selected, getting new credentials anyway.
INFO - Authenticating to: MY_OKTA_URL
INFO - Authenticating as: MY_EMAIL
Enter password:
INFO - App Link set as: https://MY_OKTA_URL
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1
INFO - Performing secondary authentication using: OKTA
DEBUG - [SOME_PII_SO_SNIPPED]
Waiting for push verification...
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_IPhone: iPhone
[ 1 ] token:software:totp( OKTA ) : MY_EMAIL
Selection: 0
INFO - Okta Verify push sent...
INFO - Using predefined role: arn:aws:iam::MY_AWS_UID:role/MY_AWS_ROLE
INFO - Authenticating to: MY_OKTA_URL
DEBUG - Requesting a duration of 3600 seconds
INFO - Session token expires on: 2020-05-01 04:04:41+00:00
INFO - Temporary credentials written to profile: default
INFO - Invoke using: aws --profile default <service> <command>
Adding factor = OKTA to the config doesn't make a difference - I just don't get this part:
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1
I still get 2 push notifications that I have to acknowledge.
Is there a config I'm missing?
Describe the bug
Running okta-awscli under zsh gives ImportError: No module named parse
To Reproduce
Steps to reproduce the behavior:
pip install okta-awscli
okta-awscli
Expected behavior
No stack trace
Output
Traceback (most recent call last):
File "/Users/ctote/Library/Python/2.7/bin/okta-awscli", line 5, in <module>
from oktaawscli.okta_awscli import main
File "/Users/ctote/Library/Python/2.7/lib/python/site-packages/oktaawscli/okta_awscli.py", line 8, in <module>
from oktaawscli.okta_auth import OktaAuth
File "/Users/ctote/Library/Python/2.7/lib/python/site-packages/oktaawscli/okta_auth.py", line 9, in <module>
from urllib.parse import parse_qs
ImportError: No module named parse
Environment (please complete the following information):
Additional context
This wasn't an issue, but after Mac made zsh the default shell I had to reinstall okta-awscli - after doing that, I now get this trace.
Some users may want to run the script without the need for any interactive prompts. This could be supported by #3, #4, #12 and one final addition:
Add an optional parameter --mfa_code (supported only if the factor choice is specified in config) where the user can specify this on the command line and avoid all interactive prompts.
Hi,
Thanks for your valuable project. What Python version should I use?
I have problem with Python 3.6 at CentOs 7 as below.
Could you help me to resolve below error?
.okta-aws file:
[default]
base-url = xxx.okta.com/home/amazon_aws/0oaxxxxfw1bRFjTaDM0x7/NNN
username = xxx
password = yyy
role = zzz
command:
okta-awscli --profile dev iam users
error:
[root@centos75a ~]# okta-awscli iam list-user
Traceback (most recent call last):
File "/usr/local/bin/okta-awscli", line 11, in <module>
load_entry_point('okta-awscli==0.2.4', 'console_scripts', 'okta-awscli')()
File "/usr/lib64/python3.6/site-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/usr/lib64/python3.6/site-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/lib64/python3.6/site-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib64/python3.6/site-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 104, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
_, assertion = okta.get_assertion()
File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 199, in get_assertion
session_token = self.primary_auth()
File "/usr/local/lib/python3.6/site-packages/oktaawscli/okta_auth.py", line 35, in primary_auth
resp_json = resp.json()
File "/usr/lib/python3.6/site-packages/requests/models.py", line 897, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
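The traceback above ends in a JSONDecodeError because `resp.json()` is called on whatever came back from the authn endpoint. The following is an added example, not okta-awscli's own code: it checks the status code and Content-Type of an Okta /api/v1/authn reply before decoding it, so a non-JSON body surfaces as a readable error naming the URL and what was received. The thread does not say what produced the non-JSON reply, and this example does not claim to; it only makes the failure diagnosable. The `status` values are the ones Okta's authn API documents; the sample bodies in the test are constructed.

```python
"""Added example, not okta-awscli's own code: validate an Okta
/api/v1/authn reply before calling json.loads on it."""
import json

# "status" values the authn API returns that a CLI has to handle
OKTA_DONE = {"SUCCESS"}
OKTA_MFA = {"MFA_REQUIRED", "MFA_ENROLL", "MFA_CHALLENGE"}
# Treated here as needing the user's attention in the Okta UI first
OKTA_BLOCKED = {"LOCKED_OUT", "PASSWORD_EXPIRED", "PASSWORD_WARN"}


class OktaAuthError(Exception):
    """Carries a message the user can act on."""


def parse_authn_response(status_code, content_type, body, url):
    """Return (status, payload) for a usable authn reply, else raise.

    status_code, content_type and body are what a requests.Response
    exposes as .status_code, .headers["Content-Type"] and .text.
    """
    media = (content_type or "").split(";")[0].strip().lower()
    if media != "application/json":
        # An HTML page (login form, 404, proxy error) lands here instead of
        # blowing up inside requests' json() with "Expecting value".
        raise OktaAuthError(
            "expected JSON from %s, got HTTP %d with Content-Type %r; "
            "body begins %r. Check that base-url is the Okta org host the "
            "authn API lives on." % (url, status_code, content_type, body[:60]))
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise OktaAuthError("malformed JSON from %s (HTTP %d): %s"
                            % (url, status_code, exc))
    if status_code >= 400:
        # Okta error documents carry errorCode and errorSummary
        raise OktaAuthError("Okta rejected the request (HTTP %d): %s %s" % (
            status_code, payload.get("errorCode", "?"),
            payload.get("errorSummary", "")))
    status = payload.get("status")
    if status in OKTA_DONE or status in OKTA_MFA:
        return status, payload
    if status in OKTA_BLOCKED:
        raise OktaAuthError(
            "Okta returned status %s; resolve it in the Okta UI first" % status)
    raise OktaAuthError("unhandled authn status %r from %s" % (status, url))
```

In primary_auth this would replace the bare `resp.json()` with `parse_authn_response(resp.status_code, resp.headers.get("Content-Type"), resp.text, resp.url)`, and the user would see which URL answered and with what, instead of a stack trace.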
I use 1Password to store my credentials. I am able to retrieve passwords from 1Password via their own CLI tool. It would be nice if I could chain them together and retrieve the password from 1Password and send it as an argument to okta-awscli.
Describe the bug
bs4 is a pure wrapper for beautifulsoup4; use beautifulsoup4 directly to reduce dependency confusion
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Only beautifulsoup4, which contains the actual software, should be present.
bs4 merely provides a requirement for beautifulsoup4, it doesn't specify the version. If you want to lock the versions of all dependencies, beautifulsoup4 must be listed directly and locked specifically.
Looking at the return saml, if you want to keep a same role name across the board, you end up with a screen of role names. Add several accounts and you're playing spin the wheel to figure out what account you're using.
Proposing either id=alias mapping in the default config or ability to specify a yaml/json/whatever file which is more or less account:alias, one per line. Yaml would probably be my first choice for ease of eyeballing/editing. Specifying the file to read would be done in the config file.
If you want to get extra fancy, another field could be added to give a profile name to use as well, which opens up possibility for "always force profile" to be an option, etc..
Will try to get a pull request submitted for this soon.
I'm getting an error back from the application.
The error is as stated above. The gist of it is that I'm not seeing SAMLResponse in the html. I have 2 input tags, _xsrfToken and fromURI.
Any reason why I wouldn't have gotten a SAMLResponse back?
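An added example serving the two posts above (the account alias mapping proposal and the missing SAMLResponse report); it is not okta-awscli's own code, which uses bs4 rather than the standard library parser used here. It locates the SAMLResponse input in the HTML Okta returns for the AWS app link, reports the inputs that were actually present when it is absent (for the post above that would be _xsrfToken and fromURI), decodes the assertion, lists the role/provider ARN pairs from the AWS Role attribute, and labels each with an alias from an account-id-to-alias mapping. The sample page and assertion are constructed, the alias dictionary stands in for whatever file format the proposal settles on, and the assertion's signature is not checked here: STS verifies it when the assertion is presented, the client only needs the role list.

```python
"""Added example, not okta-awscli's own code: find the SAMLResponse in the
app-link HTML, decode it, list the AWS roles it offers and label them with
account aliases. Standard library only; sample data is constructed."""
import base64
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


class _FormInputs(HTMLParser):
    """Collect name -> value for every <input> on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            a = dict(attrs)
            if "name" in a:
                self.inputs[a["name"]] = a.get("value") or ""


class SamlResponseMissing(Exception):
    pass


def extract_saml_response(html):
    """The SAMLResponse form value, or an error naming what was there instead."""
    parser = _FormInputs()
    parser.feed(html)
    if "SAMLResponse" not in parser.inputs:
        raise SamlResponseMissing(
            "no SAMLResponse input; inputs present: %s" % sorted(parser.inputs))
    return parser.inputs["SAMLResponse"]


def roles_from_assertion(saml_response_b64):
    """[(role_arn, principal_arn)] from the AWS Role attribute.

    Each value is 'role ARN,provider ARN'; AWS accepts the pair in either
    order, so the two are told apart by resource type, not position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("{%s}AttributeValue" % SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) == 2 and role and provider:
                roles.append((role, provider))
    return roles


def label_roles(roles, aliases):
    """[(label, role_arn, principal_arn)] with label '<alias>: <role name>'.

    aliases maps a 12-digit account id to a human name; unmapped accounts
    fall back to the bare id so nothing is silently hidden.
    """
    labelled = []
    for role, provider in roles:
        account = role.split(":")[4]
        name = aliases.get(account, account)
        labelled.append(("%s: %s" % (name, role.split("/", 1)[1]), role, provider))
    return labelled


# Constructed sample data (not captured from a real Okta tenant).
_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/Okta,arn:aws:iam::222222222222:role/Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_HTML = (
    '<html><body><form method="POST" action="https://signin.aws.amazon.com/saml">'
    '<input type="hidden" name="SAMLResponse" value="%s"/></form></body></html>'
    % base64.b64encode(_ASSERTION.encode()).decode())
# The shape the post above describes instead: only the xsrf token and
# return URI inputs, i.e. a login page rather than the SAML POST form.
SAMPLE_LOGIN_HTML = ('<form><input type="hidden" name="_xsrfToken" value="x"/>'
                     '<input type="hidden" name="fromURI" value="/app/amazon_aws"/></form>')
```

Run against SAMPLE_SAML_HTML the two roles come out as "prod: Admin" and "222222222222: Admin" when only account 111111111111 has an alias; run against SAMPLE_LOGIN_HTML the error message lists _xsrfToken and fromURI, which is the information the post above had to dig out by hand.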
When running okta-awscli on Windows, it fails to find the aws cli executable to invoke after retrieving credentials. It looks like a similar issue existed in the SAM cli and was resolved here:
Is there any way to prevent the user password from being saved in .okta-aws file but to be prompted during login?
Thanks
Allie
Currently, only the TOTP option for Okta Verify is supported.
Add support for the push notification method as well.
https://developer.okta.com/docs/api/resources/factors.html#verify-push-factor
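The push flow the request above links to, as an added example (not okta-awscli's own code): after the first POST to the factor's verify link, the authn reply stays at status MFA_CHALLENGE with factorResult WAITING until the user acts, and the client has to re-POST with the stateToken until it sees SUCCESS (with a sessionToken), REJECTED or TIMEOUT. The transport is passed in as a callable so the loop runs offline; in the real client it would POST to the `_links.next` URL with the stateToken and return the parsed JSON. The poll interval and overall timeout are assumptions, not values Okta prescribes.

```python
"""Added example, not okta-awscli's own code: drive an Okta Verify push
factor to completion by polling the verify link."""
import time


class PushFailed(Exception):
    pass


def wait_for_push(verify, sleep=time.sleep, clock=time.monotonic,
                  poll_interval=2.0, timeout=60.0):
    """Poll until Okta reports the push as approved; return the sessionToken.

    verify() re-POSTs the factor verify request and returns the authn JSON.
    factorResult WAITING means the user has not acted yet; status SUCCESS
    carries the sessionToken; REJECTED and TIMEOUT are terminal failures.
    A local deadline stops the loop even if Okta keeps answering WAITING.
    """
    deadline = clock() + timeout
    while True:
        body = verify()
        if body.get("status") == "SUCCESS":
            return body["sessionToken"]
        result = body.get("factorResult")
        if result in ("REJECTED", "TIMEOUT"):
            raise PushFailed("Okta Verify push %s" % result.lower())
        if result != "WAITING":
            raise PushFailed("unexpected factorResult %r" % result)
        if clock() >= deadline:
            raise PushFailed("gave up waiting for push approval after %.0fs"
                             % timeout)
        sleep(poll_interval)
```

A rejected push is reported as a failure rather than retried: a user who tapped "No, it's not me" on a notification they did not originate (the situation described further down the page, where periodic CI jobs trigger pushes) should not be asked again by the same process.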
I'm trying to source the default credential output, but i have some warnings in my output which cause problems. It looks like this is doing some manual log setup which is defaulting to stdout instead of stderr, switching to logging.basicConfig should resolve this.
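What the post above asks for, as an added example (not okta-awscli's own code): log records go to stderr through a handler that is explicit about its stream, and stdout carries only shell-quoted export statements, so `eval "$(okta-awscli ...)"` sees nothing but the credentials. The credential dictionary shape is the one STS returns (AccessKeyId, SecretAccessKey, SessionToken); the `demo` helper and the logger name are mine, used to show the two streams side by side.

```python
"""Added example, not okta-awscli's own code: keep logging on stderr and
emit only shell-safe credential exports on stdout."""
import io
import logging
import shlex

_ENV_MAP = (("AWS_ACCESS_KEY_ID", "AccessKeyId"),
            ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
            ("AWS_SESSION_TOKEN", "SessionToken"))


def make_logger(stream, verbose=False):
    """A logger whose records go to `stream` (sys.stderr in production).

    A dedicated handler rather than the root logger, so nothing else that
    configures logging can redirect these records back onto stdout.
    """
    logger = logging.getLogger("okta-awscli-example")
    logger.handlers = []  # idempotent across repeated calls
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s - %(message)s"))
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG if verbose else logging.INFO)
    return logger


def export_lines(creds):
    """Export statements for the temporary credentials STS handed back.

    shlex.quote keeps the session token (which contains '/', '+' and '=')
    and any future value from being interpreted by the shell that evals it.
    """
    return ["export %s=%s" % (env, shlex.quote(creds[key]))
            for env, key in _ENV_MAP]


def emit_credentials(creds, out, log):
    """Write the exports to `out`; everything else goes through `log`."""
    log.info("Temporary credentials written to stdout; apply with eval")
    text = "\n".join(export_lines(creds)) + "\n"
    out.write(text)
    return text


def demo(creds, verbose=False):
    """Return (stdout_text, stderr_text) to show the separation offline."""
    out, err = io.StringIO(), io.StringIO()
    emit_credentials(creds, out, make_logger(err, verbose))
    return out.getvalue(), err.getvalue()
```

With the constructed credentials in the test, stdout holds exactly three export lines and stderr holds the single INFO record, which is the property a `source`/`eval` caller depends on.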
Is your feature request related to a problem? Please describe.
My Okta org requires MFA when connecting from outside our network (eg: on an EC2 instance), making okta-awscli depend on answering a push notification on my phone. This works but when CICD jobs are triggered periodically I have to answer notifications that I didn't originate (bad security practice).
Describe the solution you'd like
Allow users to proxy requests to Okta for secure credentials through a specified server in their organization's network to avoid MFA requirements when possible (after an appropriate warning). This would reduce friction in automated awscli uses such as CICD systems.
Add argument: okta-awscli --okta-profile $profile_name --proxy-server 1.2.3.4:1234
Describe alternatives you've considered
Currently I use Okta app based MFA, and it has the limitations described above.
Additional context
Any suggestions are appreciated. Thanks for considering!
When attempting to use the CLI in Python 3.6 this error message occurs.
~ cbitterfield$ okta-awscli
Registered MFA factors:
1: Okta Verify - Push
2: Okta Verify
Please select the MFA factor: 1
Traceback (most recent call last):
File "/Users/cbitterfield/Library/Python/3.6/bin/okta-awscli", line 11, in <module>
load_entry_point('okta-awscli==0.2.3', 'console_scripts', 'okta-awscli')()
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_awscli.py", line 104, in main
aws_auth, okta_profile, profile, verbose, logger, token, cache
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_awscli.py", line 19, in get_credentials
_, assertion = okta.get_assertion()
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 199, in get_assertion
session_token = self.primary_auth()
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 40, in primary_auth
session_token = self.verify_mfa(factors_list, state_token)
File "/Users/cbitterfield/Library/Python/3.6/lib/python/site-packages/oktaawscli/okta_auth.py", line 97, in verify_mfa
factor_choice = input('Please select the MFA factor: ') - 1
TypeError: unsupported operand type(s) for -: 'str' and 'int'