Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Request: Handle Okta user password expiration #233

Open tsndqst opened 4 years ago

tsndqst commented 4 years ago

In addition to the user password expiration, the other user status values shown in the Okta documentation should be handled.

Expected Behavior

When a user's Okta password is expired gimme-aws-creds should print out a friendly error message without a large stack trace. A message similar to the LOCKED_OUT message https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/okta.py#L302 would be preferred.

Current Behavior

Currently, a large stack trace is printed with the RuntimeError "Unknown login status". Example:

Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 468, in run
    self._run()
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 795, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 771, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 671, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 662, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 653, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 646, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 599, in aws_results
    self.auth_session
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/main.py", line 581, in auth_session
    auth_result = self.okta.auth_session()
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/okta.py", line 158, in auth_session
    login_response = self.auth()
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/okta.py", line 151, in auth
    flow_state = self._next_login_step(
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds/okta.py", line 317, in _next_login_step
    raise RuntimeError('Unknown login status: ' + status)
RuntimeError: Unknown login status: PASSWORD_EXPIRED

Possible Solution

Add the following lines of code after https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/okta.py#L302

        elif status == 'PASSWORD_EXPIRED':
            raise errors.GimmeAWSCredsError("Your Okta password has expired.", 2)

Steps to Reproduce (for bugs)

  1. Wait for Okta password to expire.
  2. Attempt to get AWS creds
  3. View Unknown login status RuntimeError

Context

Okta passwords expire periodically and the large stack trace is confusing to some users.

Your Environment

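As an added example that is not gimme-aws-creds' own code, the block below shows one way to turn every transaction state that Okta's Authentication API (`/api/v1/authn`) documents into a single friendly line plus an exit code, rather than letting an unexpected state escape as a bare RuntimeError. The state names are the ones Okta documents; the `LoginStatusError` class, the message text, the exit codes and the sample responses are assumptions made for this example and do not come from the project.

```python
"""Map Okta /api/v1/authn transaction states to user-facing errors.

Constructed example, not gimme-aws-creds code. The state names are the
transaction states documented in Okta's Authentication API; the exception
class, messages, exit codes and sample responses are assumptions.
"""
import json


class LoginStatusError(Exception):
    """Hypothetical error type carrying a message and a process exit code."""

    def __init__(self, message, exit_code=2):
        super().__init__(message)
        self.message = message
        self.exit_code = exit_code


# States where the CLI should stop and tell the user what to do; the user
# cannot fix these from the terminal, so no stack trace is useful here.
TERMINAL_STATES = {
    "LOCKED_OUT": "Your Okta access is locked out. Please contact your administrator.",
    "PASSWORD_EXPIRED": "Your Okta password has expired. Change it in the Okta portal and retry.",
    "PASSWORD_RESET": "Your Okta password must be reset before you can sign in.",
    "RECOVERY": "Your Okta account is in recovery. Complete recovery in the Okta portal first.",
    "RECOVERY_CHALLENGE": "Your Okta account is awaiting a recovery challenge. Finish it in the Okta portal first.",
    "MFA_ENROLL": "You must enroll an MFA factor in Okta before using this tool.",
    "MFA_ENROLL_ACTIVATE": "Your Okta MFA factor is enrolled but not activated. Activate it in the Okta portal first.",
    "UNAUTHENTICATED": "Okta reports no authenticated session. Check your credentials and retry.",
}

# States where the login flow continues with another step (password
# warning, MFA prompt); the caller keeps driving the transaction.
CONTINUE_STATES = {"PASSWORD_WARN", "MFA_REQUIRED", "MFA_CHALLENGE"}


def next_login_step(authn_response):
    """Classify one /authn transaction response.

    Returns ("success", sessionToken) or ("continue", status).
    Raises LoginStatusError for terminal states and, with exit code 1,
    for any state this code does not know, so the CLI prints one line
    with the raw status instead of a traceback.
    """
    status = authn_response.get("status")
    if status == "SUCCESS":
        return ("success", authn_response.get("sessionToken"))
    if status in CONTINUE_STATES:
        return ("continue", status)
    if status in TERMINAL_STATES:
        raise LoginStatusError(TERMINAL_STATES[status], exit_code=2)
    raise LoginStatusError("Unknown login status: {}".format(status), exit_code=1)


def handle_response(authn_response):
    """What a CLI entry point would do: return (exit_code, message).

    Exit code 0 carries the flow outcome; non-zero carries the friendly
    message that should be printed without a stack trace.
    """
    try:
        kind, detail = next_login_step(authn_response)
    except LoginStatusError as err:
        return (err.exit_code, err.message)
    if kind == "success":
        # Never print the session token; only report that login succeeded.
        return (0, "SUCCESS")
    return (0, "continue: " + detail)


# Constructed sample responses (trimmed to the fields this example reads).
SAMPLE_EXPIRED = json.loads('{"status": "PASSWORD_EXPIRED", "stateToken": "x"}')
SAMPLE_MFA = json.loads('{"status": "MFA_REQUIRED", "stateToken": "x"}')
SAMPLE_SUCCESS = json.loads('{"status": "SUCCESS", "sessionToken": "tok"}')


if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRED, SAMPLE_MFA, SAMPLE_SUCCESS, {"status": "BOGUS"}):
        code, msg = handle_response(sample)
        print(code, msg)
```

The one design choice worth noting: an unrecognised state still fails, but through the same error type as the known ones, so the CLI's top-level handler prints one line and exits non-zero whether Okta adds a new state or a user simply hits PASSWORD_EXPIRED.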
Xeoneid commented 3 years ago

Please consider adding this. I ran into the exact same problem and had to come here to find out what was going on.