Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Auth Failures to OKTA - auth_result redirect_uri failures due to localhost #302

Open iniquityx2 opened 3 years ago

iniquityx2 commented 3 years ago

Expected Behavior

I should be able to auth against OKTA after entering my password and MFA token

Current Behavior

Starting this afternoon (with no updates to the gimme-aws-creds application), numerous people encountered the exception below when trying to authenticate against OKTA. Earlier today there was no issue. We expect a change was made on the OKTA side. We do not see anything on their status page currently.

Other OKTA login tools are working.

Possible Solution

This solution got the application working again. In short, it looks like http://localhost:8080/login was previously accepted but now it isn't, and we get a 403 response back.

Update this line: `auth_result = self.okta.auth_session()` as so: `auth_result = self.okta.auth_session(redirect_uri=self.conf_dict.get('app_url'))`

Your Environment

- 2.3.1 and 2.4.1 both had the same issue
- Python 3.8
- Windows 10 & Mac experiencing the same issue (haven't tested on Linux yet)

Exception from gimme-aws-creds

```
❯ gimme-aws-creds
Using password from keyring for $SCRUBBED
Multi-factor Authentication required.
token:software:totp( GOOGLE ) :Enter verification code:
Traceback (most recent call last):
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 802, in _run
    for data in self.iter_selected_aws_credentials():
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 773, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 647, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 600, in aws_results
    self.auth_session
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 582, in auth_session
    auth_result = self.okta.auth_session()
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 183, in auth_session
    "session": response.cookies['sid'],
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/requests/cookies.py", line 328, in __getitem__
    return self._find_no_duplicates(name)
  File "/Users/$SCRUBBED/.asdf/installs/python/3.9.5/lib/python3.9/site-packages/requests/cookies.py", line 399, in _find_no_duplicates
    raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='sid', domain=None, path=None"
```

niklasvm commented 3 years ago

I can confirm I am also receiving this error suddenly. I have not carried out any package updates recently.

inadler commented 3 years ago

We are having the same issue

ChristophShyper commented 3 years ago

This is very urgent matter.

I've also opened a ticket on the Okta side: https://support.okta.com/help/s/question/0D54z000072DT6HCAW/gimmeawscreds-broke-aws-sso?language=en_US

autarchprinceps commented 3 years ago

Hmm, I have tried the possible solution, and it didn't fix the issue for me.

runningman84 commented 3 years ago

> update this line: auth_result ****

did not work for me:

I still get:

Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 804, in _run
    for data in self.iter_selected_aws_credentials():
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 775, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 674, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 665, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/main.py", line 656, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/usr/local/Cellar/gimme-aws-creds/2.4.1/libexec/lib/python3.9/site-packages/gimme_aws_creds/okta.py", line 725, in get_saml_response
    raise RuntimeError(saml_error)
RuntimeError: Did not receive SAML Response after successful authentication [https://example.okta-emea.com/home/amazon_aws/xxxxxxxxxx/272]

An error occurred (ExpiredToken) when calling the AssumeRole operation: The security token included in the request is expired
gimme-aws-creds did not work correctly try it manually
thorbenheins commented 3 years ago

The workaround (as committed in fd01e7e) works for me and my team.

ChristophShyper commented 3 years ago

@runningman84 Your error is a totally different one.

autarchprinceps commented 3 years ago

@ChristophShyper If one doesn't change the auth_result, the same error as mentioned in the ticket occurs; the different error only comes after the suggested change.

ChristophShyper commented 3 years ago

@autarchprinceps It's probably because of the difference in SAML configuration. Please make sure you follow AWS and Okta documentation and use newest gimme-aws-creds.

autarchprinceps commented 3 years ago

We are running on 2.4.1 and it has worked until today. No changes to AWS or Okta configs have been made on our side that I'm aware of.

goshiz commented 3 years ago

> The workaround (as committed in fd01e7e) works for me and my team.

Tested and approved.

therealsebo commented 3 years ago

> @runningman84 Your error is a totally different one.

@ChristophShyper I'm facing the exact same issue. To get rid of the error we have commented out the following line: https://github.com/Nike-Inc/gimme-aws-creds/blob/9fd4c4835315413b3104be601ac7e16b81bd0715/gimme_aws_creds/okta.py#L1032

We're using an OKTA tenant in EMEA and don't have an English title "Extra Verification" but instead a German one, "Zusätzliche Bestätigung". Is it possible to handle the title text more generically?

ChristophShyper commented 3 years ago

@therealsebo I don't know, I'm just a user of gimme-aws-creds, same as you. If you know how to fix it then propose a pull request for it. But it should be ready for any translation, I believe.

@autarchprinceps do you also use language other than English?

autarchprinceps commented 3 years ago

Hmm, when using it through the browser the pages are all in English, but therealsebo's fix works for me.

therealsebo commented 3 years ago

@ChristophShyper Is it possible to call the OKTA API with a fixed language of "en"? If we change our user profiles from the default "german" to "english" it works for us. Maybe it is the more generic way to always call the API with language "en" instead of maintaining a dictionary of possible titles.
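Following on from therealsebo's point that the page title is localized, here is an added example (not gimme-aws-creds' own code) of matching the title against a small set of known translations after normalising case and whitespace, instead of comparing against one English string. The two titles are the ones named in this thread; the HTML snippets are constructed and do not reproduce Okta's markup, and the `Accept-Language` header in `english_request_headers()` is an assumption about how one might ask for English pages, not something this thread confirms Okta honours.

```python
"""Locale-tolerant detection of Okta's "Extra Verification" page.

Added example for this thread, not gimme-aws-creds' own code. The HTML
snippets below are constructed and do not reproduce Okta's real markup.
"""
from html.parser import HTMLParser

# Known localisations of the page title. Only the two named in this thread
# are listed; any further entries would be assumptions.
EXTRA_VERIFICATION_TITLES = {
    "Extra Verification",        # English
    "Zusätzliche Bestätigung",   # German (EMEA tenant in the thread)
}


class _TitleParser(HTMLParser):
    """Collects the text inside <title>...</title>."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.chunks.append(data)


def page_title(html: str) -> str:
    """Return the <title> text with surrounding and internal whitespace collapsed."""
    parser = _TitleParser()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())


def normalise(text: str) -> str:
    """Case- and whitespace-insensitive form used for comparison."""
    return " ".join(text.split()).casefold()


def is_extra_verification_page(html: str) -> bool:
    """True when the page title is one of the known localisations.

    Comparing normalised strings means 'EXTRA  VERIFICATION' or a title
    wrapped in newlines still matches, while 'Sign In' does not.
    """
    title = normalise(page_title(html))
    return any(title == normalise(known) for known in EXTRA_VERIFICATION_TITLES)


def english_request_headers() -> dict:
    """Headers for the 'always ask for English' idea raised in the thread.

    Assumption: Okta honours the standard Accept-Language header on these
    pages; the thread only reports that changing the profile language worked.
    """
    return {"Accept-Language": "en"}


# Constructed sample pages (not real Okta responses).
EN_PAGE = "<html><head><title>\n  Extra Verification\n</title></head><body></body></html>"
DE_PAGE = "<html><head><title>Zusätzliche Bestätigung</title></head><body></body></html>"
SIGNIN_PAGE = "<html><head><title>Sign In</title></head><body></body></html>"

if __name__ == "__main__":
    for name, page in (("en", EN_PAGE), ("de", DE_PAGE), ("sign-in", SIGNIN_PAGE)):
        print(name, repr(page_title(page)), is_extra_verification_page(page))
```

The set-of-titles approach only covers languages someone has reported, so a tenant in a third language still needs an entry; pinning the request language, if the service honours it, avoids the dictionary entirely, which is why the two are shown side by side.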

gyang-vonage commented 3 years ago

I'm building the Docker image locally; the fix works for me.

ChristophShyper commented 3 years ago

Fix released: https://github.com/Nike-Inc/gimme-aws-creds/releases/tag/v2.4.2

dland-ethos commented 3 years ago

Happy this is getting addressed but it looks like the push to pypi failed: https://github.com/Nike-Inc/gimme-aws-creds/actions/runs/983595057

RyPeck commented 3 years ago

Looks like the version at https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/__init__.py#L2 needs to be updated.

ranjithvaddepally commented 3 years ago

I've tried to install it, but it doesn't have the latest version:

```
pip install gimme-aws-creds==2.4.2
ERROR: Could not find a version that satisfies the requirement gimme-aws-creds==2.4.2 (from versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.6, 1.1.7, 1.1.8, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1)
ERROR: No matching distribution found for gimme-aws-creds==2.4.2
```

Also I've downloaded the source code and tried that, but I'm still hitting the same error:

```
[demo@test gimme-aws-creds-2.4.2]$ cd bin/
[demo@test bin]$ ls
gimme-aws-creds  gimme-aws-creds.cmd
[demo@test bin]$ ./gimme-aws-creds
/home/demo/aws_access/lib/python3.6/site-packages/secretstorage/dhcrypto.py:16: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/home/demo/aws_access/lib/python3.6/site-packages/secretstorage/util.py:25: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
Okta Password for demo:
Traceback (most recent call last):
  File "./gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 469, in run
    self._run()
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 802, in _run
    for data in self.iter_selected_aws_credentials():
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 773, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 672, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 663, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 654, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 647, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 600, in aws_results
    self.auth_session
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 582, in auth_session
    auth_result = self.okta.auth_session()
  File "/home/demo/aws_access/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 183, in auth_session
    "session": response.cookies['sid'],
  File "/home/demo/aws_access/lib/python3.6/site-packages/requests/cookies.py", line 328, in __getitem__
    return self._find_no_duplicates(name)
  File "/home/demo/aws_access/lib/python3.6/site-packages/requests/cookies.py", line 399, in _find_no_duplicates
    raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='sid', domain=None, path=None"
```

ChristophShyper commented 3 years ago

> Looks like the version at https://github.com/Nike-Inc/gimme-aws-creds/blob/master/gimme_aws_creds/__init__.py#L2 needs to be updated.

@bwynsm can you have a look at the version there? Pip is throwing "File already exists. See https://pypi.org/help/#file-name-reuse for more information."

EDIT: Confirming now version 2.4.3 installed from pip works properly :) Thank you all for fixing it.

jonotto commented 3 years ago

Thanks for these changes @ChristophShyper. It has resolved our issues. I'm really curious what changed in Okta's platform. It appears their weekly update began on 6/28, although I'm not really seeing anything overly obvious in the fixes.

https://help.okta.com/en/prod/Content/Topics/ReleaseNotes/production.htm#Weekly-2106

mjuszczak commented 3 years ago

Thank you for the updates. Would it be possible to release 2.4.3 to homebrew?

ChristophShyper commented 3 years ago

I opened a ticket in Okta, but no response https://support.okta.com/help/s/question/0D54z000072DT6HCAW/gimmeawscreds-broke-aws-sso?language=en_US&t=1624982233632

jphuynh commented 3 years ago

In case anyone hits the same issue, version 2.4.3 worked for us but only after adding the app_url value in our ~/.okta_aws_login_config config file. (It used to work without that attribute.)

i.e.:

```
app_url = https://yourOrg.okta.com
```

flangr-lucid commented 3 years ago

> In case anyone hits the same issue, version 2.4.3 worked for us but only after adding the app_url value in our ~/.okta_aws_login_config config file. (It used to work without that attribute.)
>
> i.e.:
>
> `app_url = 'https://yourOrg.okta.com'`

Thanks! If someone is still struggling, try removing ' quotation marks around URL string (helped in my case).

jphuynh commented 3 years ago

> Thanks! If someone is still struggling, try removing ' quotation marks around URL string (helped in my case).

Ah right, good spot, thanks. Sorry, bad copy-paste from me. (Edited my original comment.)
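Two things in this thread are worth tying together: the workaround of passing `redirect_uri=self.conf_dict.get('app_url')` to `auth_session()` from the opening post, and the later finding that `app_url` must be present in `~/.okta_aws_login_config` and must not be wrapped in quotes. The following is an added example, not gimme-aws-creds' own code: it reads a constructed INI-style config (the real file is INI-style, but the section names and values here are made up), strips stray quotes from `app_url`, refuses anything that is not an https URL, and replaces the bare `response.cookies['sid']` lookup from the tracebacks with a check that names the status code and redirect URI when the session cookie is missing. `normalise_app_url()`, `auth_session_kwargs()` and `session_from_response()` are hypothetical helpers written for this example.

```python
"""app_url from ~/.okta_aws_login_config -> redirect_uri for auth_session(),
plus a readable failure when Okta returns no 'sid' cookie.

Added example for this thread, not gimme-aws-creds' own code. The config
text, section names, status codes and cookies are constructed, and the
helper functions are hypothetical.
"""
import configparser
from urllib.parse import urlparse

# Constructed INI-style config. 'good' is the working form from the thread,
# 'quoted' reproduces the copy-paste mistake (quotes around the URL), and
# 'missing' has no app_url at all.
SAMPLE_CONFIG = """\
[good]
okta_org_url = https://yourOrg.okta.com
app_url = https://yourOrg.okta.com

[quoted]
okta_org_url = https://yourOrg.okta.com
app_url = 'https://yourOrg.okta.com'

[missing]
okta_org_url = https://yourOrg.okta.com
"""


def load_profile(config_text: str, profile: str) -> dict:
    """Read one profile section into a plain dict (configparser lower-cases keys)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return dict(parser[profile])


def normalise_app_url(raw):
    """Strip stray quotes/whitespace and require an https URL; None if unset.

    configparser keeps quote characters literally, so 'https://...' would
    otherwise be sent to Okta quotes and all, which is what the thread hit.
    """
    if raw is None:
        return None
    value = raw.strip().strip("'\"").strip()
    parsed = urlparse(value)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"app_url must be an https URL, got {raw!r}")
    return value


def auth_session_kwargs(profile: dict) -> dict:
    """Keyword arguments for okta.auth_session(), as in the thread's workaround."""
    app_url = normalise_app_url(profile.get("app_url"))
    if app_url is None:
        raise ValueError("app_url is not set in ~/.okta_aws_login_config")
    return {"redirect_uri": app_url}


def session_from_response(status_code: int, cookies: dict, redirect_uri: str) -> dict:
    """The "session": response.cookies['sid'] step with context on failure.

    A bare cookies['sid'] raises KeyError("name='sid', ...") as in the
    tracebacks above; reporting the status and redirect_uri instead makes a
    rejected redirect (403) recognisable at a glance.
    """
    if status_code == 403:
        raise PermissionError(f"Okta returned 403 for redirect_uri={redirect_uri!r}")
    sid = cookies.get("sid")
    if not sid:
        raise RuntimeError(
            f"no 'sid' cookie in Okta response (HTTP {status_code}) "
            f"for redirect_uri={redirect_uri!r}"
        )
    return {"session": sid, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    for name in ("good", "quoted", "missing"):
        try:
            print(name, auth_session_kwargs(load_profile(SAMPLE_CONFIG, name)))
        except ValueError as exc:
            print(name, "ERROR:", exc)
    # Constructed responses: a successful login, then a rejected redirect.
    print(session_from_response(200, {"sid": "constructed-session-id"}, "https://yourOrg.okta.com"))
    try:
        session_from_response(403, {}, "http://localhost:8080/login")
    except PermissionError as exc:
        print("ERROR:", exc)
```

Stripping quotes is a convenience for the copy-paste case; the https check is the part that matters, since the value ends up as the redirect target the IdP is asked to trust, and a typo there should fail at config-load time rather than surface as a `KeyError` deep inside the cookie jar.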

pulkitgupta378 commented 3 years ago

Upgrading gimme-aws-creds to version 2.43 fixed this issue for me: `pip3 install --upgrade gimme-aws-creds`

li2 commented 3 years ago

> Upgrading gimme-aws-creds to version 2.43 fixed this issue for me: `pip3 install --upgrade gimme-aws-creds`

I tried it and can see "Successfully installed gimme-aws-creds-2.4.3", but it shows 2.3.5 when I check the version. Any suggestions? Thanks.

```
Installing collected packages: gimme-aws-creds
Successfully installed gimme-aws-creds-2.4.3
$ gimme-aws-creds --version
gimme-aws-creds 2.3.5
```

ChristophShyper commented 3 years ago

How proficient are you with *nix systems? Probably you have another installation of gimme-aws-creds, e.g. from brew, a manual install, etc.

li2 commented 3 years ago

@ChristophShyper Thanks for the reminder. I just deleted 2.3.5 manually and installed 2.4.3, which works for me. Thanks!

```
$ whereis gimme-aws-creds
$ which gimme-aws-creds
/Library/Frameworks/Python.framework/Versions/3.9/bin/gimme-aws-creds
```

ghost commented 3 years ago

I had, I think, the same issue on version 2.4.3 and I could fix it with the same workaround.

```
RuntimeError: Did not receive SAML Response after successful authentication [<okta url>]
```

The Okta UI for me was in English, but in settings it said it was actually using the browser default language, which I guess wasn't applying to the CLI. So I went into my Okta settings, set it to a different language and then back to English, and then gimme-aws-creds started working again.

igetom commented 2 years ago

When I try to upgrade the gimme-aws-creds version on Windows I only get to 2.4.0 and can't install 2.4.3. Is this version not compatible with Windows?

prakashrajpoudel commented 2 years ago

> The workaround (as committed in fd01e7e) works for me and my team.

The workaround suggested here works for me.