Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Version 2.6.1 doesn't work with Okta #399

Closed snambi closed 1 year ago

snambi commented 1 year ago

Expected Behavior

A simple invocation is expected to create the $HOME/.aws/credentials file.

Current Behavior

Fails with error.

Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 4, in <module>
    __import__('pkg_resources').run_script('gimme-aws-creds==2.6.1', 'gimme-aws-creds')
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 720, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python3.8/site-packages/pkg_resources/__init__.py", line 1570, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/EGG-INFO/scripts/gimme-aws-creds", line 17, in <module>
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 475, in run
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 861, in _run
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 831, in iter_selected_aws_credentials
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 723, in aws_selected_roles
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 714, in aws_roles
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 705, in saml_data
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 698, in aws_app
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 648, in aws_results
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/main.py", line 629, in auth_session
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/okta_identity_engine.py", line 65, in auth_session
  File "/usr/local/lib/python3.8/site-packages/gimme_aws_creds-2.6.1-py3.8.egg/gimme_aws_creds/okta_identity_engine.py", line 115, in _start_device_flow
  File "/usr/local/lib/python3.8/site-packages/requests-2.30.0-py3.8.egg/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://lucid.okta.com/oauth2/v1/device/authorize

Possible Solution

Steps to Reproduce (for bugs)

  1. Install the latest version
  2. Execute the command.
  3. Error happens

Your Environment

epierce commented 1 year ago

It looks like your domain has been migrated to Okta Identity Engine. Have you configured your domain to work with gimme-aws-creds (https://github.com/Nike-Inc/gimme-aws-creds#using-gimme-aws-creds-with-okta-identity-engine)?

snambi commented 1 year ago

@epierce Yes, I found that our domain is migrated to Okta Identity Engine. Thanks for the pointer.

jggatter commented 1 year ago

We just encountered the same problem in our organization when we migrated to OIE. The README section was useful, thanks!

I do have a question about this though:

When using gimme-aws-creds with an OIE domain, you will authenticate using your browser. Storing credentials in keychain or passing MFA codes through the command-line is NOT POSSIBLE.

Why is it no longer possible to use push notifications, keychain, and MFA codes?

epierce commented 1 year ago

Okta is requiring the use of the Device Authorization Flow in OIE, which happens in the browser. Since you have to authenticate in the browser, you won't be able to cache the password to your device's keychain or pass the MFA code using the --mfa-code parameter.
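The browser-based exchange epierce describes, as an added example that is not part of this issue or of gimme-aws-creds itself: a simulated OAuth 2.0 Device Authorization Grant (RFC 8628) with the CLI side and a mock Okta-style authorization server running in one process, no network. The mock server, its registered client id, the verification URI and the reason it returns 400 are constructed assumptions (the page does not state why the real endpoint returned 400); what the exchange shows is that the CLI only ever sends a client id and then a device code, so a cached password or an --mfa-code value has no field to travel in and the user must act in the browser.

```python
import secrets

class MockOIEAuthServer:
    """In-process stand-in for an Okta OIE org's device-authorization and token endpoints (constructed)."""
    def __init__(self, registered_client_id):
        self.client_id = registered_client_id
        self.pending = {}  # device_code -> {"user_code": str, "approved": bool}

    def device_authorize(self, client_id, scope):
        # Step 1: the CLI asks for a device code and a user code. An unregistered
        # client is rejected with 400 here (assumed cause; the page does not state one).
        if client_id != self.client_id:
            return 400, {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(24)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"user_code": user_code, "approved": False}
        return 200, {"device_code": device_code, "user_code": user_code,
                     "verification_uri": "https://example.okta.com/activate", "interval": 5}

    def browser_sign_in(self, user_code):
        # Step 2: the human signs in (password, MFA) in the browser and enters the user
        # code. No input comes from the CLI, so --mfa-code and a cached password cannot apply.
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True
                return True
        return False

    def token(self, device_code):
        # Step 3: the CLI polls with the device code only; there are no credential fields.
        rec = self.pending.get(device_code)
        if rec is None:
            return 400, {"error": "invalid_grant"}
        if not rec["approved"]:
            return 400, {"error": "authorization_pending"}
        del self.pending[device_code]
        return 200, {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}

def run_device_flow(server, client_id, open_browser, max_polls=10):
    # Client side: start the flow, hand the user to the browser, poll until a token arrives.
    status, body = server.device_authorize(client_id, "openid")
    if status != 200:
        raise RuntimeError(f"{status} Client Error from device/authorize: {body['error']}")
    open_browser(body["verification_uri"], body["user_code"])  # user acts out-of-band
    for _ in range(max_polls):
        status, tok = server.token(body["device_code"])
        if status == 200:
            return tok
        if tok["error"] != "authorization_pending":
            raise RuntimeError(f"{status} from token: {tok['error']}")
    raise TimeoutError("user never completed browser sign-in")
```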