Closed nsharma-fy closed 1 year ago
Has your Okta domain been upgraded to Okta Identity Engine?
Yes, looks like we have Okta Identity Engine domain, not a classical one. Not sure if this has been upgraded recently or not, as gimme-aws-creds 2.5.0 and older does not seem to have this check and still works fine.
We have exactly the same issue. Since today it seems that all gimme-aws-creds apps above 2.5.0 stopped working. We have Okta Identity Engine but Okta support claims that we had it from the beginning. Yet, something happened just recently :(
the sessionToken used with Okta Classic domains was removed from OIE, so I don't know how v2.5.0 worked with an OIE domain. What value are you using for gimme_creds_server in your config file? I'll try to replicate this in my test OIE domain
We are using gimme_creds_server = appurl
I just added a --force-classic parameter which will force the use of the old login process when connecting to an OIE domain. However, there is functionality that's been removed in OIE, so not everything works (there are some details in the README). Please install the version in the dev branch (pip3 install --upgrade https://github.com/Nike-Inc/gimme-aws-creds/archive/dev.zip) and let me know if it works for you.
I see the same issue with the version provided
$ gimme-aws-creds --version
gimme-aws-creds 2.6.2
$ gimme-aws-creds
OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.
$ gimme-aws-creds --force-classic
OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.
I think it must just have been an oversight, the assignment of True to force_classic was commented out, so it just stayed False. After uncommenting it, it worked fine for me. Really minor fix!
Yes, @ryanashmore is correct. I was testing the force_classic option in the config file and forgot to re-enable the command line option. Please try out the latest version in the dev branch - gimme-aws-creds --force-classic should work for you now.
Reinstalled the dev version, but getting a different error now
$ gimme-aws-creds --force-classic
Okta Classic login flow enabled
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 475, in run
self._run()
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 873, in _run
for data in self.iter_selected_aws_credentials():
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 842, in iter_selected_aws_credentials
aws_results = executor.map(generate_credentials_prepare_data, self.aws_selected_roles)
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 734, in aws_selected_roles
selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 725, in aws_roles
self.saml_data['SAMLResponse'],
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 716, in saml_data
self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'], self.auth_session)
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/main.py", line 588, in okta
okta = self._cache['okta'] = OktaClassicClient(
File "/usr/local/lib/python3.8/dist-packages/gimme_aws_creds/okta_classic.py", line 82, in __init__
retries = Retry(total=5, backoff_factor=1,
TypeError: __init__() got an unexpected keyword argument 'allowed_methods'
If you do pip3 list, what version do you have for requests and urllib3? You should have urllib3>=1.26 and requests>=2.25
Thanks, it works now. A note: the urllib3 version must be < 2; with higher versions the error below is seen
ImportError: cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (/usr/local/lib/python3.8/dist-packages/urllib3/util/ssl_.py)
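As an added example (not part of this thread or of gimme-aws-creds itself), a small preflight check that encodes the two dependency constraints worked out above: urllib3 must be >=1.26 (older versions have no allowed_methods kwarg on Retry, which is the TypeError in the traceback) and <2 (urllib3 2.x dropped DEFAULT_CIPHERS, which is the ImportError above), and requests must be >=2.25. The function names and the constructed version strings are assumptions.

```python
"""Constructed preflight check for the gimme-aws-creds dependency constraints
discussed in this thread. Pure Python, no third-party imports needed."""
from importlib.metadata import PackageNotFoundError, version as installed_version
from itertools import takewhile


def parse_version(text, width=3):
    """Turn '1.26.18' into (1, 26, 18); pad short versions so '1.26' == '1.26.0'.
    Non-numeric suffixes such as '2.0.0rc1' are cut off at the first non-digit."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def check_versions(urllib3_version, requests_version):
    """Return a list of human-readable problems; an empty list means compatible."""
    problems = []
    u = parse_version(urllib3_version)
    if u < parse_version("1.26"):
        # Retry(allowed_methods=...) only exists from urllib3 1.26 on.
        problems.append("urllib3 %s is too old: Retry() has no 'allowed_methods' "
                        "keyword (need urllib3>=1.26)" % urllib3_version)
    elif u >= parse_version("2"):
        # urllib3 2.x removed DEFAULT_CIPHERS from urllib3.util.ssl_.
        problems.append("urllib3 %s is too new: 'DEFAULT_CIPHERS' was removed from "
                        "urllib3.util.ssl_ (need urllib3<2)" % urllib3_version)
    if parse_version(requests_version) < parse_version("2.25"):
        problems.append("requests %s is too old (need requests>=2.25)" % requests_version)
    return problems


def check_installed():
    """Read the installed package versions and run the same checks on them."""
    found = {}
    for name in ("urllib3", "requests"):
        try:
            found[name] = installed_version(name)
        except PackageNotFoundError:
            return ["%s is not installed" % name]
    return check_versions(found["urllib3"], found["requests"])


if __name__ == "__main__":
    for line in check_installed() or ["dependency versions look compatible"]:
        print(line)
```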
Confirmed. I get the same issue with urllib3
Hi, with brew install gimme-aws-creds version 2.6.1 there is no "--force-classic" option
Also, will it allow to use touch id like in 2.5.0?
the version with --force-classic hasn't been released yet. You'll need to use the pip3 command I posted above to install the latest build from the dev branch
My bad, it works perfectly with touch id, thanks!
hi guys! Can you suggest what to do in my situation? I'm facing the same issue. After running the command with the '--force_classic' parameter, I've got an error: Step-up authetication is not supported when using the '--force_classic' parameter
Is there any workaround to fix it?
Step-up auth is triggered by the authentication policy that's been applied to your AWS app in Okta. If you have a Global Session Policy that requires MFA, the MFA factor you used to login meets the requirements of the app's authentication policy and the reauthentication frequency in the auth policy isn't set to "Every Sign-in Attempt", you can disable remember_device and clear out device_token in your config file and that should work.
Right now, the Device Authorization flow is the only way to authenticate to an OIE domain regardless of the Global Session Policy and Authentication Policy configurations.
--force-classic and the changes to the required Python libraries will be available in the next release
This works on macOS
Getting the below error with the 2.6.x version; it used to work fine with 2.5.0. We are using Okta-AWS Federation.
OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.
Expected Behavior
$ gimme-aws-creds
Okta Password for:
Current Behavior
$ gimme-aws-creds
OAuth Client ID is required for Okta Identity Engine domains. Try running --config again.
Possible Solution
Not a solution, but a workaround is to use 2.5.0
Steps to Reproduce (for bugs)
Context
Not able to generate temporary AWS tokens
Your Environment
App Name: AWS Account Federation
OS Versions: Ubuntu 20.04 and macOS 12.6.3