Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Single Role Being Autoselected if "resolve_aws_alias = True" yet I have 60+ Roles #405

Open JRman opened 1 year ago

JRman commented 1 year ago

If I have "resolve_aws_alias = True" (which I DO want, to decode my AWS account IDs), gimme-aws-creds is autoselecting a SINGLE role for me with no prompting (account IDs and REAL role names redacted):

Detected single role: arn:aws:iam::y:role/test-saml

If I set the same variable to False in my .okta_aws_login_config, I get the complete role list and am prompted:

(I have over 60 roles; I cut the list off for brevity. The X denoting the account ID is UNIQUE for each role.)

Pick a role:

[0] arn:aws:iam::x:role/test-saml
[1] arn:aws:iam::x:role/othertest-saml
[2] arn:aws:iam::x:role/test-saml
[9] arn:aws:iam::x:role/test-saml
[4] arn:aws:iam::x:role/othertest-saml
[5] arn:aws:iam::x:role/test-saml
[6] arn:aws:iam::x:role/test-saml
[7] arn:aws:iam::x:role/othertest-saml
[8] arn:aws:iam::x:role/test-saml
[9] arn:aws:iam::x:role/test-saml
[10] arn:aws:iam::x:role/test-saml
[11] arn:aws:iam::x:role/test-saml
[12] arn:aws:iam::y:role/test-saml
[19] arn:aws:iam::x:role/test-saml
[14] arn:aws:iam::x:role/test-saml
[15] arn:aws:iam::x:role/test-saml
[16] arn:aws:iam::x:role/test-saml
...

Expected Behavior

Would expect prompting for role regardless of the Alias setting.


epierce commented 1 year ago

Do your accounts have unique aliases? If not, the account data won't get read correctly from the AWS role selection screen. If you do have unique aliases, is there anything that's not typical about your setup (e.g. your accounts are in GovCloud, your machine is set to a non-English locale, etc.)? The aliases are scraped out of the AWS role selection screen, so if the HTML elements in your screen are different for some reason, the parser would miss the account names.
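As an added illustration of the scraping epierce describes (this is not gimme-aws-creds' own code): the alias map comes only from the HTML of the AWS role-selection page, so a resolver should keep the raw account ID for any account the parser did not find, and should auto-select only when exactly one distinct ARN remains, never when display labels merely look alike. The markup, element class, and account IDs below are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an AWS role-selection page (not the real markup):
# each account block shows "Account: <alias> (<12-digit id>)".
SAMPLE_HTML = """
<div class="saml-account-name">Account: prod-alias (111111111111)</div>
<div class="saml-account-name">Account: dev-alias (222222222222)</div>
"""

class AccountAliasParser(HTMLParser):
    """Collects account-id -> alias pairs from 'saml-account-name' elements."""
    ACCOUNT_RE = re.compile(r"Account:\s*(?P<alias>\S+)\s*\((?P<id>\d{12})\)")

    def __init__(self):
        super().__init__()
        self.aliases = {}
        self._in_name = False

    def handle_starttag(self, tag, attrs):
        self._in_name = ("class", "saml-account-name") in attrs

    def handle_data(self, data):
        if self._in_name:
            m = self.ACCOUNT_RE.search(data)
            if m:
                self.aliases[m.group("id")] = m.group("alias")

    def handle_endtag(self, tag):
        self._in_name = False

def parse_aliases(html):
    parser = AccountAliasParser()
    parser.feed(html)
    return parser.aliases

def resolve_roles(role_arns, aliases):
    """Return (display_label, arn) pairs; an unresolved account keeps its raw ID."""
    resolved = []
    for arn in role_arns:
        account = arn.split(":")[4]          # arn:aws:iam::<account>:role/<name>
        label = aliases.get(account, account)  # fall back to the ID, never to ""
        resolved.append((arn.replace(f"::{account}:", f"::{label}:"), arn))
    return resolved

def choose_role(resolved):
    """Auto-select only if exactly one distinct ARN exists; None means prompt the user."""
    distinct = {arn for _, arn in resolved}
    return distinct.pop() if len(distinct) == 1 else None
```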

JRman commented 1 year ago

Yes, all the aliases are unique.

The REALLY interesting thing, we only see this when run from the CLI on an AWS EC2 instance. If I run this from my laptop it does NOT happen, I get prompted correctly for role even if alias setting is True.

And the "auto selected" role is the ONE role that matches the account where the EC2 instance is deployed.

So not sure what is going on here... Not sure if somewhere the instance role/profile is being used and confusing things?

epierce commented 1 year ago

I can't replicate this on an EC2 instance. I thought it might be an environment variable that boto is picking up from the EC2 instance, but I can't find any that would cause that issue.

JRman commented 1 year ago

I was looking for any debug flags, etc. that I could maybe try, but did not find any.

solarce commented 10 months ago

I am seeing similar behavior when I have resolve_aws_alias = True and from what I can see, the overall HTML of the AWS page for choosing a role has changed dramatically for me, as of today.

See my redacted screenshot for how it looks for me now: Amazon Web Services Sign-In_2023-08-21_10 19 13

joeclarktx commented 2 months ago

I'm seeing this issue as well. I can reproduce it every time I log in. It happens when on a Mac, but not on a Windows machine attaching to the same IdP.