400 Client Error: Bad Request for url:

[sayeedhussain]

Unable to login in. Getting error 400 Client Error: Bad Request for url: #467

Expected Behavior

Should be able to login

Current Behavior

When trying to login, getting this error 400 Client Error: Bad Request for url: On further investigation, this is the error received {'error': 'invalid_grant', 'error_description': "The application's assurance requirements are not met by the 'subject_token'."}

~/.okta_aws_login_config is configured correctly

Possible Solution

Steps to Reproduce (for bugs)

1. 2. 3. 4.

Context

Your Environment

• App Version used: 2.8.2
• Environment name and version: Terminal (2.14)
• Operating System and version: MacOS (Sonoma 14.5)

[epierce]

Are you using --force-classic or the browser-based login? What Global Session Policy and Authentication Policy is applied to the clientID that gimme-aws-creds is using and to the AWS app you're trying to access?

[sayeedhussain]

force_classic = False open_browser = True%

What Global Session Policy and Authentication Policy is applied to the clientID that gimme-aws-creds is using

• Not Sure

and to the AWS app you're trying to access

• Is this relevant given I am failing to acquire the credentials itself before I can try accessing any app.

~/.okta_aws_login_config contents is as below

okta_org_url = okta_auth_server = client_id = gimme_creds_server = appurl aws_appname = aws_rolename = write_aws_creds = True cred_profile = role okta_username = app_url = resolve_aws_alias = False include_path = False preferred_mfa_type = push remember_device = True aws_default_duration = 3600 device_token = output_format = json force_classic = False open_browser = True%

[jggatter]

Hi @sayeedhussain, my organization is encountering the same response and has a config that appears to be roughly the same, but I don't have enough information to guarantee we have the same issue.

On further investigation, this is the error received {'error': 'invalid_grant', 'error_description': "The application's assurance requirements are not met by the 'subject_token'."}

It would be great if you could clarify, how did you find this error message? Did you modify or debug the code to inspect the response object? Any specifics would be helpful!

[sayeedhussain]

Hi @jggatter Yes I added print stmt to this file

/opt/homebrew/Cellar/gimme-aws-creds/2.8.2_1/libexec/lib/python3.12/site-packages/gimme_aws_creds/okta_identity_engine.py

[jggatter]

Got around to checking. Yep, I have the same error message but on an Ubuntu EC2 instance. On my local macOS workstation however, everything works properly.

[jggatter]

I updated from gimme-aws-creds 2.7.2 to 2.8.2 via pip install -U gimme-aws-creds and it worked. Since you are on 2.8.2 I wonder if it's a dependency that needs updating.

❯ gimme --version gimme-aws-creds 2.7.2 ❯ pip install -U gimme-aws-creds Defaulting to user installation because normal site-packages is not writeable Requirement already satisfied: gimme-aws-creds in ./.local/lib/python3.9/site-packages (2.7.2) Collecting gimme-aws-creds Downloading gimme_aws_creds-2.8.2-py2.py3-none-any.whl.metadata (2.1 kB) Requirement already satisfied: boto3<2.0.0,>=1.7.70 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (1.34.34) Requirement already satisfied: beautifulsoup4<5.0.0,>=4.6.0 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (4.12.2) Requirement already satisfied: keyring>=21.4.0 in /usr/lib/python3/dist-packages (from gimme-aws-creds) (23.5.0) Requirement already satisfied: requests<3.0.0,>=2.25.0 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (2.30.0) Requirement already satisfied: fido2<0.10.0,>=0.9.1 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (0.9.3) Collecting okta<3.0.0,>=2.9.0 (from gimme-aws-creds) Downloading okta-2.9.7-py2.py3-none-any.whl.metadata (1.6 kB) Requirement already satisfied: pyjwt<3.0.0,>=2.4.0 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (2.8.0) Requirement already satisfied: urllib3<2.0.0,>=1.26.0 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (1.26.18) Collecting html5lib<2.0.0,>=1.1 (from gimme-aws-creds) Downloading html5lib-1.1-py2.py3-none-any.whl.metadata (16 kB) Requirement already satisfied: furl<3.0.0,>=2.1.3 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (2.1.3) Requirement already satisfied: ctap-keyring-device==1.0.6 in ./.local/lib/python3.9/site-packages (from gimme-aws-creds) (1.0.6) Requirement already satisfied: cryptography>=3.4.6 in ./.local/lib/python3.9/site-packages (from ctap-keyring-device==1.0.6->gimme-aws-creds) (40.0.2) Requirement already satisfied: soupsieve>1.2 in ./.local/lib/python3.9/site-packages (from beautifulsoup4<5.0.0,>=4.6.0->gimme-aws-creds) (2.4.1) Requirement already satisfied: botocore<1.35.0,>=1.34.34 in ./.local/lib/python3.9/site-packages (from boto3<2.0.0,>=1.7.70->gimme-aws-creds) (1.34.34) Requirement already satisfied: jmespath<2.0.0,>=0.7.1 in ./.local/lib/python3.9/site-packages (from boto3<2.0.0,>=1.7.70->gimme-aws-creds) (1.0.1) Requirement already satisfied: s3transfer<0.11.0,>=0.10.0 in ./.local/lib/python3.9/site-packages (from boto3<2.0.0,>=1.7.70->gimme-aws-creds) (0.10.0) Requirement already satisfied: six in /usr/lib/python3/dist-packages (from fido2<0.10.0,>=0.9.1->gimme-aws-creds) (1.16.0) Requirement already satisfied: orderedmultidict>=1.0.1 in ./.local/lib/python3.9/site-packages (from furl<3.0.0,>=2.1.3->gimme-aws-creds) (1.0.1) Requirement already satisfied: webencodings in ./.local/lib/python3.9/site-packages (from html5lib<2.0.0,>=1.1->gimme-aws-creds) (0.5.1) Collecting aenum==3.1.11 (from okta<3.0.0,>=2.9.0->gimme-aws-creds) Downloading aenum-3.1.11-py3-none-any.whl.metadata (3.7 kB) Requirement already satisfied: aiohttp in ./.local/lib/python3.9/site-packages (from okta<3.0.0,>=2.9.0->gimme-aws-creds) (3.8.4) Collecting flatdict (from okta<3.0.0,>=2.9.0->gimme-aws-creds) Downloading flatdict-4.0.1.tar.gz (8.3 kB) Preparing metadata (setup.py) ... done Collecting jwcrypto (from okta<3.0.0,>=2.9.0->gimme-aws-creds) Downloading jwcrypto-1.5.6-py3-none-any.whl.metadata (3.1 kB) Collecting pycryptodomex (from okta<3.0.0,>=2.9.0->gimme-aws-creds) Downloading pycryptodomex-3.20.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.4 kB) Collecting pydash (from okta<3.0.0,>=2.9.0->gimme-aws-creds) Downloading pydash-8.0.1-py3-none-any.whl.metadata (4.5 kB) Requirement already satisfied: pyyaml in ./.local/lib/python3.9/site-packages (from okta<3.0.0,>=2.9.0->gimme-aws-creds) (6.0) Requirement already satisfied: xmltodict in ./.local/lib/python3.9/site-packages (from okta<3.0.0,>=2.9.0->gimme-aws-creds) (0.13.0) Requirement already satisfied: yarl in ./.local/lib/python3.9/site-packages (from okta<3.0.0,>=2.9.0->gimme-aws-creds) (1.9.2) Requirement already satisfied: charset-normalizer<4,>=2 in ./.local/lib/python3.9/site-packages (from requests<3.0.0,>=2.25.0->gimme-aws-creds) (2.1.1) Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests<3.0.0,>=2.25.0->gimme-aws-creds) (3.3) Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests<3.0.0,>=2.25.0->gimme-aws-creds) (2020.6.20) Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in ./.local/lib/python3.9/site-packages (from botocore<1.35.0,>=1.34.34->boto3<2.0.0,>=1.7.70->gimme-aws-creds) (2.8.2) Requirement already satisfied: cffi>=1.12 in ./.local/lib/python3.9/site-packages (from cryptography>=3.4.6->ctap-keyring-device==1.0.6->gimme-aws-creds) (1.15.1) Requirement already satisfied: attrs>=17.3.0 in ./.local/lib/python3.9/site-packages (from aiohttp->okta<3.0.0,>=2.9.0->gimme-aws-creds) (23.1.0) Requirement already satisfied: multidict<7.0,>=4.5 in ./.local/lib/python3.9/site-packages (from aiohttp->okta<3.0.0,>=2.9.0->gimme-aws-creds) (6.0.4) Requirement already satisfied: async-timeout<5.0,>=4.0.0a3 in ./.local/lib/python3.9/site-packages (from aiohttp->okta<3.0.0,>=2.9.0->gimme-aws-creds) (4.0.2) Requirement already satisfied: frozenlist>=1.1.1 in ./.local/lib/python3.9/site-packages (from aiohttp->okta<3.0.0,>=2.9.0->gimme-aws-creds) (1.3.3) Requirement already satisfied: aiosignal>=1.1.2 in ./.local/lib/python3.9/site-packages (from aiohttp->okta<3.0.0,>=2.9.0->gimme-aws-creds) (1.3.1) Requirement already satisfied: typing-extensions>=4.5.0 in ./.local/lib/python3.9/site-packages (from jwcrypto->okta<3.0.0,>=2.9.0->gimme-aws-creds) (4.5.0) Requirement already satisfied: pycparser in ./.local/lib/python3.9/site-packages (from cffi>=1.12->cryptography>=3.4.6->ctap-keyring-device==1.0.6->gimme-aws-creds) (2.21) Downloading gimme_aws_creds-2.8.2-py2.py3-none-any.whl (61 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.6/61.6 kB 5.4 MB/s eta 0:00:00 Downloading html5lib-1.1-py2.py3-none-any.whl (112 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 112.2/112.2 kB 10.4 MB/s eta 0:00:00 Downloading okta-2.9.7-py2.py3-none-any.whl (555 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 555.6/555.6 kB 30.1 MB/s eta 0:00:00 Downloading aenum-3.1.11-py3-none-any.whl (131 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 131.5/131.5 kB 12.3 MB/s eta 0:00:00 Downloading jwcrypto-1.5.6-py3-none-any.whl (92 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 92.5/92.5 kB 5.9 MB/s eta 0:00:00 Downloading pycryptodomex-3.20.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 43.6 MB/s eta 0:00:00 Downloading pydash-8.0.1-py3-none-any.whl (101 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 101.5/101.5 kB 9.6 MB/s eta 0:00:00 Building wheels for collected packages: flatdict Building wheel for flatdict (setup.py) ... done Created wheel for flatdict: filename=flatdict-4.0.1-py3-none-any.whl size=6929 sha256=7844f5e7cc4854838917860023049b35e5885196328c819ccfd3c2174c4ac1b6 Stored in directory: /home/ubuntu/.cache/pip/wheels/1a/f4/4e/e18d5704aab95b3da94c5d8251004b31068e69a144eb42403a Successfully built flatdict Installing collected packages: flatdict, aenum, pydash, pycryptodomex, html5lib, jwcrypto, okta, gimme-aws-creds Attempting uninstall: okta Found existing installation: okta 0.0.4 Uninstalling okta-0.0.4: Successfully uninstalled okta-0.0.4 Attempting uninstall: gimme-aws-creds Found existing installation: gimme-aws-creds 2.7.2 Uninstalling gimme-aws-creds-2.7.2: Successfully uninstalled gimme-aws-creds-2.7.2 Successfully installed aenum-3.1.11 flatdict-4.0.1 gimme-aws-creds-2.8.2 html5lib-1.1 jwcrypto-1.5.6 okta-2.9.7 pycryptodomex-3.20.0 pydash-8.0.1 ❯ gimme --version gimme-aws-creds 2.8.2 ❯ gimme ... ❯ echo $? 0

@sayeedhussain could you try running the same upgrade command?

[sayeedhussain]

@jggatter Tried brew upgrade. Still doesn't work. I have identified that the gimme-aws-creds version is not the problem. Not sure what the problem is though.

[sayeedhussain]

Closing this issue as this seems to be some persmissions issue on my side.

[maxisme-paradime]

@sayeedhussain Did you find out what the permission issue was?