Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.08k stars 563 forks

After initial use of saml2aws there is a mandatory 2 minute ( 120 second ) wait (pause) for any interaction #1100

Open alfred-stokespace opened 1 year ago

alfred-stokespace commented 1 year ago

At the beginning of my day I successfully issue the following command ...

profile="some-cool-good-profile"
DISPLAY= SAML2AWS_DISABLE_KEYCHAIN=1 saml2aws login -a "$profile"

That DOES NOT pause. However, if I immediately (or later in the day) do anything so much as basic interaction with saml2aws, like say ask for the version (saml2aws --version), I'm required to pause 120 seconds before the version is displayed; or if I'm trying to login to another AWS account, same thing: I'm required to wait 120 seconds before the username prompt.

I decided to see what strace thought was happening, but didn't get much out of that...

Find the pid: ps -efww | grep saml2aws ...

ubuntu  12732 12730  0 06:35 pts/3    00:00:00 saml2aws login -a infra-gov
ubuntu  12779 11829  0 06:35 pts/6    00:00:00 grep --color=auto saml2aws

Use the pid found with strace:

sudo strace -p ... output

strace: Process 12732 attached
futex(0x1388f08, FUTEX_WAIT_PRIVATE, 0, NULL

After the 120 seconds are up the strace continues with...

futex(0x1388f08, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
newfstatat(AT_FDCWD, "/home/ubuntu/.local/bin/pass", 0xc000404108, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/ubuntu/.nvm/versions/node/v16.20.0/bin/pass", 0xc0004041d8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/sbin/pass", 0xc0004042a8, 0) = -1 ENOENT (No such file or directory)
...

That strace continues until the process exits.

I do in fact get the version at the end:

2.36.10, or if I had asked to login with a different profile, I am able to successfully login. Waiting 2 minutes is a real pain though.

matthew-gladman-oua commented 1 year ago

I've had issues that sound very similar before, and it was because it was waiting on dbus-daemon to respond for the keychain. I don't have a keychain provider installed (I'm using WSL2, which is not a desktop GUI).

My workaround was to append --disable-keychain at the end and it was working lightning quick after that. Hope that helps!

(When I was looking into the issue deeper a year ago, I discovered that there was a known bug with the library that saml2aws uses to facilitate that feature; I don't know if it's fixed, and it was sufficiently long ago that I don't remember the library or issue details anymore.)
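The workaround from the comment above, turned into a small shell wrapper. This is an added example, not code from the saml2aws project or from either participant in the thread. It assumes (as the comment suggests) that the 120 second stall is the keychain lookup waiting on a D-Bus session bus that is absent or dead, so it inspects `DBUS_SESSION_BUS_ADDRESS` and, when no usable bus is found, runs saml2aws with both `--disable-keychain` and `SAML2AWS_DISABLE_KEYCHAIN=1` (both taken from the thread). The `keychain_flags` and `stalls` helpers and the bus-address parsing are my own constructions; `stalls` just reproduces the reporter's "even `--version` hangs" observation as a quick probe with a short timeout instead of a two minute wait.

```shell
#!/bin/sh
# Added example, not code from the saml2aws project or from anyone in this
# thread. Assumption: a missing or dead D-Bus session bus is what makes the
# keychain lookup block, so we detect that case and skip the keychain.

# keychain_flags ADDRESS
#   Prints "--disable-keychain" when ADDRESS (normally the value of
#   $DBUS_SESSION_BUS_ADDRESS) does not look like a reachable session bus;
#   prints nothing when it does. Only the argument is inspected, so the
#   decision is deterministic and easy to test.
keychain_flags() {
    addr="$1"
    # Unset or empty: the usual state in WSL2, ssh sessions, containers, cron.
    if [ -z "$addr" ]; then
        printf '%s\n' '--disable-keychain'
        return 0
    fi
    case "$addr" in
        unix:path=*)
            # Strip the transport prefix and any trailing ",guid=..." part,
            # then require the socket to actually exist on disk.
            sock="${addr#unix:path=}"
            sock="${sock%%,*}"
            if [ ! -S "$sock" ]; then
                printf '%s\n' '--disable-keychain'
            fi
            ;;
        unix:abstract=*)
            # Abstract sockets have no filesystem entry to check; trust it.
            ;;
        *)
            # Unknown transport (tcp:, launchd:, ...): play it safe.
            printf '%s\n' '--disable-keychain'
            ;;
    esac
    return 0
}

# saml2aws_safe ARGS...
#   Runs saml2aws, appending --disable-keychain (and setting the env var the
#   reporter already used) whenever no usable session bus is detected.
saml2aws_safe() {
    flag=$(keychain_flags "${DBUS_SESSION_BUS_ADDRESS:-}")
    if [ -n "$flag" ]; then
        SAML2AWS_DISABLE_KEYCHAIN=1 saml2aws "$@" "$flag"
    else
        saml2aws "$@"
    fi
}

# stalls SECONDS CMD...
#   Returns 0 (true) if CMD does not finish within SECONDS. The reporter saw
#   even "saml2aws --version" block for 120 s; "stalls 5 saml2aws --version"
#   turns that into a quick yes/no check. Uses coreutils timeout (exit 124).
stalls() {
    limit="$1"; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 124 ]
}

# Example invocation, only when saml2aws is actually installed.
if command -v saml2aws >/dev/null 2>&1; then
    if stalls 5 saml2aws --version; then
        echo "saml2aws --version stalled; retrying without the keychain" >&2
    fi
    saml2aws_safe --version
fi
```

Source the file (or paste the functions into your shell profile) and call `saml2aws_safe login -a "$profile"` in place of `saml2aws login ...`; on a desktop with a live session bus it behaves exactly like plain saml2aws, and on WSL2 or a headless box it skips the keychain instead of waiting on dbus-daemon.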