Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Doesn't work with Okta + Yubikey: "The provided key handle is not present on the device, or was created with a different application parameter." #1213

Open XSchelin opened 9 months ago

XSchelin commented 9 months ago

System: macOS 14.2.1 (Sonoma)
saml2aws version: 2.36.13

Issue:

I have Okta, and my only MFA option for Okta is my Yubikey. I attempted to log into saml2aws, and received:

The provided key handle is not present on the device, or was created with a different application parameter.

I ran: saml2aws --verbose login

% saml2aws --verbose login
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/chris.schelin/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/chris.schelin/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/chris.schelin/.aws/credentials pkg=awsconfig
Using IdP Account default to access Okta https://mbo.okta.com/home/amazon_aws/[guid]/272
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://mbo.okta.com/home/amazon_aws/[guid]/272"
DEBU[0000] Get credentials                               helper=osxkeychain user=chris.schelin
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://mbo.okta.com/home/amazon_aws/[guid]/272/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain user=chris.schelin
To use saved password just hit enter.
? Username chris.schelin
? Password 

DEBU[0001] building provider                             command=login idpAccount="account {\n  DisableSessions: false\n  DisableRememberDevice: false\n  URL: https://mbo.okta.com/home/amazon_aws/[guid]/272\n  Username: chris.schelin\n  Provider: Okta\n  MFA: YUBICO TOKEN:HARDWARE\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: default\n  RoleARN: \n  Region: \n}"
DEBU[0001] okta | disableSessions: false                 provider=okta
DEBU[0001] okta | rememberDevice: true                   provider=okta
Authenticating as chris.schelin ...
DEBU[0001] auth with session func called                 provider=okta
DEBU[0001] validate session func called                  provider=okta
DEBU[0001] HTTP Req                                      URL="https://mbo.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0001] HTTP Req                                      URL="https://mbo.okta.com/api/v1/authn" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
DEBU[0002] MFA                                           factorID=[factorID] mfaIdentifer="FIDO WEBAUTHN" oktaVerify="https://mbo.okta.com/api/v1/authn/factors/[factorID]/verify?rememberDevice=true" provider=okta
DEBU[0002] HTTP Req                                      URL="https://mbo.okta.com/api/v1/authn/factors/[factorID]/verify?rememberDevice=true" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
The provided key handle is not present on the device, or was created with a different application parameter.
tried all MFA options
github.com/versent/saml2aws/v2/pkg/provider/okta.fidoWebAuthn
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1367
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1308
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:300
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:195
runtime.main
    runtime/proc.go:267
runtime.goexit
    runtime/asm_arm64.s:1197
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:300
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:195
runtime.main
    runtime/proc.go:267
runtime.goexit
    runtime/asm_arm64.s:1197
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:109
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:195
runtime.main
    runtime/proc.go:267
runtime.goexit
    runtime/asm_arm64.s:1197

My .saml2aws file contents:

[default]
name                    = default
app_id                  = 
url                     = https://mbo.okta.com/home/amazon_aws/[guid]/272
username                = chris.schelin
provider                = Okta
mfa                     = YUBICO TOKEN:HARDWARE
mfa_ip_address          = 
skip_verify             = false
timeout                 = 0
aws_urn                 = urn:amazon:webservices
aws_session_duration    = 3600
aws_profile             = default
resource_id             = 
subdomain               = 
role_arn                = 
region                  = 
http_attempts_count     = 
http_retry_delay        = 
credentials_file        = 
saml_cache              = false
saml_cache_file         = 
target_url              = 
disable_remember_device = false
disable_sessions        = false
download_browser_driver = false
headless                = false
prompter                = 

So, uh, what gives?
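The error text in the log above is what saml2aws reports when the U2F token rejects the key handle it is handed: the handle was either not minted by that token, or was minted for a different application parameter (the SHA-256 of the AppID / RP ID) than the one it is now being asked to sign for. The Go model below is an added illustration, not code from saml2aws or from any YubiKey firmware, of a simplified key-wrapping scheme in which a key handle registered under one AppID fails the check-only step for any other AppID or any other device; the device secret and AppID strings are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrWrongApp mirrors the U2F error text surfaced in the saml2aws log above.
var ErrWrongApp = errors.New("key handle not present on the device, or created with a different application parameter")

// Authenticator is a constructed, simplified model of a key-wrapping U2F token.
type Authenticator struct {
	deviceSecret []byte // per-device secret that never leaves the token
}

// appParam is the U2F "application parameter": SHA-256 of the AppID / RP ID.
func appParam(appID string) []byte {
	h := sha256.Sum256([]byte(appID))
	return h[:]
}

// tag binds a nonce to this device and to this application parameter.
func (a *Authenticator) tag(appID string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, a.deviceSecret)
	mac.Write(appParam(appID))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// Register mints a key handle for appID: nonce || MAC(secret, appParam || nonce).
func (a *Authenticator) Register(appID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, a.tag(appID, nonce)...), nil
}

// CheckOnly answers the relying party's question: is this key handle mine, and
// was it created for this application parameter? Anything else is rejected.
func (a *Authenticator) CheckOnly(appID string, keyHandle []byte) error {
	if len(keyHandle) != 64 || !hmac.Equal(a.tag(appID, keyHandle[:32]), keyHandle[32:]) {
		return ErrWrongApp
	}
	return nil
}

func main() {
	dev := &Authenticator{deviceSecret: []byte("constructed-device-secret")}
	kh, _ := dev.Register("https://mbo.okta.com")
	// First check passes (same AppID); second fails (different application parameter).
	fmt.Println(dev.CheckOnly("https://mbo.okta.com", kh), dev.CheckOnly("mbo.okta.com", kh))
}
```

The same rejection occurs when the key handle comes from another token, which is why the error cannot distinguish "wrong device" from "registered for a different AppID".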