awslabs / awsprocesscreds

Process credential providers for AWS SDKs and Tools
Apache License 2.0

It keeps asking for the password #16

Closed hoegertn closed 5 years ago

hoegertn commented 6 years ago

I have a new issue now.

I configured Okta as provider and if I try to use it with credential_process it keeps asking for the password.

If I then run the command once directly in the command line and enter the password it works on subsequent calls as it uses the cached response.

What is the problem here?

waderobson commented 6 years ago

I run into this if my default profile is set to use awsprocesscreds-saml. The boto client that gets set up to handle the STS assume seems to need any profile with credentials to work properly.

For example

export AWS_DEFAULT_PROFILE=profile-with-existing-creds
aws s3 ls --profile profile-with-awsprocesscreds 

Seems to always work. But

export AWS_DEFAULT_PROFILE=profile-with-awsprocesscreds
aws s3 ls

Will continue to prompt unless there are cached STS creds already. And for me it's prompting after receiving the SAML assertion successfully. Must be a bug in the way the boto client is getting set up.

lingrlongr commented 6 years ago

Same problem here. I have several profiles set up, but rather than adding --profile <profilename> to every call, I tried to set AWS_PROFILE and AWS_DEFAULT_PROFILE to the profile I want to use and I keep getting prompted for the password.

tylthal commented 6 years ago

I am seeing the same issue as well, federating with Okta. If I run awsprocesscreds-saml with the -v flag, I successfully receive the SAML assertion, but then I am reprompted for my password continually in a loop and I don't end up getting temporary credentials to use with the AWS CLI.

tylthal commented 6 years ago

Does seem to be an issue with using the default profile. If I delete my aws config and re-run everything having just a named profile in the config it works fine.

JordonPhillips commented 6 years ago

That's odd that it's only occurring for the default profile. I'll look into it.

JordonPhillips commented 6 years ago

I'm trying and failing to reproduce this. Is this happening when you're running code using boto3 or just from the CLI?

git-phu commented 6 years ago

I was able to reproduce this issue by removing my access keys for my default profile from ~/.aws/credentials. It seems like when botocore creates a client it expects at least one set of credentials for logging into AWS and will try using the default profile as one credential provider. So if the default profile doesn't have access keys (and there are no environment variables setting creds) then the password prompt from botocore shows up.

Here's how I dealt with the issue (#20) though I'm open to a more elegant solution too :)

patrickdean commented 6 years ago

I've experienced the same issue as well. I don't think the issue is with awsprocesscreds, but rather with botocore itself. Like @git-phu said, botocore expects some credentials upon creation. When it can't find them, it instead executes the credential_process found in the config (if credential_process is in the profile being used), thus calling awsprocesscreds again.

JordonPhillips commented 6 years ago

Ah, now I see the problem. It's like @patrickdean is saying. In botocore, when you create a client it will always try to resolve credentials even if you're creating a client with the special UNSIGNED signature version. I created an issue on botocore here: boto/botocore#1472 to track the issue.
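
Added example, not part of the thread and not code from awsprocesscreds or botocore: a configuration check for the condition the comments above describe, where the effective default profile points credential_process at awsprocesscreds and no static or environment credentials exist. The sample files, the PLACEHOLDER_ARGS value, the function names and the order in which the two profile variables are read are assumptions of this sketch; it is a heuristic built from the thread, not botocore's resolver.

```python
import configparser

# Constructed sample files; PLACEHOLDER_ARGS stands in for the real arguments.
CONFIG = """
[default]
credential_process = awsprocesscreds-saml PLACEHOLDER_ARGS

[profile saml]
credential_process = awsprocesscreds-saml PLACEHOLDER_ARGS

[profile static]
region = us-east-1
"""
CREDENTIALS = """
[static]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = placeholder-secret
"""

def _parse(text):
    # interpolation=None so a '%' in a command line is kept literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def effective_profile(env):
    # Assumption of this sketch: either variable selects the profile.
    return env.get("AWS_DEFAULT_PROFILE") or env.get("AWS_PROFILE") or "default"

def reprompt_risk(config_text, credentials_text, env):
    """Return (profile, at_risk) for the condition described in the thread."""
    config, creds = _parse(config_text), _parse(credentials_text)
    profile = effective_profile(env)
    # The config file names non-default sections "profile <name>".
    section = "default" if profile == "default" else f"profile {profile}"
    process = config.get(section, "credential_process", fallback="")
    uses_tool = "awsprocesscreds" in process
    has_static = (creds.has_option(profile, "aws_access_key_id")
                  or config.has_option(section, "aws_access_key_id"))
    has_env = bool(env.get("AWS_ACCESS_KEY_ID")
                   and env.get("AWS_SECRET_ACCESS_KEY"))
    # At risk: the profile a new client falls back to would itself
    # invoke awsprocesscreds, and nothing else can supply credentials.
    return profile, uses_tool and not (has_static or has_env)

if __name__ == "__main__":
    for env in ({}, {"AWS_DEFAULT_PROFILE": "static"}, {"AWS_PROFILE": "saml"}):
        print(env, reprompt_risk(CONFIG, CREDENTIALS, env))
```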