cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

aws-google-auth with MFA Google Prompt doesn't work every time #117

Closed C-Kenny closed 5 years ago

C-Kenny commented 5 years ago

I've been using aws-google-auth with the Google Prompt and found it doesn't always authenticate.

Running aws-google-auth opens the Google Prompt on my phone, and then I click it's me, but then aws-google-auth throws this error:

Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ...
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aws_google_auth/google.py", line 279, in parse_saml
    'name': 'SAMLResponse'
AttributeError: 'NoneType' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/aws-google-auth", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/aws_google_auth/__init__.py", line 225, in main
    cli(cli_args)
  File "/usr/local/lib/python3.7/site-packages/aws_google_auth/__init__.py", line 64, in cli
    process_auth(args, config)
  File "/usr/local/lib/python3.7/site-packages/aws_google_auth/__init__.py", line 186, in process_auth
    saml_xml = google_client.parse_saml()
  File "/usr/local/lib/python3.7/site-packages/aws_google_auth/google.py", line 283, in parse_saml
    'Could not find SAML response, check your credentials')
RuntimeError: Could not find SAML response, check your credentials

I follow the exact same steps but wait varying amounts of time to click "Yes it's me" in the Google Prompt. After about 4 tries, I finally get the:

Failed to import U2F libraries, U2F login unavailable. Other methods can still continue.
Google Password:
Open the Google App, and tap 'Yes' on the prompt to sign in ..
Assuming arn:aws:iam::xxxxxxxxxx:role/role-name
Credentials Expiration: 2018-11-01 10:52:24+13:00

As expected. I'm using a Nexus 5X if that matters, both devices on same network connection.

I see this was mentioned in #90

I'm running aws-google-auth 0.0.27

In the meantime I've changed my MFA method to use Google Authenticator app which works far better than the Google Prompt.

wcharaka commented 5 years ago

I have not come across this issue, lemme see if I can reproduce.

pauldraper commented 5 years ago

I've seen this. If the first one fails, they all fail for several minutes.

stevemac007 commented 5 years ago

We added the --save-failure-html option. This will record the HTML pages returned by Google so that we can try and debug what is going on.

If this issue occurs, try and re-run the command with that flag and review the HTML saved. If you can share the saved HTML on an issue, that will make troubleshooting much easier.
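
A triage helper for HTML recorded with --save-failure-html, as an added example that is not part of the thread or of aws-google-auth's own code: it repeats the lookup the traceback above shows failing (an element named SAMLResponse, assumed here to be an `<input>`) and reports field names only, so the summary can be posted on an issue without the field values. The function and class names and both sample pages are constructed for illustration and are not real Google markup.

```python
import base64
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collect (name, value) for every <input> element on the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs.append((a.get("name"), a.get("value")))


def triage(html):
    """Summarise a saved page: field names only, never field values."""
    collector = InputCollector()
    collector.feed(html)
    names = [n for n, _ in collector.inputs if n]
    saml = next((v for n, v in collector.inputs if n == "SAMLResponse"), None)
    decodes = False
    if saml:
        try:
            xml = base64.b64decode(saml, validate=True).decode("utf-8", "replace")
            decodes = xml.lstrip().startswith("<")
        except ValueError:  # binascii.Error is a ValueError subclass
            decodes = False
    return {
        "has_saml_response": saml is not None,  # False matches the RuntimeError case
        "saml_decodes_as_xml": decodes,
        "input_names": names,
    }


# Constructed sample: a page still waiting on the prompt, with no SAMLResponse field.
PROMPT_PAGE = ('<form id="challenge"><input type="hidden" name="challengeId" '
               'value="constructed-token"><input type="submit" name="retry"></form>')
# Constructed sample: a page carrying a base64-encoded SAML response.
SUCCESS_PAGE = ('<form><input type="hidden" name="SAMLResponse" value="'
                + base64.b64encode(b"<samlp:Response/>").decode() + '"/></form>')

if __name__ == "__main__":
    print(triage(PROMPT_PAGE))
    print(triage(SUCCESS_PAGE))
```
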

C-Kenny commented 5 years ago

Thanks @stevemac007, I'll be sure to update and let you know of the results.

thalesvon commented 5 years ago

Any updates on this issue? Should we just avoid using python3?

C-Kenny commented 5 years ago

No longer having this issue using "aws-google-auth 0.0.31". Closing