cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

AssumeRoleWithSAML operation: Principal ARN is invalid #163

Open kirankraleti opened 4 years ago

kirankraleti commented 4 years ago

While selecting a role and hitting enter, the error below shows up. Any fix?

Type the number (1 - 2) of the role to assume: 2

[screenshot of the error attached as an image]

manzke commented 4 years ago

Hey, I can help here. I had the same problem. The issue is the order in which you entered the information in the Google user profile. Google and AWS don't care, but this command line does. ;)

Doesn't work: arn:aws:iam::xxxx:saml-provider/Google,arn:aws:iam::xxx:role/sso-sysadmin

Works: arn:aws:iam::xxx:role/sso-sysadmin,arn:aws:iam::xxxx:saml-provider/Google

manzke commented 4 years ago

issue is here: https://github.com/cevoaustralia/aws-google-auth/blob/master/aws_google_auth/amazon.py#L83

Parsing for "iam" is not enough. It has to check for "saml-provider".

demon commented 4 years ago

There's actually another reason this can fail -- a space after the comma. I had configured <role_arn>, <provider_arn>.

A simple trim() on the values would avoid this.
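The two failure modes described in the comments above (the Google profile listing the saml-provider ARN before the role ARN, and a space after the comma) can both be handled by classifying each ARN by its resource type rather than its position and stripping whitespace. The following is an added example written for this thread, not code from aws-google-auth; the SAML response, account IDs and role names in it are constructed for illustration, and the function names are assumptions.

```python
"""Parse the AWS Role attribute of a SAML assertion in either ARN order.

Added example, not aws-google-auth's own code. The SAML response below is
constructed: account IDs, role names and element IDs are made up.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample. Value 1 is role-first with a stray space after the comma
# (demon's case); value 2 is provider-first (the original reporter's case).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::111111111111:role/sso-sysadmin, arn:aws:iam::111111111111:saml-provider/Google</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/Google,arn:aws:iam::222222222222:role/sso-readonly</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""
# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


class RoleAttributeError(ValueError):
    """Raised when a Role attribute value is not a role/provider ARN pair."""


def parse_role_pair(value):
    """Return (role_arn, provider_arn) from 'arn1,arn2' given in either order.

    Each half is stripped of surrounding whitespace and classified by the
    resource part of the ARN (the text after the fifth colon), so the Google
    profile may list role and provider either way round.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(parts):
        raise RoleAttributeError("expected exactly two comma-separated ARNs: %r" % value)
    role = provider = None
    for arn in parts:
        if not arn.startswith("arn:"):
            raise RoleAttributeError("not an ARN: %r" % arn)
        resource = arn.split(":", 5)[-1]
        if resource.startswith("role/"):
            role = arn
        elif resource.startswith("saml-provider/"):
            provider = arn
        else:
            raise RoleAttributeError("neither a role nor a saml-provider ARN: %r" % arn)
    if role is None or provider is None:
        raise RoleAttributeError("need one role ARN and one saml-provider ARN: %r" % value)
    return role, provider


def roles_from_saml_response(b64_response):
    """Decode a base64 SAMLResponse and return its (role, provider) pairs.

    No signature check happens here: the assertion is only parsed to let the
    user pick a role. STS verifies the assertion's signature itself when the
    unmodified response is passed to AssumeRoleWithSAML.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml2"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("saml2:AttributeValue", SAML_NS):
            pairs.append(parse_role_pair(val.text or ""))
    return pairs


if __name__ == "__main__":
    for i, (role, provider) in enumerate(roles_from_saml_response(SAMPLE_RESPONSE_B64), 1):
        print("%d: role=%s provider=%s" % (i, role, provider))
```

Classifying by resource type also rejects a value that accidentally carries two role ARNs or two provider ARNs, which a position-based parser would pass straight to STS only to get the "Principal ARN is invalid" error shown in the issue.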

stevemac007 commented 4 years ago

If you have a sample SAML response that we can write a test against to validate this, I'd be happy to include it in the codebase.

I'm trying to increase the test coverage with real(ish) world examples to increase the resilience.

stibi commented 3 years ago

@demon is right, I have just seen the problem because of a comma. strip() FTW.

mgab commented 3 years ago

Quite an annoying issue, especially in large organizations where one does not have direct access to the Google profile configuration...

I created a PR to try to fix this. Happy to discuss changes 😀