cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
538 stars, 180 forks

Not identifying a FQDN user's email address #172

Closed chikoo77 closed 4 years ago

chikoo77 commented 4 years ago

Hello everyone,

I hope you are doing good. I have tried to use this particular package since I'm using G Suite as IDP for AWS and I need access to the AWS CLI as well. As it turns out, I have set up aws-google-auth on a virtual env in order to test it, I use the correct arguments including the username and then it ask me for my password, I enter the password (which is correct) no MFA has been activated for this account but it throws an error saying invalid username or password.

After enabling the --log debug flag, it seems that it can't find the username that I pass in the arguments. Here is the resulting log (I'm not including my IDP nor my SP ID):

DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/saml2/initsso?idpid%%26spid%%26forceauthn%3Dfalse%26from_login%3D1%26as%3D0SWBfI9xyj4lOIR_5vVJ3Q&followup=https://accounts.google.com/o/saml2/initsso?idpid%%26spid%%26forceauthn%3Dfalse%26from_login%3D1%26as%3D0SWBfI9xyj4lOIR_5vVJ3Q&ltmpl=popup&oauth=1&faa=1&sarp=1&scc=1 HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/v1/lookup HTTP/1.1" 200 None

Since /signin/v1/lookup is the first step in the process, it seems that it can't find my username (I have made sure that I'm using the correct G Suite account and using the FQDN, i.e. first@domain.com).

Things I have tried so far:
- Change my user's password.
- Disable login challenge in G Suite.
- Make sure my login credentials work, which they do.
- I created a profile inside the ~/.aws/config with all parameters including my username, but it doesn't recognize it.
- I have tried with 2 different G Suite accounts, same behavior.
- I've installed AWS CLI V2 and V1 but neither works.
- For testing, I just included the username part only, i.e. frank, and this time I receive a 302 status code for /signin/v1/lookup, but it obviously fails since that's not the correct account, so I believe there must be something changing or parsing incorrectly after the '@' sign.

Current setup:
- Windows 10 x64
- AWS CLI v1
- Python 3.8.2

Any help will be highly appreciated, thank you.

stevemac007 commented 4 years ago

In summary your password is right, the tool is showing the wrong error message.

We've seen this across a number of users - there looks to be an update to the captcha challenge page as well as the login page that was fixed in 0.0.34.

Like usual, we need to be able to replicate this to resolve it. I've got a sample file from a colleague, will see if there is something I can put together. As I'm not experiencing the issue, it's a bit like shooting in the dark.

chikoo77 commented 4 years ago

Thank you so much for the reply. Also, I was reading that the Google SSO page may vary depending on the country where the request is coming from, so it seems that I might be affected by that. Anyway, thank you for releasing an awesome tool. Regards

stevemac007 commented 4 years ago

I believe this was resolved with release 0.0.34 - please reopen if you continue to have the issue.

Basouley commented 4 years ago

You can use this command; it should help: pip install --upgrade aws-google-auth