common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Cannot open a browser session for profile because it does not assume a role #48

Closed avishayil closed 2 years ago

avishayil commented 2 years ago

Hi, Thanks for this initiative, nice work.

I'm using Okta with AWS federation and the saml2aws CLI tool in order to get temporary credentials for the AWS CLI. After setting up the profile with granted and trying to use the browser session functionality, I'm getting the following error message:

Attempting to open using active role...

Cannot open a browser session for profile: xxxx because it does not assume a role

I have credentials and aws profile configured correctly, and when running aws sts get-caller-identity I'm getting my identity correctly:

{
    "UserId": "AROXXXXXXXXXXXXX:xxx@xxx.xxx.xxx",
    "Account": "123456789123",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/Admin/xxx@xxx.xxx.xxx"
}

Output from running assume:

§ assume
? Please select the profile you would like to assume: xxxxxx
[xxxxxx](us-east-1) session credentials ready

chrnorm commented 2 years ago

Thanks for the issue @avishayil! To help us replicate the issue, is it possible to share a redacted version of your ~/.aws/config file? (excluding any account IDs or SSO start URLs).

I think the problem here is due to Granted not supporting the SAML2.0 web federation login flow that you’re using with Okta (which should be fixable to add support) but taking a quick look at your config will help confirm.

avishayil commented 2 years ago

Thanks @chrnorm , my ~/.aws/config file is just a list of profiles with configured regions:

[default]
region=us-east-1

[profile xxxx]
region=eu-west-1

[profile yyyy]
region=eu-west-1

[profile zzzz]
region=eu-west-1

adedommelin-ducksify commented 2 years ago

Hello @chrnorm,

Thanks for the good work!

I can confirm the same issue as @avishayil, not using Okta (simple IAM users), running on macOS, granted v0.1.5, with Chrome as the default browser.

meyerjrr commented 2 years ago

Hey @avishayil and @adedommelin-ducksify! We just rolled out Granted v0.1.7, which included support for different SSO credential proxies. Would you be able to test whether you are still running into issues using Granted with your configurations?

avishayil commented 2 years ago

Thanks @meyerjrr I'm now having the following issue:

? Please select the profile you would like to assume: *******
operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: 81ac02d7-fa67-4b50-8af2-9d9c0c80a675, api error AccessDenied: Cannot call GetFederationToken with session credentials

Because I'm already assuming a role session in my workflow. Is there any possibility to use the current credentials instead of requesting new credentials using GetFederationToken?
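
The 403 above is an STS rule rather than a Granted bug: GetFederationToken only accepts long-term IAM user keys, so a profile whose credentials already carry a session token (the output of AssumeRoleWithSAML, as saml2aws writes) cannot be federated that way and has to be reused as-is. The following added example (not Granted's code) shows how a tool could classify each profile before choosing a sign-in path; the config and credentials files are constructed with fake values, and the "with-role" profile is an assumption added to cover the role_arn case.

```python
import configparser
import json
from urllib.parse import urlencode
# Constructed sample files (fake values) modelled on the thread: the config only sets
# regions, and the credentials written by a SAML CLI carry an aws_session_token.
SAMPLE_CONFIG = """
[profile xxxx]
region=eu-west-1
[profile with-role]
region=eu-west-1
role_arn=arn:aws:iam::123456789012:role/Admin
source_profile=xxxx
"""
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id=AKIAEXAMPLE0000000000
aws_secret_access_key=constructed-secret
[xxxx]
aws_access_key_id=ASIAEXAMPLE0000000000
aws_secret_access_key=constructed-secret
aws_session_token=constructed-session-token
"""

def load(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def classify(profile, config, credentials):
    """Decide which console sign-in path can work for a profile."""
    section = "default" if profile == "default" else f"profile {profile}"
    cfg = config[section] if config.has_section(section) else {}
    if "role_arn" in cfg:
        return "assume_role"  # the profile assumes a role: Granted's original requirement
    creds = credentials[profile] if credentials.has_section(profile) else {}
    if "aws_session_token" in creds:
        # STS rejects GetFederationToken from temporary credentials (the 403 in the thread).
        return "use_existing_session"
    if "aws_access_key_id" in creds:
        return "get_federation_token"  # long-term IAM user keys: GetFederationToken works
    return "no_credentials"

def signin_token_request(creds):
    """Build the federation getSigninToken URL from existing session credentials (no network)."""
    session = {"sessionId": creds["aws_access_key_id"],
               "sessionKey": creds["aws_secret_access_key"],
               "sessionToken": creds["aws_session_token"]}
    return "https://signin.aws.amazon.com/federation?" + urlencode(
        {"Action": "getSigninToken", "Session": json.dumps(session)})
```

Access key IDs starting with ASIA are temporary and those starting with AKIA are long-term, which is a quick visual check for the same distinction the classifier makes.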

meyerjrr commented 2 years ago

Closing this issue and will be tracking it under #89