Closed avishayil closed 2 years ago
Thanks for the issue @avishayil! To help us replicate the issue, is it possible to share a redacted version of your ~/.aws/config file? (excluding any account IDs or SSO start URLs).
I think the problem here is due to Granted not supporting the SAML2.0 web federation login flow that you’re using with Okta (which should be fixable to add support) but taking a quick look at your config will help confirm.
Thanks @chrnorm, my ~/.aws/config file is just a list of profiles with configured regions:
[default]
region=us-east-1
[profile xxxx]
region=eu-west-1
[profile yyyy]
region=eu-west-1
[profile zzzz]
region=eu-west-1
Hello @chrnorm,
Thanks for the good work!
I can confirm the same issue as @avishayil, not using Okta (simple IAM users), running on macOS, granted v0.1.5, with Chrome as the default browser.
Hey @avishayil and @adedommelin-ducksify! We just rolled out Granted v0.1.7 which included support for different SSO credential proxies. Would you be able to test whether you are still running into issues using Granted with your configurations?
Thanks @meyerjrr, I'm now having the following issue:
? Please select the profile you would like to assume: *******
operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: 81ac02d7-fa67-4b50-8af2-9d9c0c80a675, api error AccessDenied: Cannot call GetFederationToken with session credentials
This is because I'm already assuming a role session in my workflow. Is there any possibility to use the current credentials instead of requesting new credentials using GetFederationToken?
Closing this issue and will be tracking it under #89
Hi, Thanks for this initiative, nice work.
I'm using Okta with AWS federation and saml2aws CLI tool in order to get temporary credentials for AWS CLI. After setting up the profile with granted and trying to use the browser session functionality, I'm getting the following error message.
I have credentials and aws profile configured correctly, and when running aws sts get-caller-identity I'm getting my identity correctly:
Output from running assume: