Closed rasheedzrt closed 2 months ago
Unfortunately, I don't have access to an Azure environment to debug this, and I did not write the browser provider code (and it was contributed after I left the company which used Azure). About the best I can do is offer some generic troubleshooting guidance.
The first thing I would do is run `aws-runas -vD prod` to see if that raises any concerns with the detected configuration. Something else to try is to run `aws-runas -l`, which should return the roles you are authorized to access. This may reveal a misconfiguration in your `role_arn` attribute(s). Another thing to try would be running `aws-runas -v prod` to see if more verbose output provides any clues. For this final suggestion, I would pay attention to two lines of output in particular. The first is `DEBUG CLIENT CONFIG`, which contains the configuration information aws-runas will use. The other is `DEBUG SAML Role Details`, which shows some details of the SAMLResponse returned by Microsoft.
Although it shouldn't be contributing to any issues, there is some duplication in your configuration. If you have `saml_auth_url` and `saml_username` set in the default profile, there isn't a need to also have them in the specific profile configurations (unless there are different values for those attributes you need for each profile).
Hopefully that helps, and if there's any output you would like me to look over from the suggested troubleshooting commands, please add them to the reply.
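The "SAML Role Details" the reply points at are the values of the `https://aws.amazon.com/SAML/Attributes/Role` attribute in the assertion, each a `role ARN,provider ARN` pair, and the configured `role_arn` has to match one of them before there is a `RoleArn`/`PrincipalArn` pair to hand to `AssumeRoleWithSAML`. The following Go program is an added illustration of that lookup, not aws-runas's own code; the SAMLResponse it parses is constructed inline (unsigned, no conditions, placeholder account IDs and provider name), and the function names are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// RoleAttribute is the SAML attribute AWS reads the authorized role/provider pairs from.
const RoleAttribute = "https://aws.amazon.com/SAML/Attributes/Role"

// SampleResponse is a constructed, minimal SAMLResponse: two authorized roles,
// placeholder account IDs, no signature. AWS accepts the two ARNs of a pair in
// either order, so the second value deliberately lists the provider first.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/PowerUser,arn:aws:iam::111111111111:saml-provider/AzureAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/AzureAD,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

// RolePair is one role the IdP authorized plus the SAML provider (principal)
// ARN that must be sent with it.
type RolePair struct {
	RoleARN      string
	PrincipalARN string
}

// Minimal view of the response; tags carry no namespace so elements match by local name.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion struct {
		Attributes []samlAttribute `xml:"AttributeStatement>Attribute"`
	} `xml:"Assertion"`
}

type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// ParseRoleValue splits one "roleArn,providerArn" value (either order) into a RolePair.
func ParseRoleValue(v string) (RolePair, error) {
	parts := strings.Split(v, ",")
	if len(parts) != 2 {
		return RolePair{}, fmt.Errorf("role value %q is not a role/provider pair", v)
	}
	var p RolePair
	for _, part := range parts {
		part = strings.TrimSpace(part)
		switch {
		case strings.Contains(part, ":role/"):
			p.RoleARN = part
		case strings.Contains(part, ":saml-provider/"):
			p.PrincipalARN = part
		default:
			return RolePair{}, fmt.Errorf("unrecognised ARN %q in role attribute", part)
		}
	}
	if p.RoleARN == "" || p.PrincipalARN == "" {
		return RolePair{}, fmt.Errorf("role value %q lacks a role or a provider ARN", v)
	}
	return p, nil
}

// ParseRoles takes the SAMLResponse as the browser posts it (base64) and returns
// every authorized RolePair, i.e. what a role listing should show.
func ParseRoles(b64 string) ([]RolePair, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("SAMLResponse is not valid base64: %w", err)
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode SAMLResponse: %w", err)
	}
	var pairs []RolePair
	for _, a := range resp.Assertion.Attributes {
		if a.Name != RoleAttribute {
			continue
		}
		for _, v := range a.Values {
			p, err := ParseRoleValue(v)
			if err != nil {
				return nil, err
			}
			pairs = append(pairs, p)
		}
	}
	return pairs, nil
}

// SelectRole is the lookup done before AssumeRoleWithSAML: the configured role_arn
// must equal a role in the assertion. No match means there is no RoleArn/PrincipalArn
// pair to send, and STS rejects empty values for both.
func SelectRole(pairs []RolePair, roleARN string) (RolePair, bool) {
	for _, p := range pairs {
		if p.RoleARN == roleARN {
			return p, true
		}
	}
	return RolePair{}, false
}

// EncodedSample returns SampleResponse base64-encoded, as an IdP would post it.
func EncodedSample() string { return base64.StdEncoding.EncodeToString([]byte(SampleResponse)) }

func main() {
	pairs, err := ParseRoles(EncodedSample())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pairs {
		fmt.Printf("authorized: %s via %s\n", p.RoleARN, p.PrincipalARN)
	}
	// One configured role_arn that is in the assertion, one that is not.
	for _, want := range []string{"arn:aws:iam::111111111111:role/PowerUser", "arn:aws:iam::333333333333:role/PowerUser"} {
		if p, ok := SelectRole(pairs, want); ok {
			fmt.Printf("%s -> RoleArn=%s PrincipalArn=%s\n", want, p.RoleARN, p.PrincipalARN)
		} else {
			fmt.Printf("%s is not in the assertion; nothing to send to STS\n", want)
		}
	}
}
```

Comparing the configured `role_arn` values against the pairs printed here is the same check `aws-runas -l` is meant to let you do by eye: a `role_arn` that appears in no pair cannot be assumed, whatever the rest of the profile says.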
Hi,
I was trying to use the latest version and getting the error below, any suggestions?

```
aws-runas idam 2023/01/24 23:27:05 failed to refresh cached credentials, operation error STS: AssumeRoleWithSAML, https response error StatusCode: 400, RequestID: aeaee250-50c2-4ace-ba0c-e80a1adea020, api error ValidationError: 4 validation errors detected: Value '' at 'roleArn' failed to satisfy constraint: Member must satisfy regular expression pattern: [\u0009\u000A\u000D\u0020-\u007E\u0085\u00A0-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]+; Value '' at 'roleArn' failed to satisfy constraint: Member must have length greater than or equal to 20; Value '' at 'principalArn' failed to satisfy constraint: Member must satisfy regular expression pattern: [\u0009\u000A\u000D\u0020-\u007E\u0085\u00A0-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]+; Value '' at 'principalArn' failed to satisfy constraint: Member must have length greater than or equal to 20
```
Below is my config file:

```ini
[default]
region = us-east-1
output = json
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
saml_provider = browser

[profile nonprod]
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
role_arn = arn:aws:iam::123456789:role/PowerUser
source_profile = default

[profile prod]
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
role_arn = arn:aws:iam::12345678:role/PowerUser
source_profile = default

[profile US]
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
region = us-east-1
role_arn = arn:aws:iam::12345678:role/PowerUser
source_profile = default

[profile AP]
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
region = ap-southeast-1
role_arn = arn:aws:iam::123456789:role/PowerUser
source_profile = default

[profile EU]
saml_auth_url = https://myapps.microsoft.com/signin/IDD?tenantId=TIDD
saml_username = email.com.com
region = eu-west-1
role_arn = arn:aws:iam::123456789:role/PowerUser
source_profile = default
```
As soon as I start `aws-runas prod`, I get prompted for authentication with the browser, but after that I hit this error.
Please suggest what could be missing here.