oktadev / okta-aws-cli-assume-role

Okta AWS CLI Assume Role Tool
Apache License 2.0

STS Validation Error getting 400 - Issuer Not Present #307

Open rstuberg-ib opened 5 years ago

rstuberg-ib commented 5 years ago

Describe the bug

Run: okta-aws test sts get-caller-identity or okta-aws

OUTPUT:

```
Auto select role as only one is available : arn:aws:iam::account:saml-provider/okta-poc
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/me/.okta/okta-aws-cli-2.0.0.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: fcd99041-88b7-11e9-958d-f9bd86177fa2)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
    at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
```

To Reproduce

Have Okta Tile working with okta already for AWS access. Set the URL and ORG properties and OKTA_BROWSER_AUTH=true.

Okta authenticates and the tile asks to select which login I want (two roles are present to assume)

^^^ After I had already failed with the undesired behavior I am cached (is there a reference to clear it?). Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior

I should be able to get a token etc. from the aws call.

Screenshots

[Screen Shot 2019-06-07 at 10 16 58 AM]

Additional context

After the authentication was cached from OKTA_BROWSER_AUTH=true. I was CLI output.

I would just like to know if it's the AWS configuration, cli or my configuration that caused this.

Machine details:

```
javac -version
javac 12.0.1
```

Mac: 16.7.0 Darwin Kernel Version 16.7.0

laperi commented 5 years ago

Hey, I am facing a similar error when I run the command: okta-aws test sts get-caller-identity

```
PS C:\Users\xxxx.okta> okta-aws test sts get-caller-identity
Username: xxx.xxxx@gmail.com
Password:
```

Output:

```
Auto select role as only one is available : arn:aws:iam::988858594754:saml-provider/Okta_Athena
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/C:/Users/xxxx/.okta/okta-aws-cli.jar) to method com.sun.org.apache.xpath.internal.XPathContext.getDTMManager()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 642506d4-8c19-11e9-8922-2991a66b83eb)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
    at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
```

oavdonin commented 5 years ago

Hi Guys! I faced the same issue after upgrading to 2.0.2, ver 2.0.0 still works fine for me.

rstuberg-ib commented 5 years ago

So even though my original .jar says 2.0.0 it was really 2.0.2. I also forgot to mention I am using Mac 16.7.0 Darwin Kernel.

I tried with the 2.0.0 jar and it gives me the ability to select which role I would like to assume, although I get the same error:

```
Please choose the role you would like to assume:
Account: something (ACCOUNT_NUMBER)
    [ 1 ]: okta-1
    [ 2 ]: okta-2
Selection: 2
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/me/.okta/okta-aws-cli-2.0.0.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.InvalidIdentityTokenException: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: 143cc0b1-8c87-11e9-8026-e94aa508b675) (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 14103275-8c87-11e9-998b-3722eb98db1d)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
    at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
```

rstuberg-ib commented 5 years ago

I am actually having that same problem for 2.0.2 as well.

This should be mapped to a new issue. I think that: https://github.com/oktadeveloper/okta-aws-cli-assume-role/blob/60c21b453ea8e1b1e19162fb05df8d4a200d4997/src/main/java/com/okta/tools/saml/AwsSamlRoleUtils.java#L49

```java
            roles.put(roleArn, principalArn);
            roles.put(principalArn, roleArn);
```

which was merged in #303, is causing this, because it's referencing the saml-provider and not the roles.

Here is my go at it with a fresh install for 2.0.2:

```
Auto select role as only one is available : arn:aws:iam::account:saml-provider/okta-poc
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.amazonaws.util.XpathUtils (file:/Users/me/.okta/okta-aws-cli-2.0.2.jar) to constructor com.sun.org.apache.xpath.internal.XPathContext()
WARNING: Please consider reporting this to the maintainers of com.amazonaws.util.XpathUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 76b154dd-8c86-11e9-b9dd-6d97c7eb77da)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:658)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:630)
    at com.okta.tools.helpers.RoleHelper.assumeChosenAwsRole(RoleHelper.java:54)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:135)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)
```

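The two failure modes in this thread (a saml-provider ARN sent to STS as the RoleArn, and an assertion Issuer that does not match the IAM provider's metadata) can both be caught before the network call. The following is an added example in Python, not code from okta-aws-cli-assume-role; it classifies each ARN in the SAML Role attribute by resource type instead of by position, so either ordering maps correctly, and the SAML response, account id, role names and entityID it uses are constructed.

```python
"""Pre-flight checks for AssumeRoleWithSAML inputs (added example; SAML response, ARNs and entityID are constructed)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# arn:partition:iam::account-id:resource-type/name, limited to the two resource types this call takes
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(role|saml-provider)/[\w+=,.@/-]+$")

def arn_type(arn):
    """'role', 'saml-provider', or None for anything STS rejects as 'Request ARN is invalid'."""
    m = ARN_RE.match(arn.strip())
    return m.group(1) if m else None

def split_role_pair(value):
    """Map one Role attribute value to (role_arn, principal_arn) by resource type, not by position:
    the IdP may emit either order, and keying the map the wrong way round is exactly what
    sends a saml-provider ARN to STS as the RoleArn."""
    parts = [p.strip() for p in value.split(",")]
    by_type = {arn_type(p): p for p in parts}
    if len(parts) != 2 or set(by_type) != {"role", "saml-provider"}:
        raise ValueError("expected one role ARN and one saml-provider ARN: %r" % value)
    return by_type["role"], by_type["saml-provider"]

def parse_assertion(saml_xml):
    """Return (issuer, {role_arn: principal_arn}) from a SAML Response document."""
    root = ET.fromstring(saml_xml)
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    roles = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for val in attr.iterfind("saml:AttributeValue", NS):
                role_arn, principal_arn = split_role_pair(val.text or "")
                roles[role_arn] = principal_arn
    return issuer, roles

def preflight(role_arn, principal_arn, issuer, provider_entity_id):
    """Reproduce STS's first-line rejections locally; an empty list means the request gets past them."""
    problems = []
    if arn_type(role_arn) != "role":
        problems.append("RoleArn %s is not an IAM role (STS: Request ARN is invalid)" % role_arn)
    if arn_type(principal_arn) != "saml-provider":
        problems.append("PrincipalArn %s is not a saml-provider (STS: Request ARN is invalid)" % principal_arn)
    if issuer != provider_entity_id:  # IAM matches the assertion Issuer against the entityID in the stored metadata
        problems.append("Issuer %s not present in specified provider (STS: InvalidIdentityToken)" % issuer)
    return problems

# Constructed response: two roles, with the Role attribute values deliberately in both orders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/okta-poc,arn:aws:iam::123456789012:role/okta-1</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:role/okta-2,arn:aws:iam::123456789012:saml-provider/okta-poc</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    issuer, roles = parse_assertion(SAMPLE_RESPONSE)
    for role, principal in roles.items():
        print(role, "->", preflight(role, principal, issuer, "http://www.okta.com/exkEXAMPLE") or "ok")
```

Running preflight with the two ARNs swapped reports both "Request ARN is invalid" problems, which is the 2.0.2 symptom above; a different entityID reports the "Issuer not present" one.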
rstuberg-ib commented 5 years ago

So I solved my issue. Apparently the metadata document was changed so that the issuer was malformed.

Should add this to a FAQ or README linking to https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_invalid-metadata; it was very helpful.

dillonharlessNHRMC commented 5 years ago

I'm experiencing this issue. I don't think it's related to metadata as that is a different ErrorCode, and my coworker can log in. I'm trying to do this off-prem. Any ideas?

rstuberg-ib commented 5 years ago

So my issue was: Error: Response Signature Invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)

This error can occur when federation metadata of the identity provider does not match the metadata of the IAM identity provider. For example, the metadata file for the identity service provider might have changed to update an expired certificate. Download the updated SAML metadata file from your identity service provider. Then update it in the AWS identity provider entity that you define in IAM with the aws iam update-saml-provider cross-platform CLI command or the Update-IAMSAMLProvider PowerShell cmdlet.

Due to this: Exception in thread "main" com.amazonaws.services.securitytoken.model.InvalidIdentityTokenException: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: 143cc0b1-8c87-11e9-8026-e94aa508b675) (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 14103275-8c87-11e9-998b-3722eb98db1d)

For the other problem: Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 76b154dd-8c86-11e9-b9dd-6d97c7eb77da)

Use the 2.0.0 release or use the 2.0.2 release and swap the 2 parameters I pointed out in okta-aws-cli-assume-role/src/main/java/com/okta/tools/saml/AwsSamlRoleUtils.java at line 49.

I just ended up using the 2.0.0 release.

rstuberg-ib commented 5 years ago

My exact problem was that someone from IT had changed the tile I was working on. When I went to the Okta tile and clicked on it; it gave me the 400 response as well.

So I went and made my own dev Okta account and set it up so the tile worked. I had messed up the SAML document in the process which gave me this exact error. If you copy and paste the link https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_invalid-metadata (sorry I had messed it up). This should show you at least some direction if you messed up the process (which I did).

dillonharlessNHRMC commented 5 years ago

@rstuberg-ib forgive me, but how does one use the older version?

I was given this

```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy unrestricted -Force; Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/oktadeveloper/okta-aws-cli-assume-role/master/bin/Install-OktaAwsCli.ps1')); .$profile
```

to install the aws-okta-tools.

dillonharlessNHRMC commented 5 years ago

No worries, I ended up just copying and pasting the URL text and it got me there, but my error code is this, and I can't find anything related to that page, which is why I deleted my original comment:

```
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Request ARN is invalid (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 229c57f8-9cf6-11e9-9e06-f14050d9203a)
```

rstuberg-ib commented 5 years ago

@dillonharlessNHRMC so you just want to verify that the aws ARN is legit. See if you can assume it from your AWS account to ensure you have the same problem as I did.

Ahh it looks like you are using windows; I was using Mac so I can't give you specific details.

Here is the release page: https://github.com/oktadeveloper/okta-aws-cli-assume-role/releases

Here is the 2.0.0 tag https://github.com/oktadeveloper/okta-aws-cli-assume-role/releases/tag/v2.0.0

I just downloaded the zip and used maven to build it from source. You can also install the jar to use that specifically. :/ took me a while to do it but I somehow got it working.

I found out the problem with the scripted downloads is that it always downloaded the latest set of jars and you couldn't specifically select a release.

dillonharlessNHRMC commented 5 years ago

@rstuberg-ib I would imagine this has something to do with my error. The ARN is legit because I can RDP to my desktop where i installed this months ago and it works just fine. Tried installing today on my laptop off-prem and I'm having issues... I appreciate it, and I'll see if building from source solves it. Thanks!

gabrieltorrens commented 5 years ago

Confirming that I have the same issue on fresh installs, on both Ubuntu and MacOS. A workstation running 2.0.0 works fine. Same APP URL across all devices.