ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License
217 stars, 38 forks

Support for multiple accounts #1

Closed mhenniges closed 4 years ago

mhenniges commented 4 years ago

For users that have multiple entries in the https://aws.amazon.com/SAML/Attributes/Role element of the SAML assertion, login will fail if --aws-role-arn is specified to a value that is not the first element in the attribute, because the principalArn is always taken from the first element. This results in a "ValidationError: Principal exists outside the account of the Role being assumed." error if the principalArn does not happen to be the same across the multiple entries.

This PR changes that logic to use the principalArn from the same entry where the role is found.

mhenniges commented 4 years ago

Hi @ruimarinho, thanks for GSTS! Can you take a look and let me know if anything needs changing?

ruimarinho commented 4 years ago

@mhenniges thanks for the feedback! I really need to add some tests because this is precisely the type of environment configuration that may change in the future.

Do you mind sharing what the Parsed SAML assertion object looks like in your situation, masking any private information?

ruimarinho commented 4 years ago

Landed in https://github.com/ruimarinho/gsts/releases/tag/v2.1.0 with some new tests. Hopefully I captured this correctly.

Thanks for your PR! Let me know how it goes.

mhenniges commented 4 years ago

So far so good - thank you very much!