ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License

UnhandledPromiseRejectionWarning Error #12

Closed limewxr closed 4 years ago

limewxr commented 4 years ago

Ran into this error:

(node:88139) UnhandledPromiseRejectionWarning: Error
    at Parser.parseSamlResponse (/usr/local/lib/node_modules/gsts/parser.js:36:13)
    at CredentialsManager.assumeRoleWithSAML (/usr/local/lib/node_modules/gsts/credentials-manager.js:30:89)
    at Page.<anonymous> (/usr/local/lib/node_modules/gsts/index.js:184:34)
    at Page.emit (events.js:315:20)
    at Page.EventEmitter.emit (domain.js:485:12)
    at NetworkManager.<anonymous> (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Page.js:110:68)
    at NetworkManager.emit (events.js:315:20)
    at NetworkManager.EventEmitter.emit (domain.js:485:12)
    at NetworkManager._onRequest (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/NetworkManager.js:234:10)
    at NetworkManager._onRequestPaused (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/NetworkManager.js:210:12)
(node:88139) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:88139) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

At the same time, Chromium shows this page:

image

It's stuck in this status, even if I use Ctrl+C to kill the process, and run another gsts command with the --clean flag.

I'm using a newly installed v2.2.0.

Please let me know if you need more information to troubleshoot. Thanks!

ruimarinho commented 4 years ago

Hi @limewxr!

Can you add a logging line on https://github.com/ruimarinho/gsts/blob/master/parser.js#L29:

console.log(require('util').inspect(saml.parsedSaml, { depth: null }));

And remove any sensitive information? The role attribute is not being found so there's probably something new coming from the XML response.

The message "This site can't be reached" is expected and ultimately should be a successful message. I'm not loading that page to conserve bandwidth, but it means your login worked.

limewxr commented 4 years ago

Thanks @ruimarinho for your prompt reply!

Here's the log (sensitive information masked):

{
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [ 'xxxxxxxxxx@xxxxxxxxxx.com' ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx'
      ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
      value: [ '43200' ]
    }
  ]
}

limewxr commented 4 years ago

OK, I think I know why this happens and how to reproduce:

This happens when I try to assume an IAM role that's not granted to me, i.e. not in the Role list.

So, the question becomes if we can handle this error in a more elegant way, e.g. tell the user that the username and password are valid, but the role specified by the user does not exist or is not granted to the user?

Appreciate your thoughts on this, thanks!

limewxr commented 4 years ago

By the way, an issue with the aws-google-auth project is that its "Invalid username or password" error message is misleading.

It took our users a long time to retry the correct password quite a few times and on different computers, when the actual error was not a username or password issue at all, but the JavaScript requirement that Google is rolling out.

So I really would appreciate it if you can help make sure that gsts gives the accurate error message to users to avoid unnecessary frustration. Thanks!

saada commented 4 years ago

I'm running into this issue for a role that I have access to. It works fine from the console but not with gsts.

saada commented 4 years ago

If I omit the role arn flag, it works against one of the roles. But I can't figure out how to switch to other roles.

ruimarinho commented 4 years ago

@limewxr thank you for the sample response. I already had a test for multiple roles but the issue was in capturing the 'role not found' error. I took the opportunity to make the result more descriptive as per @saada's suggestion.

I have fixed one tiny bug related to the principal associated with the role ARN (not observed in your case) just in case you are assigned a profile with a different identity provider (unlikely).

@saada could you please open a new issue if it still persists after upgrading to 2.2.1? The Invalid username or password issue does not apply to gsts because the UI is used for authentication. There is no parsing or scraping done so you see what you get.
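
The following is an added example, not gsts's own code and not part of the original thread: one way to select a requested role from the parsed `Role` attribute shown earlier and to fail with a message that lists the granted roles instead of a bare `Error`. The names `listRoles`, `selectRole` and `RoleNotFoundError`, and the sample account IDs, are hypothetical.

```javascript
// Added example; listRoles, selectRole and RoleNotFoundError are hypothetical names.
const ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';
const ROLE_RE = /^arn:aws[\w-]*:iam::\d{12}:role\/.+/;
const PROVIDER_RE = /^arn:aws[\w-]*:iam::\d{12}:saml-provider\/.+/;

class RoleNotFoundError extends Error {
  constructor(requested, available) {
    super(`Login succeeded, but role "${requested}" is not granted in the ` +
      `SAML response. Available roles:\n  ${available.join('\n  ')}`);
    this.name = 'RoleNotFoundError';
    this.available = available;
  }
}

// Split every "arn,arn" value into { roleArn, principalArn }, classifying each
// half by its resource type instead of trusting its position in the pair.
function listRoles(parsedSaml) {
  const attr = (parsedSaml.attributes || []).find((a) => a.name === ROLE_ATTR);
  if (!attr) throw new Error('SAML response carries no Role attribute');
  return attr.value.map((pair) => {
    const arns = pair.split(',').map((s) => s.trim());
    const roleArn = arns.find((a) => ROLE_RE.test(a));
    const principalArn = arns.find((a) => PROVIDER_RE.test(a));
    if (!roleArn || !principalArn) throw new Error(`Malformed Role value: ${pair}`);
    return { roleArn, principalArn };
  });
}

// Exact-match lookup; a miss raises an error that names the granted roles.
function selectRole(parsedSaml, requestedArn) {
  const roles = listRoles(parsedSaml);
  const match = roles.find((r) => r.roleArn === requestedArn);
  if (!match) throw new RoleNotFoundError(requestedArn, roles.map((r) => r.roleArn));
  return match;
}

// Constructed sample in the shape logged above (account IDs are made up).
const sample = { attributes: [{ name: ROLE_ATTR, value: [
  'arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/GSuite',
  'arn:aws:iam::222222222222:saml-provider/GSuite,arn:aws:iam::222222222222:role/Admin',
] }] };

try {
  selectRole(sample, 'arn:aws:iam::111111111111:role/Readonly'); // wrong case
} catch (err) {
  if (!(err instanceof RoleNotFoundError)) throw err;
  console.error(err.message); // reported to the user instead of an unhandled rejection
}
```

Role ARNs are not secrets, but they do reveal account IDs, so the listing belongs on the user's terminal rather than in shared logs.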

ruimarinho commented 4 years ago

@limewxr @saada in case you're interested, I've published a new version with a revamped UI as gsts@2.3.0-beta.0. Would be great to have your feedback!

saada commented 4 years ago

🎉 it worked! Listing the available roles showed me that my arn was not written properly. Thank you so much!

limewxr commented 4 years ago

@ruimarinho thank you! It's working great!