tilfinltd / aws-extend-switch-roles

Extend your AWS IAM switching roles by Chrome extension, Firefox add-on, or Edge add-on
https://chromewebstore.google.com/detail/aws-extend-switch-roles/jpmkfafbacpgapdghgdpembnojdlgkdl?utm_source=github
MIT License

Switching role sometimes results in a 400 or 404 #175

Closed phr3nzii closed 3 years ago

phr3nzii commented 3 years ago

Hi,

Firstly, thank you for such a great extension and for fixing the issues with the new AWS UI so quickly!

Perhaps this should be raised as two separate issues but they are very similar so I think they're related. I've noticed that sometimes when switching role I get a 400 Bad Request or a 404 Not Found.

This was happening before the recent switch to v2; I've only just looked further into why it was happening.

400 Example

In this example, I am on the S3 console page (https://s3.console.aws.amazon.com/s3/home?region=us-east-1) and I am switching to a role that has the region set to eu-central-1.

I compared a broken and working request to https://signin.aws.amazon.com/switchrole and noticed that in the form data on the broken request the redirect_uri was different:

Broken: https%3A%2F%2Feu-central-1.s3.console.aws.amazon.com%2Fs3%2Fhome%3Fregion%3Deu-central-1

Working: https%3A%2F%2Fs3.console.aws.amazon.com%2Fs3%2Fhome%3Fregion%3Dus-east-1%23

The region hasn't changed as the normal AWS console doesn't take the region switching into account; however, I tested using curl with the request_uri changed and I got a working 302 response.

Working with Region change: https%253A%252F%252Fs3.console.aws.amazon.com%252Fs3%252Fhome%253Fregion%253Deu-central-1

404 Example

In this example, I am on the IAM Roles page (https://console.aws.amazon.com/iam/home?region=eu-central-1#/roles) using the role that has the region set to eu-central-1 and I am switching to the role that has the region set to us-east-1. This results in a 404 on https://aws.amazon.com/iam/home/?region=us-east-1#/roles

In this scenario the /switchrole endpoint returns a 302, which sends me to https://aws.amazon.com/iam/home?region=us-east-1 which returns a 301 which then sends me on to the 404 URI above.

Again, comparing the broken and working requests to the /switchrole endpoint, the redirect_uri was different:

Broken: https%3A%2F%2Faws.amazon.com%2Fiam%2Fhome%3Fregion%3Dus-east-1%23%2Froles

Working: https%3A%2F%2Fconsole.aws.amazon.com%2Fiam%2Fhome%3Fregion%3Dus-east-1%23

Testing again with curl but adjusting the request_uri to add the region change I got a 200 response after following the redirects as above.

Working with Region change: https%3A%2F%2Fconsole.aws.amazon.com%2Fiam%2Fhome%3Fregion%3Dus-east-1%2523%252Froles


Unfortunately, I wouldn't know where to start with fixing this change myself 😞 But hopefully the above gives you enough information. However, if you need more information or have any questions let me know 👍

Thanks again!

phr3nzii commented 3 years ago

Realised that I didn't say which browser I'm using 🤦 I'm using Brave Version 1.14.84 Chromium: 85.0.4183.121 (Official Build) (64-bit), however, I see the same behaviour in Chrome Version 85.0.4183.121 (Official Build) (64-bit)

tilfin commented 3 years ago

This issue occurs when viewing some AWS global services (ex: S3, IAM, CloudFront).

th3noname commented 3 years ago

I'm still getting the 400 error while switching roles from the CodeArtifact service (region eu-central-1).

I'm on Firefox 81.0.1

llange commented 3 years ago

Hello @th3noname, @tilfin, @phr3nzii: I discovered that one reason (certainly one out of many) for the 404 can be caused by the length of the "DisplayName" parameter for the account (in the switchrole HTTP call).

In my case, I had not checked the "Hide Account Id" checkbox. Thus, the DisplayName is constructed by the concatenation of the name of the profile + " | " + account_id (the latter part adds 17 characters to the display name).

My profile names are "quite long".

If the whole string length is > 64 characters, then I always have a 404 page.

As soon as I reduce the size of the profile name, so that the whole DisplayName is <= 64 characters, the 404 page disappears. (Of course another solution is to check the "Hide Account Id" checkbox)

(And when using aws web console, there is a forced truncation by the interface so that DisplayName is not > 64 chars)

Could it be that you are also impacted by this?

phr3nzii commented 3 years ago

The display names I have are < 64 characters. 2.0.5 resolved this issue for me; I haven't had any 400 or 404 errors since.

nhinds commented 3 years ago

I get 400 when the redirect_uri parameter is complicated, such as the CodePipeline "Pipelines" page which has URIs like https://ap-southeast-2.console.aws.amazon.com/codesuite/codepipeline/pipelines?region=ap-southeast-2&pipelines-meta=<long URI-encoded JSON>. When that happens, navigating to a page with a simpler URI (like the CodePipeline "Getting started" page) allows me to switch the role.

It's not clear whether it's the encoded JSON {/"/} characters that are causing the issue or the URI length, but it seems possible to switch roles using the AWS console's built-in role history on those pages.
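
A small diagnostic for the conditions reported in this thread, as an added example that is not part of the original issue or the extension's code: it decodes a `redirect_uri` form value, compares its host with the host of the page being left, and checks the display-name length. The function names and the `pageHost` parameter are assumptions, and the 64-character limit is the figure reported in the thread, not a documented constant.

```javascript
// Added diagnostic sketch: names are hypothetical, not the extension's code.
const DISPLAY_NAME_MAX = 64; // limit observed in this thread, not a documented constant
const REGION_LABEL = /^[a-z]{2}(-[a-z]+)+-\d$/; // e.g. eu-central-1, ap-southeast-2

// Peel percent-encoding layers until the value stops changing.
function decodeLayers(value, maxLayers = 5) {
  let current = value;
  let layers = 0;
  while (layers < maxLayers) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
    layers += 1;
  }
  return { decoded: current, layers };
}

// Break a redirect_uri form value into the parts compared in the thread.
function inspectRedirectUri(formValue) {
  const { decoded, layers } = decodeLayers(formValue);
  const url = new URL(decoded);
  const firstLabel = url.hostname.split('.')[0];
  return {
    layers,
    host: url.hostname,
    isConsoleHost: url.hostname === 'console.aws.amazon.com' ||
      url.hostname.endsWith('.console.aws.amazon.com'),
    hostRegion: REGION_LABEL.test(firstLabel) ? firstLabel : null,
    queryRegion: url.searchParams.get('region'),
    fragment: url.hash,
  };
}

// Warn about the conditions reported above before a switch-role form is submitted.
function preflight({ displayName, redirectUri, pageHost }) {
  const info = inspectRedirectUri(redirectUri);
  const warnings = [];
  if (displayName.length > DISPLAY_NAME_MAX) warnings.push('displayName longer than 64 characters');
  if (!info.isConsoleHost) warnings.push('redirect host is outside console.aws.amazon.com');
  const pageHasRegion = REGION_LABEL.test(pageHost.split('.')[0]);
  if (info.hostRegion && !pageHasRegion) warnings.push('region label added to a region-less host');
  return { info, warnings };
}
```

Run against the values quoted in the first post, the broken S3 value trips the region-label check and the broken IAM value trips the console-host check, while both "Working" values pass.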