venth / aws-adfs

Command line tool to ease aws cli authentication against ADFS (multi factor authentication with active directory)
MIT License
286 stars 101 forks

Cannot log in to certain regions #175

Open cira-jonathan opened 4 years ago

cira-jonathan commented 4 years ago

I'm trying to use my AD credentials to log into our AWS account and there are 4 regions I can't log into using aws-adfs via the command line.

This is the command I use to log in:

aws-adfs login --adfs-host= --provider-id urn:amazon:webservices --region --profile --no-ssl-verification --no-sspi

This is the error message I get when I try to authenticate:

Traceback (most recent call last):
  File "/usr/local/bin/aws-adfs", line 11, in <module>
    load_entry_point('aws-adfs==1.24.4', 'console_scripts', 'aws-adfs')()
  File "/usr/lib/python3/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/aws_adfs/login.py", line 222, in login
    DurationSeconds=int(config.session_duration),
  File "/usr/local/lib/python3.6/dist-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.6/dist-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 93edccae-0153-4dad-8d9c-92a5c99f2e7e; Proxy: null)

As I mentioned above, this only occurs with the 4 regions. Those regions are:

Those regions were previously disabled but have since been enabled, and the error still occurs. Is there another configuration setting I have to set before this works?

Any help in this matter would be much appreciated.

pdecat commented 3 years ago

Hi @cira-jonathan,

Are you using Duo? If so, have you seen this?

How do I resolve a "Specified provider doesn't exist" error when protecting AWS with Duo Access Gateway?

ISSUE

After successfully passing primary authentication and approving secondary authentication, the user is redirected to an AWS error page that says: "Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException)"

RESOLUTION

Make sure the provider information is configured correctly in AWS as described in the documentation. The provider name should be "dag"; it is case-sensitive and cannot be customized.

CAUSE

The provider information was configured incorrectly in AWS.

See https://help.duo.com/s/article/3717?language=en_US and https://duo.com/docs/aws#enable-aws-sso

trav-c commented 1 year ago

I believe I have encountered this also. If it is the same issue (I don't recall if it's the exact same error/stack trace), it is caused by certain regions only supporting regional STS endpoints, while boto3 always defaults to legacy endpoints. It can be worked around by setting the environment variable AWS_STS_REGIONAL_ENDPOINTS=regional, e.g.

export AWS_STS_REGIONAL_ENDPOINTS=regional
aws-adfs login .....

See https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

According to the AWS docs it should also be fixable by setting the default in ~/.aws/config, but that didn't seem to work for me with aws-adfs.