Doesn't seem to work if MFA is configured on Okta

Question

Doesn't seem to work if MFA is configured on Okta

pcolmer opened this issue 7 years ago · comments

If my Okta account has an MFA then authenticating fails with:

Traceback (most recent call last):
  File "/usr/local/bin/awsprocesscreds-saml", line 11, in <module>
    sys.exit(saml())
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 348, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 507, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 517, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 357, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 393, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 238, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'

If I unset the MFA in Okta, authentication succeeds.

Please add support for MFA as this is going to be a requirement if we adopt this authentication model.

Thanks.

Ménahem commented 6 years ago

+1

Philip Colmer · Answer 1 · Tue Jan 09 2018 18:29:07 GMT+0800 (China Standard Time)

Copy of the comment I just posted on the pull request:

Just a note that although this code does work on its own, it doesn't work with AWS CLI because the latter consumes all output received from the running authentication process. If you try to use this enhancement with AWS CLI, it appears to stall but it is actually waiting for the user to specify which MFA action to take.

My initial thought was to use sys.stderr to output the prompts but the existing awsprocesscreds code uses getpass.getpass to get the user's password and that works - apparently by writing to sys.stdout.

Also, it looks like botocore might not allow stderr to be used either: aws/aws-cli#3057

So ... not sure how to proceed. I don't know if this is something that needs to be altered in awsprocesscreds or if aws-cli needs a cleaner way of getting the results back from awsprocesscreds so that the user can be allowed to interact with awsprocesscreds?

Philip Colmer · Answer 2 · Wed Jan 17 2018 20:55:53 GMT+0800 (China Standard Time)

I've updated my code with a separate branch (revised_prompting) to use getpass instead of having botocore swallow the output and then confuse awsprocesscreds.

Waiting on a decision from the repo maintainers as to what is going to be done to close out this issue ...

Loren Gordon · Answer 3 · Fri Nov 09 2018 19:45:48 GMT+0800 (China Standard Time)

Running into this exact same issue. MFA is not optional for us. Any progress on getting support in this tool?

Putinas Piliponis · Answer 4 · Mon Sep 30 2019 21:14:25 GMT+0800 (China Standard Time)

I got exactly same issue. Any update on this?