awslabs / awsprocesscreds

Process credential providers for AWS SDKs and Tools

It keeps asking for the password

hoegertn opened this issue · comments

I have a new issue now.

I configured Okta as provider and if I try to use it with credential_process it keeps asking for the password.

If I then run the command once directly in the command line and enter the password it works on subsequent calls as it uses the cached response.

What is the problem here?

I run into this if my default profile is set to use awsprocesscreds-saml. The boto client that gets set up to handle the STS assume seems to need any profile with credentials to work properly.

For example

export AWS_DEFAULT_PROFILE=profile-with-existing-creds
aws s3 ls --profile profile-with-awsprocesscreds 

Seems to always work. But

export AWS_DEFAULT_PROFILE=profile-with-awsprocesscreds
aws s3 ls

Will continue to prompt unless there are cached STS creds already. And for me it's prompting after receiving the SAML assertion successfully.
Must be a bug in the way the boto client is getting set up.

Same problem here. I have several profiles set up, but rather than adding --profile <profilename> to every call, I tried to set AWS_PROFILE and AWS_DEFAULT_PROFILE to the profile I want to use and I keep getting prompted for the password.

I am seeing the same issue as well federating with Okta. If I run awsprocesscreds-saml with the -v flag, I successfully receive the SAML assertion, but then I am reprompted for my password continually in a loop and I don't end up getting temporary credentials to use with the AWS CLI.

Does seem to be an issue with using the default profile. If I delete my aws config and re-run everything having just a named profile in the config it works fine.

That's odd that it's only occurring for the default profile. I'll look into it.

I'm trying and failing to reproduce this. Is this happening when you're running code using boto3 or just from the CLI?

I was able to reproduce this issue by removing my access keys for my default profile from ~/.aws/credentials. It seems like when botocore creates a client it expects at least one set of credentials for logging into AWS and will try using the default profile as one credential provider. So if the default profile doesn't have access keys (and there are no environment variables setting creds) then the password prompt from botocore shows up.

Here's how I dealt with the issue (#20) though I'm open to a more elegant solution too :)

I've experienced the same issue as well. I don't think the issue is with awsprocesscreds, but rather with botocore itself. Like @git-phu said, botocore expects some credentials upon creation. When it can't find them, it instead executes the credential_process found in the config (if credential_process is in the profile being used), thus calling awsprocesscreds again.

Ah, now I see the problem. It's like @patrickdean is saying. In botocore, when you create a client it will always try to resolve credentials even if you're creating a client with the special UNSIGNED signature version. I created an issue on botocore here: boto/botocore#1472 to track the issue.
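
The condition the thread converges on can be checked before running the CLI. The following is an added example, not part of the original issue or of the awsprocesscreds code: it parses AWS config and credentials text and reports whether the profile a bare client would pick has only `credential_process` to fall back on. The function name `reentry_risk`, the sample file contents and the order in which the two profile variables are read are assumptions of this sketch.

```python
import configparser

# Constructed sample files, not taken from the issue; all values are placeholders.
SAMPLE_CONFIG = """
[default]
credential_process = awsprocesscreds-saml PLACEHOLDER_ARGS

[profile saml]
credential_process = awsprocesscreds-saml PLACEHOLDER_ARGS

[profile static]
region = us-east-1
"""
SAMPLE_CREDENTIALS = """
[static]
aws_access_key_id = CONSTRUCTED_KEY_ID
aws_secret_access_key = CONSTRUCTED_SECRET
"""


def _parse(text):
    parser = configparser.RawConfigParser()  # raw: no % interpolation in values
    parser.read_string(text)
    return parser


def reentry_risk(config_text, credentials_text, env):
    """Return (profile, at_risk) for the profile a bare client would resolve."""
    config, creds = _parse(config_text), _parse(credentials_text)
    # Assumption: both variables select the profile; lookup order is this sketch's choice.
    profile = env.get("AWS_DEFAULT_PROFILE") or env.get("AWS_PROFILE") or "default"
    # ~/.aws/config names non-default sections "profile <name>"; credentials uses "<name>".
    section = profile if profile == "default" else f"profile {profile}"
    env_keys = bool(env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"))
    static_keys = (creds.has_option(profile, "aws_access_key_id")
                   or config.has_option(section, "aws_access_key_id"))
    uses_process = config.has_option(section, "credential_process")
    # At risk: nothing cheaper than credential_process can satisfy the lookup,
    # so a client created inside the helper would invoke the helper again.
    return profile, uses_process and not env_keys and not static_keys


if __name__ == "__main__":
    for env in ({}, {"AWS_PROFILE": "saml"}, {"AWS_DEFAULT_PROFILE": "static"}):
        print(env, reentry_risk(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, env))
```

To check a real setup, pass the contents of `~/.aws/config` and `~/.aws/credentials` together with `dict(os.environ)`.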