Okta broken
lapkritinis opened this issue
Hello,
It seems that Okta login no longer works. I am posting the error log (I replaced the sensitive information in it).
username@MAC ~ % awsprocesscreds-saml --verbose -e https://organization.okta.com/app/amazon_aws/randomstringg/sso/saml -u '123456@domain.com' -p okta -a arn:aws:iam::1234567890:role/my-role
Password:
Sending HTTP POST with username (123456@domain.com) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Traceback (most recent call last):
File "/Users/username/.pyenv/versions/3.8.0/bin/awsprocesscreds-saml", line 8, in <module>
sys.exit(saml())
File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/cli.py", line 81, in saml
creds = fetcher.fetch_credentials()
File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
creds = super(SAMLCredentialFetcher, self).fetch_credentials()
File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 643, in fetch_credentials
return self._get_cached_credentials()
File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 653, in _get_cached_credentials
response = self._get_credentials()
File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
kwargs = self._get_assume_role_kwargs()
File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
assertion = self._authenticator.retrieve_saml_assertion(config)
File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 240, in retrieve_saml_assertion
session_token = parsed['sessionToken']
KeyError: 'sessionToken'
Having a similar problem. I get a different response on / off VPN.
Off VPN I match the above.
On VPN I get:
awsprocesscreds-saml -e https://organization.okta.com/login/default -u 'name@organization.com' -p okta -a arn:aws:iam::1234567890123:role/AWS_Role_Name --verbose
Password:
Sending HTTP POST with username (name@organization.com) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Received HTTP response of status code: 200
Traceback (most recent call last):
File "/usr/local/bin/awsprocesscreds-saml", line 8, in <module>
sys.exit(saml())
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/cli.py", line 81, in saml
creds = fetcher.fetch_credentials()
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
creds = super(SAMLCredentialFetcher, self).fetch_credentials()
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 566, in fetch_credentials
return self._get_cached_credentials()
File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
response = self._get_credentials()
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
kwargs = self._get_assume_role_kwargs()
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
assertion = self._authenticator.retrieve_saml_assertion(config)
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 245, in retrieve_saml_assertion
r = self._extract_saml_assertion_from_response(response.text)
File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 210, in _extract_saml_assertion_from_response
raise SAMLError(self._ERROR_LOGIN_FAILED)
awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check you have entered your password correctly.
I tried the same thing you did and got the same exception. Can you please help me get it resolved?
For me the biggest issue I had was that the config file had these comments in it and Python was not ignoring them. I removed all the # statements.
Hello, same results for the VPN on/VPN off cases.
With VPN:
File "c:\users\XXXl\appdata\local\programs\python\python39\lib\site-packages\awsprocesscreds\saml.py", line 210, in _extract_saml_assertion_from_response
raise SAMLError(self._ERROR_LOGIN_FAILED)
awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check you have entered your password correctly.
OS: W10, on PowerShell.
SOLVED
In order to use AWS CLI, in our ORG, we need to be members of a special Okta Group. So maybe check with your Org Cloud Admins.
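Both tracebacks in this thread hide what the identity provider actually answered: the first indexes `parsed['sessionToken']` without checking the reply, the second reports a password problem whenever the SSO page has no assertion. The sketch below is an added example, not awsprocesscreds code; the function names and sample bodies are constructed, and the field names `status`, `sessionToken`, `errorCode` and `errorSummary` are those of Okta's authn API replies.

```python
import json
from html.parser import HTMLParser

# Constructed sample bodies (not captured from a real tenant).
MFA_BODY = '{"status": "MFA_REQUIRED", "stateToken": "constructed"}'
ERR_BODY = '{"errorCode": "E0000004", "errorSummary": "Authentication failed"}'

class LoginDiagnosticError(Exception):
    """Carries the reason the IdP gave instead of a bare KeyError."""

def session_token_from_authn(status_code, body):
    """Return sessionToken from an /api/v1/authn reply, or say why there is none."""
    try:
        parsed = json.loads(body)
    except ValueError:
        raise LoginDiagnosticError("HTTP %s: body is not JSON" % status_code)
    if "sessionToken" in parsed:
        return parsed["sessionToken"]
    if "errorCode" in parsed:  # error object, e.g. rejected credentials
        raise LoginDiagnosticError("HTTP %s: %s (%s)" % (
            status_code, parsed.get("errorSummary"), parsed["errorCode"]))
    # Credentials accepted but the transaction is unfinished (MFA, lockout, ...)
    raise LoginDiagnosticError("HTTP %s: authn status %s, no sessionToken issued"
                               % (status_code, parsed.get("status", "unknown")))

class _SAMLFormParser(HTMLParser):
    """Records the value of <input name="SAMLResponse"> if the page has one."""
    def __init__(self):
        super().__init__()
        self.assertion = None
    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)
        if tag == "input" and fields.get("name") == "SAMLResponse":
            self.assertion = fields.get("value")

def saml_assertion_from_html(html):
    """Return the base64 assertion, or raise when the SSO page carries none."""
    parser = _SAMLFormParser()
    parser.feed(html)
    if not parser.assertion:
        raise LoginDiagnosticError("no SAMLResponse form field in SSO page")
    return parser.assertion

if __name__ == "__main__":
    for code, body in ((200, MFA_BODY), (401, ERR_BODY)):
        try:
            session_token_from_authn(code, body)
        except LoginDiagnosticError as exc:
            print(exc)
```

A missing `SAMLResponse` field after a successful password check points at authorization rather than credentials, which matches the group-membership fix reported above.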