This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Doesn't seem to work if MFA is configured on Okta #13

Open
pcolmer opened this issue Dec 14, 2017 · 5 comments

pcolmer commented Dec 14, 2017

If my Okta account has an MFA then authenticating fails with:

Traceback (most recent call last):
  File "/usr/local/bin/awsprocesscreds-saml", line 11, in <module>
    sys.exit(saml())
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 348, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 507, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/philip/.local/lib/python2.7/site-packages/botocore/credentials.py", line 517, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 357, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 393, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/usr/local/lib/python2.7/dist-packages/awsprocesscreds/saml.py", line 238, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'

If I unset the MFA in Okta, authentication succeeds.

Please add support for MFA as this is going to be a requirement if we adopt this authentication model.

Thanks.
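
The traceback above ends in `KeyError: 'sessionToken'`, meaning the login response carried no session token once MFA was enabled. As an added example (not code from awsprocesscreds or from anyone in this thread), the sketch below checks the response status before reading the token; the `status`, `stateToken` and `_embedded.factors` field names follow Okta's Authentication API as an assumption, and the function name, exception classes and sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies shaped like Okta primary-authentication
# responses (field names are an assumption; every value is a placeholder).
SUCCESS_BODY = json.dumps({"status": "SUCCESS", "sessionToken": "constructed-session-token"})
MFA_BODY = json.dumps({
    "status": "MFA_REQUIRED",
    "stateToken": "constructed-state-token",
    "_embedded": {"factors": [
        {"id": "factor-1", "factorType": "token:software:totp", "provider": "OKTA"},
        {"id": "factor-2", "factorType": "push", "provider": "OKTA"},
    ]},
})


class MFARequired(Exception):
    """The IdP wants a second factor before it will issue a session token."""

    def __init__(self, state_token, factors):
        super().__init__("MFA required; %d factor(s) enrolled" % len(factors))
        self.state_token = state_token
        self.factors = factors


class AuthnError(Exception):
    """Any response that is neither SUCCESS nor MFA_REQUIRED."""


def extract_session_token(body):
    """Return the session token, or raise a typed error instead of KeyError."""
    try:
        parsed = json.loads(body)
    except ValueError:
        raise AuthnError("authn response is not JSON")
    if not isinstance(parsed, dict):
        raise AuthnError("authn response is not a JSON object")
    status = parsed.get("status")
    if status == "SUCCESS" and parsed.get("sessionToken"):
        return parsed["sessionToken"]
    if status == "MFA_REQUIRED":
        # Hand the caller what it needs to drive the second step.
        factors = [
            (f.get("id"), f.get("factorType"), f.get("provider"))
            for f in (parsed.get("_embedded") or {}).get("factors") or []
        ]
        # Keep the state token out of logs: it identifies the pending login.
        raise MFARequired(parsed.get("stateToken"), factors)
    raise AuthnError("unexpected authn status: %r" % (status,))
```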

@Menahem1

+1

pcolmer commented Jan 9, 2018

Copy of the comment I just posted on the pull request:

Just a note that although this code does work on its own, it doesn't work with AWS CLI because the latter consumes all output received from the running authentication process. If you try to use this enhancement with AWS CLI, it appears to stall but it is actually waiting for the user to specify which MFA action to take.

My initial thought was to use sys.stderr to output the prompts but the existing awsprocesscreds code uses getpass.getpass to get the user's password and that works - apparently by writing to sys.stdout.

Also, it looks like botocore might not allow stderr to be used either: aws/aws-cli#3057

So ... not sure how to proceed. I don't know if this is something that needs to be altered in awsprocesscreds or if aws-cli needs a cleaner way of getting the results back from awsprocesscreds so that the user can be allowed to interact with awsprocesscreds?

pcolmer commented Jan 17, 2018

I've updated my code with a separate branch (revised_prompting) to use getpass instead of having botocore swallow the output and then confuse awsprocesscreds.

Waiting on a decision from the repo maintainers as to what is going to be done to close out this issue ...

@lorengordon

Running into this exact same issue. MFA is not optional for us. Any progress on getting support in this tool?

@lapkritinis

I got exactly the same issue. Any update on this?
