Skip to content
This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Okta broken #42

Open
lapkritinis opened this issue Dec 20, 2019 · 5 comments
Open

Okta broken #42

lapkritinis opened this issue Dec 20, 2019 · 5 comments

Comments

@lapkritinis
Copy link

Hello,

It seems that okta login no longer works. I am putting error log (I replaced there sensitive information)

username@MAC ~ % awsprocesscreds-saml --verbose -e https://organization.okta.com/app/amazon_aws/randomstringg/sso/saml -u '[email protected]' -p okta -a arn:aws:iam::1234567890:role/my-role

Password: 
Sending HTTP POST with username ([email protected]) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Traceback (most recent call last):
  File "/Users/username/.pyenv/versions/3.8.0/bin/awsprocesscreds-saml", line 8, in <module>
    sys.exit(saml())
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 643, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 653, in _get_cached_credentials
    response = self._get_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 240, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'
@cybercussion
Copy link

Having a similar problem. I get a different response on / off VPN.

Off VPN I match the above.

On VPN I get:

awsprocesscreds-saml -e https://organization.okta.com/login/default -u '[email protected]' -p okta -a arn:aws:iam::1234567890123:role/AWS_Role_Name --verbose
Password:
Sending HTTP POST with username ([email protected]) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Received HTTP response of status code: 200
Traceback (most recent call last):
  File "/usr/local/bin/awsprocesscreds-saml", line 8, in <module>
    sys.exit(saml())
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 566, in fetch_credentials
    return self._get_cached_credentials()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 245, in retrieve_saml_assertion
    r = self._extract_saml_assertion_from_response(response.text)
  File "/usr/local/lib/python3.7/site-packages/awsprocesscreds/saml.py", line 210, in _extract_saml_assertion_from_response
    raise SAMLError(self._ERROR_LOGIN_FAILED)
awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check you have entered your password correctly.

@sureshselvam01
Copy link

Hello,

It seems that okta login no longer works. I am putting error log (I replaced there sensitive information)

username@MAC ~ % awsprocesscreds-saml --verbose -e https://organization.okta.com/app/amazon_aws/randomstringg/sso/saml -u '[email protected]' -p okta -a arn:aws:iam::1234567890:role/my-role

Password: 
Sending HTTP POST with username ([email protected]) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Traceback (most recent call last):
  File "/Users/username/.pyenv/versions/3.8.0/bin/awsprocesscreds-saml", line 8, in <module>
    sys.exit(saml())
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 643, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 653, in _get_cached_credentials
    response = self._get_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 240, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'

I tried the same what you did and got the same exception. Can you please help me out to get it resolve

@cybercussion
Copy link

For me the biggest issue I had was the config file had these comments in it and python was not ignoring them. I removed all the # statements.

@LarsLarsLars
Copy link

LarsLarsLars commented Apr 21, 2021

Hello, Same results for the VPN on/VPN Off cases.

With VPN :
File "c:\users\XXXl\appdata\local\programs\python\python39\lib\site-packages\awsprocesscreds\saml.py", line 210, in _extract_saml_assertion_from_response
raise SAMLError(self._ERROR_LOGIN_FAILED)
awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check you have entered your password correctly.

My Config file :
image

OS : W10, on Powershell,.

SOLVED
In order to use AWS CLI, in our ORG, we need to be members of a special Okta Group. So maybe check with your Org Cloud Admins.

@lowtianwei
Copy link

Hello,
It seems that okta login no longer works. I am putting error log (I replaced there sensitive information)

username@MAC ~ % awsprocesscreds-saml --verbose -e https://organization.okta.com/app/amazon_aws/randomstringg/sso/saml -u '[email protected]' -p okta -a arn:aws:iam::1234567890:role/my-role

Password: 
Sending HTTP POST with username ([email protected]) and password to Okta API endpoint: https://organization.okta.com/api/v1/authn
Traceback (most recent call last):
  File "/Users/username/.pyenv/versions/3.8.0/bin/awsprocesscreds-saml", line 8, in <module>
    sys.exit(saml())
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 353, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 643, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/username/.local/lib/python3.8/site-packages/botocore/credentials.py", line 653, in _get_cached_credentials
    response = self._get_credentials()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 362, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 403, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "/Users/username/.pyenv/versions/3.8.0/lib/python3.8/site-packages/awsprocesscreds/saml.py", line 240, in retrieve_saml_assertion
    session_token = parsed['sessionToken']
KeyError: 'sessionToken'

I tried the same what you did and got the same exception. Can you please help me out to get it resolve

I have the same issue as you. This is because https:///api/v1/authn response does not have "sessionToken". I fix this after reset okta password. You have to use the new password to login to console first before test again.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants