
aws-okta-processor's People

Contributors

agerard-godaddy, bhardie-godaddy, dclayton-godaddy, dependabot[bot], dewittdj, ewhitfield-godaddy, jgould-godaddy, jgowdy, jgowdy-godaddy, jwilhelm-godaddy, lorengordon, pantuza, ravinaik1312, smccarthy, tahoward, tarkatronic, thoward-godaddy, woz5999


aws-okta-processor's Issues

Updated signin page breaks sign in

The UI changed and soup needs to be updated with the correct elements

  File "/opt/homebrew/bin/aws-okta-processor", line 8, in <module>
    sys.exit(main())
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/cli.py", line 37, in main
    command.run()
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/commands/authenticate.py", line 104, in run
    credentials = self.authenticate()
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/commands/authenticate.py", line 98, in authenticate
    credentials = saml_fetcher.fetch_credentials()
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/core/fetcher.py", line 39, in fetch_credentials
    credentials = super(SAMLFetcher, self).fetch_credentials()
  File "/opt/homebrew/lib/python3.10/site-packages/botocore/credentials.py", line 657, in fetch_credentials
    return self._get_cached_credentials()
  File "/opt/homebrew/lib/python3.10/site-packages/botocore/credentials.py", line 667, in _get_cached_credentials
    response = self._get_credentials()
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/core/fetcher.py", line 136, in _get_credentials
    aws_roles, saml_assertion, _application_url, user, _organization = self._get_app_roles()
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/core/fetcher.py", line 106, in _get_app_roles
    aws_roles = saml.get_aws_roles(
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/core/saml.py", line 68, in get_aws_roles
    account_roles = get_account_roles(
  File "/opt/homebrew/lib/python3.10/site-packages/aws_okta_processor/core/saml.py", line 107, in get_account_roles
    accounts = soup.find('fieldset').find_all(
AttributeError: 'NoneType' object has no attribute 'find_all'

Support for MFA hardware token

Given that we are moving to deployment of YubiKeys for our internal use, and given that third parties may also leverage such tokens, we should look at adding support for --factor to specify a hardware token.

New Feature to Store Okta Credentials in macOS or OS-Native Keystore

Hello! I have been using this tool for a few weeks now. It's pretty solid and is a nice replacement for aws-okta (an older/deprecated tool). One of the features it had was that the Okta credentials could be retrieved from the macOS keychain (for macOS), or on Linux the keychain there, or whatever OS was being used, I guess.

This is more of a feature request, but it would be nice to have this option in this tool. Whenever the SAML session expires, one has to enter their password for the credential_process to move forward. This is great security and in most cases fine. However, sometimes automated tooling may not be so smart and understand that credential_process is prompting for input, and it can sometimes hang. I know this is that app's implementation fault; nevertheless, it might be useful and convenient to allow users to store the Okta credentials securely in their keystore and only be bothered when Okta 2FA requires a re-validation.

Prompt for user name

Currently if I try to authenticate without passing a username, aws-okta-processor will just pass None as the user name to get_okta_single_use_token.

I'd prefer it prompt me for input (just as it does for password). Is this a feature that people would be interested in?

Broken for python3.10

It fails to execute on python3.10

โฏ aws-okta-processor --help
Traceback (most recent call last):
  File "/Users/dacha204/.local/bin/aws-okta-processor", line 5, in <module>
    from aws_okta_processor.cli import main
  File "/Users/dacha204/.local/pipx/venvs/aws-okta-processor/lib/python3.10/site-packages/aws_okta_processor/cli.py", line 25, in <module>
    from . import commands
  File "/Users/dacha204/.local/pipx/venvs/aws-okta-processor/lib/python3.10/site-packages/aws_okta_processor/commands/__init__.py", line 1, in <module>
    from . import authenticate # noqa
  File "/Users/dacha204/.local/pipx/venvs/aws-okta-processor/lib/python3.10/site-packages/aws_okta_processor/commands/authenticate.py", line 30, in <module>
    from aws_okta_processor.core.fetcher import SAMLFetcher
  File "/Users/dacha204/.local/pipx/venvs/aws-okta-processor/lib/python3.10/site-packages/aws_okta_processor/core/fetcher.py", line 5, in <module>
    import aws_okta_processor.core.prompt as prompt
  File "/Users/dacha204/.local/pipx/venvs/aws-okta-processor/lib/python3.10/site-packages/aws_okta_processor/core/prompt.py", line 4, in <module>
    from collections import Mapping
ImportError: cannot import name 'Mapping' from 'collections' (/usr/local/Cellar/python@3.10/3.10.0_2/Frameworks/Python.framework/Versions/3.10/lib/python3.10/collections/__init__.py)

It works fine on python3.9.

Steps to reproduce:

brew install python@3.10
pipx install --python /usr/local/opt/python@3.10/bin/python3.10 aws-okta-processor
aws-okta-processor --help

`--environment` flag output appears to conflict with AWS CLI `credential_process` expected output

Hi there 👋. Thanks for making this tool, it's great.

I might be off-base, but when I try to use the --environment flag in my authenticate command from ~/.aws/credentials, I get the following error:

~/.aws/credentials

[my-profile]
credential_process = aws-okta-processor authenticate --organization *** --user *** --environment
$ aws s3 ls
...
Expecting value: line 1 column 1 (char 0)

This profile works fine:
~/.aws/credentials

[my-profile]
credential_process = aws-okta-processor authenticate --organization *** --user ***

I think that might be because credential_process expects JSON output on STDOUT?
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

The AWS CLI runs the command as specified in the profile and then reads data from STDOUT. The command you specify must generate JSON output on STDOUT that matches the following syntax.

Is that the case? Any workaround to get the --environment flag working when calling from an AWS named profile?
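To see why the `--environment` profile fails, here is an added check (not aws-okta-processor code) that validates what a credential_process command writes to STDOUT against the AWS CLI's JSON contract; the shape of the `--environment` output (shell `export` lines) is an assumption, since the issue only shows the resulting parse error.

```python
"""Validate the STDOUT of a credential_process command (added example)."""
import json
from datetime import datetime, timezone
from typing import Tuple

# Keys the AWS CLI credential_process contract requires; Expiration is optional.
REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey", "SessionToken")


def check_credential_process_output(stdout_text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the text a credential_process command printed."""
    try:
        doc = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        # Shell "export ..." lines end up here with exactly the message the
        # AWS CLI reported: Expecting value: line 1 column 1 (char 0)
        return False, f"not JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "top-level JSON value must be an object"
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        return False, "missing keys: " + ", ".join(missing)
    if doc["Version"] != 1:
        return False, f"unsupported Version {doc['Version']!r}; expected 1"
    if "Expiration" in doc:
        try:
            expiry = datetime.fromisoformat(str(doc["Expiration"]).replace("Z", "+00:00"))
        except ValueError:
            return False, "Expiration is not an ISO 8601 timestamp"
        if expiry.tzinfo is None:
            return False, "Expiration must carry a timezone offset"
        if expiry <= datetime.now(timezone.utc):
            return False, "credentials already expired"
    return True, "ok"


# Constructed samples; the key values are placeholders, not real credentials.
JSON_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLE-SECRET",
    "SessionToken": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2099-01-01T00:00:00Z",
})
# Assumed shape of --environment output: export lines meant for eval in a shell.
ENV_OUTPUT = (
    "export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID\n"
    "export AWS_SECRET_ACCESS_KEY=EXAMPLE-SECRET\n"
    "export AWS_SESSION_TOKEN=EXAMPLE-SESSION-TOKEN\n"
)

if __name__ == "__main__":
    for label, text in (("json", JSON_OUTPUT), ("environment", ENV_OUTPUT)):
        print(label, check_credential_process_output(text))
```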

EOFError instead of Token prompt when used with amazon-ecr-credential-helper

We are using amazon-ecr-credential-helper to pull Docker images from AWS ECR. It works fine when the session is already established, but initial authentication fails.

So this works fine:

# Remove any cached sessions
rm -rf ~/.aws/boto/cache ~/.aws-okta-processor/cache

# Run any AWS command (also works with Ansible, Terraform, etc)
AWS_PROFILE=my-profile aws sts get-caller-identity

# Enter Okta password

# Enter Okta token

# Pull image from ECR
AWS_SDK_LOAD_CONFIG=true AWS_PROFILE=my-profile docker pull ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${REPOSITORY_NAME}:${IMAGE_TAG}

But this does not:

# Remove any cached sessions
rm -rf ~/.aws/boto/cache ~/.aws-okta-processor/cache

# Pull image from ECR
AWS_SDK_LOAD_CONFIG=true AWS_PROFILE=my-profile docker pull ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${REPOSITORY_NAME}:${IMAGE_TAG}

# Enter Okta password

After entering Okta password we get the following error:

Password:
Info: Calling https://company-name.okta.com/api/v1/authn
Token: Traceback (most recent call last):
  File "/usr/local/bin/aws-okta-processor", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/cli.py", line 74, in main
    command.run()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/commands/authenticate.py", line 74, in run
    credentials = self.authenticate()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/commands/authenticate.py", line 68, in authenticate
    credentials = saml_fetcher.fetch_credentials()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/fetcher.py", line 38, in fetch_credentials
    credentials = super(SAMLFetcher, self).fetch_credentials()
  File "/Users/dizeee/Library/Python/3.7/lib/python/site-packages/botocore/credentials.py", line 629, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/dizeee/Library/Python/3.7/lib/python/site-packages/botocore/credentials.py", line 639, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/fetcher.py", line 62, in _get_credentials
    no_okta_cache=self._configuration["AWS_OKTA_NO_OKTA_CACHE"]
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 76, in __init__
    user_pass=user_pass
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 146, in get_okta_single_use_token
    return self.handle_factor(response_json=response_json)
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 162, in handle_factor
    return self.verify_factor(factor=factor, state_token=state_token)
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 171, in verify_factor
    json_payload = factor.payload()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 409, in payload
    return {"passCode": input()}
EOFError: EOF when reading a line
Password:

It prompts the password again and after entering it for the second time it throws the same error and dies:

Info: Calling https://company-name.okta.com/api/v1/authn
Token: Traceback (most recent call last):
  File "/usr/local/bin/aws-okta-processor", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/cli.py", line 74, in main
    command.run()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/commands/authenticate.py", line 74, in run
    credentials = self.authenticate()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/commands/authenticate.py", line 68, in authenticate
    credentials = saml_fetcher.fetch_credentials()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/fetcher.py", line 38, in fetch_credentials
    credentials = super(SAMLFetcher, self).fetch_credentials()
  File "/Users/dizeee/Library/Python/3.7/lib/python/site-packages/botocore/credentials.py", line 629, in fetch_credentials
    return self._get_cached_credentials()
  File "/Users/dizeee/Library/Python/3.7/lib/python/site-packages/botocore/credentials.py", line 639, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/fetcher.py", line 62, in _get_credentials
    no_okta_cache=self._configuration["AWS_OKTA_NO_OKTA_CACHE"]
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 76, in __init__
    user_pass=user_pass
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 146, in get_okta_single_use_token
    return self.handle_factor(response_json=response_json)
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 162, in handle_factor
    return self.verify_factor(factor=factor, state_token=state_token)
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 171, in verify_factor
    json_payload = factor.payload()
  File "/usr/local/lib/python3.7/site-packages/aws_okta_processor/core/okta.py", line 409, in payload
    return {"passCode": input()}
EOFError: EOF when reading a line
Error response from daemon: Get https://912850810755.dkr.ecr.eu-central-1.amazonaws.com/v2/php/manifests/7.4-dev-latest: no basic auth credentials
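The traceback shows `input()` hitting EOF because the process the credential helper spawns has no interactive stdin. As an added example (not aws-okta-processor code), the prompt below reads from the controlling terminal when stdin is not a tty and reports a clear error when no terminal exists at all; the `FakeTerminal` and the injectable `stdin`/`tty_factory` parameters are there only so the logic can run without a real terminal.

```python
"""Prompt for an MFA code even when stdin is not a terminal (added example)."""
import io
import sys


class NoTerminalError(RuntimeError):
    """Raised when a factor code is required but nothing can prompt for it."""


def open_controlling_tty():
    """Return the controlling terminal, or None (cron, CI, detached container)."""
    try:
        return open("/dev/tty", "r+")
    except OSError:
        return None


def read_factor_code(prompt="Token: ", stdin=None, tty_factory=open_controlling_tty):
    """Read a one-time code from stdin if it is interactive, else from the tty."""
    stdin = stdin or sys.stdin
    if stdin.isatty():
        sys.stdout.write(prompt)
        sys.stdout.flush()
        line = stdin.readline()
    else:
        tty = tty_factory()
        if tty is None:
            raise NoTerminalError(
                "no terminal available to prompt for the MFA code; run the "
                "authenticate command interactively first so a cached session exists"
            )
        tty.write(prompt)
        tty.flush()
        line = tty.readline()
    if line == "":
        # EOF before anything was typed: report it instead of a bare EOFError.
        raise NoTerminalError("input closed before a code was entered")
    return line.strip()


class FakeTerminal:
    """Stand-in for /dev/tty: reads constructed keystrokes, records output."""

    def __init__(self, typed: str) -> None:
        self._input = io.StringIO(typed)   # constructed keystrokes
        self.shown = io.StringIO()         # what the user would have seen

    def write(self, text: str) -> None:
        self.shown.write(text)

    def flush(self) -> None:
        pass

    def readline(self) -> str:
        return self._input.readline()


def read_code_with_fake_terminal(typed: str, terminal_present: bool) -> str:
    """Run read_factor_code with a pipe-like stdin and a fake /dev/tty."""
    pipe_stdin = io.StringIO("")   # isatty() is False, like the helper's stdin
    tty = FakeTerminal(typed) if terminal_present else None
    return read_factor_code(stdin=pipe_stdin, tty_factory=lambda: tty)


if __name__ == "__main__":
    print(read_code_with_fake_terminal("123456\n", terminal_present=True))
```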

Support Govcloud Sign In URL

AWS_SIGN_IN_URL = "https://signin.aws.amazon.com/saml"
is hardcoded for the commercial AWS sign in page.

This prevents the processor from working when assigned multiple roles in govcloud with the error

% AWS_PROFILE=dev-gov aws s3 ls
Error when retrieving credentials from custom-process: Traceback (most recent call last):
  File "/usr/local/bin/aws-okta-processor", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/cli.py", line 75, in main
    command.run()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/commands/authenticate.py", line 76, in run
    credentials = self.authenticate()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/commands/authenticate.py", line 70, in authenticate
    credentials = saml_fetcher.fetch_credentials()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/fetcher.py", line 38, in fetch_credentials
    credentials = super(SAMLFetcher, self).fetch_credentials()
  File "/usr/local/lib/python3.8/site-packages/botocore/credentials.py", line 670, in fetch_credentials
    return self._get_cached_credentials()
  File "/usr/local/lib/python3.8/site-packages/botocore/credentials.py", line 680, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/fetcher.py", line 88, in _get_credentials
    aws_roles = saml.get_aws_roles(
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/saml.py", line 55, in get_aws_roles
    account_roles = get_account_roles(saml_assertion=saml_assertion)
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/saml.py", line 91, in get_account_roles
    accounts = soup.find('fieldset').find_all(
AttributeError: 'NoneType' object has no attribute 'find_all'

The govcloud url is https://signin.amazonaws-us-gov.com/saml

no default region is exported

aws-okta-processor authenticate --environment --user XXX --organization XXX -R us-east-1 --no-okta-cache --no-aws-cache

but only the AWS keys are exported to environment variables, not AWS_DEFAULT_REGION

What is the use of -R?

Not compatible with alternative AWS account types, e.g. Gov Cloud

When using with roles in govcloud regions:

  File "/usr/local/bin/aws-okta-processor", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/cli.py", line 74, in main
    command.run()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/commands/authenticate.py", line 76, in run
    credentials = self.authenticate()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/commands/authenticate.py", line 70, in authenticate
    credentials = saml_fetcher.fetch_credentials()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/fetcher.py", line 35, in fetch_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.8/site-packages/aws_okta_processor/core/fetcher.py", line 110, in _get_credentials
    response = client.assume_role_with_saml(
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 337, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 656, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: eecadabf-e743-4d91-951a-84d992dbb6ba; Proxy: null)

The cause seems to be the boto3 default STS endpoint, which doesn't work with roles in other AWS partitions. The fix would be to provide the ability to optionally specify the boto3 client region.
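Both GovCloud issues above come down to the same thing: the sign-in URL and the STS endpoint must match the partition of the role being assumed. This added example (not aws-okta-processor code) derives both from the role ARN's partition; the two sign-in URLs are the ones quoted in the issues, while the per-partition STS region is an assumption.

```python
"""Pick SAML sign-in URL and STS region from a role ARN's partition (added example)."""
import re
from typing import Dict, NamedTuple, Tuple

ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):iam::(?P<account>\d{12}):"
    r"(?P<kind>role|saml-provider)/(?P<name>[\w+=.@/-]+)$"
)


class PartitionConfig(NamedTuple):
    sign_in_url: str
    sts_region: str   # assumed: region whose STS endpoint serves this partition


PARTITIONS: Dict[str, PartitionConfig] = {
    "aws": PartitionConfig("https://signin.aws.amazon.com/saml", "us-east-1"),
    "aws-us-gov": PartitionConfig("https://signin.amazonaws-us-gov.com/saml", "us-gov-west-1"),
}


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an IAM role or saml-provider ARN into its named parts."""
    match = ARN_RE.match(arn.strip())
    if match is None:
        raise ValueError(f"not an IAM role/saml-provider ARN: {arn!r}")
    return match.groupdict()


def partition_config(role_arn: str) -> PartitionConfig:
    """Look up the sign-in URL and STS region for the role's partition."""
    partition = parse_arn(role_arn)["partition"]
    try:
        return PARTITIONS[partition]
    except KeyError:
        raise ValueError(f"no sign-in URL configured for partition {partition!r}") from None


def split_role_attribute(value: str) -> Tuple[str, str]:
    """Split one SAML Role attribute value ("role_arn,provider_arn", either order).

    Pairs that straddle partitions are rejected: a role cannot be assumed
    through a provider that lives in another partition.
    """
    parts = [part.strip() for part in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'role_arn,provider_arn', got {value!r}")
    by_kind = {parse_arn(part)["kind"]: part for part in parts}
    if set(by_kind) != {"role", "saml-provider"}:
        raise ValueError(f"need one role and one saml-provider ARN: {value!r}")
    role, provider = by_kind["role"], by_kind["saml-provider"]
    if parse_arn(role)["partition"] != parse_arn(provider)["partition"]:
        raise ValueError(f"role and provider are in different partitions: {value!r}")
    return role, provider


if __name__ == "__main__":
    # Constructed attribute value; the account id is a placeholder.
    role, _ = split_role_attribute(
        "arn:aws-us-gov:iam::123456789012:saml-provider/Okta,"
        "arn:aws-us-gov:iam::123456789012:role/Developer"
    )
    print(partition_config(role))
```

The `sts_region` value is what you would pass as `region_name` when building the STS client, so that AssumeRoleWithSAML is sent to the partition's own endpoint.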

feat: Implement WebAuthN factor for MFA

See example of implementation here: Nike-Inc/gimme-aws-creds#237

We could have an analogous approach. The user would set up with an additional enroll command, and then would be able to use biometrics for authentication.

The only issue I see is that we are using an API, and enrolling requires another authentication with the actual Okta Web API. I couldn't find a way to enroll an additional second factor in the Okta API for a particular user, only for an admin.

Multiple requests to auth to okta - Parallel tools

Hi,

Not sure if this is even fixable, but we use tools such as Helmsman which can run helm commands in parallel. When using such tools, it will spawn the helm CLI several times, and when this occurs we have to enter our Okta password/MFA prompt per thread.

Not too sure how you could, if at all, resolve this.

get-roles command can fail if account has no alias

The regex used to get account information makes the assumption that the account has an alias. Accounts with aliases show up like this:

Account: {ACCOUNT_ID} ({ALIAS})

But accounts without aliases show up like this:

Account: {ACCOUNT_ID}

At the very least, the regex must not cause aws-okta-processor to fail on encountering an account without an alias, but because the alias is baked into so many other things, the simplest fix might also be to fall back on using the account ID as the alias in the event that the account has no alias.
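As an added example (not aws-okta-processor code), a label parser that accepts both shapes shown above and applies the suggested fallback of using the account ID as the alias; the sample labels are constructed and the account IDs are placeholders.

```python
"""Parse "Account: ..." labels from the AWS SAML role-chooser page (added example)."""
import re
from typing import Dict, Iterable, NamedTuple

# Matches "Account: 123456789012 (alias)" and "Account: 123456789012".
ACCOUNT_RE = re.compile(
    r"^Account:\s+(?P<account_id>\d{12})(?:\s+\((?P<alias>[^()]+)\))?\s*$"
)


class Account(NamedTuple):
    account_id: str
    alias: str


def parse_account_label(label: str) -> Account:
    """Parse one label; an account without an alias uses its ID as the alias."""
    match = ACCOUNT_RE.match(label.strip())
    if match is None:
        raise ValueError(f"unrecognised account label: {label!r}")
    account_id = match.group("account_id")
    alias = match.group("alias") or account_id   # fallback suggested in the issue
    return Account(account_id, alias.strip())


def index_accounts(labels: Iterable[str]) -> Dict[str, Account]:
    """Map alias -> Account, refusing two different accounts under one alias."""
    index: Dict[str, Account] = {}
    for label in labels:
        account = parse_account_label(label)
        existing = index.get(account.alias)
        if existing is not None and existing.account_id != account.account_id:
            raise ValueError(
                f"alias {account.alias!r} is ambiguous: "
                f"{existing.account_id} and {account.account_id}"
            )
        index[account.alias] = account
    return index


# Constructed sample labels (placeholder account IDs).
SAMPLE_LABELS = [
    "Account: 111111111111 (prod-payments)",
    "Account: 222222222222",
    "Account: 333333333333 (sandbox)",
]

if __name__ == "__main__":
    for alias, account in index_accounts(SAMPLE_LABELS).items():
        print(f"{alias:>16} -> {account.account_id}")
```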

ERROR: No Factors were found!

Trying to set up this tool, but the CLI exits with the following error

Info: Calling https://<org>.okta.com/api/v1/authn
ERROR: No Factors were found!

SAML not working with MFA in Okta Identity Engine

Using the new Okta identity engine, I set my ~/.aws/config file with a profile

[profile trial]
region             = us-gov-west-1
credential_process = aws-okta-processor authenticate --user [email protected] --organization trial-1234567.okta.com --application https://trial-1234567.okta.com/home/amazon_aws/StringyBits/272 --region us-gov-west-1 --duration 43200

then I ran

aws-okta-processor authenticate --user [email protected] --organization trial-1234567.okta.com --application https://trial-1234567.okta.com/home/amazon_aws/StringyBits/272 --region us-gov-west-1 --duration 43200

which resulted in

Password: 
Info: Calling https://trial-1234567.okta.com/api/v1/authn
Info: Calling https://trial-1234567.okta.com/api/v1/sessions
Info: Calling https://trial-1234567.okta.com/home/amazon_aws/StringyBits/272
SAMLResponse tag not found due to MFA challenge.
Creating new Okta session.
Password: 
Info: Calling https://trial-1234567.okta.com/api/v1/authn
Info: Calling https://trial-1234567.okta.com/api/v1/sessions
Info: Calling https://trial-1234567.okta.com/home/amazon_aws/StringyBits/272
SAMLResponse tag not found due to MFA challenge.
ERROR: SAMLResponse tag was not found!

Also ran the above command appending --factor push:okta and --factor token:software:totp:okta which yielded the same error.

It seems aws-okta-processor may not function properly with the Okta Identity Engine. Can this be fixed for a future release?
Thank you.

(customer sensitive info removed)

processor should not just hang if it's out of date.

Spent a good deal of time debugging why the processor was hanging. Turns out I was on 0.11 or something like that. Would be better if the processor told you that it was out of date instead of just hanging.

feature: Option to skip the cache(s)

Finding myself manually purging the caches rather frequently (certainly while developing features). Would be convenient to expose some functionality on the cli that just skipped the caches entirely. Can think of a few ways to get there...

Options:

  1. --no-cache: Skip all caches
  2. --no-cache CACHES: Skip listed caches
  3. --cache CACHES: Enable listed caches (default enable both okta and aws)

Any preference? Other ideas?

feature: Support for Okta TOTP factor

Was interested in using this utility, but noticed it does not currently support the TOTP factor (only push notifications). Our users would need TOTP support to start, maybe other factors also later.

I have a very naive implementation ready, will open a PR shortly. Happy to discuss either here or in the PR, depending on your preferences.
