moritzheiber / crowbar

Securely generates temporary AWS credentials through identity providers using SAML

License: Apache License 2.0

Rust 100.00%
aws security okta saml single-sign-on aws-cli mfa rust idp cli

crowbar's People

Contributors

aaron1011, bjjb, bors[bot], bruceadams, darethas, dependabot[bot], endemics, hopkinsth, iliana, jonathanmorley, lstanden, moritzheiber, skeptomai, strangelittlemonkey, tlunter

crowbar's Issues

Okta - CentOS 7 - Platform secure storage failure: zbus error: I/O error: No such file or directory (os error 2)

Running the following in a Docker container with CentOS 7

$ crowbar --version
crowbar 0.4.5

$ crowbar profiles add test --username email --provider okta --url 'https://myorg.okta.com'
Profile test added successfully!

$ env AWS_PROFILE=test aws s3 ls
Password for email at https://myorg.okta.com: [hidden]
Authentication successful!
Platform secure storage failure: zbus error: I/O error: No such file or directory (os error 2)
Error when retrieving credentials from custom-process:
$

To install crowbar:

  1. Installed cargo and installed crowbar through cargo
  2. Ran install -y libdbus-1-dev gnome-keyring libssl-dev dbus-x11 curl
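Added example (not crowbar's own code) for the failure above. On Linux a keyring-backed tool stores the password through the Secret Service API, which it reaches over the D-Bus session bus (zbus is a Rust D-Bus client); the "No such file or directory" is the connect() to the bus socket failing. Installing gnome-keyring and dbus-x11 puts the binaries in the image, but nothing starts a session bus under a plain docker run, so the socket never exists. The address grammar and the $XDG_RUNTIME_DIR/bus fallback follow the D-Bus specification; the status names and hints are ours, and path_exists is injectable only so the check can be exercised offline.

```python
"""Diagnose why a Secret Service keyring is unreachable (missing D-Bus session bus)."""
import os


def parse_bus_address(address):
    """Split a D-Bus address such as 'unix:path=/run/user/1000/bus;tcp:host=x'
    into [(transport, {key: value}), ...]."""
    entries = []
    for entry in address.split(";"):
        if not entry:
            continue
        transport, _, rest = entry.partition(":")
        params = {}
        for kv in rest.split(","):
            if kv:
                key, _, value = kv.partition("=")
                params[key] = value
        entries.append((transport, params))
    return entries


def diagnose_session_bus(env, path_exists=os.path.exists):
    """Return (status, detail) with status one of
    'ok', 'no-address', 'socket-missing', 'unsupported-transport'."""
    address = env.get("DBUS_SESSION_BUS_ADDRESS")
    if not address:
        # D-Bus spec fallback: $XDG_RUNTIME_DIR/bus when no address is advertised.
        runtime_dir = env.get("XDG_RUNTIME_DIR")
        if not runtime_dir:
            return ("no-address",
                    "no DBUS_SESSION_BUS_ADDRESS and no XDG_RUNTIME_DIR: "
                    "start a session bus (e.g. dbus-run-session) before the tool")
        address = "unix:path=" + os.path.join(runtime_dir, "bus")

    failure = None
    for transport, params in parse_bus_address(address):
        if transport != "unix":
            failure = failure or ("unsupported-transport",
                                  f"session bus advertised over {transport!r}")
            continue
        if "abstract" in params:
            # Abstract sockets have no filesystem path, so there is nothing to stat.
            return ("ok", "abstract unix socket " + params["abstract"])
        path = params.get("path")
        if path and path_exists(path):
            return ("ok", "socket " + path)
        failure = failure or ("socket-missing",
                              f"{path} does not exist: this is the ENOENT the keyring reports")
    return failure or ("no-address", "empty address")


if __name__ == "__main__":
    # Run inside the container to see which case applies.
    print(diagnose_session_bus(dict(os.environ)))
```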

Question: How do I specify which factor/role to use by default in credential_process?

At my org, I have a few roles that are in various AWS accounts. Each of these AWS accounts represents a different environment within our CI/CD process: dev/stage/prod.

If I create multiple aws profiles so I can switch between multiple accounts/roles quickly like this:

$ crowbar profiles add my-org-dev -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....
$ crowbar profiles add my-org-stage -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....
$ crowbar profiles add my-org-prod -u paul.baker -p okta --url https://my-org.okta.com/home/amazon_aws/....

It gets a little difficult to manage, because when the token expires it'll ask you to select which factor to use (I have multiple options, but I only ever want push) and it'll ask me which role I wish to assume. I can't swap roles until the token expires so if my intent was to target a development environment but I specify production by accident, I can't fix it until the token expires and I re-select the correct account.

Is there a way to tell crowbar which factor method and role I want to assume by default within the credential_process command?

As of version 0.4.7 crowbar no longer works

The only substantive change that I see in the transition from 0.4.6 -> 0.4.7 seems to be in the AWS library versions from 0.11.0 to 0.15.0, and something within that broke it. The behavior is that you get prompted for an Okta push or TOTP, you select either and confirm, crowbar responds and says Authentication Successful, and then it asks you once again for Okta push or TOTP, in an endless loop.

Crowbar throws an error

I had crowbar working from my Mac for several AWS accounts, but then it stopped working one day with the following error and I cannot figure out the issue. Can someone help? From looking at the code I think there's something it doesn't like about the response from Okta, but I don't know specifically what and even with -ltrace it doesn't show me enough to know what's wrong. I will say that if my credentials are wrong, I get an authentication error as expected, but with correct credentials, I can see that Okta gives a 200 response but then parsing it fails.

Unable to login
Caused by: 
 2: error decoding response body: invalid type: null, expected a string at line 1 column 1403
 1: invalid type: null, expected a string at line 1 column 1403

Error: --2020-09-08: command not found

I'm trying to use crowbar within a Docker container. Long story short, we have individuals on our team whose machines are super locked down. I can run crowbar on my host machine and profiles are added as expected, but within Docker the error is strange and unclear.

FROM ubuntu:latest
RUN apt-get update -y && apt-get install -y \
  curl \
  wget \
  unzip
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && unzip awscliv2.zip && ./aws/install
# wget's lowercase -o writes the transfer log to the file; uppercase -O writes the downloaded asset itself.
RUN wget https://github.com/moritzheiber/crowbar/releases/download/v0.3.7/crowbar-x86_64-linux -O /bin/crowbar && chmod +x /bin/crowbar
$ docker build --tag general-terminal:latest .
$ docker run --rm -ti general-terminal:latest bash
$ crowbar profiles add my-profile -u paul.baker -p okta --url "https://redacted.okta.com/home/amazon_aws/redacted"

> /usr/bin/crowbar: line 1: --2020-09-08: command not found
> /usr/bin/crowbar: line 2: syntax error near unexpected token `('
> /usr/bin/crowbar: line 2: `Resolving github.com (github.com)... 140.82.114.4'

I'm not sure what this error means, but it seems like any profiles command triggers it.

$ crowbar profiles list
> /usr/bin/crowbar: line 1: --2020-09-08: command not found
> /usr/bin/crowbar: line 2: syntax error near unexpected token `('
> /usr/bin/crowbar: line 2: `Resolving github.com (github.com)... 140.82.114.4'
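Added example, not crowbar's own code. The lines bash complains about ("--2020-09-08: command not found", "Resolving github.com (github.com)...") are the first two lines of a wget transfer log: wget's lowercase -o FILE writes that log to FILE, while uppercase -O FILE writes the download. Whatever fetch command is used, the check a practitioner wants before chmod +x is that the file is an executable image and, when a digest is available from a trusted source, that it matches. The sample bytes below are constructed (the log lines mirror the ones quoted in the issue); the expected digest is whatever the caller supplies, not a published checksum.

```python
"""Refuse to install a downloaded "binary" that is not actually an ELF executable."""
import hashlib

ELF_MAGIC = b"\x7fELF"


def classify_download(data):
    """Best-effort label for the first bytes of a downloaded file."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(b"--") and b"Resolving " in data:
        return "wget-log"  # transfer log written with -o instead of -O
    if data.lstrip().startswith(b"<"):
        return "html"  # e.g. an error or login page saved in place of the asset
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_release_bytes(data, expected_sha256=None):
    """Return (ok, reason). Reject anything that is not an ELF image and, when a
    digest is supplied, anything whose sha256 differs from it."""
    kind = classify_download(data)
    if kind != "elf":
        return False, f"not an ELF executable (looks like: {kind})"
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        return False, "sha256 mismatch"
    return True, "ok"


def verify_release_binary(path, expected_sha256=None):
    """File-based wrapper: call this before chmod +x in an install step."""
    with open(path, "rb") as f:
        return verify_release_bytes(f.read(), expected_sha256)


# Constructed samples: a minimal ELF header prefix and a wget transfer log.
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13
SAMPLE_WGET_LOG = (
    b"--2020-09-08 10:11:12--  https://github.com/moritzheiber/crowbar/releases/download/v0.3.7/crowbar-x86_64-linux\n"
    b"Resolving github.com (github.com)... 140.82.114.4\n"
)

if __name__ == "__main__":
    for name, blob in (("elf", SAMPLE_ELF), ("log", SAMPLE_WGET_LOG)):
        print(name, verify_release_bytes(blob))
```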

Could not find SAML element in HTML response

Authentication successful!
Could not find SAML element in HTML response

I always get this, when trying to use crowbar. It also only asked me for my password, never one of my MFA options.
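Added example, not crowbar's own code, covering two of the issues on this page: "Could not find SAML element in HTML response" and the earlier question about choosing a role without a prompt. For AWS federation the IdP answers a successful login with an auto-submit HTML form whose hidden SAMLResponse field carries the base64 assertion; that field is the "SAML element" a tool looks for, and a page that is something else (an MFA challenge, an error page) simply has none. The roles a tool then prompts for come from the assertion's https://aws.amazon.com/SAML/Attributes/Role attribute, one "role,provider" ARN pair per value, so a filter on account or role name can select one deterministically. The HTML, the assertion and the account IDs are constructed samples, not captured Okta traffic; choose_role() is our helper, not a crowbar option; and no signature validation is done here, which a real client must do before trusting the role list.

```python
"""Find the SAMLResponse in an IdP form and choose an AWS role from the assertion."""
import base64
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


class _SamlFormParser(HTMLParser):
    """Collect the value of <input name="SAMLResponse"> if the page has one."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name") == "SAMLResponse" and a.get("value"):
                self.saml_response = a["value"]


def extract_saml_response(html):
    """Return the base64 SAMLResponse, or None when the page carries no SAML form."""
    parser = _SamlFormParser()
    parser.feed(html)
    return parser.saml_response


def list_roles(saml_response_b64):
    """Return [(role_arn, provider_arn), ...]; the order of the two ARNs in a
    value is not fixed across IdPs, so match on the ARN type instead."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(role) == 1 and len(provider) == 1:
                roles.append((role[0], provider[0]))
    return roles


def choose_role(roles, account_id=None, role_name=None):
    """Select exactly one role without a prompt; refuse ambiguity rather than
    silently taking the first match (landing in the wrong account is costly)."""
    matches = [(r, p) for r, p in roles
               if (account_id is None or f":{account_id}:" in r)
               and (role_name is None or r.endswith("/" + role_name))]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} roles match account={account_id} "
                          f"name={role_name}: {matches}")
    return matches[0]


# Constructed assertion offering three roles in three accounts.
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/Dev,arn:aws:iam::111111111111:saml-provider/Okta</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:role/Stage,arn:aws:iam::222222222222:saml-provider/Okta</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::333333333333:saml-provider/Okta,arn:aws:iam::333333333333:role/Prod</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
ENCODED = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()

# Constructed IdP auto-submit form (successful flow) and a page with no SAML
# form at all (the "Could not find SAML element" case).
SAMPLE_SAML_HTML = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="POST" action="https://signin.aws.amazon.com/saml">'
    f'<input type="hidden" name="SAMLResponse" value="{ENCODED}"/>'
    '<input type="hidden" name="RelayState" value=""/></form></body></html>'
)
SAMPLE_MFA_HTML = '<html><body><form id="mfa"><input name="passCode"/></form></body></html>'

if __name__ == "__main__":
    print(extract_saml_response(SAMPLE_MFA_HTML))  # None: nothing to find
    roles = list_roles(extract_saml_response(SAMPLE_SAML_HTML))
    for role, provider in roles:
        print(role, provider)
    print(choose_role(roles, account_id="222222222222"))
```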

crowbar no longer works with Okta, a SAML IdP

I am trying to use an already configured profile with crowbar, which I remember was working earlier.
It fails before prompting for login credentials.

$ crowbar exec myprofile -- aws s3 ls
Unable to login
Caused by:
 1: HTTP status client error (401 Unauthorized) for url (https://<subdomain>.okta.com/api/v1/authn)

Using crowbar v0.3.7
