prolane / samltoawsstskeys Goto Github PK
Google Chrome Extension which converts a SAML 2.0 assertion to AWS STS Keys.
License: MIT License
I am not having any success with the latest version of Chrome. Do I have to run Chrome as Admin or allow the extension some level of access?
Once I change the session duration to Yes it stops prompting for saving the credential file and my AWS CLI session keeps expiring in 30 mins.
No longer downloads any credentials file after logging in to AWS. Our setup is via Okta Single Sign On.
Could you add support for the Gov-Cloud signing site: https://signin.amazonaws-us-gov.com/?
When the [OPTIONAL] setting (Apply the SessionDuration requested by the SAML provider) is set to YES, I was unable to get the credential file.
Since this is an optional setting, it shouldn't block the user from downloading the credential file.
Kindly fix this.
Debug LOG:
INFO: AWSAssumeRoleWithSAMLCommand client.send will now be executed
script.js:292 ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
at Te (aws-js-sdk-bundle.js:2:57065)
at aws-js-sdk-bundle.js:2:70787
at async aws-js-sdk-bundle.js:2:38494
at async On.retry (aws-js-sdk-bundle.js:2:89037)
at async aws-js-sdk-bundle.js:2:116397
at async assumeRoleWithSAML (script.js:278:22)
at async onBeforeRequestEvent (script.js:197:12)
script.js:203 ERROR: Error when trying to assume the IAM Role with the SAML Assertion.
script.js:204 TypeError: Cannot read properties of undefined (reading 'access_key_id')
at onBeforeRequestEvent (script.js:199:72) "TypeError: Cannot read properties of undefined (reading 'access_key_id')\n at onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:199:72)"
I've got the v.3.1 update. With v3.0 I was getting the same error as was reported for #58, but now I am getting this error. Unless I am missing something, I don't think this has been resolved.
Originally posted by @DavidRHoffman in #59 (comment)
I'm seeing a different error for all the non-Default profiles:
INFO: assumeRole client.send will now be executed
script.js:345 MalformedInput: UnknownError
at Re (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:57065)
at chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:68463
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:38494
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:50282
at async On.retry (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:89037)
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:116397
at async assumeRole (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:331:22)
at async onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:216:22)
script.js:223 ERROR: Error when trying to assume additional IAM Role.
script.js:224 TypeError: Cannot read properties of undefined (reading 'access_key_id')
at onBeforeRequestEvent (script.js:219:83) "TypeError: Cannot read properties of undefined (reading 'access_key_id')\n at onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:219:83)"
AWS-CLI has troubles with:
aws_.......... = value
It has no troubles with:
aws_..........=value
Is it possible to remove the spaces around the equal-sign?
Thanks in advance.
In Chrome 62, the extension no longer downloads a credentials file. Worked in Chrome 61 just fine.
(sorry for dupe, posted this previously under the wrong account (service account)).
Download option of credentials stopped working with new versions - v3.0, v3.1, and v3.2
Is there any solution for this?
We are setting the SessionDuration via Google CustomSchema for users logging into AWS via SAML. For some, when they login, the credentials file does not download. To resolve it, they change Apply the SessionDuration requested by the SAML provider to No and the file downloads. For others, including myself, it works as expected with that option set to Yes. We are running the same version of the plugin (2.3) and the same version of Chrome.
When using the extension in incognito mode it doesn't create and download the credentials file. When checking the regular (non-incognito) window again, it shows some weird file that it tried to download but failed. It has a kind of UUID name.
Is this supported/maintained for Firefox? If so, what is the extension link, and can it be placed in the README? I can see some in the Firefox extensions that might be this extension, but I want to be certain I'm installing the official one for security purposes.
I am trying to use S3 browser with the credential file but it does not support LF as new line.
The original credentials file using aws configure has CRLF as the new line.
Can this be changed to CRLF?
Hello,
It looks like if a user only has a single SAML role, the extension fails to download the credentials file.
I've done a little digging and it appears that the Chrome Extension is being canceled because the SAML https://signin.aws.amazon.com/saml response is a 302 Redirect.
I've tried adding "<all_urls>" to the manifest file, but I think the response doesn't have the payload that the plugin is expecting to pull the role information from, so it's not a simple permission issue.
Steps to reproduce
If the https://signin.aws.amazon.com/saml screen asks you to select the Role, then the extension will work.
If anyone else has this issue, a simple workaround is to add a second SAML role to the account. It doesn't need to work (I've set mine to DONOTUSE); just get users to select their normal role. The extension seems to work fine.
Since the new version, 2.3, I no longer see all the profiles I setup on the plugin on my credentials file. It seems to always ignore the first profile I setup.
If for example I add one profile, then I only see the default. When I add a new one, then I will see default + the second profile I added.
Hi,
Not sure what the problem is. I installed the plugin and logged in to the AWS console with my Google G Suite SAML, but nothing happens. Is something supposed to pop up?
I also tried this in Incognito mode, but that also does not work.
I also installed it in Firefox, but with the same negative results.
Any suggestions?
As of this morning, I am no longer able to download the credentials file using the extension. Instead of the file, I now get a failed download with a GUID as a filename.
Debug log below:
script.js:59 DEBUG: onBeforeRequest event hit!
script.js:79 DEBUG: samlXmlDoc:
script.js:80 [redacted]
script.js:120 ApplySessionDuration: false
script.js:121 SessionDuration: null
script.js:122 hasRoleIndex: true
script.js:123 roleIndex: arn:aws:iam::[redacted]
script.js:161 RoleArn: arn:aws:iam::[redacted]
script.js:162 PrincipalArn: arn:aws:iam::[redacted]:saml-provider/[redacted]
script.js:187 DEBUG: Successfully assumed default profile
script.js:188 docContent:
script.js:189 [default]
aws_access_key_id = [redacted]
aws_secret_access_key = [redacted]
aws_session_token = [redacted]
script.js:195 Generate AWS tokens file.
script.js:261 DEBUG: Now going to download credentials file. Document content:
script.js:262 [default]
aws_access_key_id = [redacted]
aws_secret_access_key = [redacted]
aws_session_token = [redacted]
script.js:266 DEBUG: Blob URL:blob:chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/b7e150af-9f7a-4bf4-88b7-e8a5859511d7
Attempting to visit the above URL results in a 404.
Settings:
Filename: credentials
Apply SessionDuration: no
Debug logging: yes
ARN list: none
Running on Chrome version 72.0.3626.81 (updates are disabled by group policy)
Extension version: 2.7
When connecting to AWS:
credentials may be dangerous, so Chrome has blocked it.
Worked yesterday, it appears Google has made a change, perhaps enforcing a change in their extension policies?
The plugin doesn't prompt to download the file if the session duration is less than 12 hours.
Is there a workaround for Mac symlink restrictions with Big Sur OS system files?
Our standard company roles work great with this plugin.
We have a custom IAM role that is meant to provide access to a few select resources in the production account.
When we use this role, the plugin does not download the credentials file. We have tried adding "sts:TagSession", but are unsure what else it might need.
I am using Chrome Version 72.0.3626.81 (Official Build) (64-bit) and immediately after the upgrade the credentials download stopped working. I attempted to pull logs from the extension console using instructions listed in previous issues of this kind but there is not any output.
After logging in to AWS, the app provided a credential file to download.
However, the credentials do not work. When using aws s3 ls, I got this error:
An error occurred (InvalidAccessKeyId) when calling the ListObjectsV2 operation: The AWS Access Key Id you provided does not exist in our records.
I tried twice, got the same.
Maybe I configured something wrong, but I don't know what. Any ideas?
I installed from the chrome web store just now. It is unclear which version it is.
Hi
Extension works great, however the file name I specify in the options is ignored and instead a random name is generated for the file in the downloads folder from chrome.
Anybody else with this issue?
Thanks
The credentials file that gets output by the extension has 3 different key/value pairs:
aws_access_key_id
aws_secret_access_key
aws_session_token
However, whenever the Ansible EC2 module runs, it needs an additional value - aws_secret_key - or it will crash. My org has written a script to change the aws_session_token key to aws_secret_key (because they're the same value) to get this working for Ansible, but that inadvertently broke Terraform.
Since aws_session_token and aws_security_token are actually the same value, changing background/script.js:141 and background/script.js:177 to include aws_security_token = data.Credentials.SessionToken would fix the issue.
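The file-format requests collected in these issues (no spaces around the equals sign, no trailing space before each LF, CRLF line endings for S3 Browser, and the aws_security_token alias proposed just above) all concern the point where the extension renders the credentials file. The following is an added example in the extension's own language, not the project's code: `renderCredentialsFile`, `parseCredentialsFile`, `findTrailingWhitespace`, the option names and the profile names are constructed for illustration, as are all key values. The input shape follows the STS response fields (`AccessKeyId`, `SecretAccessKey`, `SessionToken`) that the issue references via `data.Credentials.SessionToken`. The parser is included so the output can be round-tripped and so an existing file can be checked for the trailing-whitespace problem.

```javascript
// Added example, not part of the samltoawsstskeys extension.
// Renders an AWS shared credentials file from STS results and checks
// the formatting points raised in the issues: compact key=value lines,
// no trailing whitespace, optional CRLF, aws_security_token alias.

// Render one [profile] section. `credentials` mirrors the STS
// AssumeRoleWithSAML response fields (AccessKeyId, SecretAccessKey,
// SessionToken). Option names are assumptions made for this example.
function renderProfile(name, credentials, opts = {}) {
  const { eol = "\n", spacesAroundEquals = false, securityTokenAlias = true } = opts;
  const sep = spacesAroundEquals ? " = " : "=";
  const lines = [
    `[${name}]`,
    `aws_access_key_id${sep}${credentials.AccessKeyId}`,
    `aws_secret_access_key${sep}${credentials.SecretAccessKey}`,
    `aws_session_token${sep}${credentials.SessionToken}`,
  ];
  if (securityTokenAlias) {
    // Same value under the second key name some tools read.
    lines.push(`aws_security_token${sep}${credentials.SessionToken}`);
  }
  // trimEnd guarantees no stray space before the line ending.
  return lines.map((l) => l.trimEnd()).join(eol) + eol;
}

// Render all profiles; sections are separated by one blank line.
function renderCredentialsFile(profiles, opts = {}) {
  const eol = opts.eol || "\n";
  return Object.entries(profiles)
    .map(([name, creds]) => renderProfile(name, creds, opts))
    .join(eol);
}

// Minimal INI reader for the shared credentials format. Tolerates CRLF,
// surrounding whitespace and comments so it can also read files the
// extension produced. Throws on a key/value line outside any section.
function parseCredentialsFile(text) {
  const result = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) {
      current = section[1];
      result[current] = {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || current === null) {
      throw new Error(`malformed line: ${JSON.stringify(raw)}`);
    }
    result[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return result;
}

// Report 1-based line numbers that carry whitespace before the line
// ending (the "space inserted before the LF" complaint). CR from CRLF
// files is stripped by the split and is not counted.
function findTrailingWhitespace(text) {
  return text
    .split(/\r?\n/)
    .map((line, i) => (/\s$/.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

// Constructed sample values; not real credentials.
const SAMPLE_PROFILES = {
  default: {
    AccessKeyId: "ASIAEXAMPLE000000001",
    SecretAccessKey: "constructedSecretAccessKey",
    SessionToken: "constructedSessionToken",
  },
  "prod-readonly": {
    AccessKeyId: "ASIAEXAMPLE000000002",
    SecretAccessKey: "constructedSecretAccessKey2",
    SessionToken: "constructedSessionToken2",
  },
};

// Stand-alone usage: render LF and CRLF variants and lint the LF one.
const lfFile = renderCredentialsFile(SAMPLE_PROFILES);
const crlfFile = renderCredentialsFile(SAMPLE_PROFILES, { eol: "\r\n" });
console.log(lfFile);
console.log("trailing-whitespace lines:", findTrailingWhitespace(lfFile));
console.log("CRLF variant parses identically:",
  JSON.stringify(parseCredentialsFile(crlfFile)) === JSON.stringify(parseCredentialsFile(lfFile)));
```

A file produced by the extension can be passed to `findTrailingWhitespace` and `parseCredentialsFile` to confirm whether a consumer's complaint is a formatting issue in the file or something else (for example expired keys, as in the InvalidAccessKeyId report above).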
Hello, we've recently rolled out SAML integration with Google Apps for our developer AWS account. We also use this account to authorize users in our production account. Is it possible to extend the features of samltoawsstskeys to generate temporary credentials when switching roles to the different production accounts?
The current process is to use the credentials generated with the dev account and assume-role to the new account, but it would be cleaner/nicer if your plugin was to allow a user to pull the credentials from the production accounts as required.
Summary:
Testing with some of my coworkers has shown that at least some additional named roles are not populating in the downloaded Credentials file for us.
Steps to Reproduce:
Expected behavior:
Actual behavior:
Other notes:
Looking at locations in the source code where changes occurred, I suspect this might have started happening around 35e4917.
After the update to Chrome 68, the extension no longer downloads the credentials file when doing SAML auth. I had a colleague report a problem, and I couldn't reproduce until I updated Chrome, and then I got the same behavior.
Each line in the credentials file has a space inserted before the LF. Please trim before inserting the headers and values into the file. Otherwise, you need to clean up these spaces when trying to read the file as an "ini-file".
Our AWS has a default of 1 hour session but allows up to 12 hours. The current SessionDuration doesn't seem to collect this maximum of 12 hours, goes to null, and AWS defaults to all generated credentials to one hour.
https://github.com/prolane/samltoawsstskeys/blob/master/background/script.js#L109
It would be nice if, when we set Apply the SessionDuration requested to no, an input box could pop up to set an override value. Or is there a better way to dynamically get the maximum SessionDuration allowed by AWS?
This isn't working 100% of the time now. The credentials file is not getting generated intermittently.
Using google chrome: Version 66.0.3359.139 (Official Build) (64-bit)
It would be great if there was an option to not automatically pop up the save dialog once you log in, and instead save it until the user clicks the extension and chooses "save credentials" from the menu.
After the December update it is no longer generating the credentials file.
This occurs in Chrome or Edge.
Is there any configuration that needs to be done after the upgrade?
Thank you
It violates some policy and has been removed. Which is annoying because it is very useful.
At the company I work for we have many different accounts we manage and our operations and support teams have to jump between accounts frequently. AWS role history only allows saving of 5 roles, as it saves it in a cookie.
We have made some crude patches to a forked version of your plugin (https://github.com/TheSkorm/samltoawsstskeys/blob/extraRoles/extra_roles/roles.js) that re-initializes the nav user menu with roles from the STS plugin and colours them by hashing the account id. This allows all roles from the STS plugin to appear in the nav menu bar.
If this feature sounds like something you'd like to see merged into your plugin I would be happy to clean up some of the code and add a toggle option for it on the settings page.
We have Okta MFA disabled currently in our dev environment. And now I am not getting the credentials download again. Is anyone else experiencing issues? I even tried incognito so not many extensions are loaded.
Chrome Version 69.0.3497.100 (Official Build) (64-bit)
Not sure if the Firefox extension is maintained by you guys, but the Firefox version is on 2.5.
It would be nice to keep it up to date.
Thanks,
It recently stopped renaming the credentials file and now it just saves it as download.txt.
Can someone let me know if there is a way to use this plugin for China accounts? I tried to use it on both Chrome and Firefox but couldn't make it work. Your help is highly appreciated.