nike-inc / gimme-aws-creds
A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
License: Apache License 2.0
Hi Team,
I am getting the following error when approving from okta
Okta Verify push sent...
Traceback (most recent call last):
File "gimme-aws-creds.py", line 17, in <module>
GimmeAWSCreds().run()
File "c:\MyProgs\myvenv\lib\site-packages\gimme_aws_creds\main.py", line 432, in run
scopes=['openid']
File "c:\MyProgs\myvenv\lib\site-packages\gimme_aws_creds\okta.py", line 220, in auth_oauth
url_parse_results = urlparse(response.headers['Location'])
File "c:\MyProgs\myvenv\lib\site-packages\requests\structures.py", line 52, in __getitem__
return self._store[key.lower()][1]
KeyError: 'location'
Add support of environment variables and/or command line arguments to set all configuration options so that the tool can be used in an automated environment.
Have the script look for the below variables and have it auto-generate the configuration section in ~/.okta_aws_login_config
if not there yet and if it has everything it needs to do so. Then also have it generate the AWS credentials with these arguments in the same run.
This should allow for a much higher level of automation.
export AWS_APPNAME="..."
export AWS_ROLENAME="arn:aws:iam::..."
export CLIENT_ID="..."
export CRED_PROFILE="..."
export GIMME_CREDS_SERVER="https://..."
export OKTA_AUTH_SERVER="..."
export OKTA_ORG_URL="https://..."
export OKTA_USERNAME="..."
export WRITE_AWS_CREDS="True|False"
have installed latest version of gimme-aws-creds.
using python version - Python 3.5.0
not seeing credentials being generated in .aws/credentials. In config file I have "write_aws_creds = True"
If I set it to false I don't see credentials on stdout
So there is an option to write to your disk, but I would rather these creds be as ephemeral as possible. The tool is already nice enough to print them with export so that you can copy/paste them, but it would be even easier if we could gimme-aws-creds | sh and have it work. The issue is that currently the questions are printed to stdout, which screws with the pipe. If they were printed to stderr instead, the above command would work.
In DSM we are using up to 5 different AWS accounts, and some Terraform configurations access multiple accounts; currently this means we have to run gimme-aws-creds once for each profile.
Would it be possible to add support for a single Okta auth to populate multiple profiles?
AWS China and AWS GovCloud use separate API endpoints from the rest of AWS, including the STS endpoint for requesting temporary credentials. boto3.client
defaults to the standard endpoints, but can accept a region parameter to switch to one of the alternatives.
There needs to be a way to define the region on a per-account basis - you may have a user with access to accounts in China and other AWS regions.
Would like to submit a Pull Request to add the AWS session timeout to the parameters so we can extend the session to the 12 hour value now allowed by AWS.
Currently if you grab creds for any of the aws china accounts using a profile you've configured, the creds get stored in your .aws/credentials file as an arn instead of just the profile name.
This is because the name is set by removing the first portion of the role but is only hardcoded for "arn:aws:..." where aws china roles look like "arn:aws-cn:..."
Note: I already fixed this issue and am in the process of submitting a PR, currently going through the contributing guidelines
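The partition problem in the two reports above (a per-account STS region, and the profile name being derived by stripping a hard-coded arn:aws: prefix) comes down to parsing the role ARN properly. The following is an added example, not code from the gimme-aws-creds project: it parses the partition, account id and role name out of a role ARN, derives the profile name from the parsed fields so aws-cn and aws-us-gov roles behave like aws ones, and picks an STS region per account with a per-partition fallback. The DEFAULT_STS_REGION table and the per_account_region override are this example's assumptions about how such a setting could look; the boto3.client('sts', region_name=...) call is the standard boto3 API the issue refers to.

```python
import re

# Role ARN shapes seen in the reports above: arn:aws:..., arn:aws-cn:..., arn:aws-us-gov:...
ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)

# Assumed default STS region per partition. The regions are real; choosing
# these particular ones as defaults is this example's assumption, not the tool's.
DEFAULT_STS_REGION = {
    "aws": "us-east-1",
    "aws-cn": "cn-north-1",
    "aws-us-gov": "us-gov-west-1",
}


def parse_role_arn(arn):
    """Split a role ARN into partition, account id and role name.

    Rejects anything that is not an IAM role ARN so that a malformed or
    non-role ARN never reaches AssumeRoleWithSAML or the credentials file.
    """
    match = ROLE_ARN_RE.match(arn)
    if match is None:
        raise ValueError("not an IAM role ARN: {!r}".format(arn))
    return match.groupdict()


def profile_name_for_role(arn):
    """Profile name for ~/.aws/credentials: the part after 'role/'.

    Working from the parsed partition instead of a hard-coded 'arn:aws:' prefix
    is what makes aws-cn and aws-us-gov roles come out as 'Admin' rather than
    as the whole ARN.
    """
    return parse_role_arn(arn)["name"]


def sts_region_for_role(arn, per_account_region=None):
    """Pick the STS region: an explicit per-account override wins, then the partition default."""
    parsed = parse_role_arn(arn)
    overrides = per_account_region or {}
    return overrides.get(parsed["account"], DEFAULT_STS_REGION[parsed["partition"]])


def sts_client_for_role(arn, per_account_region=None):
    """Build the boto3 STS client on the endpoint that matches the role's partition.

    boto3 is imported lazily so the pure functions above stay testable without it.
    """
    import boto3

    return boto3.client("sts", region_name=sts_region_for_role(arn, per_account_region))


if __name__ == "__main__":
    for sample in (
        "arn:aws:iam::123456789012:role/Admin",
        "arn:aws-cn:iam::123456789012:role/Admin",
        "arn:aws-us-gov:iam::123456789012:role/path/ReadOnly",
    ):
        print(profile_name_for_role(sample), sts_region_for_role(sample))
```

The account ids above are placeholders. Per-account overrides matter because a single user may hold roles in both a China account and a commercial one, and the partition alone does not say which Chinese region the account lives in.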
APFJGTF18C63AD:gimme-aws-creds asaran$ gimme-aws-creds
Okta username must be an email address.
We are expected to see the prompt for the email address, but instead of asking for the email, it is giving me the error in okta.py, line #510.
In an effort to make the workflow as quick and simple as possible, we should allow the user to store their username, and multi-factor of choice as part of the configuration. This will allow really painless refreshing/changing of credentials.
For example:
$ gimme-aws-creds.py --profile lab
Using password from keyring for <user>
Authentication Success! Calling Gimme-Creds Server...
Multi-factor Authentication required.
Okta Verify push sent...
writing role <role> to <credfile>
The only interaction here would be with the MFA factor.
Users want to be able to create configuration profiles for gimme-creds so they can quickly switch between role and account configurations to update their credentials.
gimme-aws-creds --profile <ProfileName>
[DEFAULT]
cerberus_url = https://cerberus.example.com
cred_profile = role
write_aws_creds = True
idp_entry_url = https://example.idp.com
aws_appname = App1
aws_rolename = Role1
[ProfileName]
cerberus_url = https://cerberus.example.com
cred_profile = role
write_aws_creds = True
idp_entry_url = https://example.idp.com
aws_appname = App2
aws_rolename = Role2
At one point gimme-aws-creds | sh worked, but now because Selection: 1 appears before the export statements, this pipe produces an error.
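The two reports about gimme-aws-creds | sh (this one and the earlier one about questions being printed to stdout) describe one problem: anything that is not an export statement has to go to stderr. The following is an added illustration, not the project's own code; the menu, the credential values and the captured-stream helper are constructed for the example. Prompts and menus are written to sys.stderr explicitly instead of being passed to input(), because input() echoes its prompt to stdout.

```python
import contextlib
import io
import shlex
import sys

# Constructed sample data: two role ARNs for the menu and a fake credential set.
SAMPLE_ROLES = [
    "arn:aws:iam::111111111111:role/OktaPoweruserRole",
    "arn:aws:iam::111111111111:role/OktaReadonlyRole",
]
SAMPLE_CREDS = {
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEXAMPLE//////////token==",
}


def ask(prompt, reader=input):
    """Show a prompt on stderr and read the answer from stdin.

    input(prompt) would echo the prompt to stdout, which is exactly what breaks
    `gimme-aws-creds | sh`; writing it ourselves keeps stdout clean.
    """
    sys.stderr.write(prompt)
    sys.stderr.flush()
    return reader().strip()


def render_exports(creds):
    """Turn a credential mapping into shell-safe export statements (the only stdout content)."""
    return "\n".join(
        "export {}={}".format(name, shlex.quote(value)) for name, value in creds.items()
    )


def pick_role(roles, reader=input):
    """Menu on stderr, selection from stdin; returns the chosen role ARN."""
    for index, arn in enumerate(roles):
        sys.stderr.write("[{}] {}\n".format(index, arn))
    while True:
        answer = ask("Selection: ", reader)
        if answer.isdigit() and int(answer) < len(roles):
            return roles[int(answer)]
        sys.stderr.write("Please enter a number between 0 and {}\n".format(len(roles) - 1))


def run_with_captured_streams(roles, creds, answers):
    """Drive pick_role + render_exports with canned answers; returns (stdout, stderr, role)."""
    out, err = io.StringIO(), io.StringIO()
    canned = iter(answers)
    with contextlib.redirect_stdout(out), contextlib.redirect_stderr(err):
        role = pick_role(roles, reader=lambda: next(canned))
        print(render_exports(creds))
    return out.getvalue(), err.getvalue(), role


if __name__ == "__main__":
    # Interactive use: only the export lines land on stdout, so piping to sh works.
    pick_role(SAMPLE_ROLES)
    print(render_exports(SAMPLE_CREDS))
```

Quoting the values with shlex.quote is deliberate: a session token is opaque data, and emitting it unquoted into a line that a shell will evaluate is the kind of shortcut that turns a formatting change upstream into a command injection.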
Error while executing "gimme-aws-creds"
Traceback (most recent call last):
File "/root/gimme-aws-creds-1.0.13/bin/gimme-aws-creds", line 13, in <module>
from gimme_aws_creds.main import GimmeAWSCreds
ModuleNotFoundError: No module named 'gimme_aws_creds'
Currently, it's possible to insert any negative integer or non-integer values and bomb out the script. Further, the script also crashes if no apps or roles are available to the user.
Work is being done in the no-role-handling branch.
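One way to fail closed on bad menu input, as an added example that is not the project's no-role-handling branch: choose_index rejects empty, negative and non-integer answers (str.isdigit() covers all three, which matters because int('-1') would otherwise be a valid Python index into the list), and prompt_choice reports an empty option list up front instead of prompting for a choice that cannot be satisfied. The reader and report parameters exist so the logic can be exercised without a terminal.

```python
def choose_index(options, raw, kind="option"):
    """Validate one menu answer. Returns the chosen index or raises ValueError.

    str.isdigit() rejects '', '-1' and '1.5' in one go, which matters because
    Python would happily treat int('-1') as a valid (last-element) index.
    """
    if not options:
        raise ValueError("no {}s are available for this user".format(kind))
    answer = raw.strip()
    if not answer.isdigit():
        raise ValueError("selection must be a whole number, got {!r}".format(raw))
    index = int(answer)
    if index >= len(options):
        raise ValueError("selection must be between 0 and {}".format(len(options) - 1))
    return index


def prompt_choice(options, kind="option", reader=input, attempts=3, report=print):
    """Show a numbered menu, re-prompt on bad input, and give up after `attempts` tries.

    An empty option list raises immediately with a readable message: prompting
    for a choice that cannot be satisfied is the IndexError seen in the tracebacks.
    """
    if not options:
        raise ValueError("no {}s are available for this user".format(kind))
    for index, option in enumerate(options):
        report("[{}] {}".format(index, option))
    for _ in range(attempts):
        try:
            return options[choose_index(options, reader("Selection: "), kind)]
        except ValueError as exc:
            report(str(exc))
    raise ValueError("too many invalid selections")


if __name__ == "__main__":
    # Constructed menu for a manual run.
    print(prompt_choice(["arn:aws:iam::111111111111:role/RoleA",
                         "arn:aws:iam::111111111111:role/RoleB"], kind="role"))
```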
I'm having trouble getting this to run in my Windows 7 environment with Python 3.6. I'm following guidelines from our organisation, which say to do
python gimme-aws-creds --configure
to set it up. This seems to work ok. I can see a file called .okta_aws_login_config has been created with the details I entered.
However when I try to run it (again as per our guidelines):
python gimme-aws-creds --profile STS
(where STS is the name I gave the profile) then I get the following error:
No device token in configuration. Try running --register_device again.
I have no idea what to do next.
The process freezes entirely without any console output.
I am on Windows 10 in a conda environment. Same configuration works for my colleagues on a Mac.
Any ideas?
Is there any way to approach this without opening the code?
Thanks
This would be a handy alternative to adding it via an env var or cli flag.
Hi folks!
I'm getting this error when renewing keys.
$ gimme-aws-creds
Password for (omitted):
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 7, in <module>
exec(compile(f.read(), __file__, 'exec'))
File "/opt/gimme-aws-creds/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/opt/gimme-aws-creds/gimme_aws_creds/main.py", line 401, in run
auth_result = okta.auth_session()
File "/opt/gimme-aws-creds/gimme_aws_creds/okta.py", line 155, in auth_session
return {"username": login_response['_embedded']['user']['profile']['login'], "session": response.cookies['sid'], "device_token": self._http_client.cookies['DT']}
File "/usr/local/lib/python3.7/site-packages/requests-2.19.1-py3.7.egg/requests/cookies.py", line 328, in __getitem__
return self._find_no_duplicates(name)
File "/usr/local/lib/python3.7/site-packages/requests-2.19.1-py3.7.egg/requests/cookies.py", line 394, in _find_no_duplicates
raise CookieConflictError('There are multiple cookies with name, %r' % (name))
requests.cookies.CookieConflictError: There are multiple cookies with name, 'DT'
The method self._http_client.cookies['DT'] is failing to correctly return the value. As a simple test I tried accessing the cookie directly from the response and the expected value was actually there and without any duplicates.
So instead of:
return {
"username": login_response['_embedded']['user']['profile']['login'],
"session": response.cookies['sid'],
"device_token": self._http_client.cookies['DT']
}
I've changed to:
return {
"username": login_response['_embedded']['user']['profile']['login'],
"session": response.cookies['sid'],
"device_token": response.cookies['DT']
}
The only difference here is that instead of using the CookieJar from self._http_client.cookies = jar (gimme_aws_creds/okta.py:72) I've used the cookies references directly from the response.
I'm not sure why this error appears only when using the cookiejar from self._http_client.cookies = jar, but I think it's safe to say using the response cookies is somewhat ok in this case. Tests are passing.
Run the Docker container (as in the docs), punch in the password and this error (sometimes) will arise. For me it only happens when you already have the device token set in your ~/.okta_aws_login_config.
--entrypoint sh
$ pip install -r requirements_dev.txt
$ python setup.py develop
$ gimme-aws-creds
Seen this problem before?
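To show why the session-wide jar raises and the per-response jar does not, here is an added example built on the standard library's http.cookiejar (not requests, and not the project's code): a jar keyed by domain legitimately holds two cookies named DT once two Okta hosts have each set one. cookie_value refuses to guess between them unless the caller scopes the lookup to a domain, which is the safer shape for a device token than taking whichever match comes first. The hostnames and cookie values are constructed.

```python
from http.cookiejar import Cookie, CookieJar


class AmbiguousCookieError(LookupError):
    """More than one cookie carries the requested name; refusing to guess."""


def make_cookie(name, value, domain, path="/"):
    """Build a stdlib Cookie the way a Set-Cookie header would (constructed test data)."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=domain.startswith("."),
        path=path, path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_value(jar, name, domain=None):
    """Return the single cookie value for `name`, optionally scoped to `domain`.

    A session jar accumulates cookies from every host it has talked to, so two
    'DT' cookies from different Okta hosts are legitimate jar contents. The fix
    is to disambiguate by domain (or read the per-response jar), never to
    silently take the first one: a device token from the wrong host would be
    persisted to ~/.okta_aws_login_config and fail on every later run.
    """
    matches = [c for c in jar if c.name == name and (domain is None or c.domain == domain)]
    if not matches:
        raise KeyError(name)
    if len(matches) > 1:
        raise AmbiguousCookieError(
            "{} cookies named {!r} on domains {}".format(
                len(matches), name, sorted(c.domain for c in matches)
            )
        )
    return matches[0].value


def build_session_jar():
    """Constructed session jar: one sid, plus DT set by two hosts (the conflict in the traceback)."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("sid", "sid-1", "login.example-org.test"))
    jar.set_cookie(make_cookie("DT", "dt-login", "login.example-org.test"))
    jar.set_cookie(make_cookie("DT", "dt-legacy", "example-org.test"))
    return jar


def build_response_jar():
    """Constructed per-response jar: only what the last response set, so a single DT."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("DT", "dt-login", "login.example-org.test"))
    return jar


if __name__ == "__main__":
    session = build_session_jar()
    try:
        cookie_value(session, "DT")
    except AmbiguousCookieError as exc:
        print("session jar:", exc)
    print("scoped lookup:", cookie_value(session, "DT", domain="login.example-org.test"))
    print("response jar:", cookie_value(build_response_jar(), "DT"))
```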
Email address: [email protected]
Using password from keyring for [email protected]
Password for [email protected]:
Do you want to save this password in the keyring? (y/n)n
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 375, in run
auth_result = okta.auth_session()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 138, in auth_session
return {"username": login_response['_embedded']['user']['profile']['login'], "session": response.cookies['sid']}
File "/usr/local/lib/python3.6/site-packages/requests/cookies.py", line 329, in __getitem__
return self._find_no_duplicates(name)
File "/usr/local/lib/python3.6/site-packages/requests/cookies.py", line 400, in _find_no_duplicates
raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='sid', domain=None, path=None"
After use the gimme-aws-creds as first time,
complete the verification with Okta:
Multi-factor Authentication required.
Okta Verify App: SmartPhone_Android: Moto E (4) Plus selected
Okta Verify push sent...
done
And pick a role:
Pick a role any role:
[0] arn:aws:iam::<ID>:role/<ROLE_NAME>
[1] arn:aws:iam::<ID>:role/<ROLE_NAME>
Selection: 1
returns this error:
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.7/site-packages/gimme_aws_creds/main.py", line 453, in run
aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration)
File "/usr/local/lib/python3.7/site-packages/gimme_aws_creds/main.py", line 135, in _get_sts_creds
client = boto3.client('sts')
File "/usr/local/lib/python3.7/site-packages/boto3/__init__.py", line 91, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/boto3/__init__.py", line 80, in _get_default_session
setup_default_session()
File "/usr/local/lib/python3.7/site-packages/boto3/__init__.py", line 34, in setup_default_session
DEFAULT_SESSION = Session(**kwargs)
File "/usr/local/lib/python3.7/site-packages/boto3/session.py", line 80, in __init__
self._setup_loader()
File "/usr/local/lib/python3.7/site-packages/boto3/session.py", line 120, in _setup_loader
self._loader = self._session.get_component('data_loader')
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 679, in get_component
return self._components.get_component(name)
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 902, in get_component
self._components[name] = factory()
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 150, in <lambda>
lambda: create_loader(self.get_config_variable('data_path')))
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 233, in get_config_variable
logical_name)
File "/usr/local/lib/python3.7/site-packages/botocore/configprovider.py", line 226, in get_config_variable
return provider.provide()
File "/usr/local/lib/python3.7/site-packages/botocore/configprovider.py", line 323, in provide
value = provider.provide()
File "/usr/local/lib/python3.7/site-packages/botocore/configprovider.py", line 382, in provide
config = self._session.get_scoped_config()
File "/usr/local/lib/python3.7/site-packages/botocore/session.py", line 334, in get_scoped_config
raise ProfileNotFound(profile=profile_name)
botocore.exceptions.ProfileNotFound: The config profile (<PROFILE_NAME>) could not be found
My solution was just to create in ~/.aws/credentials a new PROFILE_NAME (empty) like:
[default]
aws_access_key_id = blabla
aws_secret_access_key = blabla
[PROFILE_NAME]
And it works! But I think this should be something that gimme-aws-creds does, or it should return a better exception.
It's related to #93
The Okta setup documentation now has guidance on how to configure a single Okta application to refer to multiple downstream AWS accounts (http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service#scenarioB). This breaks the cli / api assumptions made in gimme-aws-creds in 2 key areas - the role name and the identityProviderArn. I am trying to work out how to best implement a fix.
First a quick example -
[root@fe1728b00c12 okta-src]# gimme-aws-creds -u [email protected]
Password for [email protected]:
Authentication Success! Getting AWS Accountsdone
Pick an app:
[ 0 ] FOOBAR AWS Accounts
Selection: 0
Pick a role:
[ 0 ] [foobarcontractors] -- okta-xonk-admin
[ 1 ] [foobar-it] -- okta-it-admin
Selection: 0
Traceback (most recent call last):
<snip>
File "/usr/lib/python3.4/site-packages/botocore/client.py", line 599, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: Request ARN is invalid
Note that [foobarcontractors] and [foobar-it] are independent aws accounts with separate account ids. These are not 2 roles within a single AWS account, rather they are 2 accounts with 1 saml role each.
I added a quick debug print to see what we are getting during the _get_sts_creds function -
print("Attempting STS with Role={}, Principal={}, Duration={}".format(self.role_arn,self.idp_arn,duration))
yields
Attempting STS with Role=arn:aws:iam::130894992587:role/[foobarcontractors] -- okta-xonk-admin, Principal=arn:aws:iam::123456789012:saml-provider/Okta, Duration=3600
Clearly this is broken due to the account string prefix. So a quick and dirty fix would be a simple re.sub to kill the [foobarcontractors] -- prefix before calling the role. This leads to the next issue -
This one is a bit more thorny and will require some more digging. In _get_aws_account_info we enumerate the API call {{url}}/api/v1/apps?filter=user.id+eq+"##USERID##"&expand=user/##USERID##. Inside the returned json, there is a single value for final_result[0]['settings']['app']['identityProviderArn'] = arn:aws:iam::123456789012:saml-provider/[Userdefinedstring]. Sadly this is AWS account id specific. As such, even if we correctly regex sub the role-name above, the identityProviderArn will have the incorrect account id and the derived role arn account number will be incorrect and the SAML assertion will fail. So we need to find some other way to infer aws account id.
If we just use the Okta website we can see the AWS account ids (note I had to censor the details of account numbers, hopefully doesn't affect clarity) -
However, these account ID values don't exist in any of the datastructures we have in gimme-aws-creds currently.
So, for the AWS Account ids I have a range of options:
To prefix this, I hate this idea, but through documentation you could require that users provide the target AWS account ID somewhere within the role name string. i.e. [foobar-it] -- okta-it-admin becomes [foobar-it] -- 123456789012-okta-it-admin. We could use this hint to locate aws account id if found.
I am actually kind of ok on this, but it is a bit unsatisfying. It is a similar amount of work to create a new Okta application as it is to tie multiple AWS accounts under a single application. As such we could just document the limitation and require single AWS accounts under each Okta application, with as many roles for that account as you like. We then will have the correct identity provider in the final_result for each application.
So for this, we would need to go digging. I don't know where to find the account number information displayed on the graphical saml page - but it has to be somewhere. I think based on the successful auth we should be able to curl and parse the saml page to get the roles and account ids for example.
Any thoughts on the above, and relative interest in making the script work vs just documenting lack of support for multi-account setups?
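The account-id problem in the multi-account setup above can be solved from the SAML assertion itself: AWS reads the roles from the https://aws.amazon.com/SAML/Attributes/Role attribute, whose values are 'role-arn,provider-arn' pairs, so each pair carries its own account id and the identityProviderArn from the app metadata is not needed. The following is an added example, not the project's code; the assertion is constructed (two accounts, one role each, mirroring [foobarcontractors] and [foobar-it]) and the account ids in it are placeholders. It also shows the re.sub that strips the '[account] -- ' prefix from the display name, and it refuses pairs whose role and provider ARNs name different accounts, which is the Request ARN is invalid failure seen above turned into a readable error before any STS call.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed response: two accounts with one role each. Account ids are placeholders.
CONSTRUCTED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::111111111111:role/okta-xonk-admin,arn:aws:iam::111111111111:saml-provider/Okta</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::222222222222:role/okta-it-admin,arn:aws:iam::222222222222:saml-provider/Okta</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
# The SAMLResponse form field is the base64 of the XML above.
SAML_RESPONSE_B64 = base64.b64encode(CONSTRUCTED_RESPONSE.encode()).decode()


def account_id(arn):
    """Field 5 of an ARN is the account id (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def parse_role_value(text):
    """Split one Role attribute value into (role_arn, principal_arn); AWS accepts either order."""
    parts = [p.strip() for p in text.split(",")]
    role = next((p for p in parts if ":role/" in p), None)
    principal = next((p for p in parts if ":saml-provider/" in p), None)
    if len(parts) != 2 or role is None or principal is None:
        raise ValueError("malformed Role attribute value: {!r}".format(text))
    if account_id(role) != account_id(principal):
        # AssumeRoleWithSAML rejects this anyway; failing here gives a readable error.
        raise ValueError("role and provider ARNs belong to different accounts: {!r}".format(text))
    return role, principal


def roles_from_saml_response(saml_response_b64):
    """List every (role, principal, account) the assertion offers.

    The account id comes from the ARNs in the assertion, so it is right per
    role even when one Okta app fronts several AWS accounts.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % SAML_NS):
            role, principal = parse_role_value(value.text or "")
            found.append({"role_arn": role, "principal_arn": principal, "account_id": account_id(role)})
    return found


def strip_account_prefix(label):
    """Drop the '[account-label] -- ' prefix Okta prepends to role names in multi-account apps."""
    return re.sub(r"^\[[^\]]*\]\s*--\s*", "", label)


if __name__ == "__main__":
    for entry in roles_from_saml_response(SAML_RESPONSE_B64):
        print(entry["account_id"], entry["role_arn"], entry["principal_arn"])
    print(strip_account_prefix("[foobarcontractors] -- okta-xonk-admin"))
```

Parsing the assertion only tells you what roles were asserted; the signature over the assertion is still verified by STS, so nothing here replaces that check. It does mean the tool can stop trusting app metadata for an account id that the assertion states directly.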
Hi,
I am trying to use your tool
and getting the following error:
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 4, in <module>
__import__('pkg_resources').run_script('gimme-aws-creds==0.1.3', 'gimme-aws-creds')
File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 739, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1501, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds-0.1.3-py3.6.egg/EGG-INFO/scripts/gimme-aws-creds", line 175, in <module>
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds-0.1.3-py3.6.egg/EGG-INFO/scripts/gimme-aws-creds", line 107, in run
KeyError: 'idp_entry_url'
Is this tool a wrapper for the Okta aws cli tool (which I found very problematic), which means I need the cli tool working first, or does it replace it completely?
Thanks,
Tal
We need a friendly message when an appname is not returned from _get_app_by_name.
OKTA_USERNAME is already available as ENV variable. It would be helpful to allow each variable to be defined in ENV as well as in the config file.
Cannot get it to work on Ubuntu 16.04 LTS nor on Cygwin, but it works fine from the Windows 10 cmd.
Error:
me@my-ubu1604lts:~/gimme-aws-creds/bin$ ./gimme-aws-creds
Traceback (most recent call last):
File "./gimme-aws-creds", line 13, in <module>
from gimme_aws_creds.main import GimmeAWSCreds
ImportError: No module named 'gimme_aws_creds'
~ $ gimme-aws-creds
Using password from keyring for [email protected]
Multi-factor Authentication required.
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
[ 1 ] sms: +1 XXX-XXX-0000
Selection: 0
Enter verification code: 382471
Authentication Success! Calling Gimme-Creds Server...
Pick an app:
[0] CDT-NPlus-Prod (*redacted*)
[1] CDT-NPlus-Test (*redacted*)
Selection: 0
Pick a role:
[0] arn:aws:iam::*redacted*:role/OktaPoweruserRole
[1] arn:aws:iam::*redacted*:role/OktaReadonlyRole
Selection: 1
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 453, in run
aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 135, in _get_sts_creds
client = boto3.client('sts')
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 91, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 80, in _get_default_session
setup_default_session()
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 34, in setup_default_session
DEFAULT_SESSION = Session(**kwargs)
File "/usr/local/lib/python3.6/site-packages/boto3/session.py", line 80, in __init__
self._setup_loader()
File "/usr/local/lib/python3.6/site-packages/boto3/session.py", line 120, in _setup_loader
self._loader = self._session.get_component('data_loader')
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 729, in get_component
return self._components.get_component(name)
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 946, in get_component
self._components[name] = factory()
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 186, in <lambda>
lambda: create_loader(self.get_config_variable('data_path')))
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 281, in get_config_variable
elif self._found_in_config_file(methods, var_config):
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 308, in _found_in_config_file
return var_config[0] in self.get_scoped_config()
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 385, in get_scoped_config
raise ProfileNotFound(profile=profile_name)
botocore.exceptions.ProfileNotFound: The config profile (DEFAULT) could not be found
.okta_aws_login_config:
[DEFAULT]
okta_org_url = https://nike.okta.com
okta_auth_server = *redacted*
client_id = *redacted*
gimme_creds_server = https://api.sec.nikecloud.com/gimmecreds/accounts
aws_appname =
aws_rolename =
write_aws_creds = True
cred_profile = default
okta_username = [email protected]
app_url =
resolve_aws_alias = False
preferred_mfa_type =
aws_default_duration = 3600
device_token = *redacted*
.aws/ hasn't been created yet
When using both Okta and conventional TOTP for MFA, there are two instances of token:software:totp:
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
[ 1 ] token:software:totp( OKTA ) : [email protected]
You can eliminate the Okta Verify / push by using preferred_mfa_type = token:software:totp, but you cannot specify the instance of TOTP. Could selection of a specific TOTP instance be added to avoid this prompt each time when running for a given profile?
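A minimal way to pick a factor by provider as well as by type, as an added example and not the project's code: the factors are in the shape Okta's authentication API returns them (factorType, provider, profile), which is where the 'token:software:totp( GOOGLE )' label in the menu comes from. The list is constructed, and preferred_mfa_provider is an assumed config key, not one the tool defines; when the preference still matches more than one factor the caller falls back to the menu rather than silently picking the first.

```python
# Constructed factor list in the shape Okta's authn API returns (factorType / provider / profile).
CONSTRUCTED_FACTORS = [
    {"id": "f-google", "factorType": "token:software:totp", "provider": "GOOGLE",
     "profile": {"credentialId": "[email protected]"}},
    {"id": "f-okta", "factorType": "token:software:totp", "provider": "OKTA",
     "profile": {"credentialId": "[email protected]"}},
    {"id": "f-sms", "factorType": "sms", "provider": "OKTA",
     "profile": {"phoneNumber": "+1 XXX-XXX-0000"}},
]


def describe_factor(factor):
    """Render a factor the way the tool's menu does: 'type( PROVIDER ) : id'."""
    profile = factor.get("profile", {})
    ident = profile.get("credentialId") or profile.get("phoneNumber") or ""
    return "{}( {} ) : {}".format(factor["factorType"], factor["provider"], ident)


def select_factor(factors, preferred_type=None, preferred_provider=None):
    """Return (chosen, candidates). `chosen` is set only when exactly one factor matches.

    Type alone cannot separate two TOTP enrolments, so a provider preference
    (assumed config key preferred_mfa_provider) is what lets the prompt be skipped.
    Anything ambiguous or absent yields None so the caller shows the menu.
    """
    candidates = [
        f for f in factors
        if (preferred_type is None or f.get("factorType") == preferred_type)
        and (preferred_provider is None or f.get("provider") == preferred_provider)
    ]
    return (candidates[0] if len(candidates) == 1 else None), candidates


def choose_from_config(factors, config):
    """Apply preferred_mfa_type (real key) and preferred_mfa_provider (assumed key) from a config mapping."""
    return select_factor(
        factors,
        preferred_type=config.get("preferred_mfa_type") or None,
        preferred_provider=config.get("preferred_mfa_provider") or None,
    )


if __name__ == "__main__":
    chosen, candidates = choose_from_config(
        CONSTRUCTED_FACTORS,
        {"preferred_mfa_type": "token:software:totp", "preferred_mfa_provider": "OKTA"},
    )
    print("auto-selected:", describe_factor(chosen) if chosen else None)
    for f in candidates:
        print("  candidate:", describe_factor(f))
```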
When I do gimme-aws-creds --configure --profile Environment1 that works fine. If I repeat the command with Environment2, the old Environment1 entry is now gone from the .okta_aws_login_config file.
Am I doing something wrong or is this a bug? The same happens when you do --register_device --profile Environment1. I tried editing the file by hand, and it works for logging into each environment, after I concatenated the two separate files I saved to the side. But again if I do any register or config commands it wipes the file.
I am using the appurl mode if this matters.
Thank you.
Hi There,
I was informed that aws keys will expire after 12 hours of creation. I tried different options: 1. use the default value, 2. add "aws_default_duration = 43200" in .okta_aws_login_config.
My aws keys are expiring every hour. Can you please help me with what configuration I have to change to make sure keys are active for 12 hours from the time of creation?
Thanks,
Gaurav
Hi,
If a user has only 1 role assigned in the okta integration, gimme-aws-creds successfully authenticates with PW and MFA and then exits with code 0 without writing to the creds file.
If the user has at least 2 roles assigned in okta then the selection menu is displayed and everything is working.
That is with a fresh installation (pip install git+git://github.com/Nike-Inc/gimme-aws-creds.git)
[xxx@gandalf:~]$ gimme-aws-creds
Password for xxx:
Authentication Success! Getting AWS Accounts
Multi-factor Authentication required.
token:software:totp( GOOGLE ) : [email protected] selected
Enter verification code: 610660
[xxx@gandalf:~]$ ls -la .aws/
total 12
drwxrwxr-x. 2 xxx xxx 39 Jun 21 09:16 .
drwx------. 27 xxx xxx 4096 Jun 29 10:29 ..
-rw-------. 1 xxx xxx 43 Jun 21 09:16 config
-rw-------. 1 xxx xxx 56 Jun 21 09:16 credentials
[xxx@gandalf:~]$ more .aws/config
[default]
region = eu-west-1
output = text
[xxx@gandalf:~]$ more .aws/credentials
[default]
aws_access_key_id =
aws_secret_access_key =
[xxx@gandalf:~]$ more .okta_aws_login_config
[DEFAULT]
okta_username = xxx
okta_org_url = https://yyy.okta.com
preferred_mfa_type = token:software:totp
write_aws_creds = True
cred_profile = default
gimme_creds_server = appurl
app_url = https://yyy.okta.com/home/amazon_aws/zzzzzzzzzzzzzzzz/zzz
resolve_aws_alias = True
aws_default_duration = 28800
I believe this is not a config issue
kind regards
Sebastian
Good Morning
I already set Maximum CLI/API session duration to 12 hours (43,200 seconds) for the role and after that, I set aws_default_duration to 43200 in my local. But my keys are still expiring after an hour.
Currently, an OKTA api key is needed, which may not be available to use. Ideally, support for not requiring an API KEY and just reading the SAML response for roles would be fine. There is a drawback in that you won't have a resolved AWS account id to alias, as that information isn't provided. Some other method to handle that would need to be done.
Once I installed 36, things started working as expected.
Similar to #77 except even more surprising. After updating to version 1.1.0 I received the error No device token in configuration. Try running --register_device again.
After running gimme-aws-creds --register_device all of my profiles were gone from my config file.
I am using Ubuntu 16.04 with Python3.
After running gimme-aws-creds, I am prompted for the password, after which the verification code is sent to my number, but right after that I am getting the following issue.
What could be the problem behind this?
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 4, in <module>
__import__('pkg_resources').run_script('gimme-aws-creds==1.1.1', 'gimme-aws-creds')
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 719, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1511, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.5/dist-packages/gimme_aws_creds-1.1.1-py3.5.egg/EGG-INFO/scripts/gimme-aws-creds", line 17, in <module>
File "/usr/local/lib/python3.5/dist-packages/gimme_aws_creds-1.1.1-py3.5.egg/gimme_aws_creds/main.py", line 442, in run
File "/usr/local/lib/python3.5/dist-packages/gimme_aws_creds-1.1.1-py3.5.egg/gimme_aws_creds/okta.py", line 448, in get_saml_response
File "/usr/local/lib/python3.5/dist-packages/gimme_aws_creds-1.1.1-py3.5.egg/gimme_aws_creds/okta.py", line 97, in stepup_auth
AttributeError: 'NoneType' object has no attribute 'get'
Hi guys,
I wanted to know how keen you are to incorporate the recently created Dockerfile (and its image) into the Docker Store.
The benefit of doing this is that people won't even have to download the repo and locally build the image in order to use it.
Let me know your thoughts.
Running gimme-aws-creds --configure -p <profile> overwrites the entire configuration file. This wipes out the default and other profiles you may have had. I also noticed that when I updated to the latest version, it had wiped out my previous config file.
It seems like the functionality changed with the latest release. Previously, if you ran --configure with a different profile name, it would be appended to the existing configuration file. Now that is no longer the case and any run of --configure wipes out the entire file.
Could we get the old functionality back where the new configuration would be appended instead of the entire file being overwritten?
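The environment-variable proposal earlier on the page and the --configure overwrite reports above both come down to the same thing: build the profile section from whatever is available and merge it into the existing file rather than rewriting the file from scratch. The following is an added example, not gimme-aws-creds' own configuration code. The ENV_TO_KEY table uses the variable names proposed in that request; the EXISTING_CONFIG text is constructed. configparser keeps [DEFAULT] values inherited by every profile, and write_config creates the file with mode 0600 and renames it into place so a crash mid-write cannot truncate the config.

```python
import configparser
import io
import os

# Environment variable -> config key, using the names proposed in the request above.
ENV_TO_KEY = {
    "AWS_APPNAME": "aws_appname",
    "AWS_ROLENAME": "aws_rolename",
    "CLIENT_ID": "client_id",
    "CRED_PROFILE": "cred_profile",
    "GIMME_CREDS_SERVER": "gimme_creds_server",
    "OKTA_AUTH_SERVER": "okta_auth_server",
    "OKTA_ORG_URL": "okta_org_url",
    "OKTA_USERNAME": "okta_username",
    "WRITE_AWS_CREDS": "write_aws_creds",
}

# Constructed existing config with one named profile that must survive the update.
EXISTING_CONFIG = """[DEFAULT]
okta_org_url = https://example.okta.com
write_aws_creds = True

[Environment1]
aws_appname = App1
aws_rolename = Role1
"""


def _load(text):
    # interpolation=None so '%' in URLs or tokens is never treated as a template.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def section_from_env(environ):
    """Collect the config keys whose environment variables are set."""
    return {key: environ[var] for var, key in ENV_TO_KEY.items() if var in environ}


def upsert_profile(existing_text, profile, values):
    """Add or update one profile and return the full file text with every other section intact."""
    parser = _load(existing_text)
    if profile != parser.default_section and not parser.has_section(profile):
        parser.add_section(profile)
    for key, value in values.items():
        parser[profile][key] = value
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def profiles_in(text):
    """Named profiles in a config text (DEFAULT is implicit and not listed)."""
    return _load(text).sections()


def get_value(text, profile, key):
    """Look a key up for a profile, falling back to [DEFAULT] as configparser does."""
    return _load(text).get(profile, key)


def write_config(path, text):
    """Write with 0600 and rename into place so a crash cannot leave a truncated config."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Preview the merged file from the current environment without touching disk.
    print(upsert_profile(EXISTING_CONFIG, "Environment2", section_from_env(os.environ)))
```

To apply for real, pass the merged text to write_config(os.path.expanduser("~/.okta_aws_login_config"), merged). Reading the existing file first and writing the whole parsed structure back is what keeps Environment1 when Environment2 is added; it is the read step that the reported behaviour skips.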
Provided work is done on issue 26, the next step would be the ability to have an account id -> alias mapping so you aren't stuck with 1234567890:SomeRole. This is incredibly useful if you happen to have the same role across multiple accounts, so you aren't necessarily guessing which account you're assuming a role into. The mapping could be part of the config and really just needs to be key:value, but the ability to specify an external file independent of the config would be excellent as well. (I hope to get working on 26 and this one)
add the ability to run --version so people can tell easily what version they are using.
v1.1.1
For multi-role accounts, and possibly for single accounts, when using the profile flag the profile name is not written to the credentials file. Rather the name of the role/namespace for the account is written.
Intended behavior:
Profile name should be written to ~/.aws/credentials in the form of
[aws-sbx-profile1]
aws_access_key_id = BLAHBLAH1
aws_secret_access_key = BLAHBLAH2
aws_session_token = SOMELARGETOKEN
aws_security_token = ANOTHERLARGETOKEN
To reproduce
$ rm ~/.aws/credentials
$ gimme-aws-creds -p aws-sbx-profile1
Using password from keyring for [email protected]
Multi-factor Authentication required.
Okta Verify App: SmartPhone_IPhone: This Guy's iPhone selected
Okta Verify push sent...
Authentication Success! Calling Gimme-Creds Server...
Pick an app:
[0] AWS-Non0 (acct#0)
[1] AWS-PRD1 (acct#1)
[2] AWS-SBX2 (acct#2)
Selection: 2
writing role arn:aws:iam::acct#2:role/role1_from_namespace to /Users/this_guy/.aws/credentials
writing role arn:aws:iam::acct#2:role/role2_from_namespace to /Users/this_guy/.aws/credentials
$cat ~/.aws/credentials
[role1_from_namespace] <-- should be [aws-sbx-profile1]
aws_access_key_id = BLAHBLAH1
aws_secret_access_key = BLAHBLAH2
aws_session_token = SOMELARGETOKEN
aws_security_token = ANOTHERLARGETOKEN
[role2_from_namespace]
aws_access_key_id = BLAHBLAH1
aws_secret_access_key = BLAHBLAH2
aws_session_token = SOMELARGETOKEN
aws_security_token = ANOTHERLARGETOKEN
bin/gimme-aws-creds needs to be refactored to move the GimmeAWSCreds class into another file within the gimme_aws_creds package to allow testing of the functions within the GimmeAWSCreds class. This is because the hyphens in bin/gimme-aws-creds do not allow you to import the module for testing.
This work is being done in the no-role-handling branch.
I am able to get everything to work - install, configuration. But, after running gimme-aws-creds, it gets stuck after the username. It never asks for the password.
There is no command to list all profiles. I couldn't find it in the help section.
With the latest release and a fresh install the tool does not provide a list of MFA options but leaves an empty selection despite multiple factors being set up.
Multi-factor Authentication required.
Pick a factor:
Selection: 0
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 441, in run
saml_data = okta.get_saml_response(aws_app['links']['appLink'])
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 426, in get_saml_response
api_response = self.stepup_auth(url, state_token)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 85, in stepup_auth
flow_state['stateToken'], flow_state['apiResponse'])
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 260, in _next_login_step
return self._login_multi_factor(state_token, login_data)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 361, in _login_multi_factor
factor = self._choose_factor(login_data['_embedded']['factors'])
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/okta.py", line 516, in _choose_factor
return factors[int(selection)]
IndexError: list index out of range
Fresh python3 install via homebrew..
List of Python packages installed.
Package Version
-------------------- ---------
argcomplete 1.8.2
asn1crypto 0.24.0
azure-common 1.1.8
azure-nspkg 2.0.0
azure-storage-blob 0.37.1
azure-storage-common 0.37.1
azure-storage-file 0.37.0
azure-storage-nspkg 3.0.0
beautifulsoup4 4.6.0
bitstring 3.1.5
blobxfer 1.1.0
boto3 1.7.25
botocore 1.10.25
certifi 2018.1.18
cffi 1.11.4
chardet 3.0.4
click 6.7
configparser 3.5.0
cryptography 2.1.4
decorator 4.0.11
docutils 0.14
editor 0.1.0
future 0.16.0
futures 3.1.1
gimme-aws-creds 1.0.13
idna 2.6
jmespath 0.9.3
jsonpath-rw 1.4.0
keyring 10.6.0
okta 0.0.4
pip 10.0.1
ply 3.10
prettytable 0.7.2
pycparser 2.18
python-dateutil 2.6.1
PyYAML 3.12
requests 2.18.4
ruamel.yaml 0.15.35
s3transfer 0.1.13
setuptools 39.0.1
six 1.10.0
urllib3 1.22
wheel 0.31.0
Hi,
I have configured gimme-aws-creds as follows:
[DEFAULT]
okta_username = xxxxxx
okta_org_url = https://xxxxx.okta.com
gimme_creds_server = appurl
app_url = https://xxxxx.okta.com/home/amazon_aws/xxxxxxxxxxxxxxxxxxxx/xxx
when I run the software i get:
Password for xxxxxxxx:
Authentication Success! Getting AWS Accounts
Multi-factor Authentication required.
Pick a factor:
Selection: 0
Traceback (most recent call last):
File "/home/xxxxxxxx/.local/bin/gimme-aws-creds", line 17, in
GimmeAWSCreds().run()
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/main.py", line 434, in run
saml_data = okta.get_saml_response(aws_app['links']['appLink'])
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/okta.py", line 426, in get_saml_response
api_response = self.stepup_auth(url, state_token)
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/okta.py", line 85, in stepup_auth
flow_state['stateToken'], flow_state['apiResponse'])
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/okta.py", line 260, in _next_login_step
return self._login_multi_factor(state_token, login_data)
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/okta.py", line 361, in _login_multi_factor
factor = self._choose_factor(login_data['_embedded']['factors'])
File "/home/xxxxxxxx/.local/lib/python3.5/site-packages/gimme_aws_creds/okta.py", line 516, in _choose_factor
return factors[int(selection)]
IndexError: list index out of range
It seems it authenticates properly, but the factor list is empty, even though I have DUO properly configured and AWS console access through Okta requires DUO MFA and that works properly (all methods - push, text, call and code).
kind regards
Sebastian
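A defensive version of the factor chooser, added here as an illustration and not code from gimme-aws-creds: it drops factor types the client cannot verify, fails with a clear message when nothing usable remains (the empty menu in both reports above), and range-checks the selection before indexing instead of raising IndexError. The factor record shape, the supported-type set and the sample values are assumptions.

```python
# Added example, not the project's own _choose_factor. The record layout mimics
# the '_embedded.factors' list from Okta's authn API; all values are constructed.
from typing import Dict, List

# Assumed set of factor types this client knows how to verify.
SUPPORTED_FACTOR_TYPES = {"token:software:totp", "sms", "push", "call"}


class FactorSelectionError(ValueError):
    """Raised when no usable MFA factor exists or the selection is invalid."""


def usable_factors(factors: List[Dict]) -> List[Dict]:
    """Keep only factor types this client can verify, so the menu numbering
    is contiguous and never points at a type that cannot be completed."""
    return [f for f in factors if f.get("factorType") in SUPPORTED_FACTOR_TYPES]


def choose_factor(factors: List[Dict], selection: str) -> Dict:
    """Return the chosen factor, or raise a descriptive error; never IndexError."""
    menu = usable_factors(factors)
    if not menu:
        # Fail closed with a message the user can act on rather than indexing
        # into an empty list after 'Selection: 0'.
        raise FactorSelectionError(
            "Okta returned no MFA factors this client can use; check factor "
            "enrolment and whether the app's sign-on policy relies on a factor "
            "type this tool does not support."
        )
    try:
        index = int(selection)
    except ValueError:
        raise FactorSelectionError(f"selection {selection!r} is not a number") from None
    if not 0 <= index < len(menu):
        raise FactorSelectionError(
            f"selection {index} out of range; valid choices are 0-{len(menu) - 1}"
        )
    return menu[index]


# Constructed sample: a TOTP factor, an unsupported 'web' factor, and an SMS factor.
SAMPLE_FACTORS = [
    {"id": "f1", "factorType": "token:software:totp", "provider": "GOOGLE"},
    {"id": "f2", "factorType": "web", "provider": "EXAMPLE"},
    {"id": "f3", "factorType": "sms", "provider": "OKTA"},
]
```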
I get the below error while trying to run the script:
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 4, in <module>
__import__('pkg_resources').run_script('gimme-aws-creds==0.1.3', 'gimme-aws-creds')
File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 739, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/local/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1501, in run_script
exec(script_code, namespace, namespace)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds-0.1.3-py3.6.egg/EGG-INFO/scripts/gimme-aws-creds", line 175, in <module>
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds-0.1.3-py3.6.egg/EGG-INFO/scripts/gimme-aws-creds", line 113, in run
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds-0.1.3-py3.6.egg/gimme_aws_creds/config.py", line 97, in get_okta_api_key
File "/usr/local/lib/python3.6/site-packages/cerberus_python_client-0.3-py3.6.egg/cerberus/client.py", line 39, in __init__
File "/usr/local/lib/python3.6/site-packages/cerberus_python_client-0.3-py3.6.egg/cerberus/client.py", line 47, in set_token
File "/usr/local/lib/python3.6/site-packages/cerberus_python_client-0.3-py3.6.egg/cerberus/user_auth.py", line 40, in get_token
File "/usr/local/lib/python3.6/site-packages/cerberus_python_client-0.3-py3.6.egg/cerberus/user_auth.py", line 31, in get_auth
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/api.py", line 72, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/sessions.py", line 504, in request
prep = self.prepare_request(req)
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/sessions.py", line 436, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/models.py", line 302, in prepare
self.prepare_url(url, params)
File "/usr/local/lib/python3.6/site-packages/requests-2.14.2-py3.6.egg/requests/models.py", line 382, in prepare_url
raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL '/v2/auth/user': No schema supplied. Perhaps you meant http:///v2/auth/user?
Given below is how my config file looks:
[DEFAULT]
idp_entry_url =
write_aws_creds = True
cred_profile = default
aws_appname = ''
aws_rolename = ''
cerberus_url =
Could you kindly let me know what is going wrong. Thanks.
I have an AWS_PROFILE=one-prod-two, but gimme-aws-creds V1.0.13 writes it as one_prod_two in the credentials file. I had to add a one_prod_two entry to my config file, and change my AWS_PROFILE to one_prod_two in order to get the CLI to work after running gimme-aws-creds.
However, if I request credentials for one_prod_two, I get a "not found" message
$ gimme-aws-creds -p one_prod_two Configuration profile not found! Use the --configure flag to generate the profile.
Also, we have one-nonprod-two, and it just works as expected.
As the title says - if write_aws_creds is False, the AWS_PROFILE variable should not be set or printed to screen.
I reinstalled the latest version of gimme-aws-creds and found that there are some odd error conditions that I couldn't get around until I manually added a section to my ~/.aws/credentials that was:
[cloud-admin]
aws_access_key_id =
aws_secret_access_key =
When the section was missing I got this:
RobWeaver:.aws robweaver$ gimme-aws-creds --version
gimme-aws-creds 1.0.13
RobWeaver:.aws robweaver$ gimme-aws-creds
Using password from keyring for robweaver
Multi-factor Authentication required.
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
Unknown MFA type: web
[ 2 ] sms: +1 XXX-XXX-4762
Selection: 0
Enter verification code: 618167
Authentication Success! Getting AWS Accounts
Pick a role:
[0] arn:aws:iam::252989011795:role/cloud-admin
Selection: 0
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 433, in run
aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 133, in _get_sts_creds
client = boto3.client('sts')
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 83, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/boto3/session.py", line 263, in client
aws_session_token=aws_session_token, config=config)
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 850, in create_client
credentials = self.get_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 474, in get_credentials
'credential_provider').load_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1662, in load_credentials
creds = provider.load()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1213, in load
return self._load_creds_via_assume_role(self._profile_name)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1219, in _load_creds_via_assume_role
role_config = self._get_role_config(profile_name)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1297, in _get_role_config
self._validate_source_profile(profile_name, source_profile)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1328, in _validate_source_profile
source_profile_name, parent_profile_name)
botocore.exceptions.InvalidConfigError: The source_profile "cloud-admin" referenced in the profile "default" does not exist.
When I add the section without the empty values, I get:
RobWeaver:.aws robweaver$ gimme-aws-creds
Using password from keyring for robweaver
Multi-factor Authentication required.
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
Unknown MFA type: web
[ 2 ] sms: +1 XXX-XXX-4762
Selection: 0
Enter verification code: 094751
Authentication Success! Getting AWS Accounts
Pick a role:
[0] arn:aws:iam::252989011795:role/cloud-admin
Selection: 0
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 433, in run
aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 133, in _get_sts_creds
client = boto3.client('sts')
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 83, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/boto3/session.py", line 263, in client
aws_session_token=aws_session_token, config=config)
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 850, in create_client
credentials = self.get_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 474, in get_credentials
'credential_provider').load_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1662, in load_credentials
creds = provider.load()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1213, in load
return self._load_creds_via_assume_role(self._profile_name)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1219, in _load_creds_via_assume_role
role_config = self._get_role_config(profile_name)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1297, in _get_role_config
self._validate_source_profile(profile_name, source_profile)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1340, in _validate_source_profile
source_profile_name)
botocore.exceptions.InvalidConfigError: The source_profile "cloud-admin" must specify either static credentials or an assume role configuration
And finally when I add the key id part:
RobWeaver:.aws robweaver$ gimme-aws-creds
Using password from keyring for robweaver
Multi-factor Authentication required.
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
Unknown MFA type: web
[ 2 ] sms: +1 XXX-XXX-4762
Selection: 0
Enter verification code: 348592
Authentication Success! Getting AWS Accounts
Pick a role:
[0] arn:aws:iam::252989011795:role/cloud-admin
Selection: 0
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1396, in _resolve_static_credentials_from_profile
secret_key=profile['aws_secret_access_key'],
KeyError: 'aws_secret_access_key'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
GimmeAWSCreds().run()
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 433, in run
aws_creds = self._get_sts_creds(aws_partition, saml_data['SAMLResponse'], role.idp, role.role, config.aws_default_duration)
File "/usr/local/lib/python3.6/site-packages/gimme_aws_creds/main.py", line 133, in _get_sts_creds
client = boto3.client('sts')
File "/usr/local/lib/python3.6/site-packages/boto3/__init__.py", line 83, in client
return _get_default_session().client(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/boto3/session.py", line 263, in client
aws_session_token=aws_session_token, config=config)
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 850, in create_client
credentials = self.get_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/session.py", line 474, in get_credentials
'credential_provider').load_credentials()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1662, in load_credentials
creds = provider.load()
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1213, in load
return self._load_creds_via_assume_role(self._profile_name)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1221, in _load_creds_via_assume_role
role_config, profile_name
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1381, in _resolve_source_credentials
return self._resolve_credentials_from_profile(source_profile)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1388, in _resolve_credentials_from_profile
return self._resolve_static_credentials_from_profile(profile)
File "/usr/local/lib/python3.6/site-packages/botocore/credentials.py", line 1401, in _resolve_static_credentials_from_profile
provider=self.METHOD, cred_var=str(e))
botocore.exceptions.PartialCredentialsError: Partial credentials found in assume-role, missing: 'aws_secret_access_key'
And when I add the last line for the secret:
RobWeaver:.aws robweaver$ gimme-aws-creds
Using password from keyring for robweaver
Multi-factor Authentication required.
Pick a factor:
[ 0 ] token:software:totp( GOOGLE ) : [email protected]
Unknown MFA type: web
[ 2 ] sms: +1 XXX-XXX-4762
Selection: 0
Enter verification code: 004090
Authentication Success! Getting AWS Accounts
Pick a role:
[0] arn:aws:iam::252989011795:role/cloud-admin
Selection: 0
writing role arn:aws:iam::252989011795:role/cloud-admin to /Users/robweaver/.aws/credentials