Comments (7)
Thank you for the quick response.
Although changing the cred_profile to the profile name as you suggest in the ~/.okta_aws_login_config does update the ~/.aws/credentials file with [aws-sbx-profile1], the behavior is unchanged.
A subsequent
aws --profile aws-sbx-profile1 s3 ls namespaced-sbx-us-east-1-versioned/bucklet_dir/
returns
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
What happens is that, because we have multiple namespaces on a single account, during getting creds the last namespace is overwriting the first. Here is an example:
$ gimme-aws-creds --profile aws-sbx-profile1
Using password from keyring for [email protected]
Multi-factor Authentication required.
Okta Verify App: SmartPhone_IPhone: This Guy’s iPhone selected
Okta Verify push sent...
Authentication Success! Calling Gimme-Creds Server...
Pick an app:
[0] AWS-Non0 (Account#0)
[1] AWS-PRD1 (Account#1)
[2] AWS-SBX1 (Account#2)
Selection: 2
Pick a role:
[0] arn:aws:iam::Account#2:role/namespaced_role0
[1] arn:aws:iam::Account#2:role/namespaced_role1
Selection: 0
writing role arn:aws:iam::Account#2:role/namespaced_role0 to /Users/this_guy/.aws/credentials
writing role arn:aws:iam::Account#2:role/namespaced_role1 to /Users/this_guy/.aws/credentials
So if I try to access an s3 bucket with the aws-sbx-profile1, I can see namespaced_role1 but not namespaced_role0, even though I selected the latter.
from gimme-aws-creds.
I just started using this tool and attempted outputting all the roles in one go to the .aws/credentials. I had to set cred_profile = role but since we use the same role names across all of our accounts, I'm experiencing this issue of the profile name getting overwritten by subsequent roles.
from gimme-aws-creds.
this may be related to #77
from gimme-aws-creds.
You're seeing the expected behavior for cred_profile = role in ~/.okta_aws_login_config.
For your expected outcome, set cred_profile = aws-sbx-profile1 in ~/.okta_aws_login_config in the [aws-sbx-profile1] section.
from gimme-aws-creds.
I am having the same issue. When using cred_profile = <static_profile_name>, and have multiple roles, it will ignore either the input of Pick a role: or the value of aws_rolename = <role_arn>, and will proceed to overwrite the credentials file with that of the last role (when I did not select it). In other words, the functionality of cred_profile is broken if it is not set to role, at least for users who have more than one role available.
You can see from Brandon's example:
writing role arn:aws:iam::Account#2:role/namespaced_role0 to /Users/this_guy/.aws/credentials
writing role arn:aws:iam::Account#2:role/namespaced_role1 to /Users/this_guy/.aws/credentials
The second line overwrites the first, even when not selected. I have verified the credentials that are written are for the last role available (and are valid for that), regardless of which role is picked.
from gimme-aws-creds.
Hi,
I am having a similar issue when Okta is the IDP for a Multi-Account AWS setup.
The roles have the same name, but in different accounts, so it gets overwritten in the profile.
Is there any alternative to have an AccountID as a prefix of each newly added piece of profile, for example?
Thanks.
Jose
from gimme-aws-creds.
It's been some time on this one, can anyone verify that this problem still occurs for them?
from gimme-aws-creds.
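An added example, not part of the thread and not gimme-aws-creds code: a small model of the overwrite the comments above describe, where several roles are written to a credentials file under a profile name derived from cred_profile, plus a pre-write check that lists which roles would claim the same profile. The account IDs, the x_source_role key and the "account-role" scheme name (the account-ID prefix asked about above) are constructed for illustration.

```python
import configparser
from collections import defaultdict

# Constructed sample: two roles in one account, and one role name reused in a second account.
ROLES = [
    "arn:aws:iam::111111111111:role/namespaced_role0",
    "arn:aws:iam::111111111111:role/namespaced_role1",
    "arn:aws:iam::222222222222:role/namespaced_role0",
]

def profile_name(arn, scheme):
    """Map a role ARN to a credentials-file section name under a naming scheme."""
    account = arn.split(":")[4]
    role = arn.split("/", 1)[1]
    if scheme == "role":
        return role                      # role name only: collides across accounts
    if scheme == "account-role":         # hypothetical scheme: account ID as prefix
        return f"{account}-{role}"
    return scheme                        # anything else is a static profile name

def collisions(arns, scheme):
    """Return {profile: [arns]} for every profile that more than one role would claim."""
    claimed = defaultdict(list)
    for arn in arns:
        claimed[profile_name(arn, scheme)].append(arn)
    return {p: a for p, a in claimed.items() if len(a) > 1}

def surviving(arns, scheme):
    """Write every role in order and report which role each profile ends up holding."""
    cfg = configparser.ConfigParser()
    for arn in arns:
        # Assigning a section replaces its previous contents, so the last write wins.
        cfg[profile_name(arn, scheme)] = {"x_source_role": arn}
    return {section: cfg[section]["x_source_role"] for section in cfg.sections()}

if __name__ == "__main__":
    for scheme in ("aws-sbx-profile1", "role", "account-role"):
        print(scheme, "->", surviving(ROLES, scheme))
        for profile, arns in collisions(ROLES, scheme).items():
            print(f"  collision on [{profile}]: {len(arns)} roles")
```

Running the collision check before any write makes the ambiguity visible instead of leaving a profile that silently holds credentials for a role the user did not pick.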