
Comments (7)

brandonwbrown commented on June 29, 2024 2

Thank you for the quick response.

Although changing the cred_profile to the profile name as you suggest in the ~/.okta_aws_login_config does update the ~/.aws/credentials file with [aws-sbx-profile1], the behavior is unchanged.

A subsequent

aws --profile aws-sbx-profile1 s3 ls namespaced-sbx-us-east-1-versioned/bucklet_dir/

returns

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

What happens is that, because we have multiple namespaces on a single account, while getting creds the last namespace is overwriting the first. Here is an example:

$ gimme-aws-creds --profile aws-sbx-profile1
Using password from keyring for [email protected]
Multi-factor Authentication required.
Okta Verify App: SmartPhone_IPhone: This Guy’s iPhone selected
Okta Verify push sent...
Authentication Success! Calling Gimme-Creds Server...
Pick an app:
[0] AWS-Non0 (Account#0)
[1] AWS-PRD1 (Account#1)
[2] AWS-SBX1 (Account#2)
Selection: 2
Pick a role:
[0] arn:aws:iam::Account#2:role/namespaced_role0
[1] arn:aws:iam::Account#2:role/namespaced_role1
Selection: 0
writing role arn:aws:iam::Account#2:role/namespaced_role0 to /Users/this_guy/.aws/credentials
writing role arn:aws:iam::Account#2:role/namespaced_role1 to /Users/this_guy/.aws/credentials

So if I try to access an s3 bucket with the aws-sbx-profile1, I can see namespaced_role1 but not namespaced_role0, even though I selected the latter.

from gimme-aws-creds.

david-kirby commented on June 29, 2024 1

I just started using this tool and attempted outputting all the roles in one go to the .aws/credentials. I had to set cred_profile = role, but since we use the same role names across all of our accounts, I'm experiencing this issue of the profile name getting overwritten by subsequent roles.


brandonwbrown commented on June 29, 2024

This may be related to #77.


epierce commented on June 29, 2024

You're seeing the expected behavior for cred_profile = role in ~/.okta_aws_login_config.

For your expected outcome, set cred_profile = aws-sbx-profile1 in ~/.okta_aws_login_config in the [aws-sbx-profile1] section.


robzr commented on June 29, 2024

I am having the same issue. When using cred_profile = <static_profile_name> and having multiple roles, it will ignore either the input of Pick a role: or the value of aws_rolename = <role_arn>, and will proceed to overwrite the credentials file with that of the last role (when I did not select it). In other words, the functionality of cred_profile is broken if it is not set to role, at least for users who have more than one role available.

You can see from Brandon's example:

writing role arn:aws:iam::Account#2:role/namespaced_role0 to /Users/this_guy/.aws/credentials
writing role arn:aws:iam::Account#2:role/namespaced_role1 to /Users/this_guy/.aws/credentials

The second line overwrites the first, even when not selected. I have verified the credentials that are written are for the last role available (and are valid for that), regardless of which role is picked.


jralmaraz commented on June 29, 2024

Hi,

I am having a similar issue when Okta is the IdP for a multi-account AWS setup.

The roles have the same name, but in different accounts, so it gets overwritten in the profile.

Is there any alternative to have an AccountID as a prefix of each newly added piece of profile, for example?

Thanks.

Jose
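
The overwrite reported in this thread, reproduced as an added example that is not gimme-aws-creds code: it maps role ARNs to credentials-file section names under three naming schemes and shows which role's credentials are left in each section after sequential writes. The ARNs are constructed, `source_role` stands in for the real key fields, and the `account-role` scheme is a hypothetical illustration of the account ID prefix asked about above.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample: two roles in one account, plus the same role name in a second account.
SAMPLE_ROLE_ARNS = [
    "arn:aws:iam::111111111111:role/namespaced_role0",
    "arn:aws:iam::111111111111:role/namespaced_role1",
    "arn:aws:iam::222222222222:role/namespaced_role0",
]
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.+/)?([\w+=,.@-]+)$")


def profile_name(role_arn, scheme, static_name="aws-sbx-profile1"):
    """Map a role ARN to a credentials-file section name under one naming scheme."""
    match = ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    account_id, role = match.groups()
    if scheme == "static":        # cred_profile = <static_profile_name>
        return static_name
    if scheme == "role":          # cred_profile = role
        return role
    if scheme == "account-role":  # hypothetical: account ID prefix, as asked for in the thread
        return f"{account_id}-{role}"
    raise ValueError(f"unknown scheme: {scheme!r}")


def find_collisions(role_arns, scheme):
    """Return {profile name: [ARNs]} for every name that more than one role maps to."""
    by_profile = defaultdict(list)
    for arn in role_arns:
        by_profile[profile_name(arn, scheme)].append(arn)
    return {name: arns for name, arns in by_profile.items() if len(arns) > 1}


def simulate_writes(role_arns, scheme):
    """Write one section per role, in order; return {profile name: ARN left in the file}."""
    creds = configparser.ConfigParser(interpolation=None)
    for arn in role_arns:
        name = profile_name(arn, scheme)
        if not creds.has_section(name):
            creds.add_section(name)
        creds[name]["source_role"] = arn  # stand-in for the real access key fields
    return {name: creds[name]["source_role"] for name in creds.sections()}


if __name__ == "__main__":
    for scheme in ("static", "role", "account-role"):
        print(scheme, find_collisions(SAMPLE_ROLE_ARNS, scheme), simulate_writes(SAMPLE_ROLE_ARNS, scheme))
```

Running `find_collisions` over the roles a user can assume, before anything is written, flags any profile name that would end up holding credentials for a role other than the one intended.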


Sector95 commented on June 29, 2024

It's been some time on this one, can anyone verify that this problem still occurs for them?

