samltoawsstskeys's Issues

Extension doesn't work in incognito mode

When using the extension in incognito mode it doesn't create and download the credentials file. When checking the regular (non-incognito) window again, it shows some weird file which it tried to download but failed. It has a kind of UUID name.

Credentials file download fails with GUID filename

As of this morning, I am no longer able to download the credentials file using the extension. Instead of the file, I now get a failed download with a GUID as a filename.

Debug log below:

script.js:59 DEBUG: onBeforeRequest event hit!
script.js:79 DEBUG: samlXmlDoc:
script.js:80 [redacted]
script.js:120 ApplySessionDuration: false
script.js:121 SessionDuration: null
script.js:122 hasRoleIndex: true
script.js:123 roleIndex: arn:aws:iam::[redacted]
script.js:161 RoleArn: arn:aws:iam::[redacted]
script.js:162 PrincipalArn: arn:aws:iam::[redacted]:saml-provider/[redacted]
script.js:187 DEBUG: Successfully assumed default profile
script.js:188 docContent:
script.js:189 [default]
aws_access_key_id = [redacted]
aws_secret_access_key = [redacted]
aws_session_token = [redacted]
script.js:195 Generate AWS tokens file.
script.js:261 DEBUG: Now going to download credentials file. Document content:
script.js:262 [default]
aws_access_key_id = [redacted]
aws_secret_access_key = [redacted]
aws_session_token = [redacted]
script.js:266 DEBUG: Blob URL:blob:chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/b7e150af-9f7a-4bf4-88b7-e8a5859511d7

Attempting to visit the above URL results in a 404.

Settings:
Filename: credentials
Apply SessionDuration: no
Debug logging: yes
ARN list: none

Running on Chrome version 72.0.3626.81 (updates are disabled by group policy)
Extension version: 2.7

CRLF instead of LF for new line

I am trying to use S3 browser with the credential file but it does not support LF as new line.
The original credentials file using aws configure has CRLF as the new line.
Can this be changed to CRLF?

Doesn't work for me

Hi,
Not sure what the problem is. I installed the plugin and logged in to the AWS console with my Google G-suite SAML, but nothing happens. Is something supposed to pop up?

I also tried this in Incognito mode, but that also does not work.

I also installed it in Firefox, but with the same negative results.

Any suggestions?

Plugin does not write to credentials all the profiles that were setup

Since the new version, 2.3, I no longer see all the profiles I set up on the plugin on my credentials file. It seems to always ignore the first profile I set up.
If, for example, I add one profile then I only see the default. When I add a new one then I will see default + the second profile I add.

Populate Role History based off samltoawsstskeys plugin

At the company I work for we have many different accounts we manage and our operations and support teams have to jump between accounts frequently. AWS role history only allows saving of 5 roles, as it saves it in a cookie.

We have made some crude patches to a forked version of your plugin (https://github.com/TheSkorm/samltoawsstskeys/blob/extraRoles/extra_roles/roles.js) that re-initializes the nav user menu with roles from the STS plugin and colours them by hashing the account id. This allows all roles from the STS plugin to appear in the nav menu bar.

If this feature sounds like something you'd like to see merged into your plugin I would be happy to clean up some of the code and add a toggle option for it on the settings page.

Filename ignored

Hi

Extension works great, however the file name I specify in the options is ignored and instead a random name is generated for the file in the downloads folder from chrome.

Anybody else with this issue?

Thanks

Update firefox extension

Not sure if the firefox extension is maintained by you guys, but Firefox version is on 2.5
It would be nice to keep it up to date.
Thanks,

Does this chrome extension work?

I am not having any success with the latest version of Chrome. Do I have to run Chrome as Admin or allow the extension some level of access?

Chrome 68 breaks credentials download

After the update to Chrome 68, the extension no longer downloads the credentials file when doing SAML auth. I had a colleague report a problem, and I couldn't reproduce until I updated Chrome, and then I got the same behavior.

Additional Named Roles are Not Populating

Summary:
Testing with some of my coworkers has shown that at least some additional named roles are not populating in the downloaded Credentials file for us.

Steps to Reproduce:

  • Configure the extension with named roles.
  • Log into AWS via IDP.
  • Select a role to be set as the Default role.
  • Complete the log-in process.

Expected behavior:

  • The role chosen when logging into the AWS page will be set as the default profile.
  • All configured roles will be added to the Credentials file.

Actual behavior:

  • Only the default and perhaps one named role will be added to the credentials file.

Other notes:
Looking at locations in the source code where changes occurred, I suspect this might have started happening around 35e4917.

Download not working again

We have Okta MFA disabled currently in our dev environment. And now I am not getting the credentials download again. Is anyone else experiencing issues? I even tried incognito so not many extensions are loaded.

Chrome Version 69.0.3497.100 (Official Build) (64-bit)

Issue with the optional setting [OPTIONAL] Apply the SessionDuration requested by the SAML provider

When the [OPTIONAL] setting (Apply the SessionDuration requested by the SAML provider) is set to YES, I was unable to get the credential file.
Since this is an optional setting, it shouldn't block the user from downloading the credential file.
Kindly fix this.

Debug LOG:
INFO: AWSAssumeRoleWithSAMLCommand client.send will now be executed
script.js:292 ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
at Te (aws-js-sdk-bundle.js:2:57065)
at aws-js-sdk-bundle.js:2:70787
at async aws-js-sdk-bundle.js:2:38494
at async On.retry (aws-js-sdk-bundle.js:2:89037)
at async aws-js-sdk-bundle.js:2:116397
at async assumeRoleWithSAML (script.js:278:22)
at async onBeforeRequestEvent (script.js:197:12)
script.js:203 ERROR: Error when trying to assume the IAM Role with the SAML Assertion.
script.js:204 TypeError: Cannot read properties of undefined (reading 'access_key_id')
at onBeforeRequestEvent (script.js:199:72) "TypeError: Cannot read properties of undefined (reading 'access_key_id')\n at onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:199:72)"
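
The log above shows two separate failures: STS rejects the requested DurationSeconds, and the caller then reads `access_key_id` from an undefined result. The sketch below is an added example, not part of the issue report or the extension's code. It retries once without DurationSeconds and refuses to continue when no credentials come back; all function names are hypothetical and the STS call is replaced by a constructed stand-in.

```javascript
// Added example; all names are hypothetical. `send` stands in for the STS AssumeRoleWithSAML call.
const STS_MIN_SECONDS = 900;   // lowest DurationSeconds STS accepts
const STS_MAX_SECONDS = 43200; // highest DurationSeconds STS accepts (12 hours)

function buildParams(base, applySessionDuration, samlSessionDuration) {
  const params = { ...base };
  const requested = Number(samlSessionDuration);
  // A missing attribute (null) must leave DurationSeconds out, not send 0.
  if (applySessionDuration && samlSessionDuration != null &&
      Number.isInteger(requested) && requested > 0) {
    params.DurationSeconds =
      Math.min(STS_MAX_SECONDS, Math.max(STS_MIN_SECONDS, requested));
  }
  return params;
}

async function assumeWithFallback(send, base, applySessionDuration, samlSessionDuration) {
  const params = buildParams(base, applySessionDuration, samlSessionDuration);
  let response;
  try {
    response = await send(params);
  } catch (err) {
    // Only the "duration too long" case is retried; every other error surfaces.
    if (err.name !== 'ValidationError' || !('DurationSeconds' in params)) throw err;
    const { DurationSeconds, ...withoutDuration } = params;
    response = await send(withoutDuration); // STS applies its one-hour default
  }
  if (!response || !response.Credentials) {
    throw new Error('STS returned no Credentials; no credentials file written');
  }
  const c = response.Credentials;
  return { access_key_id: c.AccessKeyId, secret_access_key: c.SecretAccessKey, session_token: c.SessionToken };
}

// Constructed stand-in for a role whose MaxSessionDuration is `maxSeconds`.
function makeFakeSend(maxSeconds) {
  const calls = [];
  const send = async (params) => {
    calls.push(params);
    if ((params.DurationSeconds ?? 3600) > maxSeconds) {
      const err = new Error('The requested DurationSeconds exceeds the MaxSessionDuration set for this role.');
      err.name = 'ValidationError';
      throw err;
    }
    return { Credentials: { AccessKeyId: 'ASIACONSTRUCTED0001',
      SecretAccessKey: 'constructed-secret', SessionToken: 'constructed-token' } };
  };
  return { send, calls };
}
```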

Error getting non Default credentials after Manifest v3 change

I'm seeing a different error for all the non-Default profiles:
INFO: assumeRole client.send will now be executed
script.js:345 MalformedInput: UnknownError
at Re (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:57065)
at chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:68463
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:38494
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:50282
at async On.retry (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:89037)
at async chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk/lib/aws-js-sdk-bundle.js:2:116397
at async assumeRole (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:331:22)
at async onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:216:22)
script.js:223 ERROR: Error when trying to assume additional IAM Role.
script.js:224 TypeError: Cannot read properties of undefined (reading 'access_key_id')
at onBeforeRequestEvent (script.js:219:83) "TypeError: Cannot read properties of undefined (reading 'access_key_id')\n at onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:219:83)"

Feature Request

Hello, we've recently rolled out SAML integration with Google Apps for our developer AWS account. We also use this account to authorize users in our production account. Is it possible to extend the features of samltoawsstskeys to generate temporary credentials when switching roles to the different production accounts?

The current process is to use the credentials generated with the dev account and assume-role to the new account, but it would be cleaner/nicer if your plugin was to allow a user to pull the credentials from the production accounts as required.

Remove the inserted space before all Line Feeds (LF)

Each line in the credentials-file has a space inserted before the LF. Please trim before inserting the headers and values into the file. Otherwise, you need to clean up these spaces when trying to read the file as an "ini-file".

Support for China region

Can someone let me know if there is a way to use this plugin for China accounts? I tried to use it on both Chrome and Firefox but couldn't make it work. Your help is highly appreciated.

Optionally to not pop up the save dialog

It would be great if there was an option to not automatically pop up the save dialog once you log in, and instead save it until the user clicks the extension and chooses "save credentials" from the menu.

Manual override the SessionDuration param if "Apply the SessionDuration requested" is set to No

Our AWS has a default of 1 hour session but allows up to 12 hours. The current SessionDuration doesn't seem to collect this maximum of 12 hours, goes to null, and AWS defaults all generated credentials to one hour.

https://github.com/prolane/samltoawsstskeys/blob/master/background/script.js#L109

It would be nice if when we set Apply the SessionDuration requested to no, an input box could pop up to set an override value or is there a better way to dynamically get the maximum SessionDuration allowed by AWS?

Spaces around "="

AWS-CLI has troubles with:
aws_.......... = value

It has no troubles with:
aws_..........=value

Is it possible to remove the spaces around the equal-sign?
Thanks in advance.

Does not generate the file credentials.

After the December update it is no longer generating the credentials file.
This occurs in Chrome or Edge.
Is there any configuration that needs to be done after the upgrade?
Thank you

Need to know what permissions the IAM role uses

Our standard company roles work great with this plugin.
We have a custom IAM role that is meant to provide access to a few select resources in the production account.
When we use this role, the plugin does not download the credentials file. We have tried adding "sts:TagSession", but are unsure what else it might need.

Failing to download credentials

Hello,

It looks like if a user only has a single SAML role, the extension fails to download the credentials file.

I've done a little digging and it appears that the Chrome Extension is being canceled due to the SAML https://signin.aws.amazon.com/saml response being a Redirect 302.

I've tried to add "<all_urls>" to the manifest file, but I think the response doesn't have the payload that the plugin is expecting to pull the role information, so it's not a simple permission issue.

Steps to reproduce

If the https://signin.aws.amazon.com/saml screen asks you to select the Role, then the extension will work.

If anyone else has this issue, a simple workaround is to add a second SAML role to the account. It doesn't need to work (I've set mine to DONOTUSE), and get users to select their normal role. The extension seems to work fine.

Access key ID is not recognized by AWS.

After logging in to AWS, the app provided a credential file to download.
However, the credentials do not work. When using aws s3 ls, I got this error:

An error occurred (InvalidAccessKeyId) when calling the ListObjectsV2 operation: The AWS Access Key Id you provided does not exist in our records.

I tried twice, got the same.

Maybe I configured something wrong, but I don't know what. Any ideas?
I installed from the chrome web store just now. It is unclear which version it is.

Chrome 72 breaks download

I am using Chrome Version 72.0.3626.81 (Official Build) (64-bit) and immediately after the upgrade the credentials download stopped working. I attempted to pull logs from the extension console using instructions listed in previous issues of this kind but there is not any output.

symlink Big Sur

Is there a workaround for Mac symlink restrictions with Big Sur OS system files?

Credentials File Download Issue - Google SessionDuration

We are setting the SessionDuration via Google CustomSchema for users logging into AWS via SAML. For some, when they log in, the credentials file does not download. To resolve it, they change Apply the SessionDuration requested by the SAML provider. to No and the file downloads. For others, including myself, it works as expected with that option set to Yes. We are running the same version of the plugin (2.3) and the same version of Chrome.

Chrome 62 breaks extension

In Chrome 62, the extension no longer downloads a credentials file. Worked in Chrome 61 just fine.

(sorry for dupe, posted this previously under the wrong account (service account)).

Stopped renaming credentials file

It recently stopped renaming the credentials file and now it just saves it as download.txt.

  • I tried removing the extension and adding it again.
  • I checked the config and it still says to name it credentials.
  • I deleted the old credentials file in case it was having an issue replacing it.

Need aws_security_key for Ansible

The credentials file that gets output by the extension has 3 different key/value pairs:

  • aws_access_key_id
  • aws_secret_access_key
  • aws_session_token

However, whenever the Ansible EC2 module runs, it needs an additional value - aws_secret_key - or it will crash. My org has written a script to change the aws_session_token key to aws_secret_key (because they're the same value) to get this working for Ansible, but that inadvertently broke Terraform 🤦‍♂️

Since aws_session_token and aws_security_token are actually the same value, changing background/script.js:141 and background/script.js:177 to include aws_security_token = data.Credentials.SessionToken would fix the issue.
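
Several reports above concern the exact bytes of the credentials file: LF versus CRLF, a stray space before the line ending, spaces around `=`, and the extra aws_security_token key. The writer below is an added example, not part of any issue report or the extension's code, that makes each of these an explicit option and rejects values that could inject an extra key or section. `renderCredentials`, its options and the sample profiles are hypothetical and constructed.

```javascript
// Added example. renderCredentials and its options are hypothetical names.
const LINE_BREAK = /[\r\n]/;        // would let a value start a new key or section
const SECTION_CHARS = /[\r\n\[\]]/; // additionally not allowed in a profile name

function clean(label, value, forbidden = LINE_BREAK) {
  // trim() drops the stray space that otherwise ends up before the line ending
  const v = value == null ? '' : String(value).trim();
  if (v === '' || forbidden.test(v)) throw new Error(`unsafe ${label}`);
  return v;
}

function renderCredentials(profiles, opts = {}) {
  const { eol = '\n', assign = ' = ', legacyTokenAlias = false } = opts;
  if (eol !== '\n' && eol !== '\r\n') throw new Error('eol must be LF or CRLF');
  if (assign.trim() !== '=') throw new Error('assign must be "=" with optional spaces');
  const out = [];
  for (const [name, keys] of Object.entries(profiles)) {
    const token = clean('session token', keys.session_token);
    out.push(`[${clean('profile name', name, SECTION_CHARS)}]`);
    out.push(`aws_access_key_id${assign}${clean('access key id', keys.access_key_id)}`);
    out.push(`aws_secret_access_key${assign}${clean('secret access key', keys.secret_access_key)}`);
    out.push(`aws_session_token${assign}${token}`);
    // Same value under the older key name some tools still read.
    if (legacyTokenAlias) out.push(`aws_security_token${assign}${token}`);
  }
  return out.join(eol) + eol;
}

// Constructed sample input; not real credentials.
const sampleProfiles = {
  default: { access_key_id: 'ASIACONSTRUCTED0001', secret_access_key: 'constructedSecret/0001',
             session_token: 'constructedToken+0001== ' },
  ops: { access_key_id: 'ASIACONSTRUCTED0002', secret_access_key: 'constructedSecret/0002',
         session_token: 'constructedToken+0002==' },
};
```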
