venth / aws-adfs Goto Github PK
View Code? Open in Web Editor NEWCommand line tool to ease aws cli authentication against ADFS (multi factor authentication with active directory)
License: MIT License
aws-adfs's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
holmesjr execpcs keirwhitlock aturetta bwits harkamals roblugton amansukhaniebsco alkyoox wiederhold andrewfarley gprestonebsco paulte pixelworksit irgeek mattfirtion zanettibo d3fault0 donvargax kylejameswalker wruman avoidik coingraham jlambeth leonardo-test stewmi clouduser27 bdwyertech santhubairamcs mendhak matttunny jan-molak emmcardenas ntt-data-cloud-transformation darylrobbins pkccd rbouikila sriharilnx pdecat lemaral wilcosec 0x91 walkerk1980 vardhan0707 tommywo injineers budzejko felipe-lee avinashtgoje andrewlubenets rinrinne hoodielive mjernsell kfattig embrsword mcgarrah cgaete jbeninson michielvermeir aspectcapital rheemskerk gregorydulin thien-vuong-cgc n0rig johan1252 lu-chi mikereinhold awang35 trevenen redipki gpiccinni andrzpg12 geanttechnology t00mm gmartijn magnologan hcsyash npeters smxjrz gregorlarson pvbouwel rsilvareberth gchambert super-kishik erpel shr3ps trav-c lefju draakje111 martinverup ryno75 aikenx shamrocktrading reza sheelng mheiges alencar prvnmali2017aws-adfs's Issues
aws-adfs not working on macOS Sierra - System-installed Python 2.7
I'm having issues getting aws-adfs to work on the system-installed Python 2.7 on macOS Sierra. The tool can be installed using pip, but when running the command "aws-adfs login --adfs-host MYHOST --profile MYPROFILE", I get the following error:
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in <module>
load_entry_point('aws-adfs==0.3.3', 'console_scripts', 'aws-adfs')()
File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Library/Python/2.7/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Library/Python/2.7/site-packages/aws_adfs/login.py", line 76, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
File "/Library/Python/2.7/site-packages/aws_adfs/authenticator.py", line 16, in authenticate
password=password,
File "/Library/Python/2.7/site-packages/aws_adfs/html_roles_fetcher.py", line 61, in fetch_html_encoded_roles
'AuthMethod': provider_id
File "/Users/trevash/Library/Python/2.7/lib/python/site-packages/requests/sessions.py", line 511, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/Users/trevash/Library/Python/2.7/lib/python/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/Users/trevash/Library/Python/2.7/lib/python/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/Users/trevash/Library/Python/2.7/lib/python/site-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: SysCallError(54, 'Connection reset by peer')",)
Any idea why this would be happening?
Runnable script instruction
Please add to the README file how to install with runnable script in PATH.
You can add a comment that the user can install with:
- virtualenv
- sudo and install in system path
- local path and add it to PATH environment
Introduce git tag based versioning
The inspiration to move versioning to git tags is the project - axion-release-plugin made by Allegro.
The reasons to moving to git tag based versioning are:
- easier release process by moving versioning outside of the codebase,
- keep versioning consistent.
requests.exceptions.SSLError: [Errno 2] - aws-adfs version 0.1.1
Hi there,
We are getting SSL exceptions with the latest version 0.1.1 which running in Mac (However it's continue to work in version 0.0.9).
- OS is Mac OS X EI Capitan Version
10.11.6 - Python
2.7
We get following error when we try to aws-adfs login --adfs-host=your-adfs-hostname
Error is the error,
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in <module>
sys.exit(cli())
File "/Library/Python/2.7/site-packages/click/core.py", line 716, in __call__
return self.main(*args, **kwargs)
File "/Library/Python/2.7/site-packages/click/core.py", line 696, in main
rv = self.invoke(ctx)
File "/Library/Python/2.7/site-packages/click/core.py", line 1060, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Library/Python/2.7/site-packages/click/core.py", line 889, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Python/2.7/site-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/Library/Python/2.7/site-packages/aws_adfs/login.py", line 60, in login
principal_roles, assertion = authenticator.authenticate(config)
File "/Library/Python/2.7/site-packages/aws_adfs/authenticator.py", line 12, in authenticate
password=password,
File "/Library/Python/2.7/site-packages/aws_adfs/html_roles_fetcher.py", line 54, in fetch_html_encoded_roles
'AuthMethod': 'urn:amazon:webservices'
File "/Library/Python/2.7/site-packages/requests/sessions.py", line 522, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/Library/Python/2.7/site-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/Library/Python/2.7/site-packages/requests/sessions.py", line 596, in send
r = adapter.send(request, **kwargs)
File "/Library/Python/2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 2] No such file or directory
Issues with Centos 7
I am running Centos 7 in a VM on Virtualbox. I am attempting to use aws-adfs to connect to my code commit repo in AWS. My Python version 2.7.12. I installed aws-adfs using pip. The aws-adfs version is 0.3.3
On both aws-adfs --version and aws-adfs --help I get the following error.
aws-adfs --help
Traceback (most recent call last):
File "/usr/bin/aws-adfs", line 5, in
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3007, in
working_set.require(requires)
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 728, in require
needed = self.resolve(parse_requirements(requirements))
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 631, in resolve
requirements.extend(dist.requires(req.extras)[::-1])
File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2497, in requires
"%s has no such extra feature %r" % (self, ext)
pkg_resources.UnknownExtra: requests 2.6.0 has no such extra feature 'security'
Upgrade from 0.3.6 to 0.3.7 breaking simple authentication
I just upgraded my module from 0.3.6 to 0.3.7 and am now receiving the following error during authentication.
(adfs) thecomputer:~ <myusername>$ aws-adfs login --adfs-host=mydomain.com --region=us-east-1
2017-07-14 12:51:16,509 [authenticator authenticator.py:authenticate] [80410-MainProcess] [140735207329792-MainThread] - ERROR: Cannot extract saml assertion. Second factor authentication failed?
Username: <myusername>@mydomain.com
Password:
Traceback (most recent call last):
File "/Users/<myusername>/adfs/bin/aws-adfs", line 11, in <module>
sys.exit(cli())
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/aws_adfs/login.py", line 91, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, username, password)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/aws_adfs/authenticator.py", line 38, in authenticate
principal_roles)
File "/Users/<myusername>/adfs/lib/python2.7/site-packages/aws_adfs/authenticator.py", line 57, in _aggregate_roles_by_account_alias
if account_aliases[account_no] not in aggregated_accounts:
KeyError: '214329012423'
(adfs) thecomputer:~ <myusername>$
Python version 2.7.10 on Mac OS X El Capitan 10.11.4
Pip modules installed:
asn1crypto==0.22.0
aws-adfs==0.3.7
awscli==1.11.105
boto3==1.4.4
botocore==1.5.82
certifi==2017.4.17
cffi==1.10.0
chardet==3.0.4
click==6.7
colorama==0.3.7
configparser==3.5.0
cryptography==1.9
docutils==0.13.1
enum34==1.1.6
futures==3.1.1
idna==2.5
ipaddress==1.0.18
jmespath==0.9.3
lxml==3.8.0
pyasn1==0.2.3
pycparser==2.18
pyOpenSSL==17.1.0
python-dateutil==2.6.1
PyYAML==3.12
requests==2.18.1
rsa==3.4.2
s3transfer==0.1.10
six==1.10.0
urllib3==1.21.1
Dependency incompatibility with botocore 1.6.0+
Hello,
I had an issue after updating the awscli to the version (1.11.136).
PS X:\Work\projects> aws-adfs login --adfs-host adfs.Company.com
Traceback (most recent call last):
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 659, in _build_master
ws.require(__requires__)
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 967, in require
needed = self.resolve(parse_requirements(requirements))
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 858, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (botocore 1.6.3 (c:\users\User\appdata\local\programs\python\python36\lib\site-packages), Requirement.parse('botocore<1.6.0,>=1.5.0'), {'boto3'})
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Users\User\AppData\Local\Programs\Python\Python36\Scripts\aws-adfs-script.py", line 6, in <module>
from pkg_resources import load_entry_point
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 3017, in <module>
@_call_aside
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 3003, in _call_aside
f(*args, **kwargs)
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 3030, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 661, in _build_master
return cls._build_from_requirements(__requires__)
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 674, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "c:\users\User\appdata\local\programs\python\python36\lib\site-packages\pkg_resources\__init__.py", line 853, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'botocore<1.6.0,>=1.5.0' distribution was not found and is required by boto3I worked around the problem by downgrading botocore to version 1.5.95.
PS X:\Work\projects> pip install botocore==1.5.95
Collecting botocore==1.5.95
Downloading botocore-1.5.95-py2.py3-none-any.whl (3.6MB)
100% |████████████████████████████████| 3.6MB 316kB/s
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in c:\users\User\appdata\local\programs\python\python36\lib\site-packages (from botocore==1.5.95)
Requirement already satisfied: docutils>=0.10 in c:\users\User\appdata\local\programs\python\python36\lib\site-packages (from botocore==1.5.95)
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in c:\users\User\appdata\local\programs\python\python36\lib\site-packages (from botocore==1.5.95)
Requirement already satisfied: six>=1.5 in c:\users\User\appdata\local\programs\python\python36\lib\site-packages (from python-dateutil<3.0.0,>=2.1->botocore==1.5.95)
Installing collected packages: botocore
Found existing installation: botocore 1.6.0
Uninstalling botocore-1.6.0:
Successfully uninstalled botocore-1.6.0
Successfully installed botocore-1.5.95But a better solution would to update the dependency requirements for botocore.
Versions
awscli (1.11.136)
boto3 (1.4.4)
botocore (1.5.95)
aws-adfs (0.2.3)
--verbose flag fails when used with login --adfs-host.
--verbose flag doesn't seem to work:
aws-adfs login --verbose --adfs-host "https://XXXXXXXXXXX.XXX.XXX/adfs/ls/IdpInitiatedSignOn.aspx"
Error: no such option: --verbose
aws-adfs login --adfs-host "https://XXXXXXXXXXX.XXX.XXX/adfs/ls/IdpInitiatedSignOn.aspx" --verbose
Error: no such option: --verbose
Role arn passed as parameter to the login method
Hi,
is not possibile to automate the login process to aws if the saml assertion has more than one role arn because of the role_chooser requires user prompt.
As an enachment the login method could have a role_arn input parameter passed to the role_chooser and in case of it is in the principal_roles collection it is returned as the one choosen.
Thanks for the great job !
UnicodeEncodeError: 'ascii' codec can't encode character u'\u017a' in position 705: ordinal not in range(128)
Version: aws-adfs-0.0.3
Uname: Linux mo-01-0187 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:09:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Charset: pl_PL.UTF-8
~/s/o/d/d/s/jenkins (master) $ aws-adfs login --profile=shared-resource-admin --adfs-host=adfs.int.hrs.com --no-ssl-verification
Traceback (most recent call last):
File "/home/tnowodzinski/.local/bin/aws-adfs", line 11, in <module>
sys.exit(cli())
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/click/core.py", line 716, in __call__
return self.main(*args, **kwargs)
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/click/core.py", line 696, in main
rv = self.invoke(ctx)
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/click/core.py", line 1060, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/click/core.py", line 889, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/aws_adfs/login.py", line 68, in login
principal_roles, assertion = _authenticate(config)
File "/home/tnowodzinski/.local/lib/python2.7/site-packages/aws_adfs/login.py", line 154, in _authenticate
html = ET.fromstring(response.text.decode('utf8'), ET.HTMLParser())
File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u017a' in position 705: ordinal not in range(128)
Automate release process
Currently release process is done manually, which already ended up with the released spoiled egg on pypi. In order to prevent releasing spoiled eggs in the future the release process will be performed by travis, when the commit used to build is tagged with a version and build is executed against master branch.
Add an option to change the STS token duration
Now that we can specify an AWS console session duration using SAML 2.0 (see here) it would be nice to have an option to set the STS token duration in aws-adfs.
The idea is that if I can have a 12h session I don't want to re-log every hour because the STS token duration being hardcoded to 3600 seconds.
What do you think ?
botocore VersionConflict issue
It appears that after upgrading from 0.4.4 to 0.4.7 makes aws-adfs no longer work.
Downgrading to 0.4.4 (last working version) doesn't resolve the issue.
Setting up a new python environment doesn't resolve the issue either.
: > aws-adfs login
Traceback (most recent call last):
File "/Users/.pyenv/versions/2.7.14/bin/aws-adfs", line 6, in <module>
from pkg_resources import load_entry_point
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3142, in <module>
@_call_aside
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3126, in _call_aside
f(*args, **kwargs)
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3155, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 666, in _build_master
return cls._build_from_requirements(__requires__)
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 679, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages/pkg_resources/__init__.py", line 872, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (botocore 1.8.20 (/Users/.pyenv/versions/2.7.14/lib/python2.7/site-packages), Requirement.parse('botocore<1.9.0,>=1.8.22'), set(['boto3']))
> pip freeze
asn1crypto==0.24.0
astroid==1.5.3
aws-adfs==0.4.7
awscli==1.14.16
backports.functools-lru-cache==1.4
blessings==1.6
boto==2.48.0
boto3==1.5.8
botocore==1.8.20
cachetools==2.0.1
certifi==2017.11.5
cffi==1.11.2
chardet==3.0.4
click==6.7
colorama==0.3.7
configparser==3.5.0
cryptography==2.1.4
docutils==0.14
enum34==1.1.6
futures==3.2.0
google-api-python-client==1.6.4
google-auth==1.1.1
google-cloud-bigquery==0.27.0
google-cloud-core==0.27.1
google-resumable-media==0.3.1
googleapis-common-protos==1.5.3
httplib2==0.10.3
idna==2.6
ipaddress==1.0.19
isort==4.2.15
jmespath==0.9.3
lazy-object-proxy==1.3.1
lxml==4.1.1
mccabe==0.6.1
oauth2client==4.1.2
prettytable==0.7.2
protobuf==3.4.0
py==1.4.34
pyasn1==0.4.2
pyasn1-modules==0.1.5
pycparser==2.18
pylint==1.7.4
pyOpenSSL==17.5.0
pytest==3.2.3
python-dateutil==2.6.1
PyYAML==3.12
requests==2.18.4
rsa==3.4.2
s3transfer==0.1.12
singledispatch==3.4.0.3
six==1.11.0
uritemplate==3.0.0
urllib3==1.22
wrapt==1.10.11
Script-ability
Would you consider a pull request that added a way to make the call to aws-adfs non-interactive. I'm thinking a login argument that has it take accept the password from STDIN (like sudo -S) and another that lets you give the username on the command line.
Thought I'd ask to see if you'd be open to a PR before just diving into the code.
Thanks.
If env AWS_PROFILE or AWS_DEFAULT_PROFILE are set, a nonsensical provider_id is used.
Hi,
[user@host ~]$ aws-adfs --version
0.3.14
[user@host ~]$ aws --version
aws-cli/1.11.154 Python/3.6.2 Linux/4.13.12-200.fc26.x86_64 botocore/1.7.12
I have noticed that aws-adfs breaks when env var AWS_PROFILE (or AWS_DEFAULT_PROFILE) are set. --debug shows that the value of AWS_PROFILE replaces provider_id, which is used to construct the _IDP_ENTRY_URL :
Lines 91 to 92 in 8ded19f
I am not sure that boto.session's value profile and provider_id are interchangeable...
Ability to add environment variables
It would be great to be able to populate the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION with a command line switch. This would make passing creds through to a Docker container easy, for example.
Eager to hear your thoughts.
Errors while attempting to log in from windows 10
I attempted to log in to aws through adfs on windows 10 using this glorious tool but got following error:
Error with verbose:
~ $ aws-adfs -v login --adfs-host=some.adfs.host.com --no-ssl-verification
2018-01-10 10:33:22,544 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [14344-MainProcess] [4696-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error: [Errno 2] No such file or directory: 'C:\\Users\\ato05/.aws\\adfs_cookies'
2018-01-10 10:33:22,546 [connectionpool connectionpool.py:_new_conn] [14344-MainProcess] [4696-MainThread] - DEBUG: Starting new HTTPS connection (1): some.adfs.host.com
c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
2018-01-10 10:33:22,779 [connectionpool connectionpool.py:_make_request] [14344-MainProcess] [4696-MainThread] - DEBUG: https://some.adfs.host.com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 302 0
c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
2018-01-10 10:33:22,821 [connectionpool connectionpool.py:_make_request] [14344-MainProcess] [4696-MainThread] - DEBUG: https://some.adfs.host.com:443 "GET /adfs/ls/wia?loginToRp=urn:amazon:webservices HTTP/1.1" 401 0
Traceback (most recent call last):
File "C:\Users\ato05\scoop\apps\python\current\scripts\aws-adfs-script.py", line 11, in <module>
load_entry_point('aws-adfs==0.4.8', 'console_scripts', 'aws-adfs')()
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\click\core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\click\core.py", line 697, in main
rv = self.invoke(ctx)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\click\core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\click\core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\click\core.py", line 535, in invoke
return callback(*args, **kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\aws_adfs\login.py", line 82, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\aws_adfs\authenticator.py", line 19, in authenticate
password=password,
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\aws_adfs\html_roles_fetcher.py", line 76, in fetch_html_encoded_roles
data=data
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 555, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 508, in request
resp = self.send(prep, **send_kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 640, in send
history = [resp for resp in gen] if allow_redirects else []
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 640, in <listcomp>
history = [resp for resp in gen] if allow_redirects else []
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 218, in resolve_redirects
**adapter_kwargs
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\sessions.py", line 625, in send
r = dispatch_hook('response', hooks, r, **kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests\hooks.py", line 31, in dispatch_hook
_hook_data = hook(hook_data, **kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests_negotiate_sspi\requests_negotiate_sspi.py", line 190, in _response_hook
return self._retry_using_http_Negotiate_auth(r, scheme, kwargs)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\requests_negotiate_sspi\requests_negotiate_sspi.py", line 73, in _retry_using_http_Negotiate_auth
clientauth = sspi.ClientAuth(scheme, targetspn=targetspn, auth_info=self._auth_info)
File "c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages\win32\lib\sspi.py", line 111, in __init__
None, auth_info)
ValueError: year 30828 is out of range
some info:
~ $ [Environment]::OSVersion
Platform ServicePack Version VersionString
-------- ----------- ------- -------------
Win32NT 10.0.15063.0 Microsoft Windows NT 10.0.15063.0
$ pip --version
pip 9.0.1 from c:\users\ato05\scoop\apps\python\3.6.3\lib\site-packages (python 3.6)
$ python --version
Python 3.6.3
$ aws-adfs --version
0.4.8
$ aws --version
aws-cli/1.14.11 Python/2.7.9 Windows/8 botocore/1.8.15
Python 3 compatible?
In the readme you credit @brandond with Python 3 compatibility, and your 'known issues' section lists python 3.2 as not supported (hinting that python 3.3+ is supported). I'm getting the similar error that was reported in #32 with python3.4. He closed the issue saying he got it working with python 2.7.
Is aws-adfs python-3 compatible?
Parsing error while trying to login to Duo MFA
We have a new integration and continuing our integration of Duo including in our AWS ADFS/SAML solution. For us, our ADFS response page does not have the host: or sig_request: pattern in the javascript in the same way that is programmed in this tool. Error contents pasted below.
I figured I'd throw it here on issues so you have visibility into the error even though I've already debugged and fixed this problem for us.
There's a backwards-compatible pull request coming that fixes this problem for us which will cross-reference to this issue shortly.
$ aws-adfs login --adfs-host=<our-adfs-host-here-removed-for-privacy>
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in <module>
sys.exit(cli())
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/aws_adfs/login.py", line 76, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
File "/usr/local/lib/python2.7/site-packages/aws_adfs/authenticator.py", line 21, in authenticate
return extract_strategy()
File "/usr/local/lib/python2.7/site-packages/aws_adfs/authenticator.py", line 35, in extract
return duo_auth.extract(html_response, config.ssl_verification, session)
File "/usr/local/lib/python2.7/site-packages/aws_adfs/_duo_authenticator.py", line 32, in extract
duo_host = _duo_host(html_response)
File "/usr/local/lib/python2.7/site-packages/aws_adfs/_duo_authenticator.py", line 363, in _duo_host
return m.group(1)
AttributeError: 'NoneType' object has no attribute 'group'
PS. Thanks for this awesome tool, hope this makes it work for a few more people that are using (or want to use) Duo MFA.
Error: Issues during redirection to aws roles page. The error response <Response [401]>
aws-adfs version: 0.4.0
python: tried on 2.7,3.4, and 3.6
urllib3 version: (1.10.2)
setup: Duo 2FA, and multi-role account
I get this error after passing the 2FA with successful auth: "Going for aws roles".
Two requests follow: first being a POST to adfs with cookies set, which results in 302. the following request is a GET to adfs which "should" retrieve the aws sign in form, but does not in this case.
when using the --verbose option, I noticed that the redirection (see the logs) points to: ..../wia?loginToRp=urn:amazon:webservices
instead of:
.../IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices
any idea what might be causing this erroneous redirection_location?
2017-10-14 11:28:40,271 [connectionpool connectionpool.py:_make_request] [19156-MainProcess] [139651693283136-MainThread] - DEBUG: https://adfs.xwz.com:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 302 0
2017-10-14 11:28:40,332 [connectionpool connectionpool.py:_make_request] [19156-MainProcess] [139651693283136-MainThread] - DEBUG: https://adfs.xwz.com:443 "GET /adfs/ls/wia?loginToRp=urn:amazon:webservices HTTP/1.1" 401 0
Add option to remove adfs Cookie that stores user account information
Hi,
I was wondering if it would be possible to add an option that removes the adfs user account used so that we have the option to sign in with another user account.
How to use "role-arn" parameter?
There is a new --role-arn TEXT Predefined role arn to select parameter in recent release, but there's no mentions in the code except the login.py and README.md. So it's not clear how to use it and what value (str, pattern, regex, etc) it expects.
automate aws-adfs with expect
Hello,
I'm trying to automate logging in with aws-adfs, using expect. Has anyone managed to do this? I have not; so far I have:
#!/usr/bin/expect -f
spawn aws-adfs login --adfs-host my.host.com
set timeout 30
expect -r "Username: $"
send "$::env(username)\r"
expect -r "Password: $"
send "$::env(password)\r"
(assuming I have the user/pass in env vars) but it appears the password part gets skipped.
Bump awscli to 1.12.2
Both botocore and awscli got bumped, so installing does not work without the older packages.
Support for Duo's "Remember Me" feature
Would it be possible to leverage Duo's "Remember me for x days" feature (I believe it's set via a cookie) to prevent having to continually use MFA on the same machine?
The ability to do so is optional, and controlled by the duo admin for the team, but if the checkbox exists, it would be great to be able to optionally set it, maybe via a run time switch (--duo-remember-me?).
parameter --profile= should have precedence over environment variable
When calling the login method, the --profile used for authentication should have precedence over environment variable.
Bump awscli and botocore versions
- awscli to 1.14.10
- botocore to 1.8.14
Feature request for more authentication methods
Currently, we have to set automatic push for the login to work. I tried using a few different methods to see which ones work (OTP, SMS, and Phone Call) as described on duo's site for other applications that don't support push. None of them work, each have different failures.
OTP (one time passcode) - works by adding the passcode to the existing password like so
eg. password,passcode
Error: This account does not have access to any roles
SMS - should work same as OTP. Same error.
Phone call - this one was interesting, it calls the phone but the application doesn't wait for a response, it fails immediately after the call is initiated even if you approve it.
Duo Authentication fails for users who don't have a preferred Auth method.
While trying to authenticate to an ADFS 3.0 provider using duo auth I get the following error (With --verbose flag to aws-adfs)
2017-04-25 16:40:07,354 [connectionpool connectionpool.py:_make_request] [10680-MainProcess] [140176161351424-MainThread] - DEBUG: https://--sanitized--:443 "POST /frame/prompt HTTP/1.1" 200 61
2017-04-25 16:40:07,360 [_duo_authenticator _duo_authenticator.py:_begin_authentication_transaction] [10680-MainProcess] [140176161351424-MainThread] - DEBUG: Request:
* url: https://--sanitized--/frame/prompt
* headers: {'Content-Length': '152', 'Accept-Language': 'en', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'text/plain, */*; q=0.01', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko', 'Connection': 'keep-alive', 'Cookie': '--sanitized--', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
Response:
* status: 200
* headers: {'Content-Length': '61', 'Content-Security-Policy': "default-src 'self'; img-src 'self' https://notify.bugsnag.com ; connect-src 'self'", 'Strict-Transport-Security': 'max-age=31536000', 'Server': 'Duo/1.0', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'no-store', 'Date': 'Tue, 25 Apr 2017 20:40:07 GMT', 'P3P': 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"', 'Content-Type': 'application/json'}
* body: {"message": "Unknown authentication method.", "stat": "FAIL"}
Error: Cannot begin authentication process. The error response: {"message": "Unknown authentication method.", "stat": "FAIL"}
Once I logged in via browser, clicking 'settings' -> 'My Settings & Devices' and setting an option in 'When I log in:' aws-adfs worked fine.
After a bit of poking and troubleshooting, it looks like /aws-adfs/_duo_authenticator.py looks for a preferred auth method and uses that in the form post back to Duo; if it's not set, the post to Duo contains a blank 'factor:' field and is considered invalid.
TypeError
--- Sorry, it is working with python 2.7
Hey,
I have an issue with the execution of aws-adfs. I think I have all the dependencies installed, but still this error:
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in
sys.exit(cli())
File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 722, in call
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 696, in main
with self.make_context(prog_name, args, **extra) as ctx:
File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 621, in make_context
self.parse_args(ctx, args)
File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 1015, in parse_args
echo(ctx.get_help(), color=ctx.color)
File "/usr/local/lib/python3.5/dist-packages/click/utils.py", line 259, in echo
file.write(message)
File "/usr/lib/python3.5/codecs.py", line 377, in write
self.stream.write(data)
TypeError: write() argument must be str, not bytes
Do I forget something?
Thanks :)
Ability to change the URN in html_roles_fetcher.py
Hi
Is there are a way of overriding the urn url on line 26 of html_roles_fetcher.py, from calling aws-adfs on the command line?
Currently its hard coded to webservices, but we use many different urn names.
Ta,
SSL certificate verify failed even with --no-ssl-verification
Windows 10, python 2.7.14. Get normal SSL warnings, then it bombs at the bottom.
aws-adfs login --adfs-host=login.xxxxxxxxx.com --no-ssl-verification
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
c:\users\jopittman\python27\lib\site-packages\urllib3\connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
Traceback (most recent call last):
File "C:\Users\jopittman\Python27\Scripts\aws-adfs-script.py", line 11, in
load_entry_point('aws-adfs==0.4.3', 'console_scripts', 'aws-adfs')()
File "c:\users\jopittman\python27\lib\site-packages\click\core.py", line 722, in call
return self.main(*args, **kwargs)
File "c:\users\jopittman\python27\lib\site-packages\click\core.py", line 697, in main
rv = self.invoke(ctx)
File "c:\users\jopittman\python27\lib\site-packages\click\core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "c:\users\jopittman\python27\lib\site-packages\click\core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "c:\users\jopittman\python27\lib\site-packages\click\core.py", line 535, in invoke
return callback(*args, **kwargs)
File "c:\users\jopittman\python27\lib\site-packages\aws_adfs\login.py", line 129, in login
DurationSeconds=3600,
File "c:\users\jopittman\python27\lib\site-packages\botocore\client.py", line 312, in _api_call
return self._make_api_call(operation_name, kwargs)
File "c:\users\jopittman\python27\lib\site-packages\botocore\client.py", line 588, in _make_api_call
operation_model, request_dict)
File "c:\users\jopittman\python27\lib\site-packages\botocore\endpoint.py", line 141, in make_request
return self._send_request(request_dict, operation_model)
File "c:\users\jopittman\python27\lib\site-packages\botocore\endpoint.py", line 170, in _send_request
success_response, exception):
File "c:\users\jopittman\python27\lib\site-packages\botocore\endpoint.py", line 249, in _needs_retry
caught_exception=caught_exception, request_dict=request_dict)
File "c:\users\jopittman\python27\lib\site-packages\botocore\hooks.py", line 227, in emit
return self._emit(event_name, kwargs)
File "c:\users\jopittman\python27\lib\site-packages\botocore\hooks.py", line 210, in _emit
response = handler(**kwargs)
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 183, in call
if self._checker(attempts, response, caught_exception):
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 251, in call
caught_exception)
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 277, in _should_retry
return self._checker(attempt_number, response, caught_exception)
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 317, in call
caught_exception)
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 223, in call
attempt_number, caught_exception)
File "c:\users\jopittman\python27\lib\site-packages\botocore\retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
botocore.vendored.requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
aws-adfs installs with botocore-1.8.15, but requires botocore-1.8.17? both?
I have a fresh install of Python 3.6.4 on Windows 10 and ran pip install aws-adfs and then tried running aws-adfs from the command line and ran into an error:
C:\WINDOWS\system32>aws-adfs
Traceback (most recent call last):
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 659, in _build_master
ws.require(__requires__)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 967, in require
needed = self.resolve(parse_requirements(requirements))
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 858, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (botocore 1.8.15 (c:\python36\lib\site-packages), Requirement.parse('botocore<1.9.0,>=1.8.17'), {'boto3'})
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python36\Scripts\aws-adfs-script.py", line 6, in <module>
from pkg_resources import load_entry_point
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3017, in <module>
@_call_aside
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3003, in _call_aside
f(*args, **kwargs)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3030, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 661, in _build_master
return cls._build_from_requirements(__requires__)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 674, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 858, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (botocore 1.8.15 (c:\python36\lib\site-packages), Requirement.parse('botocore<1.9.0,>=1.8.17'), {'boto3'})
Looking back at the installation of aws-adfs I see that it downloads botocore-1.8.15:
C:\WINDOWS\system32>pip install aws-adfs
Collecting aws-adfs
Using cached aws-adfs-0.4.5.tar.gz
Collecting lxml (from aws-adfs)
Downloading lxml-4.1.1-cp36-cp36m-win_amd64.whl (3.5MB)
100% |████████████████████████████████| 3.6MB 355kB/s
Collecting click (from aws-adfs)
Using cached click-6.7-py2.py3-none-any.whl
Collecting botocore==1.8.15 (from aws-adfs)
Using cached botocore-1.8.15-py2.py3-none-any.whl
...
So, thinking I'm looking at a version number mismatch, I ran pip install --upgrade botocore and botocore-1.8.17 was installed while 1.8.15 was uninstalled. However, running aws-adfs this time also leads to a version conflict:
C:\WINDOWS\system32>aws-adfs
Traceback (most recent call last):
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 659, in _build_master
ws.require(__requires__)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 967, in require
needed = self.resolve(parse_requirements(requirements))
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 858, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (botocore 1.8.17 (c:\python36\lib\site-packages), Requirement.parse('botocore==1.8.15'), {'aws-adfs', 'awscli'})
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Python36\Scripts\aws-adfs-script.py", line 6, in <module>
from pkg_resources import load_entry_point
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3017, in <module>
@_call_aside
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3003, in _call_aside
f(*args, **kwargs)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 3030, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 661, in _build_master
return cls._build_from_requirements(__requires__)
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 674, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "c:\python36\lib\site-packages\pkg_resources\__init__.py", line 853, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'botocore==1.8.15' distribution was not found and is required by aws-adfs, awscli
So, aws-adfs is still looking for botocore-1.8.15? And also awscli is expecting that version too?
I could keep trying to upgrade or downgrade or switch dependencies around, but at this point I think I might be doing something wrong or I've run into an installation bug. What should be my next step?
Version 0.3.4 returns no roles.
I have an existing 0.3.3 setup with python2.7 that works, logging me in with the appropriate role. After I upgrade to 0.3.4 it gives me "This account does not have access to any roles". I ran "pip install -I aws-adfs==0.3.3" to downgrade back to 0.3.3 and it works again.
Is there some configuration setting that I might have changed. I tried moving my .aws folder out of the way and starting from scratch, but that didn't help. When I do that though, I get this error before it prompts me for a usersname. Not sure if it is related or not.
2017-06-20 21:13:16,637 [authenticator authenticator.py:authenticate] [10592-MainProcess] [140651283568384-MainThread] - ERROR: Cannot extract saml assertion. Second factor authentication failed?
Thanks.
Clear IAM role from config
It would be nice to have a CLI option to clear the saved IAM role from the config, so we could swap between roles without having to edit the config file manually. I can send a pull request if you're happy to consider the change.
On login, skipping profile option causes error.
invoking following command results in error.
aws-adfs login --adfs-host=valid.host --no-ssl-verification
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in
load_entry_point('aws-adfs==0.3.2', 'console_scripts', 'aws-adfs')()
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in call
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/aws_adfs/login.py", line 70, in login
s3_signature_version,
File "/usr/local/lib/python2.7/dist-packages/aws_adfs/prepare.py", line 38, in get_prepared_config
_load_adfs_config_from_stored_profile(adfs_config, profile)
File "/usr/local/lib/python2.7/dist-packages/aws_adfs/prepare.py", line 142, in _load_adfs_config_from_stored_profile
load_from_config(adfs_config.aws_config_location, 'profile ' + profile, load_config)
TypeError: cannot concatenate 'str' and 'NoneType' objects
this works fine:
aws-adfs login --adfs-host=valid.host --no-ssl-verification --profile=default
adfs conflicts with default profile
If mfa_serial exist in the default profile then it asks for an mfa_code after role selection [observed with DUO mfa]
If role_arn exist in the default profile then after role selection it tries to authenticate with the role_arn from the existing default profile.
When logging in with aws-adfs and Duo MFA
Hello,
When I login with AWS-ADFS and Duo MFA and the sts session expires it Duo prompts me again. Is there a way to use the ADFS session time and skip the Duo prompt until the ADFS session token expires?
For example, if I logged in and my ADFS session is set for four hours then I shouldn't be prompted to authenticate with Duo again for another four hours even if the AWS session expired.
This change can allow a feature like auto-renew aws cli session (just like the aws cli already does with access keys) for some tasks that could take longer than an hour.
Duo MFA: please add documentation for how to use it.
I would like to use aws-adfs with DUO (MFA), however I could not find any documentation how to use it.
Could you please add some documentation or howto.
ADFS with DUO list account alias instead of account IDs
Currently the list of accounts is given as AWS AccountId. It would be preferable to have them listed as account alias instead.
Current behavior:
[ AccountAdministrator -> 0 ]: arn:aws:iam::################:role/AccountAdministrator
[ DevOps -> 1 ]: arn:aws:iam::################:role/DevOps
[ PowerUser -> 2 ]: arn:aws:iam::################:role/PowerUser
[ ReadOnly -> 3 ]: arn:aws:iam::################:role/ReadOnly
[ AccountAdministrator -> 4 ]: arn:aws:iam::################:role/AccountAdministrator
...
Desired behavior:
[ AccountAdministrator -> 0 ]: my-aws-account-alias AccountAdministrator
[ DevOps -> 1 ]: my-aws-account-alias DevOps
[ PowerUser -> 2 ]: my-aws-account-alias PowerUser
[ ReadOnly -> 3 ]: my-aws-account-alias ReadOnly
[ AccountAdministrator -> 4 ]: yes-another-aws-account-alias AccountAdministrator
...
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4
With default setting by aws-adfs, I can't download files from s3 buckets.
$ aws s3 cp s3://xxx/xxx.yml xxx.yml
download failed: s3://xxx/xxx.yml to xxx.yml An error occurred (InvalidArgument) when calling the GetObject operation: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. You can enable AWS Signature Version 4 by running the command: aws configure set s3.signature_version s3v4
After run aws configure set s3.signature_version s3v4
Below lines are added to ~/.aws/config
s3 =
signature_version = s3v4
So if I aws-adfs reset and aws-adfs login again, I lost the s3 setting in config file.
Request for support for Fortitokken Auth Method
I see you guys have Auth methods for Symantec and DUO, can we get it also for Forti?
When using two roles error: This account does not have access to any roles
As of 0.3.14 it appears that you cannot choose a role if you have more than one assigned.
11:23 AM: MAC: > aws-adfs login
Sending request for authentication
Waiting for additional authentication
Going for aws roles
This account does not have access to any roles
With only one role:
11:14 AM: MAC: > aws-adfs login
Sending request for authentication
Waiting for additional authentication
Going for aws roles
Prepared ADFS configuration as follows:
* AWS CLI profile : 'default'
* AWS region : 'us-east-1'
* Output format : 'json'
* SSL verification of ADFS Server : 'ENABLED'
* Selected role_arn : 'arn:aws:iam::#########:role/ROLE'
* ADFS Server : '#####.com'
* ADFS Session Duration in seconds : '28800'
* Provider ID : 'urn:amazon:webservices'
* S3 Signature Version : 'None'
Version 0.3.3 with roles working:
11:43 AM: MAC: > aws-adfs login --adfs-host ###.com
Sending request for authentication
Waiting for additional authentication
Going for aws roles
Please choose the role you would like to assume:
[ ROLE1 -> 0 ]: arn:aws:iam::#########:role/Role1
[ ROLE2............... -> 1 ]: arn:aws:iam::#########:role/Role2
Version 0.3.9 returns no roles
Hi
ive just installed on a clean debian 9 stretch (vm) install and got the following (some credentials redacted)
$ aws-adfs login --adfs-host myhost.com --profile dev --provider-id urn:amazon:mastersec
2017-08-01 17:17:19,690 [authenticator authenticator.py:authenticate] [16827-MainProcess] [139637160490752-MainThread] - ERROR: Cannot extract saml assertion. Second factor authentication failed?
Username: username
Password:
This account does not have access to any roles
$ aws-adfs --version
0.3.9
$ pip --version
pip 9.0.1 from /usr/lib/python2.7/dist-packages (python 2.7)
$ python --version
Python 2.7.13
So I rolled back with
$ pip install -I aws-adfs==0.3.3
Collecting aws-adfs==0.3.3
...
$ aws-adfs login --adfs-host myhost.com --profile dev --provider-id urn:amazon:mastersec
Please choose the role you would like to assume:
which seemed to fix it. I saw bug #44 I'm guessing its related
thanks
UnicodeEncodeError: 'ascii' codec can't encode character u'\u201c' in position 18498: ordinal not in range(128)
Hello,
I'm getting this issue when I attempt to login.
aws-adfs version: 0.3.0
Mac version: 10.12.4
Python: 2.7.10
2017-03-31 14:20:10,683 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [90962-MainProcess] [140736347890624-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error:
2017-03-31 14:20:10,730 [connectionpool connectionpool.py:_new_conn] [90962-MainProcess] [140736347890624-MainThread] - DEBUG: Starting new HTTPS connection (1): SITE
2017-03-31 14:20:11,114 [connectionpool connectionpool.py:_make_request] [90962-MainProcess] [140736347890624-MainThread] - DEBUG: https://SITE:443 "POST /adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices HTTP/1.1" 200 19245
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in <module>
load_entry_point('aws-adfs==0.3.0', 'console_scripts', 'aws-adfs')()
File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Library/Python/2.7/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/Library/Python/2.7/site-packages/aws_adfs/login.py", line 82, in login
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
File "/Library/Python/2.7/site-packages/aws_adfs/authenticator.py", line 16, in authenticate
password=password,
File "/Library/Python/2.7/site-packages/aws_adfs/html_roles_fetcher.py", line 66, in fetch_html_encoded_roles
'''.format(authentication_url, response.request.headers, response.status_code, response.headers, response.text))
UnicodeEncodeError: 'ascii' codec can't encode character u'\u201c' in position 18498: ordinal not in range(128)
list output is too simple
Currently the list output is too simple, I use it to set a default profile, but sometime I need switch to other account, which it doesn't make sense for me, if always list as default.
can we have output with additional information, such as profile name, aws account alias and adfs_config.role_arn?
--region and --output-format flags don't seem to be working
Hello,
It seems a few flags aren't working.
aws-adfs login --region=us-west-2 --adfs-host=SITE --output-format=text
Sending request for authentication
Waiting for additional authentication
Going for aws roles
Prepared ADFS configuration as follows:
* AWS CLI profile : 'default'
* AWS region : 'eu-central-1'
* Output format : 'json'
* Provider ID : 'urn:amazon:webservices'
* S3 Signature Version : 'None'
Failed with DUO MFA enabled.
AWS CLI access is successful with ADFS but fails after DUO MFA is enabled in ADFS.
Bump to botocore==1.8.2
Looks like awscli and botocore got updated.
Allow selection of a device for second authentication factor in duo security integration when the preferred device setting is missing
This enhancement is because of: #30. Currently duo-security users which didn't setup preferred device cannot login via aws-adfs. As a workaround they need to setup preferred device in duo-security settings.
In case an user doesn't setup the preferred device, aws-adfs presents device list and ask the user to choose the device for second factor authentication.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.