aws-cli-saml's People

Contributors

browseman, pauldraper, pmarkert, zaro0508

aws-cli-saml's Issues

aws-saml cannot load readline

I get the following error when I run...

Traceback (most recent call last):
  File "/Users/zaro0508/.virtualenvs/test5/bin/aws-saml", line 8, in <module>
    sys.exit(main())
  File "/Users/zaro0508/.virtualenvs/test5/lib/python3.6/site-packages/awscli_saml/main.py", line 32, in main
    import awscli_saml.assume_role as assume_role
  File "/Users/zaro0508/.virtualenvs/test5/lib/python3.6/site-packages/awscli_saml/assume_role.py", line 7, in <module>
    import readline  # needed for terminal raw mode (> 4096 characters)
ImportError: dlopen(/Users/zaro0508/.virtualenvs/test5/lib/python3.6/readline.so, 2): Library not loaded: /usr/local/opt/readline/lib/libreadline.7.dylib
  Referenced from: /Users/zaro0508/.virtualenvs/test5/lib/python3.6/readline.so
  Reason: image not found

My environment:

➜  pip freeze
awscli-saml==1.1.1
boto3==1.13.6
botocore==1.16.6
docutils==0.15.2
jmespath==0.9.5
python-dateutil==2.8.1
s3transfer==0.3.3
six==1.14.0
urllib3==1.25.9

➜ brew info readline
readline: stable 8.0.4 (bottled) [keg-only]
Library for command-line editing
https://tiswww.case.edu/php/chet/readline/rltop.html
/usr/local/Cellar/readline/8.0.1 (48 files, 1.5MB)
  Poured from bottle on 2019-11-13 at 11:18:27
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/readline.rb

I don't have ver 7 on my machine. The latest version of readline is ver 8.0.1 and there doesn't seem to be a brew formula for ver 7 to install. Maybe the dependency needs to be updated? Do you know of a workaround?
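The `# needed for terminal raw mode (> 4096 characters)` comment in the traceback is the real dependency here: in canonical (cooked) mode the kernel tty line discipline buffers a whole line before the process sees it and silently discards anything past its limit (4096 bytes on Linux, smaller on macOS), so a multi-kilobyte base64 SAML assertion pasted into `input()` arrives truncated. readline sidesteps that by switching the terminal to non-canonical mode. The following is an added example, not aws-cli-saml's code, that does the same with `termios` so the import of `readline` (and its libreadline dylib) is no longer needed; it assumes a POSIX terminal, falls back to a plain `readline()` when stdin is a pipe or file, and checks the pasted value for truncation by decoding it and parsing the XML. The 8 KB sample assertion is constructed for the demo.

```python
"""Read a long pasted line without the readline module (added example, POSIX only)."""
import base64
import binascii
import io
import os
import sys
import termios
import xml.etree.ElementTree as ET


def read_long_line(stream=None) -> str:
    """Return one line (without the trailing newline) of arbitrary length."""
    if stream is None:
        stream = sys.stdin
    if not stream.isatty():
        # Pipes and files are not subject to the tty line buffer.
        return stream.readline().rstrip("\r\n")

    fd = stream.fileno()
    saved = termios.tcgetattr(fd)
    raw = termios.tcgetattr(fd)
    raw[3] &= ~termios.ICANON        # lflag: no kernel line buffering; ECHO stays on so the paste is visible
    raw[6][termios.VMIN] = 1         # block until at least one byte is available
    raw[6][termios.VTIME] = 0
    termios.tcsetattr(fd, termios.TCSADRAIN, raw)
    chunks = []
    try:
        while True:
            data = os.read(fd, 4096)
            if not data:             # EOF (Ctrl-D)
                break
            newline = data.find(b"\n")
            if newline != -1:
                chunks.append(data[:newline])
                break
            chunks.append(data)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)   # always restore the terminal
    return b"".join(chunks).decode("utf-8", "replace").rstrip("\r")


def read_saml_assertion(stream=None) -> bytes:
    """Read a pasted base64 SAMLResponse and return the decoded XML; raise if it is garbled or cut short."""
    text = read_long_line(stream).strip()
    try:
        xml = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"assertion is not valid base64 (truncated paste?): {exc}") from None
    try:
        ET.fromstring(xml)           # a truncated paste decodes fine but is not well-formed XML
    except ET.ParseError as exc:
        raise ValueError(f"decoded assertion is not well-formed XML (truncated paste?): {exc}") from None
    return xml


# Constructed sample: an assertion well past the 4096-byte canonical line limit.
SAMPLE_XML = b'<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">' + b"x" * 8000 + b"</Response>"
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def demo():
    """Feed the sample through a pipe-like stream, once whole and once cut at 4096 characters."""
    whole = read_saml_assertion(io.StringIO(SAMPLE_B64 + "\n"))
    try:
        read_saml_assertion(io.StringIO(SAMPLE_B64[:4096] + "\n"))
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {"whole_ok": whole == SAMPLE_XML, "whole_len": len(whole), "truncated_rejected": truncated_rejected}


if __name__ == "__main__":
    print(demo())
```

With ICANON off the kernel no longer interprets backspace or Ctrl-U, which is acceptable for a paste but not for hand-typed input. The XML parse here is only a well-formedness check on data the user pasted themselves; an assertion received from a remote party should go through defusedxml rather than the stdlib parser.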

feature request: set profile region

When running aws-saml users are able to set the profile name with the --profile parameter. It would be great if users are able to set the region as well.

Legacy clients looking for aws_security_token

AWS standardized on the use of aws_session_token for credentials a long time ago, however, some older legacy clients (notably boto) still do not pick up the proper key: boto/boto#2988

As a result, older applications do not work unless the session token value is stored under aws_security_token.

Hardcoded paths for aws config and credentials files

aws-saml does not follow the environment variables that awscli supports (link):

  • AWS_CONFIG_FILE
  • AWS_SHARED_CREDENTIALS_FILE

A simple patch will fix this:

diff --git a/awscli_saml/assume_role.py b/awscli_saml/assume_role.py
index 3d520a8..cb3a47b 100644
--- a/awscli_saml/assume_role.py
+++ b/awscli_saml/assume_role.py
@@ -19,8 +19,8 @@ def run(profile=None, region=None, session_duration=None, idp_arn=None, role_arn
         profile_name if profile_name == "default" else "profile {}".format(profile_name)
     )
 
-    config_path = os.path.expanduser("~/.aws/config")
-    cred_path = os.path.expanduser("~/.aws/credentials")
+    config_path = os.environ.get("AWS_CONFIG_FILE") or os.path.expanduser("~/.aws/config")
+    cred_path = os.environ.get("AWS_SHARED_CREDENTIALS_FILE") or os.path.expanduser("~/.aws/credentials")
 
     config = configparser.RawConfigParser()
     config.read(config_path)
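Review bot: the two new lines apply os.path.expanduser only to the default, not to the environment value, so AWS_CONFIG_FILE=~/work/aws/config (a form the AWS CLI accepts, because botocore runs expandvars and expanduser on these variables) would be read as a literal path here and, since `config.read(config_path)` ignores a missing file, silently yield an empty parser. Expand both branches, e.g. `config_path = os.path.expanduser(os.environ.get("AWS_CONFIG_FILE") or "~/.aws/config")`, and the same for cred_path. The `or` also treats an empty-string variable as unset; that is a reasonable choice but deserves a comment so the next reader does not "fix" it to `if ... is not None`.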
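The three requests above (a region for the profile, the legacy aws_security_token key, and honouring AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE) all touch the same write path, so here is one added example, not aws-cli-saml's own code, that does all three. It resolves the file paths the way the AWS CLI does (environment override, then `~/.aws/...`, with `~` expanded in both cases), stores the session token under both key names, puts an optional region in the matching config section, and creates both files owner-only (0600) before any secret is written; it assumes a POSIX filesystem (os.fchmod). The `demo()` helper, the credential values and the `central-admin` profile name are constructed for the demo.

```python
"""Write a temporary-credential profile to the AWS shared files (added example)."""
import configparser
import os
import tempfile
from pathlib import Path

DEFAULT_CONFIG_FILE = "~/.aws/config"
DEFAULT_CREDENTIALS_FILE = "~/.aws/credentials"


def aws_file_paths():
    """Resolve the two files with the same overrides the AWS CLI reads; '~' is expanded either way."""
    config = os.environ.get("AWS_CONFIG_FILE") or DEFAULT_CONFIG_FILE
    creds = os.environ.get("AWS_SHARED_CREDENTIALS_FILE") or DEFAULT_CREDENTIALS_FILE
    return Path(os.path.expanduser(config)), Path(os.path.expanduser(creds))


def config_section(profile):
    """The config file prefixes every profile except 'default' with 'profile '; the credentials file does not."""
    return "default" if profile == "default" else f"profile {profile}"


def _write_private(path, parser):
    """Serialise an ini file that no other local user can read."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # the mode argument only applies on creation; an existing file may be wider
    with os.fdopen(fd, "w") as fh:
        parser.write(fh)


def save_profile(profile, access_key_id, secret_access_key, session_token, region=None):
    """Store a credential set under `profile`; returns the two paths that were written (config may be untouched)."""
    config_path, cred_path = aws_file_paths()

    creds = configparser.RawConfigParser()
    creds.read(cred_path)  # a missing file is not an error: read() just returns []
    if not creds.has_section(profile):
        creds.add_section(profile)
    creds.set(profile, "aws_access_key_id", access_key_id)
    creds.set(profile, "aws_secret_access_key", secret_access_key)
    creds.set(profile, "aws_session_token", session_token)
    creds.set(profile, "aws_security_token", session_token)  # same value; the key old boto looks for
    _write_private(cred_path, creds)

    if region:
        section = config_section(profile)
        config = configparser.RawConfigParser()
        config.read(config_path)
        if not config.has_section(section):
            config.add_section(section)
        config.set(section, "region", region)
        _write_private(config_path, config)
    return cred_path, config_path


def demo():
    """Run save_profile against files in a temporary directory selected through the environment variables."""
    tmp = Path(tempfile.mkdtemp())
    saved = {k: os.environ.get(k) for k in ("AWS_CONFIG_FILE", "AWS_SHARED_CREDENTIALS_FILE")}
    os.environ["AWS_CONFIG_FILE"] = str(tmp / "config")
    os.environ["AWS_SHARED_CREDENTIALS_FILE"] = str(tmp / "credentials")
    try:
        # Placeholder values, constructed for the demo; not real credentials.
        cred_path, config_path = save_profile(
            "central-admin", "ASIAEXAMPLEKEYID", "example-secret", "example-session-token", region="us-east-1"
        )
        creds = configparser.RawConfigParser()
        creds.read(cred_path)
        config = configparser.RawConfigParser()
        config.read(config_path)
        return {
            "credentials_file": str(cred_path),
            "mode": oct(cred_path.stat().st_mode & 0o777),
            "aws_session_token": creds.get("central-admin", "aws_session_token"),
            "aws_security_token": creds.get("central-admin", "aws_security_token"),
            "region": config.get("profile central-admin", "region"),
        }
    finally:
        for key, value in saved.items():  # restore the caller's environment
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value


if __name__ == "__main__":
    print(demo())
```

Rewriting the whole file through configparser drops comments and reorders nothing else, which is what the AWS CLI's own `aws configure` does too; the fchmod before the write matters because a credentials file that was created 0644 by some earlier tool would otherwise expose the new session token for the duration of the write.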

aws-saml fails when missing SESSION_DURATION

The --session-duration parameter should be an optional argument however aws-saml fails when it's not set.

➜ python -V
Python 3.7.7

➜ pip freeze
awscli-saml==2.0.0
boto3==1.13.16
botocore==1.16.16
docutils==0.15.2
jmespath==0.10.0
python-dateutil==2.8.1
s3transfer==0.3.3
six==1.15.0
urllib3==1.25.9

➜ aws-saml --profile central-admin  \
         --idp-arn arn:aws:iam::111111111111:saml-provider/central-admin \
         --role-arn arn:aws:iam::111111111111:role/central-admin
Traceback (most recent call last):
  File "/Users/zaro0508/.virtualenvs/py37-test2/bin/aws-saml", line 8, in <module>
    sys.exit(main())
  File "/Users/zaro0508/.virtualenvs/py37-test2/lib/python3.7/site-packages/awscli_saml/main.py", line 44, in main
    saml=args.saml,
  File "/Users/zaro0508/.virtualenvs/py37-test2/lib/python3.7/site-packages/awscli_saml/assume_role.py", line 28, in run
    section_name, "saml.session_duration"
  File "/usr/local/var/pyenv/versions/3.7.7/lib/python3.7/configparser.py", line 818, in getint
    fallback=fallback, **kwargs)
  File "/usr/local/var/pyenv/versions/3.7.7/lib/python3.7/configparser.py", line 808, in _get_conv
    **kwargs)
  File "/usr/local/var/pyenv/versions/3.7.7/lib/python3.7/configparser.py", line 802, in _get
    return conv(self.get(section, option, **kwargs))
  File "/usr/local/var/pyenv/versions/3.7.7/lib/python3.7/configparser.py", line 780, in get
    d = self._unify_values(section, vars)
  File "/usr/local/var/pyenv/versions/3.7.7/lib/python3.7/configparser.py", line 1146, in _unify_values
    raise NoSectionError(section) from None
configparser.NoSectionError: No section: 'profile central-admin'

fails if no credentials file

I have no AWS credentials file:

  File "/usr/local/bin/aws-saml", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/awscli_saml/main.py", line 39, in main
    saml=args.saml,
  File "/usr/local/lib/python3.7/site-packages/awscli_saml/assume_role.py", line 28, in run
    section_name, "saml.session_duration"
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/configparser.py", line 818, in getint
    fallback=fallback, **kwargs)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/configparser.py", line 808, in _get_conv
    **kwargs)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/configparser.py", line 802, in _get
    return conv(self.get(section, option, **kwargs))
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/configparser.py", line 780, in get
    d = self._unify_values(section, vars)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/configparser.py", line 1146, in _unify_values
    raise NoSectionError(section) from None
configparser.NoSectionError: No section: 'profile pinpt'
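Both tracebacks (the missing --session-duration report and the missing-credentials-file report) end in the same place: `configparser.getint(section, option)` called without a fallback. `fallback=` is what turns both NoSectionError and NoOptionError into a default, and `config.read()` of a file that does not exist silently yields an empty parser, so "no file" and "profile not in the file" are one failure. The following is an added example, not aws-cli-saml's code, that shows the failing lookup beside a version with the precedence a practitioner would expect (CLI flag, then the profile's saml.session_duration, then a default) and range-checks the result against STS's DurationSeconds limits for AssumeRoleWithSAML (900 s minimum, 43200 s maximum, 3600 s when omitted). The config text and profile names are constructed for the demo.

```python
"""Resolve saml.session_duration without crashing on a missing section or file (added example)."""
import configparser

STS_MIN_SECONDS = 900
STS_MAX_SECONDS = 43200      # 12 h, the largest MaxSessionDuration a role can grant
STS_DEFAULT_SECONDS = 3600   # what STS uses when DurationSeconds is omitted


def config_section(profile):
    """The config file prefixes every profile except 'default' with 'profile '."""
    return "default" if profile == "default" else f"profile {profile}"


def load_config(text):
    """Parse config text; an empty string stands in for a file that does not exist."""
    config = configparser.RawConfigParser()
    config.read_string(text)
    return config


def session_duration_strict(config, profile):
    """The failing lookup from the tracebacks: no fallback, so a missing section or option raises."""
    return config.getint(config_section(profile), "saml.session_duration")


def lookup_raises(config, profile):
    """True when the strict lookup blows up for this profile."""
    try:
        session_duration_strict(config, profile)
        return False
    except (configparser.NoSectionError, configparser.NoOptionError):
        return True


def resolve_session_duration(config, profile, cli_value=None):
    """Precedence: --session-duration, then the profile's saml.session_duration, then the STS default."""
    if cli_value is not None:
        duration = int(cli_value)
    else:
        # fallback= covers both NoSectionError and NoOptionError, so an absent file is fine too.
        duration = config.getint(
            config_section(profile), "saml.session_duration", fallback=STS_DEFAULT_SECONDS
        )
    if not STS_MIN_SECONDS <= duration <= STS_MAX_SECONDS:
        raise ValueError(
            f"session duration {duration}s is outside the STS range {STS_MIN_SECONDS}-{STS_MAX_SECONDS}"
        )
    return duration


# Constructed sample: one profile with the option, one without, plus an "empty file".
SAMPLE_CONFIG = """\
[profile central-admin]
region = us-east-1
saml.session_duration = 7200

[profile pinpt]
region = us-west-2
"""
EMPTY_CONFIG = ""


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for profile in ("central-admin", "pinpt"):
        print(profile, lookup_raises(cfg, profile), resolve_session_duration(cfg, profile))
    print("no file", lookup_raises(load_config(EMPTY_CONFIG), "central-admin"),
          resolve_session_duration(load_config(EMPTY_CONFIG), "central-admin"))
```

Validating the range locally is a convenience, not a control: STS enforces the role's MaxSessionDuration on its side and will reject a larger request with a ValidationError regardless of what the client accepts.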

aws-saml asks for MFA token from invalid resource

I have AWS set up with JumpCloud IDP. I've verified that aws-saml works with our IDP users that do NOT have MFA enabled however it does not seem to work for users that do have MFA enabled. When used with temporary credentials from aws-saml the aws command will request the MFA token from a user in AWS (i.e. Enter MFA code for arn:aws:iam:::11111111111::mfa/[email protected]). This doesn't make sense because we have no users in AWS, all the users are in our IDP. The alternative sts assume-role-with-saml does work without problems. I'm wondering if this is a bug or if I'm missing something?

steps to repro:

use aws-saml to get temp creds:

➜ aws-saml --profile itsandbox-aws-saml --idp-arn arn:aws:iam::1111111111111:saml-provider/itsandbox-admin --role-arn arn:aws:iam::1111111111111:role/itsandbox-admin --saml PD94bWwgdmVyc2lvbj0iMS4wI...
Credentials saved for itsandbox-aws-saml. Expire 2020-05-10 00:26:40+00:00.

➜ cat ~/.aws/credentials
[itsandbox-aws-saml]
aws_access_key_id = ASIA5WNRLVXSN6IFEP4D
aws_secret_access_key = ZOsDzITtSkAqYzHmAAj/bDrx3mU2WS7OPP9m9KJ5
aws_session_token = FwoGZXIvYXdzEMr//////////wEaDMoZmni4c6sRkTQ2VCLWAVYwf4RePfVmAaHXhxHC98R1vPE6vValbVHmL6GXiMCTfd7hBYplrmUf4o/BZeMbL1FoV06NB3+IrB11G5+HYDZFEmBlwgFcI+Ukw27E4hij1x2sXKCWrryPWcUR7AHkrjRXf6H4J7i3XPazwLd9wyiBtnJH4etR7a5KUl6kF/l8Gf8Jf5By0RR6llZKh4Rn/a1o4SsOD9pshfkU7B74IgkDHfifUMEgXR+ZJedHWF1Jntv5/eY9EDhP1rgUyZf1IP4mz0kfQ/LzLtE5tWhoxELvg53y9kMowLPb9QUyMzPGL9mOW8GL3eE1/ND7F84gL+He1NiYB70HSwpkUWsrUkJjxokoc//Dj5RJ66hWfrPqzw==

run AWS CLI:

aws --profile itsandbox-aws-saml s3api list-buckets|grep sceptre-integration-tests-templates
Enter MFA code for arn:aws:iam:::1111111111111::mfa/[email protected]:

The reference arn:aws:iam:::1111111111111::mfa/[email protected] is not valid because that account doesn't exist in AWS. There are no user accounts in AWS at all, users are all in our IDP.

Note: I've verified that the MFA use case works when I use aws sts assume-role-with-saml to get the temporary credentials.

use assume-role-with-saml to get temp creds:

➜ aws sts assume-role-with-saml --role-arn arn:aws:iam::1111111111111:role/itsandbox-admin --principal-arn arn:aws:iam::1111111111111:saml-provider/itsandbox-admin --saml-assertion file://saml_assertion.txt

I take the credentials from the response and save them to ~/.aws/credentials file

➜ cat ~/.aws/credentials
[itsandbox-sts]
aws_access_key_id = ASIA3WNBLVXSAKH42WGW
aws_secret_access_key = vsM+cipnSbiEpwdW52J1uBZo/eWLvaIEH6Z8gMBx
aws_session_token = FwoGZXIvYXdzEMr//////////wEaDIM52A9si1/niysUWSLVAW2meXnZnLo5TQQETQjzlCSze+uNp319ufz9vDEiByZjEM4yOvq/VGJVsBtQ+SseYGviM6Zct9Pukl2nVAtgwmThYCMv3ohqcLXF+NXyaXJTuS73QV5uJMFX6iZRJaf1ueVcsiIM7vTW/QgM7XnX7nxyWSkuNh/GJTeoukkQNEuPPhHvL1d1Zx7H5TM838egFqOtkZgdnUE0xpKodLQNI+QfU4G0E51vk3rJwMOupxEAhjGyRCh3U5TUgHYNzdYYdxG3qj/aNtz0epuj8ci6+T45qBEjCiiHr9v1BTIzxNWJ5149xlhI+mx5ihNFDekXbhDR56D4x/hFLDKPpyvcVyKse8WXQ1vZ3F03HvDsfRIz

run AWS command and it works:

➜ aws --profile itsandbox-sts s3api list-buckets|grep sceptre-integration-tests-templates
{
    "Buckets": [
        {
            "Name": "sceptre-integration-tests-templates-804034162148",
            "CreationDate": "2019-09-24T17:26:54.000Z"
        }
    ],
    "Owner": {
        "DisplayName": "aws.itsandbox",
        "ID": "cfa0d09d7cf9a5efa7a29793ac469c5c648ea008ee0062fc15d4759e0c7d88b2"
    }
}
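The prompt text in the report above, `Enter MFA code for <serial>:`, is what botocore's assume-role credential provider prints, and the serial is copied verbatim from the profile's mfa_serial setting without validation. That provider runs ahead of the shared-credentials-file provider in the CLI's chain, so a profile whose config section carries role_arn is resolved by calling STS AssumeRole (with source_profile or credential_source, and an MFA prompt if mfa_serial is set) even when the credentials file already holds a session token under the same name. The following is an added example, not aws-cli-saml's code, that parses the two files and reports which provider the CLI will pick for a profile and where any MFA prompt comes from. The sample files are constructed to reproduce the symptom; the reporter's actual config is not shown on the page, and the mfa_serial value and credential values are placeholders.

```python
"""Explain which credential provider the AWS CLI will use for a profile (added example)."""
import configparser

# Settings that route a profile through the assume-role provider (role_arn is the trigger).
ROLE_CHAIN_KEYS = ("role_arn", "source_profile", "credential_source", "mfa_serial", "external_id")


def config_section(profile):
    """The config file prefixes every profile except 'default' with 'profile '; the credentials file does not."""
    return "default" if profile == "default" else f"profile {profile}"


def load_ini(text):
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def explain_profile(config_text, credentials_text, profile):
    """Mirror the merge the CLI performs: config section plus credentials section for the same profile."""
    config, creds = load_ini(config_text), load_ini(credentials_text)
    section = config_section(profile)
    chain = {}
    for parser, name in ((config, section), (creds, profile)):
        if parser.has_section(name):
            for key in ROLE_CHAIN_KEYS:
                if parser.has_option(name, key):
                    chain.setdefault(key, parser.get(name, key))
    static = creds.has_section(profile) and all(
        creds.has_option(profile, k) for k in ("aws_access_key_id", "aws_secret_access_key")
    )
    has_token = static and creds.has_option(profile, "aws_session_token")

    if "role_arn" in chain:
        provider = "assume-role"
        prompt = f"Enter MFA code for {chain['mfa_serial']}: " if "mfa_serial" in chain else None
    elif static:
        provider = "shared-credentials-file"
        prompt = None
    else:
        provider = None
        prompt = None
    return {
        "profile": profile,
        "config_section": section,
        "provider": provider,
        "static_session_credentials": has_token,
        "role_chain": chain,
        "mfa_prompt": prompt,
    }


# Constructed sample files. The mfa_serial copies the shape of the ARN in the report so the
# same prompt appears; the e-mail is a placeholder.
SAMPLE_CONFIG = """\
[profile itsandbox-aws-saml]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/itsandbox-admin
source_profile = itsandbox-aws-saml
mfa_serial = arn:aws:iam:::1111111111111::mfa/user@example.com

[profile itsandbox-sts]
region = us-east-1
"""
SAMPLE_CREDENTIALS = """\
[itsandbox-aws-saml]
aws_access_key_id = ASIAEXAMPLE1
aws_secret_access_key = example-secret-1
aws_session_token = example-session-token-1

[itsandbox-sts]
aws_access_key_id = ASIAEXAMPLE2
aws_secret_access_key = example-secret-2
aws_session_token = example-session-token-2
"""


if __name__ == "__main__":
    for name in ("itsandbox-aws-saml", "itsandbox-sts"):
        print(explain_profile(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, name))
```

When the report shows static session credentials being ignored, the thing to inspect is the `[profile <name>]` section of the config file for role_arn / mfa_serial left over from an earlier setup; with those removed, the CLI falls through to the credentials file and uses the session token directly, which is the path the working `itsandbox-sts` profile takes.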
