cshamrick/stsauth

Cannot authenticate since version 0.3.5

Musikolo opened this issue · 5 comments

Hi,

I'm having issues authenticating using stsauth since version 0.3.5, which is the most recent version that still works for me. I've tried with versions 0.3.7, 0.3.8 and 0.3.9, and all of them fail to show the account selection.

This is what I get with 0.3.5, which works well:

[musikolo@Thinkpad ~]$ stsauth -v DEBUG authenticate -u musikolo -k "mycompany"
Password: 
debug: Found 'default' section in '/home/musikolo/.aws/credentials'!
debug: Attribute 'region' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'output' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'idpentryurl' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'domain' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'okta_shared_secret' not set, using value from '/home/musikolo/.aws/credentials'
debug: No response provided. Fetching IDP Entry URL...
debug: No SAML assertion found in response. Attempting to log in...
debug: Adding value for 'UserName' to Login Form payload.
debug: Adding value for 'Password' to Login Form payload.
debug: Adding value for 'Kmsi' to Login Form payload.
debug: Adding value for 'AuthMethod' to Login Form payload.
debug: Adding value for 'AuthMethod' to Login Form payload.
debug: Posting login data to URL: https://adfs.mycompany.com:443/signon.aspx?loginToRp=urn:amazon:webservices&client-request-id=26ab7fa8-8ac4-4f67-1905-0080000400dd
debug: No SAML assertion found in response. Attempting to log in...
debug: Found state_token: 
debug: Current Verification Status: success.
debug: Okta portal already authenticated, passing through...
debug: Posting data to url: https://adfs.mycompany.com:443/signon.aspx?loginToRp=urn:amazon:webservices&client-request-id=26ab7fa8-8ac4-4f67-1905-0080000400dd
debug: [('Context', '8zlQPOb0wgZcmKonwtp9o4JyL1lJ1EnqR_oqfXVdAGgAAQAAeN8BhNmuhnl8uPmTWKMjyQp6yjAedXRkm4dyGoxDxxRQOlbASTUJsn13bPNcQF9hmtvtXghhYDSZSBc4SDD71kZKXy9CJoPCzxJQnvAsPC6L1jZjXjz7OIFQk7ZCFZunwCyIj1VUEVaV5LnUW3OfBnyVfe5oJqS-nHHkVPeuXCkfIeDxyluCkFyT_t1yWXj22JQYKO9kYPtlDBOj5h25QTDCTb44A4maEmoLkxULSd1Ce5hcgwQ1qtUTJ2n40eHuNGh_iP-bs6in1yTD8sUSok2lY3jS0RpSldpSsjPX-7udb7F0GC_-aOed_20nAmISfs9HZ_MuVXVOtCICFYeYQuADAAAYnR-gSN3nc-wab5A033f0ZWvqT7dpiu8MqVx-KoBF0hiVFyeey3hwVmNKo47aTcm4JyNn-mmQ9m9KNtnd09NVljPlfo6TeOOyHC6pfrZPc1RGVwIsvxuJ90BzZMIbOuOsBlH1ZUd0EOu437EkSRX6XVg8dJSrnz3KJFIKxF-iYLZXP8nPtCiUSBCDIL0hWeeBSlia1PQ5j3bxaEJ8GtejmhhdjNoYIZXm92JurVMxUxF9lYaJuj4a38M4nkHDqDyYYDT3zujhQJefmrDHVHaNiOKtQhRx_stk3bfloJlIdzPJFRda-AiB3Vo5nsYHHwfSjTxm_-lxi5mW5kz72inL0fSQhnIc-EQGcjeKQ4RKfF03gxa_pP4FYfZ74pS3dclJH_nAF9ZmCyRSqaYsJ8PQ0UAaKMPc05SULemRLN9U7OcfJZpBmDKbkosyfv6c_LU6AKOFs-cojYnoCIz_BQuKDtqtMkRUtrecV0tuCUXRB7N7Zc-1ppkyGsr_zcavLnC6LqWfqsk78OMYEFDknSc-OPGNvI8oebY3yqk07sqU8P6tk6gvZenzQIxJ3Y5_H7i0PKD4xq3izjjqsCcVlZujxo3JcdaDreiLma1PrNx-WgMRy9bokv2cEGm9lMmt6zwxYyQTPeFB9d1uy1RN9ROpSePNxShVqc9xZDZEmADjyV2l3Rw2X3qv7SsGa4yui6KlgooXMS7Yq9Ri8-bcbi6pvlWv_trm-CRm56FfRpK9qRcmzJWLuVNL-FLfXsCkGlmU5LHhT90kqqXmr-na1vl_TH6uxGJSWKgeIlkVzscrD9tRR1c5w7eTT0FHU9c1GDfRe1-lX75HUDVYN_nXegF18z7UdRPymtQKCL_aSCTXjVkEX3H47UUvfNGlZ8ErFdWj_XT0dfCG9MqFSNf58amTtCKJj1IGlAfXr_cbj0g_mNvZ9gotlV0LKNY3vo40EytE6ZniMnfG1ES6bqlzl4IGwZyPVL0yFJV3Qf2CsVzocE-Pj3BNGDMStDVLzQHlMw30bYTMf4knkWyhkASJi9cTg_8fHW98Nl7tCY_rly93ygQg8utXszjDsJ7OORHXlRLsYXip0HwBGrW4J_6THA6dyCWQIa_iEirivzB4PbLa6AY7JVeGL1896_lyUrPlMpAXV4aUTlGL92cegr06iASmkcYgRrisUQ_j2C6xZQQ93_D5I-CFBWUIZeoNcuwoJvDe_x1LKdmzSUfh6gK3-hX7IWpPt1b8i0bnl0PVByVUs5POweiEZZf6V5_9Cpfy5YH7pJrPEf8NHqLSFH55gkFSMtxOAzdJwVcCQKa_dTkr3w.Zq5me9gMlp-vIKDOiDuJgOzJ5oZ-3vvC5qwkCJJ1jeAO1ktMk-0538eDzGlc1BUPqIZ6FN6cu1dAbd5OuAd9AUARQE5alvy5IgujHmMFNwCrJ35zzFjTS8H9izXQ5E3RxQTCoEBQzYNMwxUWX0uF1EC9m17SQUC-C2BFNFZEtr2x6XdMo2zYHdVGGWpUu836ThhE8Ccp5KSTiFvsQKx36wpRnm-jXevw41VrxegBAazSOQDtwUnVBcUd3FVjfbr8Xhvy
XqDYvjOIyw82WvTKF2Zc0jeA25Xa1IVkce46c_KOOgKeqDFUXDWwARqrJewHEtJdlZrJB-pkNkxBQNVPgw'), ('AuthMethod', 'OktaMfaAdfs'), ('ErrorMessage', None)]
Please choose the role you would like to assume:
Account 123456789001:
[0]: PROD-ReadOnly

Account 123456789002:
[1]: DEV-DEVELOPER

Selection:

This is what I get with 0.3.9 (same as with 0.3.7 and 0.3.8), which doesn't work:

[musikolo@Thinkpad ~]$ stsauth -v DEBUG authenticate -u musikolo -k "mycompany"
Password: 
debug: Found 'default' section in '/home/musikolo/.aws/credentials'!
debug: Attribute 'region' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'output' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'idpentryurl' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'domain' not set, using value from '/home/musikolo/.aws/credentials'
debug: Attribute 'okta_shared_secret' not set, using value from '/home/musikolo/.aws/credentials'
debug: No response provided. Fetching IDP Entry URL...
debug: No SAML assertion found in response. Attempting to log in...
debug: Adding value for 'UserName' to Login Form payload.
debug: Adding value for 'Password' to Login Form payload.
debug: Adding value for 'Kmsi' to Login Form payload.
debug: Adding value for 'AuthMethod' to Login Form payload.
debug: Adding value for 'AuthMethod' to Login Form payload.
debug: Posting login data to URL: https://adfs.mycompany.com:443/signon.aspx?loginToRp=urn:amazon:webservices&client-request-id=69c0bbb0-8055-459d-6912-0080000400fb
debug: No SAML assertion found in response. Attempting to log in...
debug: Found state_token: 
debug: Current Verification Status: success.
debug: Okta portal already authenticated, passing through...
debug: Posting data to url: https://adfs.mycompany.com:443/signon.aspx?loginToRp=urn:amazon:webservices&client-request-id=69c0bbb0-8055-459d-6912-0080000400fb
debug: [('Context', '8zlQPOb0wgZcmKonwtp9o4JyL1lJ1EnqR_oqfXVdAGgAAQAAWMEwXXsnWX96Xp6m0VyvudJcRqb3aEk-dwtJ6DFqteIp43h0JG6O9WvoMyk3Pje9ioq2h2w0PGjObXcIeoZ3V7Kg2DnELZ3fi5fGQAC3YVIDp-YxQWjqsJisuYR9VUsqaFQUszxjWVPNdKmJE2Cnn5zvQ22rvvd9q28bs8uoeF0uuQEyiEF5Rupju3g5Goe2o0d7drC0cqMsqTi6Bmrp-TbDSEgB51RZ1i67B34iTuBiNtzj_IGmbgvH70c6I7vUB0E4UusqXxvlJ2_D_waVjqM-vOEDILTspIBZG8HI1mMQRzNORoMQrQhge1oOojhRD1dACf8Jt82mT568e814_OADAADLiWeI9POqAbZiucCrsBojk4fZaEIkoEL4kADxau14FfKQFHayjGGkRmwst3rpk3lPT3nu8X_EbWawJ9szc4gsS8miIjmMAkgReKnc5AockSijkdV3cjr40sN2rQmQ86fpBEVqoEE4S6tNCrE3_5IbX5_Vjsc-97R55PbqEvshLLGAs-JPxtw4qm93exlVPgk2KUeR6M5HMQXdmlBzC3MrXrpcgCBU2k83AXeJFNQ4yzGP1NqzfPE6cdXO308Ion2VzCMjCAG4Cbmq4hBTcUJWyAPMRS7yiOlrMzeH2rAl0LEZyUSc8o7Yqd9qejdP1WtXg4SOei-uhEK1cX-u3aEI4UhKmzwi3yDYW7Qe5OocBQZpLlwnPLYqhzOO3TNqIYnkmlyuWYlzbSuGSeaoKu177Scy6On0fhIE0UXi5YElEA_oIDeWi4l16zmSJnldaXNh3Igw7oTqFHYfpLLkBQHN9gK5Ed-6xUVUiUjmzA3PFgjzUoHoK20mCqELSWVHgdRfLD_LBnY0dFVRAiGtNSQVbg5CVEnS9OvB-Q_zuhYyOAwF1wU6XXSjI1HoDMC8U63rlE2gqTgObR3HqFqBYnLIil49f8c_ybixVkI65lkfKyqcwCENFg0vXS3t65xg7ELZOZS-ySC-NceKcNX4UJr_XawRWpNoXmu_31BMKXpfFhoptqfcdbjAQPvXX931nm12JOC3oMVNkOcv8eiSTLMac7axzVPFEtGPI7jS2cURdcG4BiZpc8pYpTlghpBCuO1L5IlNJTbBwL9dLbdMFnj-ryWYvsUkife6plwZTeanGuHG5nJVqvgKcakXFC3qiM8wOIFLJWJW0roD0R21jB40m54rk9r1kM9hAMZH4B0uYf_O3gK3MOLkO57GQGnjTK4uQAEI2DU-RNwlSTvXAvH4Q4gptz1Ifo5lnLzE_lI_RJF-BuyVos7qhszKTgkZqPAP7aqITuefaozFnZRXjCD9SjQ_P58RGd-JqXEoczvYN5OOC9j1SSMWqL2n6sPrNo_lHyBauhFAn7iCeVWLqn257PRqb5zM7B0lB8KGyl04KmQJHhm19uRf0bP4RJx8HpFwowplDOzG9UiEZn63TJGh0mYI0XKxIE8n4SJkF1irL1MAuhtHjhZnaNscEJHMYAmWWIPtLnRkKEso5JBWnc0GQfrKINuBkEhi2irk3neIiVi4rIz-SQ5mIZZxcpdhCLiCneA9oaFrtXrmy3JpsbUF0zcjQNaeptCTlDmvkW6ie20oQ_a5lSmbdEg7NHkzeLfR3CA8kWZZ6kDJUJFdohpYeDQCiqd87rOFYB_6yeJ3mw.hSlJDWvePIBGVfcueqZcxyHvaDrAhNgW2a8_Yx73Wt3unYzXebkuj2zQishogGDNfWdNCmUZvPvP65OW0Ku4HRPsUBLaEWfswpjoYshTYH1ZwjtAetjDYQrRqKSF8wvS4sUEK4IcrbbQS47C9d4ZQt0Q3Mw6wl02Ld1UrkwTPP3Rb62g3TtLTuFCn5Xeg-HMaa0ozr-O68OiQmyEjEaOLuZAi7ssVAEKbrWW-x0n1yaGtnfau0KU3P3lYVgPbWkwrf7n
vmMV8egmMveWOYuNB_YdotinwPldIOblmi4lo0_e5UCitb0rRYzO1JK5EtYyyWDMKOsWJ-trsspjRRk1_w'), ('AuthMethod', 'OktaMfaAdfs'), ('ErrorMessage', None)]
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 159, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw)
  File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 80, in create_connection
    raise err
  File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 70, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 110] Connection timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 301, in connect
    conn = self._new_conn()
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 168, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f94ff8fbcc0>: Failed to establish a new connection: [Errno 110] Connection timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.7/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='signin.aws.amazon.com', port=443): Max retries exceeded with url: /saml (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f94ff8fbcc0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/stsauth", line 10, in <module>
    sys.exit(cli())
  File "/usr/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/sts_auth/cli.py", line 75, in authenticate
    adfs_response = sts_auth.fetch_aws_account_names(saml_response)
  File "/usr/lib/python3.7/site-packages/sts_auth/stsauth.py", line 289, in fetch_aws_account_names
    adfs_response = self.session.post(hiddenform.attrs.get('action'), data=data, headers=headers)
  File "/usr/lib/python3.7/site-packages/requests/sessions.py", line 581, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='signin.aws.amazon.com', port=443): Max retries exceeded with url: /saml (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f94ff8fbcc0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

I'm using Arch Linux, and I'm not sure if there is a missing requirement or anything wrong on my side. However, it's strange that it still works with 0.3.5 but doesn't with any newer version.

Please, let me know if you need me to do any test or provide additional info.

Thank you!

Do you use a proxy? v0.3.6 added a feature which fetches AWS account aliases from the signin.aws.amazon.com/saml page.

@phillipjf, I've been doing some more tests and I could find the root cause and a way to solve it.

The most recent versions seem to be connecting to signin.aws.amazon.com, while previous versions were not. Since my company's web identity page doesn't work with proxy settings, and connecting to signin.aws.amazon.com requires it, I found myself in a catch-22 situation. The solution I found is exporting the following two variables prior to using stsauth:

  • export https_proxy=https://proxy.mycompany.com
  • export no_proxy=adfs.mycompany.com

After exporting these two variables, version 0.3.9 works as expected.

Although I found a solution to my issue, would it be possible to add a new switch to use the existing behavior on version 0.3.5? Or would it be possible to automatically fallback to the previous behavior if current one fails?

Thank you!

That sounds very normal (using a proxy for external traffic and no_proxy for internal traffic). In fact, that is how we use it. If you use the following, you can pass all "internal" traffic without the proxy:

export no_proxy=localhost,127.0.0.1,.mycompany.com,.othercompanydomain.

I'm also working on a release that will fail gracefully and allow stsauth to continue functioning without fetching AWS Account Aliases.
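To make the two points above concrete (how https_proxy/no_proxy decide which hosts go direct, and what "fail gracefully" around the alias lookup looks like), here is an added example; it is not stsauth's own code. It uses only the standard library, the hostnames and account ids are the constructed sample values from this thread, and `lookup` stands in for whatever function performs the POST to signin.aws.amazon.com/saml.

```python
"""Added example: proxy routing per host plus a graceful alias-lookup fallback.

Stdlib only. environ is a plain dict standing in for os.environ so the
routing decision can be exercised without touching the real environment.
"""
from urllib.request import proxy_bypass_environment


def route_for(host, environ):
    """Return "direct" or the proxy URL the stdlib rules would pick for host.

    urllib keys the no_proxy list under "no" and treats every entry, with or
    without a leading dot, as a domain suffix, so ".mycompany.com" covers
    adfs.mycompany.com while signin.aws.amazon.com still goes via the proxy.
    """
    proxies = {"https": environ.get("https_proxy", ""),
               "no": environ.get("no_proxy", "")}
    if not proxies["https"] or proxy_bypass_environment(host, proxies):
        return "direct"
    return proxies["https"]


def fetch_account_aliases(lookup):
    """Run the alias lookup, but never let a network failure abort the login.

    lookup() returns (account_id, alias) pairs. requests' ConnectionError
    derives from IOError (an alias of OSError), so one OSError handler covers
    the timeout seen in this issue as well as the stdlib failure modes.
    """
    try:
        return dict(lookup())
    except OSError:
        return {}  # no aliases: caller labels accounts by bare id instead


def build_role_menu(roles, aliases):
    """Label each (account_id, role) with its alias when known, else the id."""
    return [f"Account {aliases.get(account_id, account_id)}: {role}"
            for account_id, role in roles]
```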

@Musikolo I have released v0.3.10 with a fix for this issue. #37

@phillipjf, yes, the new version works as expected. When passing the https_proxy and no_proxy environment variables, it resolves smoothly. However, when those aren't available, it falls back to the behavior available on 0.3.5 (avoiding the use of aliases).

Thank you so much for everything!