I frequently find myself managing multiple AWS accounts or a whole organization and need to query easily via scripts across 5/10/20 accounts.

It would be hugely useful to not have make multiple cli commands to aws_okta_keyman to login to each account and rather have the ability to login and generate a secret/access/token combo for every account that OKTA allows me to. Any scripts could then leverage a profile for each account to create boto sessions, as an example.

There isn't really an alternative outside of multiple cli commands, which can be tedious. I will likely fork so I can rapidly build this out (and b/c this would probably break some existing functionality / need a larger rewrite), but wanted to drop this issue in here to see your thoughts / if others have this problem.

Hello and thank you for this project.

I think I might have an issue with my configuration, but I'm not sure where at.

Configuration:
Linux desktop
AWS with Okta and Duo MFA.

It appears that my username and password is working (output modified), but the duo portion isn't being called. The command isn't launching the browser window.

$ cat /home/username/.config/aws_okta_keyman.yml
accounts:

• appid: abcdefghijklmnopqrst/012
  name: account
  org: example
  reup: 0
  username: username

$ aws_okta_keyman -a abcdefghijklmnopqrst/012 -o example -u username -c /home/username/.config/aws_okta_keyman.yml
14:08:42 (INFO) AWS Okta Keyman v0.4.0
Password:
14:08:55 (INFO) Successfully authed User Name
14:08:55 (INFO) Getting SAML Assertion from example
14:08:55 (ERROR) Could not find any Role in the SAML assertion
14:08:55 (ERROR) {'assertion': b''}
14:08:55 (ERROR) AWS SAML response invalid. Retrying...
14:08:56 (INFO) Getting SAML Assertion from example
14:08:56 (ERROR) Could not find any Role in the SAML assertion
14:08:56 (ERROR) {'assertion': b''}
14:08:56 (ERROR) AWS SAML response invalid. Retrying...
14:08:57 (INFO) Getting SAML Assertion from example
14:08:57 (ERROR) Could not find any Role in the SAML assertion
14:08:57 (ERROR) {'assertion': b''}
14:08:57 (ERROR) AWS SAML response invalid. Retrying...
14:08:58 (CRITICAL) SAML failure. Please reauthenticate.

If you can assist that would be great. Thank you for any input.

Joe

It would be handy to use the "friendly name" instead of the app-id for logging in. Right now I have to do

aws_okta_keyman --appid xxxxxxxxxxxx/yyy

where it would be much nicer to be able to do

aws_okta_keyman --friendlyname staging-env

Describe the bug
When using aws_okta_keyman and Okta SMS as the MFA, we get:
Unhandled exception: 429 Client Error: Too Many Requests for url: https://XXXXX.okta.com/api/v1/authn/factors/smscXXXX/verify

To Reproduce
Steps to reproduce the behavior:

1. run aws_okta_keyman -n PROFILENAME while Okta is configured to use SMS for MFA
2. enter password
3. enter first MFA
4. upon getting application level MFA the error comes up.

Expected behavior
aws_okta_keyman should get the credentials and write them to the credentials file

ERROR Output
14:03:06 (INFO) AWS Okta Keyman 🔐 v0.8.4
14:03:06 (INFO) Using account: aws /123/456
Password:
14:03:17 (WARNING) Okta SMS being requested...
14:03:17 (WARNING) MFA Requirement Detected - Enter your SMS (+1 XXX-XXX-9413) code here
MFA Passcode: 929468
14:03:32 (INFO) Successfully authed John Smith
14:03:32 (INFO) Getting SAML Assertion from xxxxxxx
14:03:32 (WARNING) Application-level MFA present; re-authenticating Okta
14:03:33 (WARNING) Okta SMS being requested...
14:03:33 (CRITICAL) 😬 Unhandled exception: 429 Client Error: Too Many Requests for url: https://XXXXX.okta.com/api/v1/authn/factors/smscXXXX/verify

Host (please complete the following information):

• OS: Windows 10
• Version
• Python version 3.7

Additional context
Is it possible for us to only have a single MFA challenge, instead of two?

Is your feature request related to a problem? Please describe.
I would like to streamline use such that a default role could be set and avoid the role selection menu.

Describe the solution you'd like
Allow --role input parameter. Perhaps since there can be multiple accounts, input could be [Account ID]:[Role Name]. In addition, allow setting this in the configuration. If the arg / config is set, the role will be automatically selected without prompting to select a role.

Describe alternatives you've considered
None

Additional context
None

Describe the bug
Installation via Homebrew doesn't work.

==> Installing aws_okta_keyman from nathan-v/aws-okta-keyman
==> python3.8 -m venv --system-site-packages --without-pip /opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
==> python3.8 -m pip --python=/opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python install /private/tmp/aws_okta_key
Last 15 lines from /Users/alexis/Library/Logs/Homebrew/aws_okta_keyman/14.python3.8:
  × Getting requirements to build wheel did not run successfully.
  │ exit code: 1
  ╰─> See above for output.
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
  full command: /opt/homebrew/Cellar/aws_okta_keyman/0.9.0/libexec/bin/python /opt/homebrew/lib/python3.8/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py get_requires_for_build_wheel /private/tmp/tmpmcsxxddr
  cwd: /private/tmp/aws_okta_keyman--PyYAML-20240613-36917-na2xhm/PyYAML-6.0
  Getting requirements to build wheel: finished with status 'error'
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.

If reporting this issue please do so at (not Homebrew/brew or Homebrew/homebrew-core):
  https://github.com/nathan-v/homebrew-aws-okta-keyman/issues

To Reproduce
Steps to reproduce the behavior:

1. brew tap nathan-v/aws-okta-keyman
2. brew install aws_okta_keyman

Host:

• OS: macOS
• Version 14.5 Sonoma
• Python version 3.12.3

Describe the bug
Hey @nathan-v, I was looking today into your tool but I'm hitting another issue right now that is related to:

11:25:18 (DEBUG) https://myorganisation.okta.com:443 "GET /app/amazon_aws_sso/application-id/sso/saml HTTP/1.1" 200 None
11:25:18 (INFO) Starting AWS session for us-east-1
11:25:18 (CRITICAL) 😬 Unhandled exception: list index out of range
11:25:18 (DEBUG) Traceback (most recent call last):
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/keyman.py", line 87, in main
    result = self.aws_auth_loop()
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/keyman.py", line 504, in aws_auth_loop
    session = self.start_session()
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/keyman.py", line 474, in start_session
    session = aws.Session(
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/aws.py", line 155, in __init__
    self.available_roles()
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/aws.py", line 191, in available_roles
    for role in self.assertion.roles():
  File "/Users/username/opt/anaconda3/lib/python3.8/site-packages/aws_okta_keyman-0.9.0-py3.8.egg/aws_okta_keyman/aws_saml.py", line 54, in roles
    for x in roles_values[0]
IndexError: list index out of range

Noticed I had to rebuild the package since the AWS SSO integration in Okta has a different name (maybe Okta changed this without telling anyone)

diff --git a/aws_okta_keyman/okta_saml.py b/aws_okta_keyman/okta_saml.py
index b117ab7..7abfc48 100644
--- a/aws_okta_keyman/okta_saml.py
+++ b/aws_okta_keyman/okta_saml.py
@@ -89,7 +89,7 @@ class OktaSaml(okta.Okta):

         Returns: String SAML response
         """
-        path = "{url}/home/amazon_aws/{appid}".format(
+        path = "{url}/home/amazon_aws_sso/{appid}".format(
             url=self.base_url,
             appid=appid,
         )

I'm happy to provide and help to troubleshoot the issue!

To Reproduce
Steps to reproduce the behavior:

1. Download the package
2. Ran the configuration and validate my Okta credentials
3. Error displayed after authenticating (twice)

Expected behavior
Not to crash

Host (please complete the following information):

• OS: MacOs
• Version 0.9.0
• Python version 3.8.8

Describe the bug
After configure the aws_okta_keyman on Windows and execute the command: ./aws_okta_keyman.exe
I only see 2 lines in the command prompt:

13:49:26 (INFO) AWS Okta Keyman \U0001f510 v0.9.0
13:49:26 (INFO) Using account: FET / aaaaik3onbui9H4yzzzz/272

To Reproduce
Steps to reproduce the behavior:

1. After install and configure aws_okta_keyman, execute on Windows through Git Bash the command: ./aws_okta_keyman.exe
2. ...
3. ...
4. ...

Expected behavior
Roles will be found, temporary credential should be created

Prompt
AL123000@ABC-CCE-CLD-107 MINGW64 ~/AppData/Roaming/Python/Python39/Scripts
$ ./aws_okta_keyman.exe
13:49:26 (INFO) AWS Okta Keyman \U0001f510 v0.9.0
13:49:26 (INFO) Using account: FET / aaaaik3onbui9H4yzzzz/272

Host (please complete the following information):

• OS: Windows 10 enterprise

• Python version [e.g. 3.5.0]
  Python 3.9.10 (tags/v3.9.10:f2f3f53, Jan 17 2022, 15:14:21) [MSC v.1929 64 bit (AMD64)] on win32

C:\WINDOWS\system32>pip list
Package Version

aws-okta-keyman 0.9.0
beautifulsoup4 4.12.2
boto3 1.28.78
botocore 1.31.78
certifi 2023.7.22
charset-normalizer 3.3.2
colorama 0.4.6
colorlog 6.7.0
configparser 6.0.0
idna 3.4
importlib-metadata 6.8.0
jaraco.classes 3.3.0
jmespath 1.0.1
keyring 24.2.0
more-itertools 10.1.0
pip 22.0.4
python-dateutil 2.8.2
pywin32-ctypes 0.2.2
PyYAML 6.0.1
requests 2.31.0
s3transfer 0.7.0
setuptools 58.1.0
six 1.16.0
soupsieve 2.5
urllib3 1.26.18
zipp 3.17.0

Describe the bug
When I run aws_okta_keyman on my mac, I see the following error

09:25:30 (INFO) AWS Okta Keyman 🔐 v0.8.1
Traceback (most recent call last):
File "/Users/$HOME.upadhyay/.pyenv/versions/3.7.3/bin/aws_okta_keyman", line 8, in
sys.exit(entry_point())
File "/Users/$HOME.upadhyay/.pyenv/versions/3.7.3/lib/python3.7/site-packages/aws_okta_keyman/main.py", line 28, in entry_point
keyman = Keyman(sys.argv)
File "/Users/$HOME.upadhyay/.pyenv/versions/3.7.3/lib/python3.7/site-packages/aws_okta_keyman/keyman.py", line 57, in init
self.config.get_config()
File "/Users/$HOME.upadhyay/.pyenv/versions/3.7.3/lib/python3.7/site-packages/aws_okta_keyman/config.py", line 119, in get_config
self.parse_config(config_file)
File "/Users/$HOME.upadhyay/.pyenv/versions/3.7.3/lib/python3.7/site-packages/aws_okta_keyman/config.py", line 321, in parse_config
if not getattr(self, key): # Only overwrite None not args
AttributeError: 'Config' object has no attribute 'rolealiases'

I am able to run aws_okta_keyman config and it generates the YAML... something like this:
`
accounts:

• appid: myAppId/123
  name: dev
  console: null
  duo_factor: null
  duration: null
  org: offerup
  password_cache: null
  region: null
  reup: null
  rolealiases:
• alias: prod
  role: 1231424:role/some_name_prod
• alias: dev
  role: 343131:role/some_name_dev
  screen: null
  username: [email protected]
  `

To Reproduce
Steps to reproduce the behavior:
Install v0.8.1 of aws-okta-keyman. Thats the latest at the time of opening this bug. I used the following command
pip3 install --force aws_okta_keyman. I also tried uninstalling and then reinstalling. I get the same error upon running.

Expected behavior
aws_okta_keyman -r must work, asking for credentials etc.
Looks like some dependency is not compatible.

Host (please complete the following information):

• OS: macOS Catalina 10.15.5
• Python version 2.7.18 and also tried with 3.7.3 and 3.7.7

Additional context
Installation log:
pip3 install --force aws_okta_keyman
Collecting aws_okta_keyman
Using cached aws_okta_keyman-0.8.1.tar.gz (60 kB)
Collecting beautifulsoup4>=4.4.0
Using cached beautifulsoup4-4.9.1-py3-none-any.whl (115 kB)
Collecting colorlog>=4.0.0
Using cached colorlog-4.1.0-py2.py3-none-any.whl (14 kB)
Collecting requests>=2.10.0
Using cached requests-2.24.0-py2.py3-none-any.whl (61 kB)
Collecting boto3>=1.4.0
Using cached boto3-1.14.20-py2.py3-none-any.whl (128 kB)
Collecting future>=0.16.0
Using cached future-0.18.2.tar.gz (829 kB)
Collecting configparser>=3.5.0
Using cached configparser-5.0.0-py3-none-any.whl (22 kB)
Collecting PyYAML>=5.0
Using cached PyYAML-5.3.1.tar.gz (269 kB)
Collecting keyring>=18.0.0
Using cached keyring-21.2.1-py3-none-any.whl (31 kB)
Collecting soupsieve>1.2
Using cached soupsieve-2.0.1-py3-none-any.whl (32 kB)
Collecting certifi>=2017.4.17
Using cached certifi-2020.6.20-py2.py3-none-any.whl (156 kB)
Collecting chardet<4,>=3.0.2
Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1
Using cached urllib3-1.25.9-py2.py3-none-any.whl (126 kB)
Collecting idna<3,>=2.5
Using cached idna-2.10-py2.py3-none-any.whl (58 kB)
Collecting jmespath<1.0.0,>=0.7.1
Using cached jmespath-0.10.0-py2.py3-none-any.whl (24 kB)
Collecting s3transfer<0.4.0,>=0.3.0
Using cached s3transfer-0.3.3-py2.py3-none-any.whl (69 kB)
Collecting botocore<1.18.0,>=1.17.20
Using cached botocore-1.17.20-py2.py3-none-any.whl (6.3 MB)
Collecting importlib-metadata; python_version < "3.8"
Using cached importlib_metadata-1.7.0-py2.py3-none-any.whl (31 kB)
Collecting python-dateutil<3.0.0,>=2.1
Using cached python_dateutil-2.8.1-py2.py3-none-any.whl (227 kB)
Collecting docutils<0.16,>=0.10
Using cached docutils-0.15.2-py3-none-any.whl (547 kB)
Collecting zipp>=0.5
Using cached zipp-3.1.0-py3-none-any.whl (4.9 kB)
Collecting six>=1.5
Using cached six-1.15.0-py2.py3-none-any.whl (10 kB)
Building wheels for collected packages: aws-okta-keyman, future, PyYAML
Building wheel for aws-okta-keyman (setup.py) ... done
Created wheel for aws-okta-keyman: filename=aws_okta_keyman-0.8.1-py3-none-any.whl size=63577 sha256=e583c1c80b4802e05f33369960b27416235ce7e581b781dd28705264b615ccff
Stored in directory: $HOME/Library/Caches/pip/wheels/55/ed/82/8e0b051ccc0c65f00dc57a95f198b70d73057dd70fb55fba53
Building wheel for future (setup.py) ... done
Created wheel for future: filename=future-0.18.2-py3-none-any.whl size=491058 sha256=d8bbcda52cb09c9540d838981fce7b953a22c3d1fd3d416aff7f29ade8a82573
Stored in directory: $HOME/Library/Caches/pip/wheels/56/b0/fe/4410d17b32f1f0c3cf54cdfb2bc04d7b4b8f4ae377e2229ba0
Building wheel for PyYAML (setup.py) ... done
Created wheel for PyYAML: filename=PyYAML-5.3.1-cp37-cp37m-macosx_10_15_x86_64.whl size=44627 sha256=6dd671b07d4ef1e3611e82fe0af7b9655ba482a15a9ef767d65fd91729769d70
Stored in directory: $HOME/Library/Caches/pip/wheels/5e/03/1e/e1e954795d6f35dfc7b637fe2277bff021303bd9570ecea653
Successfully built aws-okta-keyman future PyYAML
Installing collected packages: soupsieve, beautifulsoup4, colorlog, certifi, chardet, urllib3, idna, requests, jmespath, six, python-dateutil, docutils, botocore, s3transfer, boto3, future, configparser, PyYAML, zipp, importlib-metadata, keyring, aws-okta-keyman
Attempting uninstall: soupsieve
Found existing installation: soupsieve 2.0.1
Uninstalling soupsieve-2.0.1:
Successfully uninstalled soupsieve-2.0.1
Attempting uninstall: beautifulsoup4
Found existing installation: beautifulsoup4 4.9.1
Uninstalling beautifulsoup4-4.9.1:
Successfully uninstalled beautifulsoup4-4.9.1
Attempting uninstall: colorlog
Found existing installation: colorlog 4.1.0
Uninstalling colorlog-4.1.0:
Successfully uninstalled colorlog-4.1.0
Attempting uninstall: certifi
Found existing installation: certifi 2020.6.20
Uninstalling certifi-2020.6.20:
Successfully uninstalled certifi-2020.6.20
Attempting uninstall: chardet
Found existing installation: chardet 3.0.4
Uninstalling chardet-3.0.4:
Successfully uninstalled chardet-3.0.4
Attempting uninstall: urllib3
Found existing installation: urllib3 1.25.9
Uninstalling urllib3-1.25.9:
Successfully uninstalled urllib3-1.25.9
Attempting uninstall: idna
Found existing installation: idna 2.10
Uninstalling idna-2.10:
Successfully uninstalled idna-2.10
Attempting uninstall: requests
Found existing installation: requests 2.24.0
Uninstalling requests-2.24.0:
Successfully uninstalled requests-2.24.0
Attempting uninstall: jmespath
Found existing installation: jmespath 0.10.0
Uninstalling jmespath-0.10.0:
Successfully uninstalled jmespath-0.10.0
Attempting uninstall: six
Found existing installation: six 1.15.0
Uninstalling six-1.15.0:
Successfully uninstalled six-1.15.0
Attempting uninstall: python-dateutil
Found existing installation: python-dateutil 2.8.1
Uninstalling python-dateutil-2.8.1:
Successfully uninstalled python-dateutil-2.8.1
Attempting uninstall: docutils
Found existing installation: docutils 0.15.2
Uninstalling docutils-0.15.2:
Successfully uninstalled docutils-0.15.2
Attempting uninstall: botocore
Found existing installation: botocore 1.17.20
Uninstalling botocore-1.17.20:
Successfully uninstalled botocore-1.17.20
Attempting uninstall: s3transfer
Found existing installation: s3transfer 0.3.3
Uninstalling s3transfer-0.3.3:
Successfully uninstalled s3transfer-0.3.3
Attempting uninstall: boto3
Found existing installation: boto3 1.14.20
Uninstalling boto3-1.14.20:
Successfully uninstalled boto3-1.14.20
Attempting uninstall: future
Found existing installation: future 0.18.2
Uninstalling future-0.18.2:
Successfully uninstalled future-0.18.2
Attempting uninstall: configparser
Found existing installation: configparser 5.0.0
Uninstalling configparser-5.0.0:
Successfully uninstalled configparser-5.0.0
Attempting uninstall: PyYAML
Found existing installation: PyYAML 5.3.1
Uninstalling PyYAML-5.3.1:
Successfully uninstalled PyYAML-5.3.1
Attempting uninstall: zipp
Found existing installation: zipp 3.1.0
Uninstalling zipp-3.1.0:
Successfully uninstalled zipp-3.1.0
Attempting uninstall: importlib-metadata
Found existing installation: importlib-metadata 1.7.0
Uninstalling importlib-metadata-1.7.0:
Successfully uninstalled importlib-metadata-1.7.0
Attempting uninstall: keyring
Found existing installation: keyring 21.2.1
Uninstalling keyring-21.2.1:
Successfully uninstalled keyring-21.2.1
Attempting uninstall: aws-okta-keyman
Found existing installation: aws-okta-keyman 0.8.1
Uninstalling aws-okta-keyman-0.8.1:
Successfully uninstalled aws-okta-keyman-0.8.1
Successfully installed PyYAML-5.3.1 aws-okta-keyman-0.8.1 beautifulsoup4-4.9.1 boto3-1.14.20 botocore-1.17.20 certifi-2020.6.20 chardet-3.0.4 colorlog-4.1.0 configparser-5.0.0 docutils-0.15.2 future-0.18.2 idna-2.10 importlib-metadata-1.7.0 jmespath-0.10.0 keyring-21.2.1 python-dateutil-2.8.1 requests-2.24.0 s3transfer-0.3.3 six-1.15.0 soupsieve-2.0.1 urllib3-1.25.9 zipp-3.1.0

Hello,

I note this 'In the case of Duo Auth a web page is opened (served locally) for the user to interact with Duo and select their preferred authentication method. Once Duo is successful the user may close the browser or tab.'

How will this work for end user that just has No X11 support and just a plain linux SSH terminal ?

Would this help ? (I'm by no means a s/w developer but seems this has it working - haven't used it myself though)
https://github.com/segmentio/aws-okta/blob/master/lib/duo.go#L52-L55

Thanks.

Python 2.7 has been dead for over a year yet it's still seeing widespread use including in production services.

How important is ongoing support for Python 2.7 to you / your use case / your org?

More often lately package updates are not compatible with maintaining 2.7 support. If we hit a point where there is a security vulnerability that is a concern for this project that is not available with 2.7 support I expect to drop 2.7 immediately at that point. Until then it can be maintained but I anticipate it won't last long after 1.0 for KeyMan.

If support for 2.7 is critical for you please let me know by commenting below. I would like to know if this is something that I should continue to make happen at the cost of more work and slower development or if it's reasonable to drop 2.7 support at some point soon.

Thank you!

I am getting this error message while running the tool

aws_okta_keyman -c /Users/satish_kumar1/.config/aws_okta_keyman.yml
11:44:02 (INFO) AWS Okta Keyman v0.3.0
11:44:02 (WARNING) No app ID provided; please select from available AWS accounts
[0] Account: nonprod
Select an account from above: 0
11:44:12 (INFO) Using account: nonprod / 0oaiz4jczn***************
Password:
11:44:23 (CRITICAL) Fatal error: MFA_REQUIRED

This is untestable and badly in need of a cleanup.

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Authenticate to Okta which is configured to assume multiple roles in multiple accounts
2. Use Authy MFA
3. use command:
   aws_okta_keyman -u '[email protected]' -D -a '0oadw4gu5tQ461r5a356' -s -o userjoeorg

Expected behavior
Expect to be presented with a list of account / role pairs which can be assumed.

Screenshots
Output:
22:08:26 (INFO) Successfully authed User Joe
22:08:26 (DEBUG) Long-lived token needed; requesting Okta API token
22:08:27 (DEBUG) https://userjoeorg.okta.com:443 "POST /api/v1/sessions HTTP/1.1" 200 None
22:08:27 (DEBUG) {'id': '102ruak3DEyTrA4Sw5L5yw53Q', 'userId': '00udsa7ad720P5iei356', 'login': '[email protected]', 'createdAt': '2020-06-08T22:08:17.000Z', 'expiresAt': '2020-06-09T00:08:17.000Z', 'status': 'ACTIVE', 'lastPasswordVerification': '2020-06-08T22:08:17.000Z', 'lastFactorVerification': '2020-06-08T22:08:26.000Z', 'amr': ['otp', 'mfa', 'pwd'], 'idp': {'id': '00odaabcdj8ypc7wE356', 'type': 'OKTA'}, 'mfaActive': True, '_links': {'self': {'href': 'https://userjoeorg.okta.com/api/v1/sessions/me', 'hints': {'allow': ['GET', 'DELETE']}}, 'refresh': {'href': 'https://userjoeorg.okta.com/api/v1/sessions/me/lifecycle/refresh', 'hints': {'allow': ['POST']}}, 'user': {'name': 'User Joe', 'href': 'https://userjoeorg.okta.com/api/v1/users/me', 'hints': {'allow': ['GET']}}}}
22:08:27 (INFO) Getting SAML Assertion from userjoeorg
22:08:27 (DEBUG) https://userjoeorg.okta.com:443 "GET /home/amazon_aws/0oadwn0g5tQ461r5a356 HTTP/1.1" 200 None
22:08:27 (CRITICAL) Unknown error
22:08:27 (ERROR) API response invalid. Retrying...
22:08:28 (INFO) Getting SAML Assertion from userjoeorg
22:08:28 (DEBUG) https://userjoeorg.okta.com:443 "GET /home/amazon_aws/0oadw4hj5tQ461r5a356 HTTP/1.1" 200 None
22:08:28 (CRITICAL) Unknown error
22:08:28 (ERROR) API response invalid. Retrying...
22:08:29 (INFO) Getting SAML Assertion from userjoeorg
22:08:29 (DEBUG) https://userjoeorg.okta.com:443 "GET /home/amazon_aws/0oadwn0g5tQ461r5a356 HTTP/1.1" 200 None
22:08:29 (CRITICAL) Unknown error
22:08:29 (ERROR) API response invalid. Retrying...
22:08:30 (CRITICAL) SAML failure. Please reauthenticate.

Host (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 0.5.0]
• Python version [e.g. 3.5.0]

Additional context
Add any other context about the problem here.

Describe the bug
My company is international, the base url for okta is "okta-emea.com" so logins fail.

To Reproduce
Steps to reproduce the behavior:

1. Have an international company that uses Okta based out of emea or a company that uses a custom URL
2. Try to login

Expected behavior
Application should have optional base urls that include okta-emea, custom, etc.

Additional context
Easy Fix: let me pass in the full URL as a configuration option. Would you accept a PR that does this?

Is your feature request related to a problem? Please describe.
the name "keyman" isn't gender inclusive

Describe the solution you'd like
Make the name gender-neutral

Describe alternatives you've considered
Rename the tool something like aws_okta_keyfetch

Duo appears to have made changes that have broken this feature.

It's been a bit of a hack for it to work at all so this wasn't entirely unexpected. I'm looking into solutions now. If someone identifies the issue and is able to submit a fix I'll happily accept a PR.

Is your feature request related to a problem? Please describe.
Is there a roadmap or plan to add the ability to not use the password, but instead use physical token (RSA). I noticed it is stated in the Read me and was curious if you have been working towards this. Thank you !

Describe the solution you'd like
Possibly the use of a parameter that would identify the use of an RSA token.

Planned change: requests should be sent with a unique user agent helping to identify the tool in use and it's version rather than the stock Requests string.

Starting with 0.9.0 user agent will be updated as such: aws_okta_keyman/0.9.0

I've attached the response i've received while choosing a role, the issue in this is it picks the wrong role , in the below output i chooses role 2 which is ideally aws-exp-exp3 but it assumed the different one please check

12:56:37 (INFO) AWS Okta Keyman 🔐 v0.8.3
Password:
12:56:45 (WARNING) Okta Verify Push being sent...
12:56:45 (INFO) Waiting for MFA success...
12:56:48 (INFO) Waiting for MFA success...
12:56:50 (INFO) Successfully authed Rishabh Ag
12:56:51 (INFO) Getting SAML Assertion from example
12:56:51 (WARNING) Application-level MFA present; re-authenticating Okta
12:56:52 (WARNING) Okta Verify Push being sent...
12:56:52 (INFO) Waiting for MFA success...
12:56:55 (INFO) Waiting for MFA success...
12:56:57 (INFO) Getting SAML Assertion from example
12:56:59 (INFO) Starting AWS session for us-east-1
12:56:59 (WARNING) Multiple AWS roles found; please select one

Account       Role

[0] 123456789009 aws-exp-exp1
[1] 123456789009 aws-exp-exp2
[2] 123456789009 aws-exp-exp3
Selection: 2

12:57:02 (INFO) Assuming role: arn:aws:iam::123456789009:role/aws-exp-exp2
12:57:04 (INFO) Wrote profile "default" to C:\Users\Rishabh/.aws\credentials 💾
12:57:04 (INFO) Current time is 2020-07-15 07:27:04.316262
12:57:04 (INFO) Session expires at 2020-07-15 08:27:03+00:00 ⏳
12:57:04 (INFO) All done! 👍

Is your feature request related to a problem? Please describe.
When attempting to use aws_okta_keyman, Okta Verify for Android determines that it is an "unusual" login attempt, and forces an additional layer of verification with the 3-number challenge. Unfortunately, this prevents further use of aws_okta_keyman

Describe the solution you'd like
The CLI tool should be able to integrate with this 3-number challenge verification step, and report back the correct number to select in the Okta Verify mobile app so that users can get past this stage and be able to use aws_okta_keyman successfully when additional verification is required.

Is your feature request related to a problem? Please describe.
Our current okta instance runs in the okta-emea region and the default region is hardcoded to okta.com

Describe the solution you'd like
Make the region location a param

Describe alternatives you've considered
Manually edited the code after install to point to our region

Additional context
The line below needs to be dynamic as to include the region.
https://github.com/nathan-v/aws_okta_keyman/blob/master/aws_okta_keyman/okta.py#L36

I will submit a pull request for this as soon as I can , this ticket is just to make the author and anyone else using the library aware of the limitation.

In ~/.config/aws_okta_keyman.yml I have specified duration: 43200. This value is ignored in aws_okta_keyman v0.8.5. It works if I specify it on the CLI with --duration 43200.

$ cat ~/.config/aws_okta_keyman.yml | grep duration
duration: 43200

$ aws_okta_keyman --appid xxx
12:53:32 (INFO) AWS Okta Keyman 🔐 v0.8.5
12:53:37 (INFO) Successfully authed xxx
12:53:38 (INFO) Getting SAML Assertion from xxx
12:53:39 (INFO) Starting AWS session for us-east-1
12:53:39 (INFO) Assuming role: arn:aws:iam::123:role/xxx
12:53:39 (INFO) Wrote profile "default" to /home/xxx/.aws/credentials 💾
12:53:39 (INFO) Current time is 2020-10-07 19:53:39.483773
12:53:39 (INFO) Session expires at 2020-10-07 20:53:39+00:00 ⏳
12:53:39 (INFO) All done! 👍

$ aws_okta_keyman --appid xxx --duration 43200
12:53:49 (INFO) AWS Okta Keyman 🔐 v0.8.5
12:53:53 (INFO) Successfully authed xxx
12:53:53 (INFO) Getting SAML Assertion from xxx
12:53:54 (INFO) Starting AWS session for us-east-1
12:53:54 (INFO) Assuming role: arn:aws:iam::123:role/xxx
12:53:54 (INFO) Wrote profile "default" to /home/xxx/.aws/credentials 💾
12:53:54 (INFO) Current time is 2020-10-07 19:53:54.977365
12:53:54 (INFO) Session expires at 2020-10-08 07:53:54+00:00 ⏳
12:53:54 (INFO) All done! 👍

Would you be able to add the support of macOS Monterey to this code. Thank you!

Duo web portal is opening but 403 errors after approving a factor. The desired behavior works correctly with Duo push as the provided parameter.

`
aws_okta_keyman -o XXX -u ryan@XXXX -d web -D
10:59:34 (INFO) AWS Okta Keyman 🔐 v0.8.1
Password:
10:59:36 (DEBUG) Base URL Set to: https://XXX.okta.com
10:59:36 (DEBUG) Attempting to authenticate to Okta
10:59:36 (DEBUG) Starting new HTTPS connection (1): XXX.okta.com:443

10:59:36 (DEBUG) https://XXX.okta.com:443 "POST /api/v1/authn HTTP/1.1" 200 None

10:59:36 (DEBUG) {'stateToken': '00-XXX', 'expiresAt': '2020-04-29T18:04:36.000Z', 'status': 'MFA_REQUIRED', '_embedded': {'user': {'id': 'XXX'', 'passwordChanged': '2020-04-29T01:04:15.000Z', 'profile': {'login': 'ryan@XXX', 'firstName': 'Ryan', 'lastName': 'XXX', 'locale': 'en', 'timeZone': 'America/Los_Angeles'}}, 'factors': [{'id': 'XXX', 'factorType': 'web', 'provider': 'DUO', 'vendorName': 'DUO', 'profile': {'credentialId': 'ryan@XXX'}, '_links': {'verify': {'href': 'https://XXX.okta.com/api/v1/authn/factors/XXX/verify', 'hints': {'allow': ['POST']}}}}], 'policy': {'allowRememberDevice': True, 'rememberDeviceLifetimeInMinutes': 15, 'rememberDeviceByDefault': False, 'factorsPolicyInfo': {}}}, '_links': {'cancel': {'href': 'https://XXX.okta.com/api/v1/authn/cancel', 'hints': {'allow': ['POST']}}}}

10:59:36 (DEBUG) Duo Auth factor found
10:59:36 (DEBUG) Duo Auth factor found
10:59:36 (DEBUG) https://XXX.okta.com:443 "POST /api/v1/authn/factors/XXX/verify HTTP/1.1" 200 None

10:59:36 (DEBUG) {'stateToken': 'XXX', 'expiresAt': '2020-04-29T18:04:36.000Z', 'status': 'MFA_CHALLENGE', 'factorResult': 'WAITING', '_embedded': {'user': {'id': 'XXX', 'passwordChanged': '2020-04-29T01:04:15.000Z', 'profile': {'login': 'ryan@XXX', 'firstName': 'Ryan', 'lastName': 'XXX', 'locale': 'en', 'timeZone': 'America/Los_Angeles'}}, 'factor': {'id': 'XXX', 'factorType': 'web', 'provider': 'DUO', 'vendorName': 'DUO', 'profile': {'credentialId': 'ryan@XXXX'}, '_embedded': {'verification': {'host': 'api-XXX.duosecurity.com', 'signature': 'XXX', 'factorResult': 'WAITING', '_links': {'complete': {'href': 'https://XXX.okta.com/api/v1/authn/factors/XXX/lifecycle/duoCallback', 'hints': {'allow': ['POST']}}, 'script': {'href': 'https://XXX.okta.com/js/sections/duo/Duo-Web-v2.6.js', 'type': 'text/javascript; charset=utf-8'}}}}}, 'policy': {'allowRememberDevice': True, 'rememberDeviceLifetimeInMinutes': 15, 'rememberDeviceByDefault': False, 'factorsPolicyInfo': {}}}, '_links': {'next': {'name': 'poll', 'href': 'https://XXX.okta.com/api/v1/authn/factors/XXX/verify', 'hints': {'allow': ['POST']}}, 'prev': {'href': 'https://XXX.okta.com/api/v1/authn/previous', 'hints': {'allow': ['POST']}}, 'cancel': {'href': 'https://XXX.okta.com/api/v1/authn/cancel', 'hints': {'allow': ['POST']}}}}

10:59:36 (WARNING) Duo required; opening browser...

10:59:39 (DEBUG) https://XXX.okta.com:443 "GET /api/v1/users/me/appLinks HTTP/1.1" 403 None

10:59:39 (CRITICAL) 😬 Unhandled exception: 403 Client Error: Forbidden for url: https://XXX.okta.com/api/v1/users/me/appLinks

10:59:39 (DEBUG) Traceback (most recent call last):
File "/usr/local/Cellar/aws_okta_keyman/0.8.1/libexec/lib/python3.7/site-packages/aws_okta_keyman/keyman.py", line 83, in main
self.handle_appid_selection(okta_ready=True)
File "/usr/local/Cellar/aws_okta_keyman/0.8.1/libexec/lib/python3.7/site-packages/aws_okta_keyman/keyman.py", line 272, in handle_appid_selection
self.config.accounts = self.okta_client.get_aws_apps()
File "/usr/local/Cellar/aws_okta_keyman/0.8.1/libexec/lib/python3.7/site-packages/aws_okta_keyman/okta.py", line 547, in get_aws_apps
resp.raise_for_status()
File "/usr/local/Cellar/aws_okta_keyman/0.8.1/libexec/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://XXX.okta.com/api/v1/users/me/appLinks
`

Describe the bug
Cannot get proper SAML response

To Reproduce
Steps to reproduce the behavior:

1. aws_okta_keyman config then configured
2. aws_okta_keyman then the error happened

Expected behavior
A clear and concise description of what you expected to happen.
I cannot get temporary credential, there is happening error in the screenshot below. Even I successfully authed, it is not generating credential to the AWS credential file.

Screenshots

Host (please complete the following information):

• OS: [e.g. macOS]
• Version [e.g. 0.9.0]
• Python version [e.g. 3.11.2]

Additional context
Add any other context about the problem here.

I'm currently testing this tool with the upcoming Okta Identity Engine (OIE) and things are working without any modifications to the code.

Please post here if you are testing or using OIE and run into anything that is broken.

Thank you!

-Nathan

Describe the bug
Cannot install 0.7.0 - 0.8.1 via pip. Version 0.6 can be installed

To Reproduce
pip install aws-okta-keyman

Expected behavior
Should install via pip

Screenshots

$pip install aws-okta-keyman
Collecting aws-okta-keyman
  Using cached aws_okta_keyman-0.8.1.tar.gz (60 kB)
    ERROR: Command errored out with exit status 1:
     command: 'C:\Users\mike.crowe\AppData\Local\Continuum\anaconda3\envs\okta\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\MIKE~1.CRO\\AppData\\Local\\Temp\\pip-install-rbqlg2vk\\aws-okta-keyman\\setup.py'"'"'; __file__='"'"'C:\\Use
rs\\MIKE~1.CRO\\AppData\\Local\\Temp\\pip-install-rbqlg2vk\\aws-okta-keyman\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-b
ase 'C:\Users\MIKE~1.CRO\AppData\Local\Temp\pip-install-rbqlg2vk\aws-okta-keyman\pip-egg-info'
         cwd: C:\Users\MIKE~1.CRO\AppData\Local\Temp\pip-install-rbqlg2vk\aws-okta-keyman\
    Complete output (7 lines):
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "C:\Users\MIKE~1.CRO\AppData\Local\Temp\pip-install-rbqlg2vk\aws-okta-keyman\setup.py", line 106, in <module>
        long_description=open("{}/README.md".format(DIR)).read(),
      File "C:\Users\mike.crowe\AppData\Local\Continuum\anaconda3\envs\okta\lib\encodings\cp1252.py", line 23, in decode
        return codecs.charmap_decode(input,self.errors,decoding_table)[0]
    UnicodeDecodeError: 'charmap' codec can't decode byte 0x8f in position 6979: character maps to <undefined>
    ----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Host (please complete the following information):

• OS: Window
• Version 10
• Python version 3.7.6

Additional context
Please see this similar error. Fix:

def readme():
    with open('README.md') as f:	    with open('README.md', encoding = "utf-8") as f: 
        return f.read()	        return f.read()

Keyman should support setting a preferred MFA factor in the config file and as a command-line option.