
gsts's Introduction

AWS STS credentials via Google Workspace

gsts (short for Google STS) is an AWS CLI credential provider based on browser automation to seamlessly obtain and store AWS STS credentials to interact with Amazon services via Google Workspace SAML federation.

This allows you to configure AWS to rely on Google Workspace as your Identity Provider, moving the responsibility away from Amazon into Google to validate your login credentials (federated identity). This is a wildly popular solution when looking to offer Single-Sign On capabilities inside organizations.

Instead of having to go through a flow tailored for the web browser, this tool enables developer productivity by keeping everything on the command line.

Features:

  • Seamless integration with the aws cli tool for secure, continuous and non-interactive STS session renewals.
  • Only once headful design for interactively entering your Google Workspace credentials.
  • Full support for all 2FA methods as provided by Google, including Security Keys (Yubikeys, etc.).
  • Persistent headless re-authentication system.
  • Offers a quick action to open the AWS console from the command-line.
  • Support for AWS China (aws-cn) and AWS GovCloud (US) (aws-us-gov) ARNs.
  • Compatible with Amazon ECR and EKS.

Installation

macOS

brew tap ruimarinho/tap
brew install gsts

Other Platforms

Install the package via npm:

npm install --global gsts

or via yarn:

yarn global add gsts

Usage

gsts is optimized to run as a credential source provider for the aws cli. This ensures a seamless, automated and secure way of obtaining fresh session tokens without any kind of system interaction.

There are three key options or variables you need to know about (you can read more about how to discover them below):

  1. Google's Identity Provider ID, or IdP ID (--idp-id).
  2. Google's Service Provider ID, or SP ID (--sp-id).
  3. The AWS ARN role(s) to authenticate with.

Assuming the following scenario:

  1. You're using the default AWS profile name.
  2. You're using the default ~/.aws/config for configuring the aws cli.
  3. The AWS ARN role you're trying to authenticate with is arn:aws:iam::123456789012:role/role-name and it's the only role you have access to.

You would then proceed to add the following credential_process entry to your ~/.aws/config file under the [default] profile section:

[default]
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id>

The

Note: if you are using a custom profile name other than default (for example, sts), then your configuration would slightly differ (notice the change to the [profile <name>] format):

[profile sts]
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id>

If your user has access to more than one AWS ARN role, you may specify which one to use on each profile by defining --aws-role-arn:

[default]
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id> --aws-role-arn=arn:aws:iam::111111112222222:role/role-name

You can then call any aws cli command and gsts will be spawned automatically:

aws sts get-caller-identity

That's it! With this setup, you're not supposed to call gsts manually ever. The first authentication will be performed directly on a headful browser where all of the authentication challenges generated by Google are natively supported (TOTP, Push, SMS, Security Keys, etc). Subsequent runs reuse the existing session to obtain fresh STS credentials every time gsts is executed.

In-memory (Cacheless) Credentials

For increased security, gsts supports passing over credentials to the aws cli without ever storing a copy of the credentials locally on its own cache dir via --no-credentials-cache.

The only downside is that every aws command will require re-authentication via gsts, which in some scenarios could generate too many authentication requests.

Configuration Settings Precedence

To avoid redundancy and potentially inconsistent configuration, such as having gsts obtain credentials for a different region than the one specified on the AWS profile settings, there are a few special aws cli environment variables that are automatically processed if defined.

The gsts configuration settings take precedence in the following order:

  1. gsts command line arguments.
  2. gsts environment variables (GSTS_*).
  3. aws cli configuration settings, in the same order processed by the AWS CLI:
    1. aws cli environment variables
    2. aws cli configuration file (i.e. those in ~/.aws/config)

AWS CLI Supported Environment Variables

Environment variables supported by aws cli and processed by gsts:

  • AWS_CONFIG_FILE: if defined, this environment variable overrides the behavior of gsts to read the config file from its default path at ~/.aws/config.

  • AWS_PROFILE: if defined, this environment variable overrides the behavior of using the profile named [default] in the configuration and credentials files. You can override this environment variable by using the GSTS_AWS_PROFILE environment variable or the --aws-profile command line parameter.

  • AWS_DEFAULT_REGION: if defined, this environment variable overrides the value for the profile setting region. You can override this environment variable by using the GSTS_AWS_REGION environment variable or the --aws-region command line parameter.

  • AWS_REGION: if defined, this environment variable overrides the values in the environment variable AWS_DEFAULT_REGION and the profile setting region. You can override this environment variable by using the GSTS_AWS_REGION environment variable or the --aws-region command line parameter.

AWS CLI Supported Profile Configuration Settings

Profile configuration settings supported by aws cli and processed by gsts:

  • duration_seconds: the duration, in seconds, of the role session. You can override this profile configuration setting by using the GSTS_AWS_SESSION_DURATION environment variable or the --aws-session-duration command line parameter.

  • region: You can override this profile configuration setting by using the GSTS_AWS_REGION, AWS_REGION or AWS_DEFAULT_REGION environment variables as explained above or the --aws-region command line parameter.

Notably, the output setting is not supported, since a value other than json could break gsts support for credential_process; likewise, setting role_arn on a profile makes the aws cli incompatible with credential_process.
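As an added example, not part of the gsts README or code base, the following JavaScript applies the precedence order listed above to pick the effective profile, region and session duration, and flags the output and role_arn settings the note warns about; the function names and the sample ~/.aws/config text are constructed for this illustration.

```javascript
// Added example, not gsts's own code: applies the precedence order the README describes
// (gsts CLI args > GSTS_* env vars > aws cli env vars > ~/.aws/config profile settings)
// to pick the effective profile, region and session duration. Function names and the
// sample config are constructed for this illustration.

// Minimal parser for the ~/.aws/config format: "[default]" and "[profile <name>]" sections
// holding "key = value" lines. Reading the file itself (honouring AWS_CONFIG_FILE) is left
// to the caller, which passes the text in.
function parseAwsConfig(text) {
  const profiles = {};
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) {
      current = section[1].trim();
      if (!profiles[current]) profiles[current] = {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current !== null) profiles[current][kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// First candidate that is set and non-empty; candidates are ordered highest priority first.
function firstDefined(...candidates) {
  return candidates.find((c) => c !== undefined && c !== null && c !== '');
}

function resolveSettings({ argv = {}, env = {}, configText = '' }) {
  const profiles = parseAwsConfig(configText);

  // Profile: --aws-profile > GSTS_AWS_PROFILE > AWS_PROFILE > [default].
  const profile = firstDefined(argv.awsProfile, env.GSTS_AWS_PROFILE, env.AWS_PROFILE, 'default');
  const section = profiles[profile] || {};

  // Region: --aws-region > GSTS_AWS_REGION > AWS_REGION > AWS_DEFAULT_REGION > profile "region".
  const region = firstDefined(
    argv.awsRegion, env.GSTS_AWS_REGION, env.AWS_REGION, env.AWS_DEFAULT_REGION, section.region,
  );

  // Session duration: --aws-session-duration > GSTS_AWS_SESSION_DURATION > profile "duration_seconds";
  // undefined means "use whatever the IdP sends in the SAML SessionDuration attribute".
  const rawDuration = firstDefined(
    argv.awsSessionDuration, env.GSTS_AWS_SESSION_DURATION, section.duration_seconds,
  );
  const sessionDuration = rawDuration === undefined ? undefined : Number(rawDuration);
  if (sessionDuration !== undefined && !Number.isInteger(sessionDuration)) {
    throw new Error(`Session duration must be a whole number of seconds, got "${rawDuration}"`);
  }

  // Settings the README says must not be combined with credential_process.
  const warnings = [];
  if (section.output !== undefined && section.output !== 'json') {
    warnings.push(`profile "${profile}" sets output=${section.output}; credential_process needs json`);
  }
  if (section.role_arn !== undefined) {
    warnings.push(`profile "${profile}" sets role_arn, which the aws cli does not combine with credential_process`);
  }

  return { profile, region, sessionDuration, warnings };
}

// Constructed sample config mirroring the README's examples.
const SAMPLE_CONFIG = `
[default]
region = us-east-1
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id>

[profile sts]
region = eu-west-1
duration_seconds = 3600
output = json
credential_process = gsts --idp-id=<your_idp_id> --sp-id=<your_sp_id>

[profile broken]
region = eu-west-1
output = table
role_arn = arn:aws:iam::123456789012:role/role-name
`;

console.log(resolveSettings({ env: { AWS_PROFILE: 'sts', AWS_DEFAULT_REGION: 'us-west-2' }, configText: SAMPLE_CONFIG }));
```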

Amazon ECR

If you'd like to automatically authenticate your Docker installation before pulling private images from Amazon ECR, you can use the fantastic ECR Docker Credential Helper in combination with gsts.

  1. Install docker-credential-helper-ecr (on macOS, you can do it via Homebrew using brew install docker-credential-helper-ecr).

  2. Add the following config to your ~/.docker/config.json file:

    {
      "credHelpers" : {
        "<ACCOUNT_ID>.dkr.ecr.<ECR_REGION>.amazonaws.com" : "ecr-login"
      }
    }

The config entry ecr-login maps to the binary docker-credential-ecr-login which must be available under your $PATH.

The next time a docker pull for an image from an ECR registry matching the string above is called, Docker will invisibly call gsts and perform authentication on your behalf.

Amazon EKS

If you'd like Kubernetes to authenticate to Amazon EKS automatically, add the following exec config under the users property of your ~/.kube/config file:

apiVersion: v1
clusters:
  - [...]
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-west-1:111122223333:cluster/my-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - eks
      - get-token
      - --region
      - eu-west-1
      - --cluster-name
      - my-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: default
      interactiveMode: Never
      provideClusterInfo: false

In this particular case, the AWS_PROFILE env setting isn't strictly necessary as the default value would be used.

Quick Actions

gsts offers a quick way to open the Amazon AWS console via the command line:

gsts console

Reference

❯ gsts --help

Commands:
  gsts console  Authenticate via SAML and open Amazon AWS console in the default browser

Options:
      --help                               Show help                                                                                         [boolean]
      --version                            Show version number                                                                               [boolean]
      --aws-profile                        AWS profile name to associate credentials with                                                   [required]
      --aws-role-arn                       AWS role ARN to authenticate with
      --aws-session-duration               AWS session duration in seconds (defaults to the value provided by the IDP, if set)                [number]
      --aws-region                         AWS region to send requests to                                                                   [required]
      --cache-dir                          Where to store cached data                                               [default: "~/Library/Caches/gsts"]
      --clean                              Start authorization from a clean session state                                                    [boolean]
      --force                              Force re-authorization even with valid session                                   [boolean] [default: false]
      --idp-id                             Identity Provider ID (IdP ID)                                                                    [required]
      --no-credentials-cache               Disable default behaviour of storing credentials in --cache-dir                                   [boolean]
  -o, --output                             Output format                                                                     [choices: "json", "none"]
      --playwright-engine                  Set playwright browser engine              [choices: "chromium", "firefox", "webkit"] [default: "chromium"]
      --playwright-engine-executable-path  Set playwright executable path for browser engine
      --playwright-engine-channel          Set playwright browser engine channel       [choices: "chrome", "chrome-beta", "msedge-beta", "msedge-dev"]
      --sp-id                              Service Provider ID (SP ID)                                                             [string] [required]
      --username                           Username to auto pre-fill during login
  -v, --verbose                            Log verbose output                                                                                  [count]

Discovery of IdP and SP IDs

If you're the admin of Google Workspace, after configuring the SAML application for AWS you can extract the SP ID by looking at the service parameter of the SAML AWS application page.

The IDP ID can be found under Security > Set up single sign-on (SSO) for SAML applications as the parameter idpid.

In case you are using a pre-configured AWS SAML application as traditionally available under the dotted menu on any Google app (Gmail, Calendar and so on) you can instead right-click the AWS icon and copy the link:

The copied URL will be in the format of https://accounts.google.com/o/saml2/initsso?idpid=<IDP_ID>&spid=<SP_ID>&forceauthn=false.

Troubleshooting

gsts conflicts with an alias from oh-my-zsh's git plugin

ohmyzsh's git plugin includes an alias named gsts as a shorthand for git stash show --text. You can either disable the git plugin entirely or, alternatively, add unalias gsts at the end of your dotfiles if you don't use this git command often.

"Error when retrieving credentials from custom-process: Error: Failed to launch the browser process!" when using the aws-cli with credential_process

Although seemingly unrelated to gsts, try unsetting LD_LIBRARY_PATH before calling it, like so:

credential_process = bash -c "unset LD_LIBRARY_PATH; gsts --aws-role-arn arn:aws:iam::123456789012:role/role-name --sp-id 12345 --idp-id A12bc34d5"

License

MIT


gsts's Issues

The requested DurationSeconds exceeds the MaxSessionDuration set for this role

This script assumes that the value of https://aws.amazon.com/SAML/Attributes/SessionDuration is less than the value of MaxSessionDuration for all roles, which isn't true for my use case, which is multiple roles, but only the dev account allows up to 12 hour sessions (other roles have the default 1 hour limit).

aws-google-auth solved this by allowing the user to specify a command line argument / environment variable to specify the duration.

Would you be open to a PR that would allow specifying an override value for sessionDuration?

Parsed SAML assertion {
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [Array]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [Array]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
      value: [Array]
    }
  ]
}
Found SessionDuration attribute 28800
Found Role ARN arn:aws:iam::[account]:role/[role]
Found Principal ARN arn:aws:iam::[account]:saml-provider/[provider]
The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

gsts aws page fails to load after successful login

This site can’t be reached

The web page at https://us-east-1.signin.aws.amazon.com/platform/saml/acs/842ef922-c9d6-44b7-9427-962a3ccc2ee6 might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED


evilroot in ~ λ gsts --version
3.0.6
evilroot in ~ λ node --version
v15.12.0
evilroot in ~ λ uname -a
Darwin Nabuhodonozor.local 20.3.0 Darwin Kernel Version 20.3.0: Thu Jan 21 00:07:06 PST 2021; root:xnu-7195.81.3~1/RELEASE_X86_64 x86_64 i386 MacBookPro11,5 Darwin

More than happy to provide more logs, I checked with every possible engine - same result - AWS page can't be loaded.

headless chrome spins forever

Several of our users have reported this issue and now it's happening for me as well. Maybe due to a brew update/upgrade? Not sure at what point it broke, since I only use it when credentials expire.

$ gsts --version
4.0.1

$ aws --version
aws-cli/2.7.2 Python/3.9.13 Darwin/21.4.0 source/x86_64 prompt/off

$ sw_vers
ProductName:	macOS
ProductVersion:	12.3.1
BuildVersion:	21E258

Any ideas on how to further troubleshoot this? When running gsts, the headless chrome window opens, but nothing ever happens. It also never times out. Opens two tabs too. As a workaround, we have added this flag to our refresh script --engine-executable-path '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'.

If I open a new third tab in that headless chrome and copy/paste that URL, it'll load. Maybe an init issue?

$ gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=REDACTED --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --force --verbose
ℹ Attempting to retrieve session expiration credentials
ℹ Credentials file does not exist at /Users/donovanhernandez/.aws/credentials
ℹ Allowing request to "https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false"
ℹ Allowing request to "https://ssl.gstatic.com/accounts/ui/avatar_2x.png"
ℹ Allowing request to "https://ssl.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_112x36dp.png"
ℹ Allowing request to "https://ssl.gstatic.com/accounts/ui/wlogostrip_230x17_1x.png"
ℹ Allowing request to "https://fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0bf8pkAg.woff2"
ℹ Allowing request to "https://accounts.google.com/generate_204?XYTAOQ"
⚠ User is not authenticated, spawning headful instance
ℹ Allowing request to "https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false"


GSTS fails to spawn headful instance if called directly

This is admittedly a very corner case, but with how gsts respawns itself into a headful instance here:

gsts/index.js

Line 420 in 3d7a1ef

const ui = childProcess.spawn('gsts', args, { stdio: 'inherit' });

It fails if gsts isn't on the PATH. It came up within the context of Volta, which manages global installs and calls the tools directly instead of leaving them on the PATH, but could also come up if a user has gsts installed locally in a project and calls ./node_modules/.bin/gsts, instead of having it globally installed.

existing entries in credentials file error

We are unable to refresh tokens automatically if the session is expired. I created a new profile, test123, copy/pasted it, and it worked just fine. The workaround is to run a rm -f ~/.aws/credentials every time this happens, but I don't believe we should have to do this. Is this a bug?

I've tried to automate this but couldn't get it to work:

credential_process = bash -c "rm -f ~/.aws/credentials; gsts --idp-id=REDACTED --sp-id=REDACTED --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json"
$ cat ~/.aws/config
[default]
output = json
region = us-east-1
source_profile = heydonovan

[profile heydonovan]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=heydonovan --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1

[profile test123]
credential_process = gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test123 --aws-role-arn=arn:aws:iam::REDACTED:role/REDACTED --json
output = json
region = us-east-1
$ aws sts get-caller-identity --profile heydonovan

An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired
$ aws sts get-caller-identity --profile test123
{
    "UserId": "REDACTED:REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACED:assumed-role/REDACTED/REDACTED"
}
$ cat ~/.aws/credentials

[heydonovan]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-02T05:58:20.000Z
aws_session_token="REDACTED"

[test123]
aws_access_key_id=REDACTED
aws_role_arn=arn:aws:iam::REDACTED:role/REDACTED
aws_secret_access_key=REDACTED
aws_session_expiration=2022-03-03T04:48:11.000Z
aws_session_token="REDACTED"

Add option to copy URL instead of opening browser automatically

I use WSL, so GUI support is clunky. I got it to work, but I would like to be able to just copy the authentication URL into my native browser instead of gsts trying to open a browser automatically. Google Cloud's gcloud does this for example.

Would it be possible to implement this flow, enabled by a command line option?

WSL2 Support

I get the following message in WSL2 because WSL does not support X-Windows. As you can interact with chrome via selenium server I figure the same must be possible with puppeteer. If we can configure it to connect to the browser remotely rather than trying to launch chromium it would probably work.

Error: Failed to launch the browser process!
[15561:15561:0520/125002.805120:ERROR:browser_main_loop.cc(1512)] Unable to open X display.


TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/master/docs/troubleshooting.md

    at onClose (/home/sam/.nvm/versions/node/v12.16.3/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:750:14)
    at ChildProcess.<anonymous> (/home/sam/.nvm/versions/node/v12.16.3/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:740:61)


Why do credentials default to ~/.aws/credentials ?

  --aws-shared-credentials-file  AWS shared credentials file
                                 [default: "/Users/ruimarinho/.aws/credentials"]

This argument enables us to specify a credentials path for gsts to use. I'm confused as to why it clobbers the ~/.aws/credentials file rather than creating and using its own file.

gsts uses this file for the storing of temporary credentials; when they expire it renews them. However, when written to this specific file, awscli will always prefer the file's entry over the credential_process output.

As such, when credentials expire they are not auto renewed.

Flow with using the default ~/.aws/credentials:

  • Runs an AWS command
  • gsts gets executed
  • ~/.aws/credentials is generated
  • Runs an AWS command
  • ~/.aws/credentials is read and credentials from there are used
  • Credentials expire
  • Runs an AWS command
  • Command fails
  • Runs an AWS command
  • Command fails
  • ....

Flow with using anything other than ~/.aws/credentials:

  • Runs an AWS command
  • gsts gets executed
  • gsts generates its own credentials file, and returns them to awscli via its --json output
  • Runs an AWS command
  • gsts reads its own credentials file and returns them to awscli via its --json output
  • Credentials expire
  • Run an AWS command
  • gsts reads its own credentials file, sees the credentials have expired, renews them, saves them, returns them to awscli via its --json output

I believe defaulting this argument to anything other than ~/.aws/credentials would result in a better user experience.

allow setting puppeteer executablePath

For my new aarch machine, puppeteer ships with the x86_64 binary still, and that won't be runnable; thus, I need to override executablePath

Is it possible to support a command line flag for specifying a custom chromium to run instead of puppeteer's default? e.g. executablePath: '/usr/bin/chromium-browser'

Homebrew installation errors: `Failed changing dylib ID` and `Failed to fix install linkage`

Summary

Yo! I just today attempted to install gsts via Homebrew and got some interesting errors:

treykasada@MacBook-Pro ~> brew tap ruimarinho/tap
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/core and homebrew/cask).
==> Updated Formulae
Updated 13 formulae.
==> Updated Casks
modern-csv

==> Tapping ruimarinho/tap
Cloning into '/usr/local/Homebrew/Library/Taps/ruimarinho/homebrew-tap'...
remote: Enumerating objects: 5, done.
remote: Counting objects: 100% (5/5), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 5 (delta 0), reused 5 (delta 0), pack-reused 0
Unpacking objects: 100% (5/5), done.
Tapped 1 formula (30 files, 25.3KB).

treykasada@MacBook-Pro ~> brew install gsts
Updating Homebrew...
==> Installing gsts from ruimarinho/tap
==> Downloading https://github.com/ruimarinho/gsts/archive/v2.4.3.tar.gz
Already downloaded: /Users/treykasada/Library/Caches/Homebrew/downloads/c777c13000c7204d15ee9240640e6af1d279ad6abdbbd302a34b2c42e3cfb889--gsts-2.4.3.tar.gz
==> npm install -ddd --global --build-from-source --cache=/Users/treykasada/Library/Caches/Homebrew/npm_cache --prefix=/usr/local/Cellar/gsts/2.4.3/libexec /private/t
Error: Failed changing dylib ID of /usr/local/Cellar/gsts/2.4.3/libexec/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/mac-722234/chrome-mac/Chromium.app/Contents/Frameworks/Chromium Framework.framework/Versions/80.0.3987.0/Chromium Framework
  from @executable_path/../Frameworks/Chromium Framework.framework/Versions/80.0.3987.0/Chromium Framework
    to /usr/local/opt/gsts/libexec/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/mac-722234/chrome-mac/Chromium.app/Contents/Frameworks/Chromium Framework.framework/Versions/80.0.3987.0/Chromium Framework
Error: Failed to fix install linkage
The formula built, but you may encounter issues using it or linking other
formulae against it.
==> Summary
🍺  /usr/local/Cellar/gsts/2.4.3: 4,326 files, 327.6MB, built in 32 seconds

treykasada@MacBook-Pro ~ [1]> which gsts
/usr/local/bin/gsts

As you can see, the brew tap works fine, but the brew install seems to indicate problems during installation. Interestingly though, the gsts executable is present after the install, and the scripts I use it in all seem to work in spite of the errors.

Not sure if this is a bug or something cooked with my system, but figured I should raise it anyway. 🙂

Component versions

Homebrew version: 2.6.2
homebrew-core gitref: 7ae83 (last commit 2020-12-16)
homebrew-cask gitref: 81bd71 (last commit 2020-12-16)
macOS version: Big Sur 11.1
Shell: Fish 3.1.2

Full exit on errors.RoleNotFoundError

When the following code fires:

if (e instanceof errors.RoleNotFoundError) {
  logger.error(`Role ARN "${argv.awsRoleArn}" not found in the list of available roles ${JSON.stringify(e.roles)}`);
  route.abort();
  return;
}

gsts does not return an error code to the O/S. It appears to hang on macOS and doesn't return to the command prompt.

gsts/index.js

Line 294 in bde055f

logger.error(`Role ARN "${argv.awsRoleArn}" not found in the list of available roles ${JSON.stringify(e.roles)}`);

▶ gsts --version                                                                   
3.0.6

Invalid regular expression under ubuntu

When running gsts under ubuntu I get the following error:

/usr/local/lib/node_modules/gsts/parser.js:11
const REGEX_PATTERN_ROLE = /(?<roleArn>arn:(aws|aws-us-gov|aws-cn):iam:[^:]*:[0-9]+:role\/(?<name>[^,]+))/i;
                           ^

SyntaxError: Invalid regular expression: /(?<roleArn>arn:(aws|aws-us-gov|aws-cn):iam:[^:]*:[0-9]+:role\/(?<name>[^,]+))/: Invalid group

I am getting an error related to the browser not being downloaded. The browser is installed and functional

Error: Browser is not downloaded. Run "npm install" or "yarn install"
at ChromeLauncher.launch (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:236:15)
at module.exports.launch (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Puppeteer.js:40:27)
at PuppeteerExtra.launch (/usr/local/lib/node_modules/gsts/node_modules/puppeteer-extra/dist/index.cjs.js:129:41)

v2.3.0-beta.1 hangs instead of logging in

Need to dig in to this a bit more, but:

gsts \
    --aws-role-arn arn:aws:iam::ACC1:role/ROLE1,arn:aws:iam::ACC1:saml-provider/PROVIDER \
    --aws-session-duration 28800 \
    --sp-id "$OUR_SPID" \
    --idp-id "$OUR_IDPID" \
    --username "$MY_USER" \
    --aws-profile "$MY_AWS_PROFILE" \
    --enable-experimental-u2f-support \
    --verbose

Gives me:

ℹ Attempting to retrieve session expiration credentials
ℹ Parsed SAML assertion {
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [ 'MY_SESSION_NAME', [length]: 1 ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [
        'arn:aws:iam::ACC1:role/ROLE1,arn:aws:iam::ACC1:saml-provider/PROVIDER',
        ...
        [length]: 3
      ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
      value: [ '28800', [length]: 1 ]
    },
    [length]: 3
  ]
}
ℹ Parsed default IDP SessionDuration attribute with value 28800
ℹ Parsed Role attribute with value [
  Role {
    name: 'ROLE1',
    roleArn: 'arn:aws:iam::ACC1:role/ROLE1',
    principalArn: 'arn:aws:iam::ACC1:saml-provider/PROVIDER',
    sessionDuration: 28800
  },
  ...
  [length]: 3
]
ℹ Found custom role ARN "arn:aws:iam::ACC1:role/ROLE1" with principal ARN "arn:aws:iam::ACC1:saml-provider/PROVIDER"
ℹ An error has ocurred while authenticating Error: connect ETIMEDOUT 169.254.169.254:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1137:16) {
  message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
  errno: 'ETIMEDOUT',
  code: 'CredentialsError',
  syscall: 'connect',
  address: '169.254.169.254',
  port: 80,
  time: 2020-04-24T01:40:03.373Z,
  originalError: {
    message: 'Could not load credentials from any providers',
    errno: 'ETIMEDOUT',
    code: 'CredentialsError',
    syscall: 'connect',
    address: '169.254.169.254',
    port: 80,
    time: 2020-04-24T01:40:03.373Z,
    originalError: {
      message: 'EC2 Metadata roleName request returned error',
      errno: 'ETIMEDOUT',
      code: 'ETIMEDOUT',
      syscall: 'connect',
      address: '169.254.169.254',
      port: 80,
      time: 2020-04-24T01:40:03.373Z,
      originalError: [Object]
    }
  }
}
(node:72095) UnhandledPromiseRejectionWarning: TypeError: logger.fail is not a function
    at Page.<anonymous> (/Users/MY_USER/.nvm/versions/node/v12.16.1/lib/node_modules/gsts/index.js:262:16)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:72095) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:72095) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
ℹ Request to "https://signin.aws.amazon.com/saml" has been aborted

Request to aws saml url fails due to disallowed requests to aws static resources

Hi there,

I recently upgraded to v4.0.0 and started hitting this error:

ℹ Initiating request to "https://signin.aws.amazon.com/saml"
ℹ Aborting request to "https://signin.aws.amazon.com/static/js/jquery.min.js"
ℹ Aborting request to "https://signin.aws.amazon.com/static/image/down.png"
ℹ Request to "https://signin.aws.amazon.com/static/js/jquery.min.js" has failed
ℹ Aborted due to client request
ℹ An error has ocurred while authenticating page.waitForSelector: Target closed
=========================== logs ===========================
waiting for selector "#saml_form" to be visible
============================================================
    at RouteHandler.handler (/usr/local/lib/node_modules/gsts/index.js:279:22) {
  name: 'Error'
}
✖ An unknown error has ocurred with message "page.waitForSelector: Target closed
=========================== logs ===========================
waiting for selector "#saml_form" to be visible
============================================================". Please try again with --verbose
route.abort: Target page, context or browser has been closed
    at RouteHandler.handler (/usr/local/lib/node_modules/gsts/index.js:306:15) {
  name: 'Error'
}

The authentication succeeds and the token is stored correctly, but the error occurs when trying to access the saml url to confirm that the tool succeeded.

It looks like the check to allow requests to certain urls on line 313 of index.js doesn't include a pattern to match static resources from AWS.

I've fixed it locally by modifying the if block on line 313 to include aws.amazon.com/static, i.e.:

    if (/google|gstatic|youtube|googleusercontent|googleapis|gvt1|aws.amazon.com\/static/.test(route.request().url())) {
      logger.debug(`Allowing request to "${route.request().url()}"`);
      route.continue();
      return;
    }

Thanks for developing this great tool!

Potential upcoming breakage - Google blocking login automation?

I've just noticed: https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html

I added the following to gsts, as suggested for testing purposes:

  await page.setExtraHTTPHeaders({
    'Google-Accounts-Check-OAuth-Login': 'true'
  });

Seemed to cause things to fall over, but I may have made a mistake.

Not sure if this is an issue, but since I didn't see an existing one I thought I'd create it (even if it only needs to be closed).

ROLE_NOT_FOUND_ERROR

Attempting to retrieve session expiration credentials
Session has expired on 2020-04-02T14:23:16.000Z
Parsed SAML assertion { attributes:
   [ { name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
       value: [Array] },
     { name: 'https://aws.amazon.com/SAML/Attributes/Role',
       value: [Array] },
     { name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
       value: [Array] } ] }
Found SessionDuration attribute 43200
Found Role ARN arn:aws:iam::[snip]:role/platform
Found Principal ARN arn:aws:iam::[snip]:saml-provider/google
(node:29547) UnhandledPromiseRejectionWarning: ReferenceError: ROLE_NOT_FOUND_ERROR is not defined
    at Page.page.on (/home/lizf/.config/yarn/global/node_modules/gsts/index.js:417:27)
    at process._tickCallback (internal/process/next_tick.js:68:7)
(node:29547) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:29547) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

This still happens when I run --clear and log in again. However, logging in via browser still succeeds at accessing AWS console.

Caching SAML Assertion

Hi there,
I'm considering an option to let gsts write the SAML assertion to disk and use it if possible.
If a non-expired assertion is found with matching sp-id and idp-id, I suppose it could be used to assume any role without even launching puppeteer.

The use case I'm mainly interested in is to use the assertion with other tools (like aws sts assume-role-with-saml) for debugging and building scripts around gsts to select role ARNs in advance.

What do you think? This is not a feature request, I'm just considering if the project would be open for such contributions.

Error on node 8.11.4

When I run gsts on node 8.11.4 I get the following error:

% gsts
/Users/diego/.nvm/versions/node/v8.11.4/lib/node_modules/gsts/parser.js:11
const REGEX_PATTERN_ROLE = /(?<roleArn>arn:(aws|aws-us-gov|aws-cn):iam:[^:]*:[0-9]+:role\/(?<name>[^,]+))/i;
                           ^

SyntaxError: Invalid regular expression: /(?<roleArn>arn:(aws|aws-us-gov|aws-cn):iam:[^:]*:[0-9]+:role\/(?<name>[^,]+))/: Invalid group
    at Object.<anonymous> (/Users/diego/.nvm/versions/node/v8.11.4/lib/node_modules/gsts/parser.js:11:28)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)
    at Module.require (module.js:596:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (/Users/diego/.nvm/versions/node/v8.11.4/lib/node_modules/gsts/credentials-manager.js:7:16)
    at Module._compile (module.js:652:30)

Node.js prior to version 10 doesn't support named regex capture groups. I understand node 8 is pretty old and you may not be interested in keeping compatibility.

chromium window closes after google 2fa has succeeded, before creds fetched

ℹ Request to "https://signaler-pa.googleapis.com/punctual/multi-watch/channel?gsessionid=[snip]&key=[snip]&VER=8&RID=rpc&SID=[snip]&CI=0&AID=0&TYPE=xmlhttp&zx=[snip]&t=1" has failed
ℹ Aborted due to client request
ℹ An unknown error has ocurred while authenticating in headful mode page.waitForResponse: Page closed
=========================== logs ===========================
waiting for response "https://signin.aws.amazon.com/saml"
============================================================
    at /Users/cdueltgen/.volta/tools/image/packages/gsts/lib/node_modules/gsts/index.js:385:18
ℹ Headful instance has exited with code 1

cc @cdueltgen who experienced this problem

Big Sur 11.6.1, gsts 3.0.7

Add --list-available-roles

Currently gsts interactively displays a list of roles to choose from when --aws-role-arn is not provided.

For automation, it would be very helpful to get this list in non-interactive way with a new --list-available-roles flag.

This flag could output the list of roles and let gsts exit.

Obeying --json would be a huge plus :)

Homebrew install is broken

Thanks for a great tool, used it on Ubuntu previously with no issues. Recently moved to Mac and tried to install via Homebrew and got the following error:

❯ brew tap ruimarinho/tap --verbose --debug
/opt/homebrew/Library/Homebrew/shims/shared/git --version
==> Tapping ruimarinho/tap
git clone https://github.com/ruimarinho/homebrew-tap /opt/homebrew/Library/Taps/ruimarinho/homebrew-tap --origin=origin --template=
Cloning into '/opt/homebrew/Library/Taps/ruimarinho/homebrew-tap'...
remote: Enumerating objects: 79, done.
remote: Counting objects: 100% (79/79), done.
remote: Compressing objects: 100% (60/60), done.
remote: Total 79 (delta 19), reused 54 (delta 12), pack-reused 0
Receiving objects: 100% (79/79), 11.16 KiB | 2.79 MiB/s, done.
Resolving deltas: 100% (19/19), done.
/opt/homebrew/Library/Homebrew/brew.rb (Formulary::FromPathLoader): loading /opt/homebrew/Library/Taps/ruimarinho/homebrew-tap/Formula/mota.rb
Warning: Calling bottle :unneeded is deprecated! There is no replacement.
Please report this issue to the ruimarinho/tap tap (not Homebrew/brew or Homebrew/core):
  /opt/homebrew/Library/Taps/ruimarinho/homebrew-tap/Formula/mota.rb:10

Error: Invalid formula: /opt/homebrew/Library/Taps/ruimarinho/homebrew-tap/Formula/mota.rb
formulae require at least a URL
/opt/homebrew/Library/Homebrew/brew.rb (Formulary::FromPathLoader): loading /opt/homebrew/Library/Taps/ruimarinho/homebrew-tap/Formula/gsts.rb
Error: Cannot tap ruimarinho/tap: invalid syntax in tap!
/opt/homebrew/Library/Homebrew/tap.rb:308:in `install'
/opt/homebrew/Library/Homebrew/cmd/tap.rb:67:in `tap'
/opt/homebrew/Library/Homebrew/brew.rb:110:in `<main>'

Homebrew version:

Homebrew 3.3.7
Homebrew/homebrew-core (git revision f37f5a1f6b0; last commit 2021-12-06)
Homebrew/homebrew-cask (git revision 0a72d97737; last commit 2021-12-07)

ERR_CONNECTION_CLOSED

We have a user on macOS Monterey that is unable to initiate the headless chrome browser:

$ gsts --version
4.0.1
$ gsts --clean --idp-id=REDACTED --sp-id=REDACTED --verbose
ℹ Cleaning directory /Users/REDACTED/Library/Application Support/gsts
ℹ Attempting to retrieve session expiration credentials
ℹ Credentials file does not exist at /Users/REDACTED/.aws/credentials
ℹ Allowing request to "https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false"
ℹ Request to "https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false" has failed
ℹ An error ocurred while browsing to the initsso page page.goto: net::ERR_CONNECTION_CLOSED at https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false
=========================== logs ===========================
navigating to "https://accounts.google.com/o/saml2/initsso?idpid=REDACTED&spid=REDACTED&forceauthn=false", waiting until "load"
============================================================
    at /usr/local/Cellar/gsts/4.0.1/libexec/lib/node_modules/gsts/index.js:349:32 {
  name: 'Error'
}

Let me know if any additional logs are needed, that URL loads fine in a regular browser.

Display account aliases for roles

Hi! Currently gsts is capable of displaying roles that can be assumed for all the accounts.
Do you think it'd be possible to also get accounts' aliases so that it'd be easier to operate?

This feature exists in AWS SAML UI (Production and Staging on the screenshot), it'd be awesome to get it available with gsts too!


gsts v3 gets stuck after successful login

Hey @ruimarinho ! Glad to see gsts v3 released, but it seems it introduces a new issue with v3.

Basically, if I first log in to IAM role 1 and then switch to logging in to IAM role 2 (with the same AWS profile flag, if that matters), the second login does succeed, but then, instead of exiting, gsts gets stuck and does not exit. This can be mitigated by a force exit when used interactively, but it breaks other previously working tools that call gsts commands (as the call gets stuck and doesn't return).

Since v3 is very new and comes with some big changes, I'm not sure that I captured the problem pattern 100% correctly. Let me know if you need more info to reproduce. Thank you!

Windows: An error has ocurred while authenticating [Error: EINVAL: invalid argument, mkdir 'C:\C:']

I tried on two Windows machines and found the same error. The error occurs after the Chromium window closes after a successful Google authentication.

C:\WINDOWS\system32>gsts --aws-role-arn arn:aws:iam::123456789:role/GoogleAppsSAML-Admin --sp-id 1234 --idp-id AB12 --username [email protected] --aws-profile default --json --verbose
i Attempting to retrieve session expiration credentials
‼ Found credentials for a different role ARN
‼ User is not authenticated, spawning headful instance
i Pre-filling email with [email protected]
i Parsed SAML assertion {
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [ '[email protected]', [length]: 1 ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [
        'arn:aws:iam::123456789:role/GoogleAppsSAML-Admin,arn:aws:iam::123456789:saml-provider/GoogleApps',
        'arn:aws:iam::987654321:role/GoogleAppsSAML-Admin,arn:aws:iam::987654321:saml-provider/GoogleApps',
        [length]: 2
      ]
    },
    [length]: 2
  ]
}
i Parsed Role attribute with value [
  Role {
    name: 'GoogleAppsSAML-Admin',
    roleArn: 'arn:aws:iam::123456789:role/GoogleAppsSAML-Admin',
    principalArn: 'arn:aws:iam::123456789:saml-provider/GoogleApps',
    sessionDuration: undefined
  },
  Role {
    name: 'GoogleAppsSAML-Admin',
    roleArn: 'arn:aws:iam::987654321:role/GoogleAppsSAML-Admin',
    principalArn: 'arn:aws:iam::987654321:saml-provider/GoogleApps',
    sessionDuration: undefined
  },
  [length]: 2
]
i Found custom role ARN "arn:aws:iam::123456789:role/GoogleAppsSAML-Admin" with principal ARN "arn:aws:iam::123456789:saml-provider/GoogleApps"
i Role ARN "arn:aws:iam::123456789:role/GoogleAppsSAML-Admin" has been assumed {
  ResponseMetadata: { RequestId: 'REDACTED' },
  Credentials: {
    AccessKeyId: 'REDACTED',
    SecretAccessKey: 'REDACTED',
    SessionToken: 'REDACTED',
    Expiration: 2020-07-27T15:13:38.000Z
  },
  AssumedRoleUser: {
    AssumedRoleId: 'REDACTED:[email protected]',
    Arn: 'arn:aws:sts::123456789:assumed-role/GoogleAppsSAML-Admin/[email protected]'
  },
  Subject: '[email protected]',
  SubjectType: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  Issuer: 'https://accounts.google.com/o/saml2?idpid=C02nef731',
  Audience: 'https://signin.aws.amazon.com/saml',
  NameQualifier: 'REDACTED'
}
i An error has ocurred while authenticating [Error: EINVAL: invalid argument, mkdir 'C:\C:'] {
  errno: -4071,
  code: 'EINVAL',
  syscall: 'mkdir',
  path: 'C:\\C:'
}
× An unknown error has ocurred with message "EINVAL: invalid argument, mkdir 'C:\C:'". Please try again with --verbose
i Request to "https://signin.aws.amazon.com/saml" has been aborted
i Browser closed outside running context, exiting
i Headful instance has exited with code 0

Add Okta identity support

Hi @ruimarinho, my company is using Okta integrated with our Google services. This causes gsts to invalidate requests made to Okta resources and the authentication process gets stuck. As a quick workaround, I added the "okta" substring into the allowed identity resources and it worked well.

gsts/index.js

Lines 313 to 317 in d3741f4

    if (/google|gstatic|youtube|googleusercontent|googleapis|gvt1/.test(route.request().url())) {
      logger.debug(`Allowing request to "${route.request().url()}"`);
      route.continue();
      return;
    }

Do you think this would be the proper solution?

role-arn argument is not respected when existing session exists

When I want to change who I am, gsts is very keen to tell me that there's an existing session:

; gsts --aws-role-arn arn:aws:sts::426442959523:role/...
Skipping re-authorization as session is valid until Sat Apr 25 2020 04:54:45 GMT+1000 (Australian Eastern Standard Time). Use --force to ignore.

It would be nice if --force wasn't required in this situation (i.e. that it recognised that this wasn't the current role).

Failed to launch chromium because executable doesn't exist

browserType.launchPersistentContext: Failed to launch chromium because executable doesn't exist at /Users/XXXX/Library/Caches/ms-playwright/chromium-844399/chrome-mac/Chromium.app/Contents/MacOS/Chromium
Try re-installing playwright with "npm install playwright"
Note: use DEBUG=pw:api environment variable and rerun to capture Playwright logs.
    at Connection.sendMessageToServer (/usr/local/lib/node_modules/gsts/node_modules/playwright/lib/client/connection.js:69:15)
    at Proxy.<anonymous> (/usr/local/lib/node_modules/gsts/node_modules/playwright/lib/client/channelOwner.js:44:61)
    at /usr/local/lib/node_modules/gsts/node_modules/playwright/lib/client/browserType.js:82:48
    at async BrowserType._wrapApiCall (/usr/local/lib/node_modules/gsts/node_modules/playwright/lib/client/channelOwner.js:72:28)

related: microsoft/playwright#4033

Mac Install (Brew?)

I'm keen to make more use of this tool in my team (users of aws-google-auth just now).
The install process however requires npm or yarn which isn't part of the majority of our setups.

Is there a possibility we could make use of something like brew to make installing this easier or would you still need the node env installing on the mac?

Expecting value: line 1 column 1 (char 0)

I am trying to install this tool using the credential_process. I have all the values as per the docs. When I run a test command such as aws sts get-caller-identity or aws ec2 describe-instances, I get the following output: Expecting value: line 1 column 1 (char 0). I must be missing something.

I am a Linux user if it helps.

Plist file generated from --daemon command has invalid option

The plist file generated from the --daemon flag has this option:

      <string>--engine-executable-path=null</string>

This is even the case when --engine-executable-path isn't used.

Which is causing puppeteer to error because it can't find browser null:

TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/master/docs/troubleshooting.md

    at onClose (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:750:14)
    at ChildProcess.<anonymous> (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:741:65)
    at ChildProcess.emit (events.js:315:20)
    at ChildProcess.EventEmitter.emit (domain.js:485:12)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:274:12)
    at onErrorNT (internal/child_process.js:468:16)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)
Error: Failed to launch the browser process! spawn null ENOENT

Fixable on my end by just removing that configuration option from the file.
Ran into this issue in 3.0.2, but it might have happened in earlier versions.

Error: Cannot find module 'agent-base'

I'm trying to set up gsts on a new machine. I have the exact same aws config and gsts install (v4.0.1 from the AUR on Archlinux), but on the new machine I get the following error:

Error when retrieving credentials from custom-process: node:internal/modules/cjs/loader:942
  throw err;
  ^

Error: Cannot find module 'agent-base'
Require stack:
- /usr/lib/node_modules/gsts/node_modules/https-proxy-agent/dist/agent.js
- /usr/lib/node_modules/gsts/node_modules/https-proxy-agent/dist/index.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/lib/common/netUtils.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/lib/server/registry/index.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/lib/server/index.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/lib/inProcessFactory.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/lib/inprocess.js
- /usr/lib/node_modules/gsts/node_modules/playwright-core/index.js
- /usr/lib/node_modules/gsts/node_modules/playwright/index.js
- /usr/lib/node_modules/gsts/index.js
    at Module._resolveFilename (node:internal/modules/cjs/loader:939:15)
    at Module._load (node:internal/modules/cjs/loader:780:27)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:102:18)
    at Object.<anonymous> (/usr/lib/node_modules/gsts/node_modules/https-proxy-agent/dist/agent.js:20:22)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Module._load (node:internal/modules/cjs/loader:827:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/usr/lib/node_modules/gsts/node_modules/https-proxy-agent/dist/agent.js',
    '/usr/lib/node_modules/gsts/node_modules/https-proxy-agent/dist/index.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/lib/common/netUtils.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/lib/server/registry/index.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/lib/server/index.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/lib/inProcessFactory.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/lib/inprocess.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright-core/index.js',
    '/usr/lib/node_modules/gsts/node_modules/playwright/index.js',
    '/usr/lib/node_modules/gsts/index.js'
  ]
}

Node.js v18.1.0

Error `Cannot find module ./credentials-manager`

I used yarn to install gsts.
However, I get this error:

[root@mbp]# gsts
internal/modules/cjs/loader.js:638
    throw err;
    ^

Error: Cannot find module './credentials-manager'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
    at Function.Module._load (internal/modules/cjs/loader.js:562:25)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at Object.<anonymous> (/usr/sbin/gsts:7:28)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)

[root@mbp]#

FYI: Workaround for AWS Cli V2

Just an FYI in case others run into the same issue. I was running into an issue with the V2 AWS CLI, which I was able to resolve by unsetting LD_LIBRARY_PATH in credential_process.

Workaround

[profile default]
region = us-east-1
credential_process = bash -c "unset LD_LIBRARY_PATH; gsts --aws-role-arn arn:aws:iam::1234:role/Admin --sp-id 1234 --idp-id AB12 --username [email protected] --aws-profile default --json"

Error

Error when retrieving credentials from custom-process: Error: Failed to launch the browser process!
/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/linux-722234/chrome-linux/chrome: /usr/local/aws-cli/v2/2.0.34/dist/libz.so.1: no version information available (required by /lib/x86_64-linux-gnu/libcups.so.2)
/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/linux-722234/chrome-linux/chrome: /usr/local/aws-cli/v2/2.0.34/dist/libz.so.1: no version information available (required by /lib/x86_64-linux-gnu/libgio-2.0.so.0)
/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/linux-722234/chrome-linux/chrome: /usr/local/aws-cli/v2/2.0.34/dist/libz.so.1: no version information available (required by /lib/x86_64-linux-gnu/libpng16.so.16)
/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/linux-722234/chrome-linux/chrome: /usr/local/aws-cli/v2/2.0.34/dist/libz.so.1: no version information available (required by /lib/x86_64-linux-gnu/libpng16.so.16)
/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/.local-chromium/linux-722234/chrome-linux/chrome: symbol lookup error: /lib/x86_64-linux-gnu/libpng16.so.16: undefined symbol: inflateReset2, version ZLIB_1.2.3.4


TROUBLESHOOTING: https://github.com/puppeteer/puppeteer/blob/master/docs/troubleshooting.md

    at onClose (/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:750:14)
    at Interface.<anonymous> (/home/nik/.nvm/versions/node/v14.4.0/lib/node_modules/gsts/node_modules/puppeteer/lib/Launcher.js:739:50)
    at Interface.emit (events.js:327:22)
    at Interface.EventEmitter.emit (domain.js:485:12)
    at Interface.close (readline.js:424:8)
    at Socket.onend (readline.js:202:10)
    at Socket.emit (events.js:327:22)
    at Socket.EventEmitter.emit (domain.js:485:12)
    at endReadableNT (_stream_readable.js:1224:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)

multiple daemon entries

As a workaround for this issue (#60), we are exploring the use of gsts --daemon:

gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test_a --aws-role-arn=arn:aws:iam::12345:role/${ROLE} --force --daemon
gsts --idp-id=REDACTED --sp-id=REDACTED --aws-profile=test_b --aws-role-arn=arn:aws:iam::98765:role/${ROLE} --force --daemon

We have two different AWS accounts, and two different roles. However, running this command only resulted in one io.github.ruimarinho.gsts.plist file being generated, with only the test_b profile. I believe it overwrites the test_a one. Is it possible to have two daemons? One for each profile?

$ cat /Users/donovanhernandez/Library/LaunchAgents/io.github.ruimarinho.gsts.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>io.github.ruimarinho.gsts</string>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string>/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>600</integer>
    <key>StandardErrorPath</key>
    <string>/usr/local/var/log/gsts.stdout.log</string>
    <key>StandardOutPath</key>
    <string>/usr/local/var/log/gsts.stderr.log</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/bin/gsts</string>
      <string>--aws-profile=test_b</string>
      <string>--aws-role-arn=arn:aws:iam::98765:role/REDACTED</string>
      <string>--aws-shared-credentials-file=/Users/donovanhernandez/.aws/credentials</string>
      <string>--force</string>
      <string>--idp-id=REDACTED</string>
      <string>--engine=chromium</string>
      <string>--sp-id=REDACTED</string>
    </array>
  </dict>
</plist>⏎

Tmux captures input for Headful Browser

When launching the headful browser from a tmux session, tmux captures keyboard input, so you can't type into any fields in the browser window, which makes it hard to enter a password. (I was able to successfully submit the password form when running the exact same command outside of tmux, so I figure that's to blame.)

Not sure if there's anything to be tweaked within gsts to fix this or not.

Allow for usage of aws config file for google config like aws-google-auth does

Using the aws config file for the google config helps with managing many profiles that assume a different role each.

Rather than having to remember the role arns for different profiles and pass them to the gsts command it would be handy for gsts to look in the aws config based on the aws-profile that I pass it.

See below an example of a config item used for aws-google-auth, along with a link to the part of the code where the file is read and the config is set.

[profile {profile_name}]
region = {region}
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 3600
google_config.google_idp_id = {idp_id}
google_config.google_sp_id = {sp_id}
google_config.u2f_disabled = False
google_config.google_username = {user_name}
google_config.bg_response = None
google_config.role_arn = arn:aws:iam::{account_id}:role/{role_name}

https://github.com/cevoaustralia/aws-google-auth/blob/19a48a54fa69e5874764b9764da3f6bac6312777/aws_google_auth/configuration.py#L163

Security key not detected

For some reason, when chromium is executed by puppeteer, my security key's light never comes on, and tapping it has no effect. I had to use backup codes to log in with gsts.

This is on Ubuntu Linux, gsts version 2.1.0

UnhandledPromiseRejectionWarning Error

Ran into this error:

(node:88139) UnhandledPromiseRejectionWarning: Error
    at Parser.parseSamlResponse (/usr/local/lib/node_modules/gsts/parser.js:36:13)
    at CredentialsManager.assumeRoleWithSAML (/usr/local/lib/node_modules/gsts/credentials-manager.js:30:89)
    at Page.<anonymous> (/usr/local/lib/node_modules/gsts/index.js:184:34)
    at Page.emit (events.js:315:20)
    at Page.EventEmitter.emit (domain.js:485:12)
    at NetworkManager.<anonymous> (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/Page.js:110:68)
    at NetworkManager.emit (events.js:315:20)
    at NetworkManager.EventEmitter.emit (domain.js:485:12)
    at NetworkManager._onRequest (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/NetworkManager.js:234:10)
    at NetworkManager._onRequestPaused (/usr/local/lib/node_modules/gsts/node_modules/puppeteer/lib/NetworkManager.js:210:12)
(node:88139) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:88139) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

At the same time, Chromium shows this page:


It's stuck in this status, even if I use Ctrl+C to kill the process, and run another gsts command with the --clean flag.

I'm using a newly installed v2.2.0

Please let me know if you need more information to troubleshoot. Thanks!

Remove profile prefix when saving the aws config

I see that the profile is saved as [profile sts] instead of just [sts].

This causes the following error to be thrown during compilation:

Your profile name includes a 'profile ' prefix. This is considered part of the profile name in the Java SDK, so you will need to include this prefix in your profile name when you reference this profile from your Java code.

If I remove the profile prefix manually, this error is gone. Is this something we can fix here or the issue should go someplace else?

aws issue link: aws/aws-sdk-java#1707

Thanks!
