Comments (10)

saada commented on June 4, 2024 1

🎉 it worked! Listing the available roles showed me that my arn was not written properly. Thank you so much!

from gsts.

limewxr commented on June 4, 2024 1

@ruimarinho thank you! it's working great!


ruimarinho commented on June 4, 2024

Hi @limewxr!

Can you add a logging line on https://github.com/ruimarinho/gsts/blob/master/parser.js#L29:

console.log(require('util').inspect(saml.parsedSaml, { depth: null }));

And remove any sensitive information? The role attribute is not being found so there's probably something new coming from the XML response.

The message "This site can't be reached" is expected and ultimately should be a successful message. I'm not loading that page to conserve bandwidth, but it means your login worked.


limewxr commented on June 4, 2024

Thanks @ruimarinho for your prompt reply!

Here's the log (sensitive information masked):

{
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [ '[email protected]' ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx',
        'arn:aws:iam::xxxxxxxxxx:role/xxxxxxxxxx,arn:aws:iam::xxxxxxxxxx:saml-provider/xxxxxxxxxx'
      ]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
      value: [ '43200' ]
    }
  ]
}


limewxr commented on June 4, 2024

OK, I think I know why this happens and how to reproduce:

This happens when I try to assume an IAM role that's not granted to me, i.e. not in the Role list.

So, the question becomes if we can handle this error in a more elegant way, e.g. tell the user that the username and password are valid, but the role specified by the user does not exist or is not granted to the user?

Appreciate your thoughts on this, thanks!


limewxr commented on June 4, 2024

By the way, an issue with the aws-google-auth project is that its "Invalid username or password" error message is misleading.

It took our users a long time to retry the correct password quite a few times and on different computers, when the actual error was not a username or password issue at all, but the JavaScript requirement that Google is rolling out.

So I really would appreciate it if you can help make sure that gsts gives the accurate error message to users to avoid unnecessary frustration. Thanks!


saada commented on June 4, 2024

I'm running into this issue for a role that I have access to. It works fine from the console but not with gsts.


saada commented on June 4, 2024

If I omit the role arn flag, it works against one of the roles. But I can't figure out how to switch to other roles.


ruimarinho commented on June 4, 2024

@limewxr thank you for the sample response. I already had a test for multiple roles but the issue was in capturing the 'role not found' error. I took the opportunity to make the result more descriptive as per @saada's suggestion.

I have fixed one tiny bug related to the principal associated with the role ARN (not observed in your case) just in case you are assigned a profile with a different identity provider (unlikely).

@saada could you please open a new issue if it still persists after upgrading to 2.2.1? The Invalid username or password issue does not apply to gsts because the UI is used for authentication. There is no parsing or scraping done so you see what you get.

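The check discussed in this thread, as an added example that is not gsts's own code: it reads the Role attribute from an object shaped like the log above, pairs each role ARN with its SAML provider ARN regardless of order, and reports a requested role that was not granted as a distinct error listing the granted roles. The names `parseRoles`, `selectRole` and `RoleNotGrantedError` are hypothetical, and the sample ARNs are constructed.

```javascript
const ROLE_ATTRIBUTE = 'https://aws.amazon.com/SAML/Attributes/Role';

// Hypothetical error type (not from gsts) so callers can tell "login fine,
// role not granted" apart from an authentication failure.
class RoleNotGrantedError extends Error {
  constructor(requested, available) {
    super(`Login succeeded, but role "${requested}" is not in the SAML ` +
      `response. Roles granted: ${available.join(', ') || '(none)'}`);
    this.name = 'RoleNotGrantedError';
    this.available = available;
  }
}

// Turn the Role attribute values into { roleArn, principalArn } pairs.
// Each value holds two comma-separated ARNs; classify them by resource type
// rather than by position so either order is handled.
function parseRoles(parsedSaml) {
  const attr = (parsedSaml.attributes || []).find(a => a.name === ROLE_ATTRIBUTE);
  if (!attr) throw new Error(`SAML response has no ${ROLE_ATTRIBUTE} attribute`);
  return attr.value.map(pair => {
    const arns = pair.split(',').map(s => s.trim());
    const roleArn = arns.find(a => /^arn:aws[\w-]*:iam::\d{12}:role\//.test(a));
    const principalArn = arns.find(a => /^arn:aws[\w-]*:iam::\d{12}:saml-provider\//.test(a));
    if (arns.length !== 2 || !roleArn || !principalArn) {
      throw new Error(`Malformed role entry: ${pair}`);
    }
    return { roleArn, principalArn };
  });
}

// Exact match only: a role that is not in the assertion is never assumed.
function selectRole(parsedSaml, requestedArn) {
  const roles = parseRoles(parsedSaml);
  const match = roles.find(r => r.roleArn === requestedArn);
  if (!match) throw new RoleNotGrantedError(requestedArn, roles.map(r => r.roleArn));
  return match;
}

// Constructed sample in the shape of the log above (account ID and names are made up).
const sample = { attributes: [{ name: ROLE_ATTRIBUTE, value: [
  'arn:aws:iam::111111111111:role/dev,arn:aws:iam::111111111111:saml-provider/google',
  'arn:aws:iam::111111111111:saml-provider/google,arn:aws:iam::111111111111:role/audit',
] }] };
```

Listing the granted roles in the error also surfaces a mistyped ARN, since the requested value can be compared against the list directly.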

ruimarinho commented on June 4, 2024

@limewxr @saada in case you're interested, I've published a new version with a revamped UI as [email protected]. Would be great to have your feedback!
