
KrzysztofS.97629 (Customer) asked a question.
Last night you changed something in SAML without any notice and our integration with AWS broke.
Web version works, but our CLI configuration with gimme-aws-creds stopped working.
Stacktrace:
Using password from keyring for my.mail@example.com
Multi-factor Authentication required.
webauthn: webauthn selected
Challenge with security keys ...
Please enter PIN:
Touch your authenticator device now...
Traceback (most recent call last):
  File "/usr/local/bin/gimme-aws-creds", line 17, in <module>
    GimmeAWSCreds().run()
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 468, in run
    self._run()
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 795, in _run
    for data in self.iter_selected_aws_credentials():
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 771, in iter_selected_aws_credentials
    for role in self.aws_selected_roles:
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 671, in aws_selected_roles
    selected_roles = self._get_selected_roles(self.requested_roles, self.aws_roles)
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 662, in aws_roles
    self.saml_data['SAMLResponse'],
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 653, in saml_data
    self._cache['saml_data'] = saml_data = self.okta.get_saml_response(self.aws_app['links']['appLink'])
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 646, in aws_app
    self._cache['aws_app'] = aws_app = self._get_selected_app(self.conf_dict.get('aws_appname'), self.aws_results)
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 599, in aws_results
    self.auth_session
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/main.py", line 581, in auth_session
    auth_result = self.okta.auth_session()
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/gimme_aws_creds/okta.py", line 181, in auth_session
    "session": response.cookies['sid'],
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/requests/cookies.py", line 328, in __getitem__
    return self._find_no_duplicates(name)
  File "/Users/myhost/Library/Python/3.7/lib/python/site-packages/requests/cookies.py", line 399, in _find_no_duplicates
    raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='sid', domain=None, path=None"

Also, it affects anybody using Okta as AWS SSO, not only our company. Many people are complaining.
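The trace above ends in `okta.py` indexing the response cookie jar with `response.cookies['sid']`; when the IdP stops sending that cookie, `requests` raises a bare `KeyError` and the tool dies without saying which cookies it did receive. The block below is an added illustration of the defensive lookup a client can do instead: parse the Set-Cookie headers, look the session cookie up by name, and on a miss raise an error that names the cookies received (never their values, so the message is safe to paste into a bug report). It is not gimme-aws-creds code and not the workaround that was merged; the cookie names and values in `HEADERS_WITH_SID` / `HEADERS_WITHOUT_SID` are constructed samples, and only the standard library is used.

```python
"""Defensive session-cookie extraction (added illustration, not gimme-aws-creds code)."""
from http.cookies import SimpleCookie


class MissingSessionCookie(Exception):
    """Raised when the IdP response does not carry the expected session cookie."""


def parse_set_cookie_headers(headers):
    """Return {name: value} for a list of Set-Cookie header values.

    Each header is parsed on its own: SimpleCookie does not reliably split
    several cookies joined by commas inside one string.
    """
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for morsel in cookie.values():
            jar[morsel.key] = morsel.value
    return jar


def extract_session(headers, name="sid"):
    """Return the session cookie value, or raise with a diagnostic.

    The diagnostic lists only the cookie *names* received, never their
    values, so it can go into a stack trace or a support ticket without
    leaking a live session.
    """
    jar = parse_set_cookie_headers(headers)
    value = jar.get(name)
    if value is None:
        raise MissingSessionCookie(
            f"expected cookie {name!r} not in response; "
            f"received cookies: {sorted(jar) or 'none'}"
        )
    return value


def build_session(headers):
    """Same shape as the dict the trace was building, but fails informatively."""
    return {"session": extract_session(headers)}


# Constructed sample headers (values are made up). The first set resembles a
# response that still carries `sid`; the second resembles one that does not,
# which is the situation the trace above shows.
HEADERS_WITH_SID = [
    "sid=102abcDEF; Path=/; Secure; HttpOnly",
    "JSESSIONID=9F2E; Path=/; Secure; HttpOnly",
]
HEADERS_WITHOUT_SID = [
    "JSESSIONID=9F2E; Path=/; Secure; HttpOnly",
    "DT=DI0abc; Path=/; Secure",
]


if __name__ == "__main__":
    print(build_session(HEADERS_WITH_SID))
    try:
        build_session(HEADERS_WITHOUT_SID)
    except MissingSessionCookie as exc:
        print("refusing to continue:", exc)
```

With the second header set the program prints the cookie names it actually got instead of the opaque `KeyError: "name='sid', domain=None, path=None"`, which is what a user needs to tell whether the IdP changed the cookie name, the domain, or dropped it altogether.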
Same problem... Suddenly, all previously working tools leveraging the gimme-aws-creds library stopped working with the same error.
Fortunately Nike merged my pull request for a workaround, and the new version of gimme-aws-creds was working properly after a few hours.
But still, a breaking change in the SAML integration (wrong cookie) was introduced without any warning, affecting all users of AWS with Okta.
And after a week, still no acknowledgment from the Okta side...
Thanks for that information and your workaround Krzysiek!