CredentialProcess is unusable #232

Closed
AlainODea opened this issue Oct 19, 2018 · 2 comments
Describe the bug
CredentialProcess no longer works. It's not clear why.

To Reproduce
Steps to reproduce the behavior:

  1. Set up default profile to use credential_process as follows:
    [default]
    credential_process = java -cp /Users/username/.okta/okta-aws-cli.jar com.okta.tools.CredentialProcess
  2. Run aws sts get-caller-identity
  3. Provide Okta credentials when prompted
  4. See error:
    can only concatenate str (not "NoneType") to str
    

Case 2: running CredentialProcess directly:

  1. Run java -cp /Users/username/.okta/okta-aws-cli.jar com.okta.tools.CredentialProcess
  2. See incorrect output:
    {"Version":1,"AccessKeyId":null,"SecretAccessKey":null,"SessionToken":null,"Expiration":"2018-10-19T13:38:39.458283Z"}

Expected behavior
I expect the aws cli to return information about my session.
I expect CredentialProcess to return usable credentials, not nulls.

Screenshots
N/A

Additional context
macOS Mojave 10.14

java -version
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment AdoptOpenJDK (build 11+28)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11+28, mixed mode)
scojoio commented Oct 30, 2018

Working my way back, your second case is likely the result of a valid session already underway. When I started playing with this tool several weeks ago, its behavior (using a function named aws to wrap the aws-cli) was a bit heavy-handed for my taste. My organization has been using awsprocesscreds for a while now, but it doesn't support kubectl & aws-iam-authenticator out of the box or MFA at all, which is why I was so pleased to see the latest version addressed all of my concerns thus far. It appears that CredentialProcess is now called from OktaAwsCliAssumeRole by way of WithOkta and somewhere along the way it (I assume) only requests a new token after the current session has expired. So now it returns null values until the session expires (try replacing 2018 with 2017 in ~/.okta/.current-session - or remove the file entirely - and you'll see that it provides your expected output). This causes credential_process to fail when python tries to convert null into a string.

okta-aws is a much better function name that calls WithOkta and you can use it now instead of going directly to CredentialProcess. Fortunately, Okta left that avenue open as it has allowed me to implement this tool for AWSPowerShell.NetCore without too much trouble. Long story short, backup your config.properties, delete your ~/.okta directory, and run the install scripts again. If you're still using bash, consider this an opportunity to step into a modern, object-oriented, shell and install PowerShell Core whether you plan on using the PSModule or the aws-cli. It's open-source and cross-platform so you needn't worry about getting any dirty Windows on your lovely OS X.

@AlainODea AlainODea self-assigned this Oct 30, 2018
AlainODea (collaborator, issue author) commented:

I appreciate the analysis you've done on this. I suspected it was attempting to reuse sessions. You are correct that it can't do that. It needs to unconditionally invoke STS:AssumeRoleWithSAMLResponse every time it is called similar to OKTA_ENV_MODE. It is up to the caller (AWS CLI or boto3 mostly) to manage expiry.

I wrote CredentialProcess. I opened this issue to publicly acknowledge that the feature is broken. This makes that fact more easily discoverable and takes the burden of proof off potentially frustrated users.

I changed the installer from shadowing aws to creating a distinct shell function called okta-aws after realizing the problems and confusion it was causing. Heavy-handed is a fair assessment of the previous approach 🙂

I regularly use PowerShell on macOS and Windows 10. It's amazingly handy for SAML troubleshooting thanks to the property-based access to XML documents. I use fish on macOS day to day with this tool as it is what my colleagues primarily use. I test on Bash, fish, and PowerShell.

AlainODea added a commit to AlainODea/okta-aws-cli-assume-role that referenced this issue Oct 30, 2018
 - Prevent session reuse from CredentialProcess

 - Introduce okta-credential-process command

 - Provide manpage-like docs

Future work: use [ronn](https://github.com/rtomayko/ronn) to make real
man pages at build time

Resolves oktadev#232
AlainODea added a commit to AlainODea/okta-aws-cli-assume-role that referenced this issue Nov 2, 2018