CredentialProcess is unusable #232
Comments
Working my way back, your second case is likely the result of a valid session already underway. When I started playing with this tool several weeks ago, its behavior (using a function named
I appreciate the analysis you've done on this. I suspected it was attempting to reuse sessions. You are correct that it can't do that. It needs to unconditionally invoke STS:AssumeRoleWithSAMLResponse every time it is called similar to OKTA_ENV_MODE. It is up to the caller (AWS CLI or boto3 mostly) to manage expiry.

I wrote CredentialProcess. I opened this issue to publicly acknowledge that the feature is broken. This makes that fact more easily discoverable and takes the burden of proof off potentially frustrated users.

I changed the installer from shadowing aws to creating a distinct shell function called okta-aws after realizing the problems and confusion it was causing. Heavy-handed is a fair assessment of the previous approach 🙂

I regularly use PowerShell on macOS and Windows 10. It's amazingly handy for SAML troubleshooting thanks to the property-based access to XML documents. I use fish on macOS day to day with this tool as it is what my colleagues primarily use. I test on Bash, fish, and PowerShell.
- Prevent session reuse from CredentialProcess
- Introduce okta-credential-process command
- Provide manpage-like docs

Future work: use [ronn](https://github.com/rtomayko/ronn) to make real man pages at build time

Resolves oktadev#232
Describe the bug
CredentialProcess no longer works. It's not clear why.
To Reproduce
Steps to reproduce the behavior:
aws sts get-caller-identity
Case 2: running CredentialProcess directly:
java -cp /Users/username/.okta/okta-aws-cli.jar com.okta.tools.CredentialProcess
Expected behavior
I expect the aws cli to return information about my session.
I expect CredentialProcess to return usable credentials, not nulls.
Screenshots
N/A
Additional context
macOS Mojave 10.14
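An added example, not code from this project or from anyone in the thread: a checker for the JSON document that the AWS CLI's `credential_process` setting expects a helper to print on stdout, flagging null fields like those reported above and an `Expiration` that has already lapsed. The function name and both sample documents are constructed for illustration, and the exact shape of the null output is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed samples; the key material below is placeholder text, not real credentials.
NULLS = '{"Version": 1, "AccessKeyId": null, "SecretAccessKey": null, "SessionToken": null}'
GOOD = ('{"Version": 1, "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret", '
        '"SessionToken": "example-token", "Expiration": "2030-01-01T00:00:00Z"}')

def check_credential_process_output(raw, now=None, min_remaining=timedelta(minutes=1)):
    """Return a list of problems in a credential_process JSON document (empty list = usable)."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    version = doc.get("Version")
    if isinstance(version, bool) or version != 1:
        problems.append("Version must be the integer 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        value = doc.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is missing, null or empty")
    # SessionToken may be omitted for long-lived keys, but a null one is never usable.
    if "SessionToken" in doc and not (isinstance(doc["SessionToken"], str) and doc["SessionToken"]):
        problems.append("SessionToken is present but null or empty")
    expiration = doc.get("Expiration")
    if expiration is not None:
        try:
            expires = datetime.fromisoformat(str(expiration).replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expiration is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("Expiration has no timezone offset")
            elif expires - now < min_remaining:
                problems.append("Expiration has passed or is about to (stale session?)")
    return problems

if __name__ == "__main__":
    for name, raw in (("nulls", NULLS), ("good", GOOD)):
        print(name, check_credential_process_output(raw) or "OK")
```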