This repository has been archived by the owner on May 18, 2021. It is now read-only.

Can't authenticate if App-level MFA is turned on #63

Closed
ostankin opened this issue Jul 23, 2018 · 8 comments

Comments

@ostankin

ostankin commented Jul 23, 2018

Summary

If the profile is connected to an Okta application that has Application Level MFA enabled, authentication fails.

OS: OS X 10.13.6
aws-okta version: aws-okta-v0.19.0-darwin-amd64 binary

Details

Prerequisites:

  • Two Okta applications: one regular, one with MFA turned on. Both applications are assigned to a user with ID john.doe@example.com, and both provide full read-only access to an AWS account with ID 1234567891011.
  • Two profiles in ~/.aws/config, one for each application:

[profile normal-app]
aws_saml_url = home/amazon_aws/XXXXXXXXXXX
role_arn = arn:aws:iam::1234567891011:role/

[profile app-with-mfa]
aws_saml_url = home/amazon_aws/YYYYYYYYYYYY
role_arn = arn:aws:iam::1234567891011:role/

Run results:

$ aws-okta -d exec normal-app -- aws ec2 describe-instances
DEBU[0000] Parsing config file /Users/john.doe/.aws/config
DEBU[0000] Using aws_saml_url from profile: normal-app
DEBU[0000] using okta provider
DEBU[0001] Failed to reuse session token, starting flow from start
DEBU[0001] Step: 1
DEBU[0001] Step: 2
DEBU[0001] Step: 3
DEBU[0004] Writing session for normal-app to keyring
DEBU[0004]  Using session HAAO, expires in 59m58.763470426s
...<successful command execution>

$ aws-okta -d exec app-with-mfa -- aws ec2 describe-instances
DEBU[0000] Parsing config file /Users/john.doe/.aws/config
DEBU[0000] Using aws_saml_url from profile: app-with-mfa
DEBU[0000] using okta provider
DEBU[0004] Failed to reuse session token, starting flow from start
DEBU[0004] Step: 1
DEBU[0005] Step: 2
DEBU[0005] Step: 3
Okta user john.doe@example.com does not have the AWS app added to their account.  Please contact your Okta admin to make sure things are configured properly.
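The SAML half of the flow this report exercises, as an added example (not aws-okta's own code): read the `aws_saml_url` / `role_arn` profiles from `~/.aws/config`, then inspect what the app embed link hands back. When the Okta session is allowed through to the app, the response is an auto-submitting form whose hidden `SAMLResponse` field carries the assertion, and the allowed roles come from its `https://aws.amazon.com/SAML/Attributes/Role` attribute; when the session is stopped short of the app, there is no `SAMLResponse` on the page at all, which is a different condition from "the configured role is not in the assertion". The config, the assertion and both pages below are constructed; the role name `ReadOnly` (the report truncates the ARN after `role/`) and the provider name `Okta` are assumptions.

```python
import base64
import configparser
import html
import re
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed copy of the two profiles from the report; "ReadOnly" is assumed.
SAMPLE_AWS_CONFIG = """
[profile normal-app]
aws_saml_url = home/amazon_aws/XXXXXXXXXXX
role_arn = arn:aws:iam::1234567891011:role/ReadOnly

[profile app-with-mfa]
aws_saml_url = home/amazon_aws/YYYYYYYYYYYY
role_arn = arn:aws:iam::1234567891011:role/ReadOnly
"""

# Constructed, unsigned SAML response; only the attribute layout matters here.
_SAMPLE_ASSERTION = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion><saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::1234567891011:saml-provider/Okta,arn:aws:iam::1234567891011:role/ReadOnly</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::1234567891011:saml-provider/Okta,arn:aws:iam::1234567891011:role/Admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>3600</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""

# What the embed link returns when the session reaches the app: a form that
# POSTs the assertion to AWS (constructed).
SAMPLE_SAML_PAGE = (
    '<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
    '<input type="hidden" name="SAMLResponse" value="'
    + base64.b64encode(_SAMPLE_ASSERTION.encode()).decode()
    + '"/></form></body></html>'
)

# Constructed stand-in for a page that stops the session before the app
# (an additional verification step, for instance); it carries no assertion.
SAMPLE_CHALLENGE_PAGE = "<html><body><h1>Additional verification required</h1></body></html>"


def load_saml_profiles(config_text):
    """{name: {"aws_saml_url", "role_arn"}} for every [profile ...] with aws_saml_url."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    profiles = {}
    for section in cp.sections():
        if section.startswith("profile ") and "aws_saml_url" in cp[section]:
            profiles[section[len("profile "):]] = {
                "aws_saml_url": cp[section]["aws_saml_url"],
                "role_arn": cp[section].get("role_arn"),
            }
    return profiles


_SAML_INPUT = re.compile(
    r'<input[^>]*\bname="SAMLResponse"[^>]*\bvalue="([^"]*)"', re.IGNORECASE)


def extract_saml_response(page_html):
    """Base64 SAMLResponse from the hidden form field, or None when absent."""
    m = _SAML_INPUT.search(page_html)
    return html.unescape(m.group(1)) if m else None


def roles_from_assertion(saml_b64):
    """(role_arn, provider_arn) pairs from the AWS Role attribute. Each value is
    'provider,role' or 'role,provider' depending on the IdP; both are accepted."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter(SAML_NS + "AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue
            role, provider = parts if ":role/" in parts[0] else parts[::-1]
            pairs.append((role, provider))
    return pairs


def embed_page_outcome(page_html, wanted_role_arn):
    """Classify the embed-link response before anything is sent to STS:
    ("ok", role, provider), ("no_assertion", None, None) when the page carried
    no SAMLResponse (the session never reached the app), or
    ("role_missing", None, None) when the assertion lacks the configured role."""
    saml_b64 = extract_saml_response(page_html)
    if saml_b64 is None:
        return ("no_assertion", None, None)
    for role, provider in roles_from_assertion(saml_b64):
        if role == wanted_role_arn:
            return ("ok", role, provider)
    return ("role_missing", None, None)


if __name__ == "__main__":
    for name, prof in load_saml_profiles(SAMPLE_AWS_CONFIG).items():
        page = SAMPLE_SAML_PAGE if name == "normal-app" else SAMPLE_CHALLENGE_PAGE
        print(name, prof["aws_saml_url"], embed_page_outcome(page, prof["role_arn"]))
```

Keeping the "no assertion on the page" outcome separate from "role not in assertion" is the point: a single "user does not have the AWS app added" message for both hides which step actually stopped the session.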
@ewanlyall

We are just starting to trial Okta with AWS and hit this issue today too. We use Okta for a bunch of apps and don't want to enable MFA globally, rather on a per-app basis.

I have tested that aws-okta works if we enforce MFA globally for all apps and it works nicely with Google Authenticator, Okta Verify etc.

However, if we enforce MFA only on the AWS Application itself, aws-okta fails with the same error as @ostankin describes.

deiwin added a commit to salemove/aws-okta that referenced this issue Sep 17, 2018
Okta APIs don't support app-level MFA. Even the [documentation for their own
AWS CLI tool][1] says:

> Note: At this time, per-app MFA is not supported in this integration. Only
organization-level MFA is supported.

This provides an alternative to the SAML client, that works better with MFA
being enabled only for a specific Okta application. With SAML it's difficult to
get the control back to the CLI program once the user has finished
authentication. With OIDC it's easier and we can then force the OS to focus the
window from which the CLI program is run, creating a reasonably smooth flow.
It's not ideal - not as good as being able to input the MFA information through
the CLI, but the best I could come up with given the APIs.

Setup instructions are included in the readme.

Fixes segmentio#63

[1]: https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta#Execution1
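The OIDC route the commit message describes, as an added example rather than the salemove/aws-okta change itself (whose setup is in that fork's readme): a public CLI client starts the authorization-code flow with PKCE, sends the browser to the authorize endpoint, and gets control back when the browser is redirected to a loopback listener the CLI opened beforehand. The issuer, client id and redirect port are assumed values; the code shows the request construction and the callback validation (the `state` check is what keeps a code from a different session from being injected into this one), not the listener or the token exchange.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values; your Okta org issuer and client id will differ.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLEclientid"
# Loopback redirect: the CLI listens here before it launches the browser, so
# the authorization code lands back in the CLI process.
REDIRECT_URI = "http://127.0.0.1:8080/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character high-entropy verifier (32 random bytes, base64url)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(sha256(ascii(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorization request for a public (native/CLI) client. Only the
    challenge goes in the URL; the verifier stays in this process until the
    token exchange."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return ISSUER + "/v1/authorize?" + urlencode(params)


def callback_outcome(request_target: str, expected_state: str):
    """Validate the request the browser makes to the loopback listener.
    Returns ("ok", code) or ("error", reason)."""
    q = parse_qs(urlparse(request_target).query)
    if "error" in q:
        return ("error", q["error"][0])
    state = q.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state is rejected outright.
    if not state or not secrets.compare_digest(state, expected_state):
        return ("error", "state mismatch")
    code = q.get("code", [""])[0]
    if not code:
        return ("error", "no authorization code")
    return ("ok", code)


if __name__ == "__main__":
    verifier, state = make_code_verifier(), b64url(secrets.token_bytes(16))
    print("open in browser:", build_authorize_url(verifier, state))
    # Constructed callback the listener would receive after the user finishes
    # whatever the app's sign-on policy asks for (MFA included).
    print(callback_outcome("/callback?code=abc123&state=" + state, state))
```

After a successful callback the CLI POSTs `code` and the stored `code_verifier` to the issuer's `/v1/token` endpoint; the ID token and access token come back to the process that started the flow, which is the "control back to the CLI program" the commit message refers to.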
@deiwin

deiwin commented Sep 18, 2018

I proposed a solution in #83. If anybody wants to try it out before it's merged, then I've released a macOS binary that supports app-level MFA if you follow these instructions.

deiwin added a commit to salemove/aws-okta that referenced this issue Mar 4, 2019
@stale

stale bot commented May 6, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label May 6, 2019
@stale stale bot closed this as completed May 13, 2019
@nickatsegment nickatsegment added stale and removed stale labels May 17, 2019
@dsundstrom

Sad to see this one die on the vine. We were going to switch all our AWS access from local IAM access and assuming roles with MFA to this. The lack of support for application MFA has blocked us.

@nickatsegment
Contributor

> Sad to see this one die on the vine. We were going to switch all our AWS access from local IAM access and assuming roles with MFA to this. The lack of support for application MFA has blocked us.

#83 was pretty close to being accepted and merged. If you wanna take some time to spruce it up, we can get it in. Also, I'd love to have a non-Segment volunteer to maintain it, since we wouldn't be using it ourselves, and it's a substantial chunk of code.

@dsundstrom

Fair enough. The Python solution from https://github.com/Nike-Inc/gimme-aws-creds works with app-level MFA and SAML, so it'd be worth seeing if there could be a solution there. Switching away from SAML isn't something we can take on right now.

@ramamoob

Any chance for supporting app level MFA. This feature will certainly be very useful.

@nickatsegment
Contributor

@ramamoob #63 (comment)

6 participants