Expected Behavior

Ideally, onelogin-aws-cli should detect from the the Destination attibute in the SAML response that the request is for China, the response contains:
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="Rce100dcf22acc5c3a0610870db3956f59bc27d57" Version="2.0" IssueInstant="2018-07-10T14:59:14Z" Destination="https://signin.amazonaws.cn/saml">

Current Behavior

The following error is printed:
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: d01a459a-8451-11e8-aa5b-xx)

Possible Solution

As a workaround, one can export of prefix execution with
AWS_DEFAULT_REGION=cn-north-1

Steps to Reproduce

Set-up a Chinese AWS account in OneLogin and try getting credentials with onelogin-aws-cli

Starting v0.1.10, running onelogin-aws-login with the legacy config(not [defaults] but [default] section exists) just fails like this:

$ onelogin-aws-login
Traceback (most recent call last):
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/bin/onelogin-aws-login", line 11, in <module>
    load_entry_point('onelogin-aws-cli==0.1.10', 'console_scripts', 'onelogin-aws-login')()
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/cli.py", line 43, in login
    config_section, args = _load_config(parser, cfg, args)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/cli.py", line 22, in _load_config
    config_section = config_file.section(cli_args.config_name)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/configuration.py", line 72, in section
    self.add_section(section_name)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/configparser.py", line 1199, in add_section
    self._validate_value_types(section=section)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/configparser.py", line 1172, in _validate_value_types
    raise TypeError("section names must be strings")
TypeError: section names must be strings

A work-around is to specify -C default so that the full command looks like:

onelogin-aws-login -C default

Is this an expected behavior? Would you mind if I brought back the default config name selection of default?

BTW, if you haven't specified -d $duration_seconds, you encounter #83. But that's another story.

Similarly to #62, I have 10 or so assumed roles per AWS app, and I'm prompted to choose one of them each time I try to login.

This turned out to be a slight issue when I tried to instruct my colleagues to move from never-expiring AWS key id/secret key pair + MFA to OneLogin for SSO.

If you think this is valid, I'd like to suggest adding a role_arn option to the config file so that one can preselect it in the defaults and/or per specific config profile.

[defaults]
base_uri = https://api.us.onelogin.com/
subdomain = mycompany
username = [email protected]
save_password = yes
client_id = f99ee51f00400649280db1028ffa3ca9b21b680f2189b238d342cc8158c401c7
client_secret = a85234b6db01a29a493e2422d7930dffe6f4d3a826270a18838574f6b8ef7c3e

[testing]
aws_app_id = 555029
role_arn = <arn of the role i want to assume>

Problem:
When using AWS SAML federation, there is a maximum of 1 hour of the lifetime of the AWS STS credentials. This is not a problem if the application can automatically renew the AWS STS credentials through the SAML assertion without human intervention. When using the official onelogin python client as in #33 the user should not be prompted for a new MFA challenge, until the OneLogin refresh token expires (which is 10 hours).

NOTE: Although the authentication to AWS is done through SAML, the authentication to OneLogin is handled by OAuth, so the refresh tokens are used by the OneLogin python client by default which gives us a 10 hour lifetime without mfa. See:

• https://github.com/onelogin/onelogin-python-sdk/blob/master/src/onelogin/api/client.py?utf8=%E2%9C%93#L1435
• https://github.com/onelogin/onelogin-python-sdk/blob/master/src/onelogin/api/client.py?utf8=%E2%9C%93#L163
• https://github.com/onelogin/onelogin-python-sdk/blob/master/src/onelogin/api/client.py?utf8=%E2%9C%93#L200

To ensure credentials are continually re-generated, the onelogin-aws-login client must be run in a runtime with the --durationSeconds flag enabled. This requires a user to keep the process open and running in a terminal, which is fragile as the user may accidentally close the tab or application.

Proposed Solution:

1. Create a new bin/ scripts onelogin-aws-daemon, which will run in daemon mode, handle the hourly AWS SAML/STS role assumption and expose a socket with two features:

• report on the current validity of the AWS tokens
• act as a listener to the subsequent onelogin-aws-login command to allow the user to re-enter their MFA OTP.

2. Modify the existing onelogin-aws-login to discover the running daemon and change into client mode to forward MFA OTP details onto the onelogin-aws-daemon when the AWS STS session has expired.
3. Create daemon configurations for:

• a systemd service file (centos>=7,debian>=8)
• a launchd plist (macos)

4. Move the existing configuration to ~/.onelogin-aws/credentials which will contain the existing contents of ~/.onelogin-aws.config
5. Create a new file ~/.onelogin-aws/config which will hold user-specific configurations such as username, flags to specify whether or not to save the username/password, and the daemon port.
6. Allow the user to save their username to a config file
7. Allow the user to save their password to a system keychain using a library such as https://github.com/jaraco/keyring
8. Maintain all existing functionality. Eg, allow the user to run onelogin-aws-login with --renewSeconds in a tty session.

The main benefit here is the reduced overhead on the engineer/data scientist/tech to ensure their AWS creds are always valid and that they are not responsible for the persistent running of the process, and this can be delegated to systemd, launchd, upstart, sysvinit, etc.

@slycoder @cameronmarlow thoughts?

The latest release of onelogin-aws-cli fails without -d $duration_seconds, emitting an error like this:

$ onelogin-aws-login -C default
Google Authenticator Token: *snip*
*snip*
Role Number: 2
Traceback (most recent call last):
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/bin/onelogin-aws-login", line 11, in <module>
    load_entry_point('onelogin-aws-cli==0.1.10', 'console_scripts', 'onelogin-aws-login')()
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/cli.py", line 55, in login
    api.save_credentials()
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/__init__.py", line 131, in save_credentials
    self.assume_role()
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/onelogin_aws_cli/__init__.py", line 122, in assume_role
    DurationSeconds=self.duration_seconds
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 586, in _make_api_call
    api_params, operation_model, context=request_context)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 621, in _convert_to_request_dict
    api_params, operation_model)
  File "/Users/kuoka-yusuke/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/validate.py", line 291, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid type for parameter DurationSeconds, value: None, type: <class 'NoneType'>, valid types: <class 'int'>

This obviously work:

$ onelogin-aws-login -C default -d 3600

But it took some time until I finally notice that it is now an implicitly required flag 😃
Is it an expected behavior? Would you mind if I brought back the default value of 3600 seconds?

I assume this is intended to be installed on the machines of developers / ops people who need to have AWS cli access.

This code seems to make use of the OneLogin events API, which requires the token to have very high privileges:

This API can be called using either the Manage users or Manage All scope.

I propose to remove this call so that the privilege of this token can be "Authorization Only" and can be distributed to end users.

AWS sessions can be tracked on AWS end via cloudtrail.

Expected Behavior

Onelogin protect devices should be able to authenticate by responding to a push notification using activate_factor

Current Behavior

Onelogin had a bug so that only with elevated priveleges could the push notification be triggered. They have reportedly fixed this, so any usage of this script should now be based on an API key with sufficient privilege to trigger the push notification.

Possible Solution

If the MFA device is a onelogin protect type device, call activate_trigger if necessary and poll the saml_verify endpoint with the state token until the user responds to the push notification or sends the OTP via the app, rather than ask for manual entry of the OTP

Steps to Reproduce

Select a OneLogin Protect type MFA, user is asked to enter the OTP manually

Context (Environment)

Manual entry adds unnecessary steps since the main feature of the OneLogin protect device is that onelogin can trigger push notifications for 1 touch approval

Many of the flows that go through get_saml_assertion, especially error paths, are not well covered by our current tests. We should add more tests.

Is there an example config file in PLIST format?

Expected Behavior

Current example file is .ini.

Current Behavior

Would expect an XML or PLIST file for macOS users.

Possible Solution

Steps to Reproduce

Context (Environment)

Push a config file to several Macs.

Detailed Description

Possible Implementation

Expected Behavior

Setting username field in config file should result in it being used.

Current Behavior

Setting username in config file appears to have no effect.

Possible Solution

This is what I found:

• cli._load_config sets username to None in cli_args, which is correct because I did not specify any cli arg or environment variable.
• cli.login calls config_section.set_overrides(vars(args)) which propagates username=None into the overrides.
• When credentials.UserCredentials.load_username calls self.configuration['username'] it gets None because configuration.Section.__get_item__ finds username in self._overrides which is None.

Not sure why go through the trouble of having this concept of "overrides". Seems like it would be simpler to just load all relevant cli args, environment variables, and config file fields at the start of the program, and then when it is time to read a value, you just get it from the first one available in that order.

Steps to Reproduce

1. Specify username in config file.
2. Don't specify username in cli args or environment variable.
3. Observe in __init__.get_saml_assertion that self.user_credentials.username is None and onelogin returns http 400.

Tested with 0.1.9 and 0.1.10.

The 'dist' stage of the pex compilation is breaking the build. This breaking feature was added in #30.

I have spent a couple of days trying to fix this issue, and the problems seems to be that as lxml relies on libxml (used for the SAML assertion parsing), it must have specific wheels for each os you wish to install on. Furthermore, as lxml only distributes with manylinux1 wheels and pex does not support them, I can not see a way forward.

If this was tested/built inside a docker container, I would like to suggest that the dockerimage @mumoshu used before the build be made a part of the travis build process.

I can appreciate the wish for a binary in docker (as the example in the PR provides), but if python3 is installed anyway as mentioned in #30, what is the advantage of:
curl -o onelogin-aws-login <onelogin-aws-login release> && chmod +x onelogin-aws-login
over
pip3 install onelogin-aws-cli?

In regards to alternatives to fixing this, I have built a homebrew formula which wraps this install in a hidden python3 virtualenv for mac osx, and I can try and get it into homebrew core, but that is out of my control to an extent. On the linux side, a deb/rpm/apk could be built, if pex can't be fixed, and this is a feature which is needed.

The PR probably should have had master merged/rebased back into the branch to run the travis build, which would have caught this.This is blocking the config updates (as their build now fails and tests can not be run) I made in prep for a daemon and which would have caught the breaking, so I would like to get it fixed.

If there is no way forward in fixing this, is there a possibility for the PR to be rolled back, so as not to block other work?

@mumoshu do you have any insight into how to fix the lxml issue:

Could not satisfy all requirements for lxml==3.8.0:
    lxml==3.8.0(from: onelogin_aws_cli->onelogin)
/home/travis/.travis/job_stages: line 60: dist/onelogin-aws-login: No such file or directory

Expected Behavior

onelogin-aws-login should provide constraints for --renew-seconds or provide a period less than or equal to the max onelogin session time (of 10 hours), without erroring or displaying stack traces.

Current Behavior

When setting a refresh period of greater than 5 minutes, the AWS token for SAML issuance, an error is thrown.

Traceback (most recent call last):
  File "/Users/development/onelogin-aws-cli/.direnv/python-3.6.3/bin/onelogin-aws-login", line 11, in <module>
    load_entry_point('onelogin-aws-cli', 'console_scripts', 'onelogin-aws-login')()
  File "/Users/development/onelogin-aws-cli/onelogin_aws_cli/cli.py", line 90, in login
    api.save_credentials()
  File "/Users/development/onelogin-aws-cli/onelogin_aws_cli/__init__.py", line 167, in save_credentials
    self.assume_role()
  File "/Users/development/onelogin-aws-cli/onelogin_aws_cli/__init__.py", line 156, in assume_role
    SAMLAssertion=self.saml.saml_response
  File "/Users/development/onelogin-aws-cli/.direnv/python-3.6.3/lib/python3.6/site-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/development/onelogin-aws-cli/.direnv/python-3.6.3/lib/python3.6/site-packages/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.ExpiredTokenException: An error occurred (ExpiredTokenException) when calling the AssumeRoleWithSAML operation: Token must be redeemed within 5 minutes of issuance

Possible Solution

1. Provide a constraint on the --renew-seconds whereby values longer than 5 minutes are not allowed. The user would be provided with useful feedback before authentication occurs.
2. Inspect the expiration date in the AWS response and schedule the renew to automatically occur at that time period.
3. Ensure the onelogin SAML auth token is refreshed before it expires.

Steps to Reproduce

1. Run $ onelogin-aws-login --renew-seconds 330.
2. Perform authentication.
3. Wait for 5 and a half minutes.

Context (Environment)

There are no suggestions that there should be min/max renew periods. This could be a problem for a large userbase in terms of rate throttling if a period less than 5 minutes is required for the refresh.

It also breaks base functionality as described in the readme.

Expected Behavior

I expected to be asked for the Google authenticator token like here

Current Behavior

Instead of this, I receive a message about the proxy schema after writing the password like this one

It doesn't matter that the password is correct or not

Possible Solution

Configure somehow the proxy schema through a directive in the config file, or even better, to be allowed to use the --no-verify-ssl parameter when executing the aws-cli

Steps to Reproduce

just execute onelogin-aws-login

It doesn't really work as advertised because of the saml expiry and isn't really necessary now because of the longer role lifetimes.

If a user has multiple OTP devices, they will always be prompted to choose one of the devices.

It reduce the number of choices it would be beneficial to be able to select a device and save it to the config file on a [defaults] or specifically config profile basis.

If a password changes in onelogin or downstream Identity Provider, the user must go to their OS keychain, find the password entry, and delete the entry manually.

Expected Behavior

onelogin-aws-cli should manage the statefulness of configurations and settings it creates, and should therefore have an option to allow a user to reset their password without understanding how the password is stored.

Current Behavior

The user must go to the OS keychain handler, find the entry, and delete it themselves.

Possible Solution

Add a CLI option to allow the user to reset their password

Steps to Reproduce

1. Create configuration file with save_password=yes set.
2. Run onelogin-aws-login
3. When prompted with Onelogin Password: enter an incorrect password and finish all prompts.
4. Run onelogin-aws-login again and notice that the incorrect password is reused and is unable to be cleared.

Context (Environment)

When users either enter an incorrect password or their password is changed upstream, they should be able to manage this without understanding how the utility stores passwords.

Expected Behavior

Testcases should pass and shoulds mock out keyring, so as not to call any OS keychains

Current Behavior

It appears the test cases are currently calling keyring on the master branch in travis. https://travis-ci.org/physera/onelogin-aws-cli/jobs/370302728

Possible Solution

Mock the keyring functions or their wrappers in the onelogin_aws_cli.Credentials class.

Steps to Reproduce

1. View https://travis-ci.org/physera/onelogin-aws-cli/jobs/370302728

Context (Environment)

I'm not sure how the PR build succeeded and the master branch merge failed, but it looks like it is.
We probably shouldn't call keyring during tests anyway and make sure to mock it out in the test cases which may call it.

Possible Implementation

An example of how to mock it can be seen when mocking getpass:

Alternatively, use a MagicMock to mock the wrappers. For example,

Expected Behavior

It would be nice if we could pass the OTP token (and the otp_device) through the CLI args / env variable (so e.g. you can run a script to get a token an pass it to this tool, without needing interactive input)

Current Behavior

Interactive prompt where it's not using the actual name of the OTP device but the type (e.g. I get twice Google Authenticator even though I gave them different names)

Possible Solution

Allow passing token and otp device through CLI

Context (Environment)

Allow hooking 1password-cli with this tool to not have to copy paste the token

I get error without much explanation or debug info of whats going on and what needs fixing.

Error: '500' 'Expecting value: line 1 column 1 (char 0)'

Expected Behavior

• Some sort of useful information should be provided or more debug output e.g. printed response.
• Maybe improve docs of how to run cloned repo locally.

Current Behavior

I get following, not very informative output:

Onelogin Username: ...
Onelogin Password: ...
Google Authenticator Token: ...
Traceback (most recent call last):
  File ".../.pyenv/versions/3.7.7/bin/onelogin-aws-login", line 10, in <module>
    sys.exit(login())
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/cli.py", line 57, in login
    raise e
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/cli.py", line 53, in login
    api.save_credentials()
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 180, in save_credentials
    self.assume_role()
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 162, in assume_role
    self.get_role()
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 145, in get_role
    self.get_arns()
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 119, in get_arns
    self.get_saml_assertion()
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 91, in get_saml_assertion
    self.mfa.otp
  File ".../.pyenv/versions/3.7.7/lib/python3.7/site-packages/onelogin_aws_cli/__init__.py", line 59, in check_for_errors
    desc=self.ol_client.error_description
Exception: Onelogin Error: '500' 'Expecting value: line 1 column 1 (char 0)'

Also, tried to clone and debug locally, following instructions under Developing onelogin-aws-cli, however as someone with zero Python experience I get:

python3 onelogin_aws_cli/cli.py
Traceback (most recent call last):
  File "onelogin_aws_cli/cli.py", line 8, in <module>
    from onelogin_aws_cli import DEFAULT_CONFIG_PATH, OneloginAWS
ModuleNotFoundError: No module named 'onelogin_aws_cli'

So I think a little bit more beginner friendly documentation of how to run locally should be added too.

Steps to Reproduce

1. export ONELOGIN_AWS_CLI_DEBUG=1
2. onelogin-aws-login

To save users typing aws --profile ... or having to set AWS_PROFILE manually it would be great if there was an option to create a new shell with all the aws env vars already set, like aws-vault does.

On Windows 10, attempting to log in irremediably results in:

>onelogin-aws-login
Onelogin Password:
Onelogin Error: '401' 'Authentication Failed: Invalid user credentials'

Works fine on linux or WSL with the same config.

rdegges/python-ipify hasn't been updated for some time, making onelogin-aws-cli fail in Python 3.8. There are PRs open, but nothing on the maintainer to approve/merge those changes.

Expected Behavior

Client works.

Current Behavior

$ /usr/local/opt/[email protected]/bin/python3 -m onelogin_aws_cli
Traceback (most recent call last):
  File "/usr/local/Cellar/[email protected]/3.8.1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 184, in _run_module_as_main
    mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
  File "/usr/local/Cellar/[email protected]/3.8.1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 143, in _get_module_details
    return _get_module_details(pkg_main_name, error)
  File "/usr/local/Cellar/[email protected]/3.8.1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 110, in _get_module_details
    __import__(pkg_name)
  File "/usr/local/lib/python3.8/site-packages/onelogin_aws_cli/__init__.py", line 13, in <module>
    import ipify
  File "/usr/local/lib/python3.8/site-packages/ipify/__init__.py", line 31, in <module>
    from .ipify import get_ip
  File "/usr/local/lib/python3.8/site-packages/ipify/ipify.py", line 14, in <module>
    from .settings import API_URI, MAX_TRIES, USER_AGENT
  File "/usr/local/lib/python3.8/site-packages/ipify/settings.py", line 9, in <module>
    from platform import mac_ver, win32_ver, linux_distribution, system
ImportError: cannot import name 'linux_distribution' from 'platform' (/usr/local/Cellar/[email protected]/3.8.1/Frameworks/Python.framework/Versions/3.8/lib/python3.8/platform.py)

There is no test cases to handle both the execution branches in https://github.com/physera/onelogin-aws-cli/blob/master/onelogin_aws_cli/configuration.py#L68 as discussed in #89

To address #13, #50, and #21 it would be much simpler if the cli options and config options could be merged, as well as allowing environment variables in the precedence change.

I'd like to suggest the precedence order from most to least important would be:

• cli options
• environment variables
• config file section
• config file default section

Any ideas?

onelogin-aws-login -c
Configure Onelogin and AWS


Pick a Onelogin API server:

1. https://api.us.onelogin.com/
2. https://api.eu.onelogin.com/

? 2

Onelogin API credentials. These can be found at:
https://admin.us.onelogin.com/api_credentials
Onelogin API Client ID: abcd
Traceback (most recent call last):
  File "/bin/onelogin-aws-login", line 24, in <module>
    OneloginAWS.generate_config()
  File "/usr/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 229, in generate_config
    default["client_id"] = input("Onelogin API Client ID: ")
  File "<string>", line 1
    abcd
        ^
SyntaxError: unexpected EOF while parsing

This is an idea for a new feature. Do let me know if you think this is a good idea or not.

Description

When you have multiple AWS accounts, and multiple Roles with the same name under each AWS account, the list becomes quite hard to parse for a normal human user. I suggest being able to alias the account-part of each role.

Example

This is a realistic example at our company. In this case there are 3 AWS accounts, each one contains a role called Admin, plus some other roles.

Onelogin Password:
Google Authenticator Token: xxxxxx
Pick a role:
[1] arn:aws:iam::xxxxxxxxxxxx:role/Admin
[2] arn:aws:iam::xxxxxxxxxxxx:role/SomethingLessThanAdmin
[3] arn:aws:iam::yyyyyyyyyyyy:role/Admin
[4] arn:aws:iam::yyyyyyyyyyyy:role/SomethingLessThanAdmin
[5] arn:aws:iam::yyyyyyyyyyyy:role/SomethingLessThanAdmin2
[6] arn:aws:iam::zzzzzzzzzzzz:role/Admin
[7] arn:aws:iam::zzzzzzzzzzzz:role/SomethingLessThanAdmin

In order for the user to know which of the three Admin roles to pick, they have to reverse look up each AWS account ID in some external table. This is quite annoying and time consuming.

Suggestion

It would help if the program could say a human friendly string like company-dev/Admin, company-stage/Admin, and company-prod/Admin instead.

Possible implementation

We could have a logic that says something like: If there is an alias for the account, display "{account_alias}/{role_name}", else display "{account_id}/{role_name}" or just "{role_arn}".

Maybe also make this feature optional with a config flag?

Maybe also provide some sorting options via config?

The only question is how to get the account alias.

There is the ListAccountAliases API endpoint that retrieves the already configured alias for each account. However, it requires authentication.

We could just have a mapping in the config file. It could look something like this.

[defaults]
username = asdf

  [account-xxxxxxxxxxxx]
    alias = company-dev
  [account-yyyyyyyyyyyy]
    alias = company-stage
  [account-zzzzzzzzzzzz]
    alias = company-prod

This format also opens up for the possiblity to have other options per account.

Some of the profile names can be unwieldy, e.g. 123456789012/OneLoginRole/[email protected]. It would be nice to have the profile name configurable via the configuration or specified on the command line.

FileNotFoundError: [Errno 2] No such file or directory: '/home/.../.aws/credentials'

Hi, this cli is awesome!

If output config name is changable, more useful for me.

like here

$ onelogin-aws-login --config_name hoge --alias default

$ cat ~/.aws/credentials
[default] <--- alias name
aws_access_key_id = ***
aws_secret_access_key = ***
aws_session_token = ***

Thanks.

I get the error:
ImportError: cannot import name 'linux_distribution' from 'platform' (/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/platform.py)
when running onelogin-aws-login -C

started after updating python to 3.8

onelogin-aws-login -C prod
Traceback (most recent call last):
File "/usr/local/bin/onelogin-aws-login", line 5, in
from onelogin_aws_cli.cli import login
File "/usr/local/lib/python3.8/site-packages/onelogin_aws_cli/init.py", line 13, in
import ipify
File "/usr/local/lib/python3.8/site-packages/ipify/init.py", line 31, in
from .ipify import get_ip
File "/usr/local/lib/python3.8/site-packages/ipify/ipify.py", line 14, in
from .settings import API_URI, MAX_TRIES, USER_AGENT
File "/usr/local/lib/python3.8/site-packages/ipify/settings.py", line 9, in
from platform import mac_ver, win32_ver, linux_distribution, system
ImportError: cannot import name 'linux_distribution' from 'platform' (/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/platform.py)

Trying get it to work with onelogin and I get this error after auth.

onelogin-aws-login
<Response [200]>
Onelogin Username: 'XXX'
Onelogin Password:
<Response [200]>
OTP Token: XXXX
<Response [500]>

Traceback (most recent call last): File "/usr/local/bin/onelogin-aws-login", line 26, in <module> api.save_credentials() File "/usr/local/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 140, in save_credentials self.assume_role() File "/usr/local/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 115, in assume_role self.get_saml_assertion() File "/usr/local/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 110, in get_saml_assertion headers, params) File "/usr/local/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 57, in request raise Exception("Error: {}".format(res.json())) File "/usr/local/lib/python2.7/site-packages/requests/models.py", line 866, in json return complexjson.loads(self.text, **kwargs) File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/__init__.py", line 339, in loads return _default_decoder.decode(s) File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 364, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 382, in raw_decode raise ValueError("No JSON object could be decoded") ValueError: No JSON object could be decoded

MacOS 10.12
Onelogin API key is for auth only
AWS login works from onelogin into AWS console.
pip install onelogin_aws_cli Requirement already satisfied: onelogin_aws_cli in /usr/local/lib/python2.7/site-packages Requirement already satisfied: boto3 in /usr/local/lib/python2.7/site-packages (from onelogin_aws_cli) Requirement already satisfied: requests in /usr/local/lib/python2.7/site-packages (from onelogin_aws_cli) Requirement already satisfied: botocore<1.6.0,>=1.5.0 in /usr/local/lib/python2.7/site-packages (from boto3->onelogin_aws_cli) Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/local/lib/python2.7/site-packages (from boto3->onelogin_aws_cli) Requirement already satisfied: s3transfer<0.2.0,>=0.1.10 in /usr/local/lib/python2.7/site-packages (from boto3->onelogin_aws_cli) Requirement already satisfied: docutils>=0.10 in /usr/local/lib/python2.7/site-packages (from botocore<1.6.0,>=1.5.0->boto3->onelogin_aws_cli) Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in /usr/local/lib/python2.7/site-packages (from botocore<1.6.0,>=1.5.0->boto3->onelogin_aws_cli) Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /usr/local/lib/python2.7/site-packages (from s3transfer<0.2.0,>=0.1.10->boto3->onelogin_aws_cli) Requirement already satisfied: six>=1.5 in /usr/local/lib/python2.7/site-packages (from python-dateutil<3.0.0,>=2.1->botocore<1.6.0,>=1.5.0->boto3->onelogin_aws_cli)

Hey guys, I get a bad request returned when trying to authenticate. Have you experienced this issue? Know how to fix?

[root@bastion-prod ~]# onelogin-aws-login
Onelogin Username: evan.furman
Onelogin Password:
Traceback (most recent call last):
  File "/usr/local/bin/onelogin-aws-login", line 26, in <module>
    api.save_credentials()
  File "/usr/local/lib/python3.4/site-packages/onelogin_aws_cli/__init__.py", line 140, in save_credentials
    self.assume_role()
  File "/usr/local/lib/python3.4/site-packages/onelogin_aws_cli/__init__.py", line 115, in assume_role
    self.get_saml_assertion()
  File "/usr/local/lib/python3.4/site-packages/onelogin_aws_cli/__init__.py", line 86, in get_saml_assertion
    res = self.request("api/1/saml_assertion", headers, params)
  File "/usr/local/lib/python3.4/site-packages/onelogin_aws_cli/__init__.py", line 57, in request
    raise Exception("Error: {}".format(res.json()))
Exception: Error: {'status': {'code': 400, 'message': 'bad request', 'type': 'bad request', 'error': True}}

Thanks!

When running the client in renew mode, the session token will expire. It needs to be refreshed whenever it expires (or refreshed each time it is run, which is probably easier)

Title states it.

$ pip install onelogin-aws-cli
$ onelogin-aws-cli -c
Traceback (most recent call last):
  File "/bin/onelogin-aws-login", line 7, in <module>
    from onelogin_aws_cli import OneloginAWS
  File "/usr/lib/python2.7/site-packages/onelogin_aws_cli/__init__.py", line 3, in <module>
    import configparser
ImportError: No module named configparser

when i run pip install onelogin-aws-cli, it installs 0.1.15 which is not the latest

https://pypi.org/project/onelogin-aws-cli/

Add a new section to the config file like

[config onelogin-aws-login]
save_username = true
save_password = true

allowing the username to be saved to a profile and the password to be saved to a system keychain.

Being able to choose multiple config profiles/onelogin apps/aws roles to authenticate against in a single shot, would simplify the process of having multiple processes with renewSeconds running if the user has multiple AWS accounts.

In my organization, dozens of devs are starting to use onelogin-aws-cli(Thank you very much for creating/maintaining this!). The only and largest struggle for me is that many of them already has a working python2 and/or python3 envs each with virutalenv(s) or no virtualenv at all. There seems like no uniform, easy way to keep one's onelogin-aws-login installation up-to-date and accessible whatever python/virutualenv he/she uses for ones own development work.

Possible solution

While hanging around GitHub, I got to know that there's a tool named pex which is capable of creating a self-contained executable python env for your app.

See how it works in the wild at e.g.: datawire/forge@6fd6d6d

Would you mind hosting the self-contained binary at GitHub releases of this project once if I contributed the script for automating it?

Thanks!

Problem

In our organization, we have a hard requirement from regulation that basically says "idle login sessions must be automatically timed out after 15 minutes".

Although this can be annoying, it is still functional as long as a login session is active in nature, for example an SSH session keeps being active as long as you are using it.

However, since onelogin-aws-cli is passive in nature, this does turn into a very real problem. If some automation tool is running a long process for more than 15 minutes, the session will time out while the tool is running, breaking the workflow, which may not be recoverable. For example, building AMI's with Packer can definitely take quite some time.

--renew-seconds

I see that onelogin-aws-cli used to have a flag called --renew-seconds. However, as far as I can tell from the code, that feature had the drawback of running in the foreground and occupying the terminal.

Fork off and die

I think a better way to implement session refreshing would be to fork off a background process and let the onelogin-aws-login program finish and release control of the terminal back to the user as it currently does.

However, this might be a somewhat substantial feature to implement and support, so I would really appreciate some input on it before proceeding.

I imagine at least one configuration option called something like session_refresh_frequency that says how often to refresh the session.

AWS CLI Plugin API

Alternatively, I thought about building a plugin for AWS CLI that somehow detects that the session has timed out, and calls back to onelogin-aws-cli to reauthenticate.

However, the plugin API for AWS CLI is not official at all yet. Also, I imagine that the plugin API might not allow me to hook into and control the execution of any other arbitrary command.

So as far as I can see, an AWS CLI plugin is not looking like a realistic option at this point.

OneLogin Profile name in ~/.aws/credentials differs between AWS partitions (Partitions overview)

I'm going to use AWS China partition for my example

STS arn Gobal AWS partition

arn:aws:sts::999999999999/OneLoginRole/[email protected]

STS arn China AWS partition

arn:aws-cn:sts::999999999999/OneLoginRole/[email protected]

Expected Behavior

When I use onelogin-aws-cli for China the ~/.aws/credentials file should contain a profile which is called

[999999999999/OneLoginRole/[email protected]]

Current Behavior

The ~/.aws/credentials file contains a profile with arn:aws-cn:sts: prefix

[arn:aws-cn:sts::999999999999/OneLoginRole/[email protected]]

Steps to Reproduce

1. Set-up a Chinese AWS account in OneLogin and get credentials with onelogin-aws-cli
2. Take a look at the output "Use aws cli with --profile ..."

Context (Environment)

• Python3.5 (virtualenv)
• onelogin-aws-cli 0.1.15

launching onelogin-aws-client complains about a unicode character in helper script which contains the full path (therefore containing unicode characters) of the python interpreter

Expected Behavior

The helper script shoud contain the appropriate header for unicode encoding

I'm trying to get to the point where my ~/.aws/credentials file looks like this:

[production]
aws_access_key_id = [REDACTED]
aws_secret_access_key = [REDACTED]
aws_session_token = [REDACTED]

[sandbox]
role_arn = arn:aws:iam::123456789123:role/SandboxAdmin
source_profile = production

Of course running onelogin-aws-login -C production will generate the appropriate credentials just fine, but how do I go about generating the second part? If I add the role_arn inside the ~/.onelogin-aws.config file, it still prompts for a OTP which defeats the point.

Currently trying to hack it into the save_credentials function inside __init__.py.

Expected Behavior

There should be more details regarding the explicit behaviour of the precedence between config file, CLI options, and environment variables.

Current Behavior

There is a description of what the config options do, but not which sources have precedence.

Possible Solution

Write a section in the readme describing this.

Context (Environment)

When trying to deploy this en masse, I noticed that the seconds_duration option was being overridden.
During development, there was inconsistency in the approach taken to handling configuration and some documentation would crystalise this meaning

Hey,
According to onelogin documentation, the "Role" Macro consists out of the role ARN and the SAML provider ARN, however, it works even if the order is reversed (i.e. SAML provider ARN and then the role ARN)

In my case I specified the SAML provider first, and got this error:

botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: Request ARN is invalid

Once i changed the order in the Macro, I manage to assume the role successfully.

Expected Behavior

onelogin-aws-login -c writes ~/.onelogin-aws.config successfully.

Current Behavior

After inputting a subdomain name, onelogin-aws-login fails saying I/O operation on closed file..

$ onelogin-aws-login -c
Configure Onelogin and AWS

Pick a Onelogin API server:
[1] https://api.us.onelogin.com/
[2] https://api.eu.onelogin.com/
? 1

Onelogin API credentials. These can be found at:
https://admin.us.onelogin.com/api_credentials
Onelogin API Client ID: myclientid
Onelogin API Client Secret: myclientsecret

Onelogin AWS App ID. This can be found at:
https://admin.us.onelogin.com/apps
Onelogin App ID for AWS: myappid

Onelogin subdomain is 'company' for login domain of 'comany.onelogin.com'
Onelogin subdomain: mydomain
I/O operation on closed file.

~/.onelogin-aws.config is there but empty.

$ ls -lah ~/.onelogin-aws.config
-rw-r--r--  1  myuser mygroup    0B  5  2 19:02 /Users/myuser/.onelogin-aws.config

Possible Solution

I'm not an expert in python but anyway - onelogin-aws-cli seems to rely on ConfigParser to read the config file. Would there be any backward-incompatible change which breaks onelogin-aws-cli on very recent versions of Python 3.5.x?

Or maybe recent change to the cli broke it?

However, I couldn't locate specific commit which might have affected this, as far as I could see from reading commits from HEAD to 8d93f53.

Steps to Reproduce

1. Run onelogin-aws-login -c
2. Input valid values to inputs, including the subdomain

Context (Environment)

Python 3.6.5 (on macOS High Sierra, FWIW)

$ python3 --version
Python 3.6.5

To have feature parity with https://github.com/onelogin/onelogin-aws-cli-assume-role , it should print out the export AWS environment variables for the user in the current shell. This also helps with Terraform users, as there is no way to specify an AWS profile.

Expected Behavior

After successful authentication, it should print out the commands to set these as the current AWS environment variables.

Current Behavior

credentials get cached in a different file

Possible Solution

print the export AWS environment variables for the user in the current shell.

Steps to Reproduce

Context (Environment)

I'm trying to run terraform with onelogin-aws-login unsuccessfully

Detailed Description

Possible Implementation

Please see pull request export_aws_variables
#126

Expected Behavior

When a user is asked to choose the MFA device they would like to use to authenticate, the cli should show a list of device names instead of types (or a combination).

Example: I have 1 "OneLogin Protect"device type with the name "OneLogin Protect iPhone" and 2 "Google Authenticator" devices with names: "Google Authenticator" and "1Password OTP".

The cli would show:

Which OTP Device?
[1] OneLogin Protect iPhone
[2] Google Authenticator
[3] 1Password OTP

Current Behavior

Currently the cli only shows type, then you get this list:

Which OTP Device?
[1] OneLogin Protect
[2] Google Authenticator
[3] Google Authenticator

Possible Solution

I guess we could use user_display_name instead of type_display_name?

API Docs: https://developers.onelogin.com/quickstart/mfa

Steps to Reproduce

1. add multiple MFA devices of the same type in OneLogin
2. authenticate via onelogin-aws-cli
3. follow steps until "Which OTP Device?" question is asked

https://admin.us.onelogin.com/api_credentials
Onelogin API Client ID:
Traceback (most recent call last):
File "/usr/local/bin/onelogin-aws-login", line 17, in
OneloginAWS.generate_config()
File "/usr/local/lib/python2.7/site-packages/onelogin_aws_cli/init.py", line 179, in generate_config
default["client_id"] = input("Onelogin API Client ID: ")
File "", line 1

^
SyntaxError: unexpected EOF while parsing
[root@ip-172-28-0-98 ~]#