Inscrutable error from okta-aws

I’m trying to use this tool:

I signed up for this forum because the README there directed me to here. I am not an “okta developer” nor am I developing apps for use with okta. I am working at a company that uses okta and I’m trying to set up CLI tools that work with okta, but I do not have okta admin access in our organization.

With that out of the way, I installed and configured that tool according to the instructions. I had to ask other people for the Okta AWS app’s URL. We actually have multiple AWS apps in our Okta, and I was initially able to find the app URL for one of those on internal documentation and tried that one.

~% okta-aws test sts get-caller-identity
Username: _I entered my okta username_
Password:

Push Factor Authentication
Waiting for you to approve the Okta push notification on your device...
Waiting for you to approve the Okta push notification on your device...
Waiting for you to approve the Okta push notification on your device...
Exception in thread "main" java.lang.IllegalStateException: Sorry, you can't access AWS (Prod) because you are not assigned this app in Okta.

That’s fine, because I am indeed not assigned that app in Okta. So this was a proof of concept to get that far. Next, I gave the instructions for how to get the app URL to one of our admins and asked him for the app URL for the AWS SSO app, which I do have in our Okta. But when I put that in the configuration file and tried again, this happened:

~% okta-aws test sts get-caller-identity
Exception in thread "main" java.util.NoSuchElementException
    at java.base/java.util.LinkedHashMap$LinkedHashIterator.nextNode(LinkedHashMap.java:721)
    at java.base/java.util.LinkedHashMap$LinkedEntryIterator.next(LinkedHashMap.java:751)
    at java.base/java.util.LinkedHashMap$LinkedEntryIterator.next(LinkedHashMap.java:749)
    at com.okta.tools.helpers.RoleHelper.chooseAwsRoleToAssume(RoleHelper.java:106)
    at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:133)
    at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
    at com.okta.tools.WithOkta.main(WithOkta.java:30)

What does this mean? What problem might be causing this?

It’s possible he gave me an incorrect app URL, but I don’t know enough to tell him that.

I’m guessing this line could be the issue but not exactly sure what the underlying issue is.

You might want to try out this tool as well

We ended up going with AWS SSO, since the AWS CLI now (since fall 2020) natively supports profiles configured for SSO, and our AWS SSO gets provisioned from okta. Unfortunately, SSO profiles with the CLI store short-term creds in cleartext in a local file, so it would be nice to have a better alternative. I may come back to trying these tools at some point in the future. Do give an update if you figure out what caused the problem. Thanks!