
SRP auth fails with NoCredentialsError #146

Open
leotohill opened this issue Oct 1, 2019 · 5 comments

Comments

@leotohill

Though this project appears to be dead, I'll post the issue for others who may run into it.

While SRP does not use AWS IAM credentials, if you don't have any in your credential store, the SRP call will fail with a NoCredentialsError exception.

You can create dummy/false credentials, and the call will succeed. Clearly a defect.

For more details (from somebody else, not me) see

https://stackoverflow.com/questions/47849702/aws-boto-warrant-library-srp-authentication-and-credentials-error

@leotohill
Author

leotohill commented Oct 1, 2019

I figured out an easy solution. The problem is that the boto3 libraries are trying to sign the request to aws, but this request is not supposed to be signed. To prevent that, create the identity pool client with a config that specifies no signing. Use the form of AWSSRP that accepts a pre-created client, rather than letting it create its own.

```python
import boto3
from botocore import UNSIGNED
from botocore.config import Config
from warrant import aws_srp  # args holds the parsed CLI arguments (user_id, password, user_pool_id, client_id)

client = boto3.client('cognito-idp', region_name='us-east-1', config=Config(signature_version=UNSIGNED))
aws = aws_srp.AWSSRP(username=args.user_id, password=args.password, pool_id=args.user_pool_id,
                     client_id=args.client_id, client=client)
srp_result = aws.authenticate_user()
```

In the warrant code, AWSSRP class, when the initializer creates a client instance (in the case where the caller did not provide one), it should specify this same config option.

@Zuiluj

Zuiluj commented Oct 16, 2019

This is actually true. We're now fixing it. Right now, I'm still looking into AWS Cognito docs for functions that do not require a signed signature, as the initialization of the class does create a client of its own with the use of [access_key, secret_key, user_pool_region], meaning it does not specify in the configuration of the request whether it is unsigned or not.
Though right now, or rather, in the next version, we're removing the aws_srp class in favor of warrant-lite.

@Zuiluj

Zuiluj commented Oct 25, 2019

The next release would fix this issue. By simply not providing the AWS access key and secret, the signature would automatically be unsigned.

@sodre

sodre commented Nov 28, 2019

@Zuiluj, I just ran into this issue as well, and would really want a fix that does not involve me monkey patching :)
Any ideas when to release the next version? Maybe an interim hot-fix would be to use the unsigned signature just in the calls to Cognito.authenticate...

@cjkoral

cjkoral commented Jan 24, 2020

@Zuiluj Seeing this as well. Any idea on when you'll be releasing the patch? Need assistance getting it over the line?
