Passed --aws-iam-role ignored when assertion only contains one principal #296
Description
I'm using the Okta AWS CLI with the AWS Account Federation app's Group filter. When a user is only a member of one of the groups that are part of that group filter, meaning their SAML assertion will only contain one principal for one IAM IdP+IAM Role, usage of the okta-aws-cli web command ignores the passed --aws-iam-role entirely.
For instance, let's say I have two groups:
- group-a grants access to role-a
- group-b grants access to role-b
If I am in both groups, I can choose which role I want to use via the CLI flags:
$ okta-aws-cli web ... --aws-iam-role arn:aws:iam::123123123123:role/role-a
IdP: arn:aws:iam::123123123123:saml-provider/TEST Role: arn:aws:iam::123123123123:role/role-a
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEACCESSKEY
...
$ okta-aws-cli web ... --aws-iam-role arn:aws:iam::123123123123:role/role-b
IdP: arn:aws:iam::123123123123:saml-provider/TEST Role: arn:aws:iam::123123123123:role/role-b
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEACCESSKEY
...Note that when I specify role-a, I get credentials for role-a. Same thing for role-b.
Now, let's say I'm only in group-a.
My user is not a member of group-b, meaning my SAML assertions only have one principal for role-a.
The following command behaves as I expect:
$ okta-aws-cli web ... --aws-iam-role arn:aws:iam::123123123123:role/role-a
IdP: arn:aws:iam::123123123123:saml-provider/TEST Role: arn:aws:iam::123123123123:role/role-a
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEACCESSKEY
...However, this command does not behave as I expect:
$ okta-aws-cli web ... --aws-iam-role arn:aws:iam::123123123123:role/role-b
IdP: arn:aws:iam::123123123123:saml-provider/TEST Role: arn:aws:iam::123123123123:role/role-a
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEACCESSKEY
...Note that in my CLI command I requested role-b, but I was given role-a.
I would expect this to result in a CLI error that indicates I don't have access to role-b, not automatically give me credentials for role-a because that's all I have access to.
This leads to strange issues where I am no longer a member of a group that grants me access to a role, but when I try to use that role anyway, I end up using a different role entirely as opposed to just getting a CLI error. This means I'm potentially impacting an environment I wasn't expecting to touch.