Single Role Being Autoselected if "resolve_aws_alias = True" yet I have 60+ Roles #405
Comments
Do your accounts have unique aliases? If not, the account data won't get read correctly from the AWS role selection screen. If you do have unique aliases, is there anything that's not typical about your setup (i.e. your accounts are in GovCloud, your machine is set to a non-English locale, etc.)? The aliases are scraped out of the AWS role selection screen, so if the HTML elements in your screen are different for some reason, the parser would miss the account names.
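The comment above explains that the account names come from scraping the AWS role selection screen and that non-unique aliases break the role list. The following Python block is an added illustration written for this thread, not gimme-aws-creds' own code: it contrasts a hypothetical role chooser that keeps roles keyed by their alias-derived display label (so colliding aliases plus identical role names overwrite one another and the one survivor is mistaken for a "single role") with a chooser that decides auto-select versus prompt on the distinct role ARNs in the assertion and only uses aliases cosmetically. The ARNs, account ids and alias maps are constructed placeholders, and `naive_select`/`safe_select` are names invented here.

```python
"""Added illustration (not gimme-aws-creds code): why "single role, skip the
prompt" must be decided on distinct role ARNs, never on labels built from
account aliases. All ARNs, account ids and aliases are constructed."""
import re
from collections import Counter

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")

# Constructed sample: four roles with the same name in four distinct accounts,
# the shape seen in the role list posted in this issue.
SAML_ROLES = [
    "arn:aws:iam::111111111111:role/test-saml",
    "arn:aws:iam::222222222222:role/test-saml",
    "arn:aws:iam::333333333333:role/test-saml",
    "arn:aws:iam::444444444444:role/test-saml",
]
# Constructed alias maps: one healthy, one where every account resolved to the
# same alias (what a scrape that misreads the selection page could yield).
GOOD_ALIASES = {"111111111111": "dev", "222222222222": "test",
                "333333333333": "stage", "444444444444": "prod"}
BAD_ALIASES = {acct: "unknown" for acct in GOOD_ALIASES}


def parse_arn(arn):
    """Return (account_id, role_name); reject anything that is not a role ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)


def duplicate_aliases(aliases):
    """Aliases shared by more than one account id. A non-empty result means
    labels derived from the aliases can no longer tell accounts apart."""
    counts = Counter(aliases.values())
    return sorted(a for a, n in counts.items() if n > 1)


def naive_select(arns, aliases):
    """Hypothetical fragile chooser: roles live in a dict keyed by display
    label, so colliding aliases + identical role names overwrite each other and
    a single surviving entry is treated as a single-role assertion."""
    by_label = {}
    for arn in arns:
        acct, role = parse_arn(arn)
        by_label[f"{aliases.get(acct, acct)}/{role}"] = arn
    mode = "auto" if len(by_label) == 1 else "prompt"
    return mode, sorted(by_label.values())


def safe_select(arns, aliases):
    """Hardened chooser: auto/prompt is decided on distinct ARNs only; when the
    alias map is ambiguous the label falls back to the raw account id so every
    menu entry stays distinguishable."""
    distinct = sorted(set(arns))
    ambiguous = set(duplicate_aliases(aliases))
    labels = []
    for arn in distinct:
        acct, role = parse_arn(arn)
        alias = aliases.get(acct, acct)
        shown = acct if alias in ambiguous else f"{alias} ({acct})"
        labels.append(f"{shown}/{role}")
    mode = "auto" if len(distinct) == 1 else "prompt"
    return mode, distinct, labels


if __name__ == "__main__":
    for name, aliases in (("good aliases", GOOD_ALIASES), ("bad aliases", BAD_ALIASES)):
        print(f"{name}: naive={naive_select(SAML_ROLES, aliases)[0]} "
              f"safe={safe_select(SAML_ROLES, aliases)[0]}")
```

Running the block prints `naive=auto` for the colliding alias map and `naive=prompt` for the healthy one, while `safe_select` prompts in both cases because it never reduces four ARNs to one. The `duplicate_aliases` check is the cheap diagnostic to run first when a tool that resolves aliases unexpectedly skips the role menu.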
Yes, all the aliases are unique. The REALLY interesting thing, we only see this when run from the CLI on an AWS EC2 instance. If I run this from my laptop it does NOT happen, I get prompted correctly for role even if alias setting is True. And the "auto selected" role is the ONE role that matches the account where the EC2 instance is deployed. So not sure what is going on here... Not sure if somewhere the instance role/profile is being used and confusing things?
I can't replicate this on an EC2 instance. I thought it might be an environment variable that boto is picking up from the EC2 instance, but I can't find any that would cause that issue.
I was looking for any debug flags, etc., that maybe I could try, but did not find any...
I'm seeing this issue as well. I can reproduce it every time I log in. It happens on a Mac, but not on a Windows machine attaching to the same IdP.
If I have "resolve_aws_alias = True", which I DO want to decode my AWS acct ids, gimme-aws-creds is autoselecting a SINGLE role for me with no prompting (acct ids and REAL role names redacted):

```
Detected single role: arn:aws:iam::y:role/test-saml
```
If I set the same variable to False in my .okta_aws_login_config I get the complete role list and am prompted (I have over 60 roles; I cut the list off for brevity... the X denoting the acct id is UNIQUE for each role):

```
Pick a role:
[0] arn:aws:iam::x:role/test-saml
[1] arn:aws:iam::x:role/othertest-saml
[2] arn:aws:iam::x:role/test-saml
[3] arn:aws:iam::x:role/test-saml
[4] arn:aws:iam::x:role/othertest-saml
[5] arn:aws:iam::x:role/test-saml
[6] arn:aws:iam::x:role/test-saml
[7] arn:aws:iam::x:role/othertest-saml
[8] arn:aws:iam::x:role/test-saml
[9] arn:aws:iam::x:role/test-saml
[10] arn:aws:iam::x:role/test-saml
[11] arn:aws:iam::x:role/test-saml
[12] arn:aws:iam::y:role/test-saml
[13] arn:aws:iam::x:role/test-saml
[14] arn:aws:iam::x:role/test-saml
[15] arn:aws:iam::x:role/test-saml
[16] arn:aws:iam::x:role/test-saml
...
```
Expected Behavior
Would expect prompting for role regardless of the Alias setting.