Cannot log in to certain regions #175

Open
cira-jonathan opened this issue Sep 3, 2020 · 2 comments
Labels
question waiting Waiting for answer

@cira-jonathan

I'm trying to use my AD credentials to log into our AWS account and there are 4 regions I can't log into using aws-adfs via the command line.

This is the command I use to log in:
```shell
aws-adfs login --adfs-host= --provider-id urn:amazon:webservices --region --profile --no-ssl-verification --no-sspi
```

This is the error message I get when I try to authenticate:
```text
Traceback (most recent call last):
File "/usr/local/bin/aws-adfs", line 11, in
load_entry_point('aws-adfs==1.24.4', 'console_scripts', 'aws-adfs')()
File "/usr/lib/python3/dist-packages/click/core.py", line 722, in call
return self.main(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3/dist-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3/dist-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/aws_adfs/login.py", line 222, in login
DurationSeconds=int(config.session_duration),
File "/usr/local/lib/python3.6/dist-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.6/dist-packages/botocore/client.py", line 635, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidIdentityTokenException: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithSAML operation: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 93edccae-0153-4dad-8d9c-92a5c99f2e7e; Proxy: null)
```

As I mentioned above, this only occurs with the 4 regions. Those regions are:

  • Cape Town -> af-south-1
  • Hong Kong -> ap-east-1
  • Milan -> eu-south-1
  • Bahrain -> me-south-1

Those regions were previously disabled but have since been enabled, and the error still occurs. Is there another configuration setting I have to set before this works?

Any help in this matter would be much appreciated.

@pdecat
Collaborator

pdecat commented Oct 18, 2020

Hi @cira-jonathan,

Are you using Duo? If so, have you seen this?

How do I resolve a "Specified provider doesn't exist" error when protecting AWS with Duo Access Gateway?

ISSUE

After successfully passing primary authentication and approving secondary authentication, the user is redirected to an AWS error page that says:
"Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException)"

RESOLUTION

Make sure the provider information is configured correctly in AWS as described in the documentation. The provider name should be "dag"; it is case-sensitive and cannot be customized.

CAUSE

The provider information was configured incorrectly in AWS.

See https://help.duo.com/s/article/3717?language=en_US
And https://duo.com/docs/aws#enable-aws-sso

@pdecat pdecat added question waiting Waiting for answer labels Sep 23, 2021
@trav-c
Contributor

trav-c commented Oct 21, 2022

I believe I have encountered this also. If it is the same issue (I don't recall if it's the exact same error/stack trace), it is caused by certain regions only supporting regional STS endpoints, while boto3 always defaults to legacy endpoints. It can be worked around by setting the environment variable AWS_STS_REGIONAL_ENDPOINTS=regional, e.g.

```shell
export AWS_STS_REGIONAL_ENDPOINTS=regional
aws-adfs login .....
```

See https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

According to the AWS docs it should also be fixable by setting the default in ~/.aws/config but that didn't seem to work for me with aws-adfs
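Since the thread turns on which STS endpoint the SDK actually calls for a given region and setting, the following is an added example (not code from aws-adfs, boto3, or any participant in this issue) that models the resolution the AWS SDK reference linked above describes: `AWS_STS_REGIONAL_ENDPOINTS` in the environment overrides `sts_regional_endpoints` in the profile, the default is `legacy`, and in `legacy` mode only the older regions listed in that reference go to the global `sts.amazonaws.com` endpoint while every other region already gets its regional endpoint. The config text, the `adfs` profile name, and the `OPT_IN_REGIONS_FROM_ISSUE` list are constructed for the example from the four regions named in this issue; it does not attempt to explain why the profile setting was not honoured by aws-adfs.

```python
"""Work out which STS endpoint an SDK call will hit for a region.

Added example, not part of aws-adfs or the AWS SDKs. It mirrors the
precedence documented for the STS regionalized-endpoints setting:
environment variable over ~/.aws/config profile, default "legacy".
"""
import configparser
from typing import Dict, Mapping

# Regions that "legacy" mode still routes to the global endpoint, as listed
# in the AWS SDK reference page on STS regionalized endpoints.
LEGACY_GLOBAL_STS_REGIONS = frozenset({
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "aws-global", "ca-central-1", "eu-central-1", "eu-north-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1",
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
})
VALID_MODES = ("legacy", "regional")

# The four regions reported in this issue (constructed list for the example).
OPT_IN_REGIONS_FROM_ISSUE = ("af-south-1", "ap-east-1", "eu-south-1", "me-south-1")

# Constructed ~/.aws/config content; the "adfs" profile name is an assumption.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile adfs]
region = af-south-1
sts_regional_endpoints = regional
"""


def parse_aws_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ~/.aws/config text into {profile_name: {key: value}}.

    The shared config file names profiles as "[default]" and "[profile NAME]".
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def effective_sts_mode(env: Mapping[str, str], config_text: str,
                       profile: str = "default") -> str:
    """Return the STS endpoint mode in effect: 'regional' or 'legacy'.

    Precedence: AWS_STS_REGIONAL_ENDPOINTS (environment) beats
    sts_regional_endpoints in the selected profile, which beats the
    documented default of "legacy".
    """
    value = env.get("AWS_STS_REGIONAL_ENDPOINTS")
    if value is None:
        value = parse_aws_config(config_text).get(profile, {}).get("sts_regional_endpoints")
    if value is None:
        return "legacy"
    value = value.strip().lower()
    if value not in VALID_MODES:
        raise ValueError(f"unsupported STS endpoint mode: {value!r}")
    return value


def sts_endpoint(region: str, mode: str) -> str:
    """Endpoint URL an SDK will use for STS in `region` under `mode`."""
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported STS endpoint mode: {mode!r}")
    if mode == "legacy" and region in LEGACY_GLOBAL_STS_REGIONS:
        return "https://sts.amazonaws.com"
    return f"https://sts.{region}.amazonaws.com"


def endpoints_for(regions, env: Mapping[str, str], config_text: str,
                  profile: str = "default") -> Dict[str, str]:
    """Map each region to the STS endpoint the current settings select."""
    mode = effective_sts_mode(env, config_text, profile)
    return {region: sts_endpoint(region, mode) for region in regions}


if __name__ == "__main__":
    # Compare the default profile (no override) with the env-var workaround.
    for label, env in (("default", {}), ("env override", {"AWS_STS_REGIONAL_ENDPOINTS": "regional"})):
        print(label, effective_sts_mode(env, SAMPLE_CONFIG))
        for region, url in endpoints_for(OPT_IN_REGIONS_FROM_ISSUE + ("us-east-1",), env, SAMPLE_CONFIG).items():
            print(f"  {region:14s} {url}")
```

Running it with an empty environment and the `default` profile shows the global endpoint for `us-east-1` and regional endpoints for the four opt-in regions; setting the environment variable, or selecting the `adfs` profile that carries `sts_regional_endpoints = regional`, switches `us-east-1` to its regional endpoint as well. Because the environment variable takes precedence, `AWS_STS_REGIONAL_ENDPOINTS=legacy` would override a profile that asks for `regional`, which is worth checking when a tool appears to ignore `~/.aws/config`.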
