From bf3f7997eddf78bc45d7dad7672d8155b111575c Mon Sep 17 00:00:00 2001
From: Dave Kujawski
Date: Fri, 31 Jan 2020 08:16:59 -0700
Subject: [PATCH] adding additional debug/error information
---
 lib/okta.go | 1 +
 lib/utils.go | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/okta.go b/lib/okta.go
index e9399ed0..9ecbdeb9 100644
--- a/lib/okta.go
+++ b/lib/okta.go
@@ -261,6 +261,7 @@ func (o *OktaClient) AuthenticateProfile3(profileARN string, duration time.Durat
 }
 // retrieve IAM Roles
+ log.Debug("Step: 3.1")
 principal, role, err := GetRoleFromSAML(assertion.Resp, profileARN)
 if err != nil {
 return sts.Credentials{}, oc, err
diff --git a/lib/utils.go b/lib/utils.go
index a312776d..e01626fe 100644
--- a/lib/utils.go
+++ b/lib/utils.go
@@ -27,6 +27,7 @@ func GetRoleFromSAML(resp *saml.Response, profileARN string) (string, string, er
 if err != nil {
 return "", "", err
 }
+ log.Debugf("Found roles from SAML: %#v", roles)
 role, err := GetRole(roles, profileARN)
 if err != nil {
 return "", "", err
@@ -91,7 +92,7 @@ func GetRole(roleList saml.AssumableRoles, profileARN string) (saml.AssumableRol
 return arole, nil
 }
 }
- return saml.AssumableRole{}, fmt.Errorf("ARN isn't valid")
+ return saml.AssumableRole{}, fmt.Errorf("ARN isn't valid %s", profileARN)
 }
 // if the user only has one role assume that role without prompting.
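Review bot: The new `log.Debug("Step: 3.1")` in AuthenticateProfile3 (lib/okta.go) is an opaque marker: someone reading a debug log without the source cannot tell which stage of the authentication flow it refers to. A descriptive constant message such as `log.Debug("Step 3.1: selecting IAM role from SAML assertion")` keeps the trace readable and still carries no assertion data. The line also lands between the `// retrieve IAM Roles` comment and the call that comment describes; putting the log call above the comment keeps the two together. The function begins and continues outside this hunk.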
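Review bot: `log.Debugf("Found roles from SAML: %#v", roles)` in GetRoleFromSAML (lib/utils.go, first hunk) dumps every field of every role parsed from the SAML assertion, and `%#v` will keep printing whatever the saml.AssumableRole type carries now or gains later. The entries presumably hold role and principal ARNs, which embed AWS account IDs, and debug output from an authentication tool tends to be pasted into tickets, so it is worth logging only what is needed to diagnose a mismatch. If AssumableRoles is a slice (its definition is not visible here), `log.Debugf("Found %d roles in SAML assertion", len(roles))`, or a loop that prints only each role ARN, would be narrower. The function starts above this hunk.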
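Review bot: The new error in GetRole (lib/utils.go, second hunk) interpolates `profileARN` with `%s`, so an empty or whitespace-padded value yields a message that reads the same as the old one, and any control characters in the configured value reach the terminal or log unescaped. `%q` covers both cases: `fmt.Errorf("ARN isn't valid: %q", profileARN)`. Judging by the `return arole, nil` inside the loop above, this path seems to be reached when no assumable role matches the profile, so wording such as "not among the assumable roles" may describe the failure more accurately than "isn't valid". The loop itself is outside the hunk, so that reading should be confirmed.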