2021-07-17 09:52:18,704 [authenticator authenticator.py:authenticate] [114651-MainProcess] [140189704632128-MainThread] - ERROR: Cannot extract roles from response This account does not have access to any roles

[minalvnk]

Gettting the below error always while running the command :
aws-adfs login --adfs-host=host.xxxx.xxxx

2021-07-17 09:52:18,704 [authenticator authenticator.py:authenticate] [114651-MainProcess] [140189704632128-MainThread] - ERROR: Cannot extract roles from response
This account does not have access to any roles

tried with the option --no-ssl-verification. Even could not resolve this issue.
aws-adfs --version
1.24.5

[pdecat]

Hi, could you try with --no-sspi? See #98 (comment)

[minalvnk]

I tried but no luck.

[pdecat]

Hi @minalvnk,

you should be able to get more details about what's going on by adding --verbose to your aws-adfs login command, e.g. aws-adfs --verbose login ....

Note: you should have traces of the HTTP requests / responses that are happening.
In case you want to share some parts here, be careful to redact all sensitive content such as login, tokens, etc.

[rpattcorner]

Having a similar issue, however as of now the --verbose option is missing. On an AmazonLinux box I see:

$ ./aws-adfs --version
2.6.3
====== but ====
$ ./aws-adfs login --verbose --adfs-host=myhost --no-ssl-verification --no-sspi
Usage: aws-adfs login [OPTIONS]
Try 'aws-adfs login --help' for help.

Error: No such option: --verbose

The core problem is ...

$ ./aws-adfs login --adfs-host=MYHOST --no-ssl-verification --no-sspi
(VARIOUS INSECURE REQUEST WARNINGS)
Username: thatsme
Password:
/home/ssm-user/.local/lib/python3.7/site-packages/urllib3/connectionpool.py:1052: InsecureRequestWarning: Unverified HTTPS request isbeing made to host 'MYHOST'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2023-01-31 16:46:39,239 [authenticator authenticator.py:authenticate] [28066-MainProcess] [140200594151232-MainThread] - ERROR: Cannot extract saml assertion from request's response. Re-authentication needed?
This account does not have access to any roles when accessed directly via the adfs host

The account indeed does have access to roles
Problem persists even with the ssl verification and sspi flags removed
Any thoughts on how to at least get some more info? Also tried --provider-id urn:amazon:webservices but no difference.

[pdecat]

@rpattcorner --verbose must be passed before login, e.g. aws-adfs --verbose login --adfs-host=myhost --no-ssl-verification --no-sspi

[rpattcorner]

@pdecat Patrick, thank you so much. Somehow I missed the positioning in the documentation. That quickly solved the problem, which was a garden variety username formatting issue.

Now I can ask you the interesting questions, which I'll put in a separate issue. This could open up some serious architectural possibilities