Issues with AWS signin account

Hi,

I'm using several AWS accounts and up until now, I was able to go to https://signin.aws.amazon.com/console and autocomplete any. Since upgrading to 7.0, the account field is no longer filled (this happened before and I had to re-create all of my AWS passwords, which is what I'm trying to avoid).
I know I can go to https://account123.signin.aws.amazon.com/console and it'll fill the account field on its own, but "open and fill" doesn't work either.

Any help is greatly appreciated,
Bests,
J


1Password Version: 7.0
Extension Version: 4.7.1.90
OS Version: 10.13.4
Sync Type: Not Provided

Comments

  • Hi @TaiSHi,

    It looks like Amazon have changed the page and that does impact 1Password when you need it to fill more than two fields on a given page. Even though on the surface it looks similar there is definitely a difference in fields used on the page compared to what I saved the last time I looked at this.

    There's no easy way around recreating the Login items I'm afraid but there might be a way to create it whereby it doesn't fall prey to changes to the site as much next time.

    Manually create a Login item in 1Password, not in your browser and set the username and password appropriately. After you add the website field you should find you have a View Saved Form Details button. Click it and add a third field. Title it account and leave the type as text. Finally save. Do you find this item works? It hopefully should. You could maybe even use this approach to create a template item that you use to help replace all the existing AWS Login items you have.

    When you say open-and-fill doesn't work can you elaborate a little for me please as you should find open-and-fill working. I am aware of an issue if there is no existing window open for the browser but besides that one scenario open-and-fill should be working in all browsers.

  • Hey @littlebobbytables

    I did check the AWS login page and inspected the element (the ID is still 'account'), what worries me is that this happened twice after upgrading 1P (I believe both were sort of major-versions). My login items do have an account form field with type Text. This is what leads me to believe there might be a bug.

    When I do the open and fill, the following happens:
    1P fires up my browser to: https://rhy-dev-all.signin.aws.amazon.com/console?onepasswdfill=somesecrethash
    It's redirected to: https://console.aws.amazon.com/console/home
    Which in turn is redirected to: https://us-east-1.signin.aws.amazon.com/oauth?SignatureVersion=allthestuffamazonputsinhere

    The account name is auto filled, but the rest isn't.

    Thanks for your prompt reply!
    Bests,
    J

  • Hello @TaiSHi,

    Your existing Login items will have that field yes but it's the previous presence of other fields and their subsequent absence that alters the fingerprint of the page, something that is crucial for Login items saved in the browser where you want 3+ fields to fill.

    So with my older AWS Login items there are two fields that refer to MFA that are no longer present. Deleting those fields though isn't sufficient as the fingerprint still won't match the current page, those MFA fields still leave an impression behind. Saving an entirely new Login item in the browser would be one way to correct this but it does leave the item open to Amazon changes breaking it again. The steps for saving a basic Login item in the main 1Password window will create a Login item that isn't as strict with the fingerprint requirements so that, should Amazon tweak the page again, it doesn't automatically mean the Login item will break.

    For open-and-fill, the multiple redirects will be interfering. Can you visit the https://us-east-1.signin.aws.amazon.com URL directly? If you can that should work for open-and-fill.

  • @littlebobbytables I'll test creating the login manually from the 1P app today and test, I'll let you know how it goes. Thanks for the explanation and continued assistance!

  • Please do let us know how you get along @TaiSHi and whether we can be of any further assistance with this.

  • Hey @littlebobbytables,

    Just tested adding a completely manual account, with all the details and https://signin.aws.amazon.com/console (zone-less), it works like a dream (open and fill as well as filling a new page)!

    I'll take my time and set them all up

    Thanks for your assistance,
    Bests,
    J

  • Glad I could help @TaiSHi :smile: Hopefully you won't be bothered again by this and this will be the last faffing about you have to do. Should that change at all or you experience any other issues please do let us know.

  • hi @littlebobbytables

    I'm trying to follow your instructions above
    Manually create a Login item in 1Password, not in your browser and set the username and password appropriately. After you add the website field you should find you have a View Saved Form Details button. Click it and add a third field. Title it account and leave the type as text. Finally save.

    I do not see this "View Saved Form Details" button. I have a drop down for "Web form details", but no way to add an additional field after username & password.

    I'm using 1Password for Windows v7.2.576

  • brentybrenty

    Team Member

    @sloot: I'm sorry for the confusion. You won't find that option, as this discussion is referencing the Mac version. That isn't something the new Windows app has yet, but it's something we're looking at for future updates. However, if you save the login manually at the second step with the Windows app, it will be able to fill all three fields the next time. I hope this helps. :)

  • littlebobbytables

    Team Member
    edited September 2018

    Hello @sloot,

    Try this instead.

    AWS IAM 1PIF file.

    Import this 1PIF file into 1Password which you can do via the 1Password > Import menu option in 1Password for Windows. From there you will want to edit the item and access the saved form details. Replace the placeholder values of all three fields with your real details and then replace the website field with the correct ones for your IAM user. This item has the account ID set as the username so it will also work in the situations detailed at AWS Login when switching accounts between Root and IAM User which seems to be a thing depending on how you use AWS. That should ensure a usable Login item under all currently known scenarios.

  • Thank you. I've set that up, and I'll give it a try.

  • I feel like this is going to be a "can't make everyone happy" scenario....

    That 1pif file works great, but ..

    When I look at the entry in 1password for Windows, I do not see my iam username. I see the account number in username and the password in password. The iam username only shows under web form details, which is collapsed. It is possible (and sensible) for me to have two different iam usernames with different privilege levels, both belonging to the same account number. I guess my solution is to duplicate the username into the title of the entry.

  • Hi @sloot,

    You're right, at least for the moment it is impossible to create a single Login item that will intelligently fill the three field form but also understand not to use the designated username on the single field form that requires the account number. It all comes down to your own usage.

    We can help create one that will fill the standard three field form and has the IAM user name as the designated username or the account number to also allow filling on the other page that adyang brought to my attention.

    If you really only use the three field form then you should find that saving a new Login item normally within the browser will fill all three fields and by default sets the username to the IAM user name. That should allow you to sidestep the previous trouble that required the saving from inside the main 1Password window and neatly sidesteps the fact that you can't adjust the web form details in 1Password for Windows yet like you can on the Mac.

    If that doesn't fill everywhere it needs to please let me know. As I'm not a real user of AWS, any details on how to reach the page in question will be helpful :smile:

  • Thank you for your help. I think I can work with what you supplied, by duplicating the username into the title of the 1password entry.

    If you'd like, I could give you a pair of readonly accounts to my AWS so you can see how the forms work.

    The 'fun' thing about this scenario is that the recommended way of doing AWS logins is via different logins (with different privileges) under one AWS account. This means that once someone starts using that login system, they're likely to have multiple logins.

    An additional complication for myself (and likely others) is that I have a work AWS account as well as a personal AWS account.

  • Greetings @sloot,

    It's a kind offer but it's okay. As Amazon keep the account creation requirements simple I have a test AWS account, root plus two IAM users but as I don't have any actual reason to use AWS I tend to need pointers when ensuring I test the correct scenarios for a reported issue. Whilst testing for adyang I figured I may as well adjust my own items so they worked for both sign-in workflows now that I had learned of the second. My items are still set up with the default website field pointing to the three field sign-in form for ease. Previously I had them set up so that the IAM user name was the Login username and so I could easily distinguish items. It's just a shame there are these two (I'm assuming) commonly used paths that require these adjustments.

  • Thank you for all your help in trying to simplify what Amazon has made awkward :-)

  • Hi @sloot,

    It's a pity that there are these two very distinct ways of accessing an IAM user account as I do see why it makes more sense to have the user name as the Login item's username but I also see why that is problematic on the page where it asks for just the account number. Hopefully whatever system you've ended up on means things work for the pages you need it to. Please do let me know if you come across any other oddities that I may not be aware of.

  • I'd like to add a bit of info that I didn't see above. I have multiple AWS accounts that are associated with different companies.

    I noticed that sometimes when I'm already on the AWS Console login page (with Account, Username and Password fields), 1Password fills in what appears to be the correct info and I get an authentication error.

    Looking at the AWS console URL, it's a long character string that ends with something like:

    homepage&response_type=code&iam_user=true&account=<insert_company_name>

    The name of the company is at the end of the string. If I select the wrong AWS login from 1Password, I can't just choose a different account and let the login form be filled by 1Password because that company name at the end will not change to match. I have to start over on a new empty page, or reselect the account I want on a different tab. I can also go into the URL and change the company name at the end, too. I don't see this as a bug. It's just a complication created (unknowingly) by Amazon. Now that I have figured it out, it's less annoying because I can avoid the problem.
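
The check described in the comment above, as an added example (not part of the original thread and not 1Password's own logic): it reads the account a sign-in URL is pinned to, from either the subdomain or the `account=` query parameter, and compares it with the account of the Login item about to be filled. The function names, the region-label heuristic and the sample URLs in the comments are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SIGNIN_HOST = "signin.aws.amazon.com"
# Heuristic (assumption): a label shaped like "us-east-1" is a region, not an account.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def pinned_account(url):
    """Return the account a sign-in URL is pinned to, or None if it is unpinned.

    Raises ValueError when the URL is not an HTTPS AWS sign-in page or when it
    carries conflicting account= values.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_signin = host == SIGNIN_HOST or host.endswith("." + SIGNIN_HOST)
    if parts.scheme != "https" or not on_signin:
        raise ValueError("not an AWS sign-in URL")
    # Case 1: the redirected form carries the account in the query string.
    values = parse_qs(parts.query).get("account", [])
    if len(set(values)) > 1:
        raise ValueError("conflicting account= parameters")
    if values:
        return values[0].lower()
    # Case 2: the account is the subdomain label (account123.signin...).
    label = host[: -len(SIGNIN_HOST)].rstrip(".")
    if label and not REGION_RE.match(label):
        return label
    return None


def fill_decision(url, item_account):
    """Decide what to do before filling a Login item into the page at url.

    "fill"     -> the page is unpinned or pinned to the item's account
    "mismatch" -> the page is pinned to another account; filling ends in an auth error
    "refuse"   -> the page is not a genuine AWS sign-in URL
    """
    try:
        pinned = pinned_account(url)
    except ValueError:
        return "refuse"
    if pinned is None or pinned == item_account.lower():
        return "fill"
    return "mismatch"
```

A "mismatch" result corresponds to the situation in the comment: the form can be filled, but the URL still names the other account, so the sign-in has to start again from an unpinned page or from that account's own URL.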

  • Hello @dromard,

    My testing has always been limited to a single main AWS account, it never occurred to me that there might be complications when trying to switch between two or more. That's a nice observation and a good one to know about :smile:

This discussion has been closed.