amplify-education / okta-awscli

Provides Okta authentication for awscli

okta-awscli - Retrieve AWS credentials from Okta

Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary STS credentials from AWS.

This project is largely inspired by https://github.com/nimbusscale/okta_aws_login, but uses a purely API-driven approach instead of parsing HTML during the authentication phase.

Installation

Note: These directions are for non-Amplify users. For Amplify users, installation directions can be found on Answerhub.

  • pip install amplify-okta-awscli
  • Configure okta-awscli via the ~/.okta-aws file with the following parameters:
[default]
base-url = <your_okta_org>.okta.com

## These parameters are optional flags to change the default behavior of okta-awscli
auto-write-profile = True
# Set the above to "True" if you want to automatically write creds to ~/.aws/credentials. Defaults to False.
check-valid-creds = False
# Set the above to "False" if you want new credentials every time you run okta-awscli. Defaults to True.
store-role = False
# Set the above to "False" if you want to be prompted for a role every time you run okta-awscli rather than having the role selected for you. Defaults to True.

## The remaining parameters are optional.
## You will be prompted for them, if they're not included here.
username = <your_okta_username>
factor = <your_preferred_mfa_factor> # Current choices are: GOOGLE or OKTA
role = <your_preferred_okta_role> # AWS role name (match one of the options prompted for by "Please select the AWS role" when this parameter is not specified)
app = <your_preferred_okta_app> # ex. `Amazon Web Services` to automatically select Amazon Web Services
session-duration = <seconds> # The duration for the temporary credentials in seconds. Must be between 3600 (1 hour) and 43200 (12 hours) to be valid. If invalid or not specified, session duration defaults to 3600 (1 hour).
region = <aws-region> # The AWS region to access resources in, e.g. `us-west-2`. Defaults to `us-east-1`.

Supported Features

Unsupported Features

  • Per application MFA support

Usage

okta-awscli --profile <aws_profile> <awscli action> <awscli arguments>

  • Follow the prompts to enter MFA information (if required) and choose your AWS app and IAM role.
  • Multiple Okta profiles are supported, but if none are specified, then default will be used.

Examples

okta-awscli --profile cfer-dev

This command writes STS credentials to the cfer-dev profile in your credentials file and runs no awscli command.

okta-awscli --profile my-aws-account iam list-users

If no awscli command is provided, okta-awscli will simply output STS credentials to your credentials file or to the console, depending on whether --profile is set.

Optional flags:

  • --profile Writes your temporary credentials to a profile in ~/.aws/credentials. If omitted, credentials are printed to the console.
  • --export Outputs credentials to the console instead of writing to ~/.aws/credentials.
  • --reset Resets default values in ~/.okta-aws for the okta-profile being used.
  • --force Ignores the result of STS credentials validation and gets new credentials from AWS. Used in conjunction with --profile.
  • --verbose More verbose output.
  • --debug Very verbose output. Useful for debugging.
  • --cache Caches the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified).
  • --okta-profile Uses an Okta profile other than default in ~/.okta-aws. Useful for multiple Okta tenants.
  • --token or -t Passes in the TOTP token from your authenticator.
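As an added example (not the project's own code), the following Python helper parses a ~/.okta-aws profile with the defaults and session-duration rule documented under Installation, and merges a profile into an ~/.aws/credentials-style file the way --profile does, without disturbing other profiles. The factor whitelist and the 0600 file mode are this example's own choices, and the config text used to exercise it is constructed.

```python
import configparser
import os
from pathlib import Path

SESSION_MIN, SESSION_MAX, SESSION_DEFAULT = 3600, 43200, 3600  # README limits
KNOWN_FACTORS = {"GOOGLE", "OKTA"}  # factors the README lists; whitelist is this example's

def effective_session_duration(raw):
    """README rule: keep values in 3600..43200, anything else falls back to 3600."""
    try:
        seconds = int(raw)
    except (TypeError, ValueError):
        return SESSION_DEFAULT
    return seconds if SESSION_MIN <= seconds <= SESSION_MAX else SESSION_DEFAULT

def load_okta_profile(text, okta_profile="default"):
    """Parse .okta-aws text (one [section] per Okta profile) into a dict,
    applying the defaults the README documents for the optional flags."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))  # strips "key = v # note"
    cp.read_string(text)
    if not cp.has_section(okta_profile):
        raise KeyError(f"no [{okta_profile}] section in .okta-aws")
    sec = cp[okta_profile]
    factor = sec.get("factor", fallback=None)
    if factor is not None and factor.upper() not in KNOWN_FACTORS:
        raise ValueError(f"unknown factor {factor!r}, expected one of {sorted(KNOWN_FACTORS)}")
    return {
        "base_url": sec["base-url"],
        "auto_write_profile": sec.getboolean("auto-write-profile", fallback=False),
        "check_valid_creds": sec.getboolean("check-valid-creds", fallback=True),
        "store_role": sec.getboolean("store-role", fallback=True),
        "session_duration": effective_session_duration(sec.get("session-duration")),
        "region": sec.get("region", fallback="us-east-1"),
    }

def write_aws_profile(credentials_path, profile, creds):
    """Merge one profile into an ~/.aws/credentials-style file without touching
    other profiles, and leave the file readable only by its owner (mode 0600)."""
    path = Path(credentials_path)
    cp = configparser.ConfigParser()
    cp.read(path)  # silently skips a missing file
    if not cp.has_section(profile):
        cp.add_section(profile)
    for key, value in creds.items():
        cp.set(profile, key, value)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cp.write(fh)
    os.chmod(path, 0o600)  # O_CREAT mode only applies to new files; enforce it on old ones
    return sorted(cp.sections())
```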

License: Apache License 2.0
