oktaws
This program authenticates with Okta, assumes a provided role, and pulls a temporary key with STS to support the role assumption built into the aws cli.
Installation
Grab a binary for your OS from the latest release, and put it somewhere in your PATH. Only supports Windows and MacOS for now!
Setup
First, create an ~/.oktaws/<OKTA ACCOUNT>.toml file with the following information:
username = '<USERNAME>'
role = '<DEFAULT ROLE>'
[profiles]
profile1 = '<OKTA APPLICATION NAME>'
profile2 = { application = '<OKTA APPLICATION NAME>', role = '<ROLE OVERRIDE>' }
The role value above is the name (not ARN) of the role you would like to log in as. This can be found when logging into the AWS console through Okta.
The ~/.aws/config file is read for information, but not modified. It should look similar to the following to link the profile section with the temporary credentials.
See Assuming a Role for information on configuring the AWS CLI to assume a role.
[default]
output = json
region = us-east-1
[profile profile1]
role_arn = arn:aws:iam::MY_ACCOUNT_ID:role/final_role
source_profile = profile1
With those set up, you can run oktaws profile1 to generate keys for a single profile, or just oktaws to generate keys for all profiles.
Usage
$ oktaws [AWS profile]
$ aws --profile [AWS profile] [command]for example
$ oktaws production
$ aws --profile production ec2 describe-instancesDebugging
Login didn't work? Use the -v flag to emit more verbose logs. Add more -vs for increased verbosity:
$ oktaws production -vvContributors
- Jonathan Morley [@jonathanmorley]