Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

Update README to note that for OIE, OIDC app Authentication Policy must match AWS app Authentication Policy #420

Closed stargonautone closed 1 year ago

stargonautone commented 1 year ago

The okta-aws-cli project on GitHub notes that in OIE the OIDC native app should have equivalent policies to the AWS Account Federation app(s) or else more stringent policies on the AWS app(s) may result in a 400 Bad Request error:

https://github.com/okta/okta-aws-cli#recommendations

Expected Behavior

Attempt login with gimme-aws-creds, open browser when prompted by OIE login, perform MFA as prompted, return to CLI to complete transaction.

Current Behavior

Attempt login with gimme-aws-creds, open browser when prompted by OIE login, perform MFA as prompted, return to CLI and find it has received a 400 Bad Request error.

Possible Solution

Updating the OIDC Native Application in Okta to use an Authentication Policy matching that of the AWS Account Federation app(s) restores the "Expected Behavior".

Steps to Reproduce (for bugs)

  1. Attempt login with gimme-aws-creds
  2. Open browser when prompted by OIE login
  3. Perform MFA as prompted
  4. Return to CLI to observe results; may need to select a role to complete the attempt to receive a token

Context

This may help others who think that MFA suddenly does not work as of upgrading to OIE. Note that this issue also impacts okta-aws-cli if Authentication Policy is more stringent on the AWS Account Federation app than on the OIDC Native App.

Your Environment
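The check a practitioner would want before hitting this 400 is to confirm that the OIDC native app the CLI authenticates through and the AWS Account Federation app(s) point at the same Okta authentication policy. The script below is an added example, not code from gimme-aws-creds, okta-aws-cli or the issue author; it works on the shape of Okta's `GET /api/v1/apps/{appId}` response, where an OIE app object carries its policy as `_links.accessPolicy.href`, and builds the `PUT /api/v1/apps/{appId}/policies/{policyId}` request that reassigns a policy. The app IDs, policy IDs, labels and org URL in the sample objects are constructed for illustration; only the live `fetch_app` helper (used when `OKTA_ORG_URL`, `OKTA_API_TOKEN`, `OKTA_OIDC_APP_ID` and `OKTA_AWS_APP_IDS` are set) talks to a real org.

```python
"""Compare the Okta access (authentication) policy of an OIDC native app with the
policy of one or more AWS Account Federation apps, and build the PUT request that
realigns them. Added example; endpoint shapes follow Okta's public API, sample
data is constructed."""
import json
import os
import urllib.request
from typing import List, Optional, Tuple


def policy_id_from_app(app: dict) -> Optional[str]:
    """Return the access-policy ID an OIE app object links to, or None.

    The app object looks like
      {"id": "...", "label": "...",
       "_links": {"accessPolicy": {"href": "https://<org>/api/v1/policies/<policyId>"}}}
    """
    href = app.get("_links", {}).get("accessPolicy", {}).get("href")
    if not href:
        return None
    return href.rstrip("/").rsplit("/", 1)[-1]


def find_policy_mismatches(oidc_app: dict, aws_apps: List[dict]) -> List[Tuple[str, Optional[str]]]:
    """Return (label, policy_id) for every AWS app whose policy differs from the OIDC app's.

    An empty list means the CLI's OIDC app and all AWS apps share one policy, so the
    policy evaluated at the browser login is the one the AWS app will demand later.
    """
    reference = policy_id_from_app(oidc_app)
    return [(app.get("label", app.get("id", "?")), policy_id_from_app(app))
            for app in aws_apps if policy_id_from_app(app) != reference]


def realign_request(org_url: str, app_id: str, policy_id: str) -> Tuple[str, str]:
    """Build the (method, url) pair that assigns policy_id to app_id.

    Okta's endpoint for this is PUT /api/v1/apps/{appId}/policies/{policyId};
    the request carries no body. Returned rather than sent so it can be reviewed.
    """
    return ("PUT", f"{org_url.rstrip('/')}/api/v1/apps/{app_id}/policies/{policy_id}")


def fetch_app(org_url: str, app_id: str, api_token: str) -> dict:
    """Live GET /api/v1/apps/{appId} using an SSWS API token (network; not used offline)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/apps/{app_id}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _sample_app(app_id: str, label: str, policy_id: str) -> dict:
    """Constructed app object in the shape Okta returns; IDs are made up."""
    return {
        "id": app_id,
        "label": label,
        "_links": {"accessPolicy": {"href": f"https://example.okta.com/api/v1/policies/{policy_id}"}},
    }


# Constructed sample: the OIDC app and the dev AWS app share a password-only policy,
# while the prod AWS app carries a stricter MFA policy (the situation in this issue).
SAMPLE_ORG_URL = "https://example.okta.com"
SAMPLE_OIDC_APP = _sample_app("0oa1cliexample00001", "gimme-aws-creds (OIDC native)", "rst1pwonly0000001")
SAMPLE_AWS_APPS = [
    _sample_app("0oa2awsexample00002", "AWS Account Federation - prod", "rst1mfaonly000002"),
    _sample_app("0oa3awsexample00003", "AWS Account Federation - dev", "rst1pwonly0000001"),
]


def check_from_env_or_sample() -> List[Tuple[str, Optional[str]]]:
    """Use the live org when OKTA_* variables are set, else the constructed sample."""
    org = os.environ.get("OKTA_ORG_URL")
    token = os.environ.get("OKTA_API_TOKEN")
    oidc_id = os.environ.get("OKTA_OIDC_APP_ID")
    aws_ids = os.environ.get("OKTA_AWS_APP_IDS")  # comma-separated
    if org and token and oidc_id and aws_ids:
        oidc_app = fetch_app(org, oidc_id, token)
        aws_apps = [fetch_app(org, a.strip(), token) for a in aws_ids.split(",")]
        return find_policy_mismatches(oidc_app, aws_apps)
    return find_policy_mismatches(SAMPLE_OIDC_APP, SAMPLE_AWS_APPS)


if __name__ == "__main__":
    mismatches = check_from_env_or_sample()
    if not mismatches:
        print("OK: OIDC app and AWS app(s) share one authentication policy")
    for label, pid in mismatches:
        print(f"MISMATCH: {label} uses policy {pid}, OIDC app uses {policy_id_from_app(SAMPLE_OIDC_APP)}")
        # Per the issue, the fix is to move the OIDC app onto the AWS app's policy:
        print("  realign with:", *realign_request(SAMPLE_ORG_URL, SAMPLE_OIDC_APP["id"], pid))
```

If several AWS apps carry different policies, the OIDC app can only match one of them; the report lists every divergent app so the stricter policy can be chosen deliberately rather than discovered through a 400 after MFA.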

epierce commented 1 year ago

README has been updated