Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
Apache License 2.0

User is forced to select mfa factor if they have set up both Okta Verify and Google Authenticator #445

Closed schlueter closed 4 months ago

schlueter commented 6 months ago

Expected Behavior

When using gimme-aws-creds, a user can configure a preferred mfa type to avoid having to select one each time the program is used. However, Okta allows multiple instances of some types (namely totp) to be set up. Ideally, a user would be able to configure their preferred mfa provider in addition to the type, perhaps in a configuration field such as preferred_mfa_provider.

Current Behavior

There is no current way to configure a preferred mfa provider, only type, which makes gimme-aws-creds prompt the user to select a factor if they have set up multiple factors matching their preferred type.

Possible Solution

https://github.com/Nike-Inc/gimme-aws-creds/pull/446

Steps to Reproduce (for bugs)

  1. In Okta, set up extra verification for each of Google Authenticator and Okta Verify.
  2. Configure gimme-aws-creds with preferred_mfa_type = token:software:totp.
  3. Use gimme-aws-creds and observe that the user is prompted to select an mfa factor.

Context

In order to give myself options, I have both Google Authenticator and Okta Verify set up. In the past, I have disabled Okta Verify so that gimme-aws-creds only has one totp mfa to find, but this seems like an unnecessary concession when I can contribute a solution to the issue.

Your Environment

epierce commented 4 months ago

This new feature will be released in 2.8.1.
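
The selection problem discussed in this issue, as an added example that is not part of the thread or of the gimme-aws-creds code base: filtering enrolled factors by type alone leaves two totp candidates, while filtering by type and provider leaves one. The function name `select_factor` and the factor ids are hypothetical, `preferred_provider` stands in for the preferred_mfa_provider field the issue proposes, and ignoring a preference that matches nothing is an assumption of this sketch.

```python
# Added illustration; not gimme-aws-creds source code.
# Constructed sample of an enrolled-factor list for a user who set up both
# Okta Verify and Google Authenticator (the ids are made up).
SAMPLE_FACTORS = [
    {"id": "factor-okta-push", "factorType": "push", "provider": "OKTA"},
    {"id": "factor-okta-totp", "factorType": "token:software:totp", "provider": "OKTA"},
    {"id": "factor-google-totp", "factorType": "token:software:totp", "provider": "GOOGLE"},
]


def select_factor(factors, preferred_type=None, preferred_provider=None):
    """Return (factor, candidates).

    factor is the one factor that can be used without asking the user, or
    None when the caller still has to prompt; candidates is the list that
    prompt should offer.
    """
    candidates = list(factors)
    if preferred_type:
        by_type = [f for f in candidates if f["factorType"] == preferred_type]
        # Assumption: a preference that matches nothing is ignored, so a stale
        # config value cannot hide every enrolled factor from the user.
        candidates = by_type or candidates
    if preferred_provider:
        wanted = preferred_provider.upper()
        by_provider = [f for f in candidates if f["provider"].upper() == wanted]
        candidates = by_provider or candidates
    if len(candidates) == 1:
        return candidates[0], candidates
    return None, candidates


if __name__ == "__main__":
    # Type only: both totp factors match, so a prompt is still required.
    chosen, offered = select_factor(SAMPLE_FACTORS, "token:software:totp")
    print("type only ->", chosen, [f["id"] for f in offered])

    # Type plus provider: exactly one factor remains, no prompt needed.
    chosen, offered = select_factor(SAMPLE_FACTORS, "token:software:totp", "google")
    print("type + provider ->", chosen["id"])
```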