okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

Credentials are always written to the 'default' profile even when using the --profile flag #105

Closed gg-chrisd closed 1 year ago

gg-chrisd commented 1 year ago

When using the --profile flag or specifying AWS_CLI_PROFILE in the .env file, it still writes credentials to the default profile.

Some of our Terraform modules will run against multiple AWS environments, so having the ability to save credentials to different profiles allows us to run this as one module, rather than having to split it per environment and re-auth each time.

monde commented 1 year ago

@gg-chrisd, I'm not able to reproduce this. Are you using the latest version? Where is it installed from? What OS? I'm on a MacBook, and this is what I see: I write to a profile named test, I try to do an s3 ls with the implied default profile, and I try to do an s3 ls with the defined test profile. Some values are scrubbed out, but this is a true copy/paste of me trying to repro your issue:

$ cat ~/.aws/credentials
[default]
aws_access_key_id     = xxx
aws_secret_access_key = xxx
aws_session_token     = xxx

$ okta-aws-cli --oidc-client-id 0oa4x34ogyC1i1krJ1d7 --org-domain my-org --write-aws-credentials --profile test --open-browser
System web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://my-org/activate?user_code=QFJCGPRP

? Choose an IdP: AWS Account Federation (arn:aws:iam::123:saml-provider/Mondragon_AWS_CLI)
? Choose a Role: arn:aws:iam::123:role/MMondragon_S3_Read
Updated profile "test" in credentials file "/Users/me/.aws/credentials".

$ cat ~/.aws/credentials
[default]
aws_access_key_id     = xxx
aws_secret_access_key = xxx
aws_session_token     = xxx

[test]
aws_access_key_id     = abc
aws_secret_access_key = def
aws_session_token     = ghi

$ aws s3 ls

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

$ aws --profile test s3 ls
2022-02-09 15:12:51 one-bucket
2022-08-05 09:50:08 two-bucket

gg-chrisd commented 1 year ago

@monde Just tested again this morning and it's working, so I can only assume I made a typo or maybe something else was going on, apologies for that and thanks for coming back to me!

Placing a profile in the .env file using OKTA_AWSCLI_PROFILE doesn't seem to work, though; I'm not sure if I'm doing something wrong there as well. It's not a massive issue, as the command line flag is much more useful anyway.

In my .env file I have OKTA_AWSCLI_PROFILE="test", along with other working config, but when I run okta-aws-cli, I get:

Updated profile "default" in credentials file...

This is in WSL2 on Windows.
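An added check for the two situations discussed above (the --profile run, where only the named profile should change, and the .env run, where the tool reported writing "default"): the script below is not part of okta-aws-cli or of this thread. It snapshots the shared credentials file before and after a run and reports which profiles were added, modified or removed, comparing SHA-256 fingerprints so the secret values themselves are never printed. The BEFORE/AFTER strings are constructed samples with dummy values that mirror the transcript in the thread; the path ~/.aws/credentials is the conventional default location and is an assumption for the live check.

```python
"""Added example (not code from okta-aws-cli or this issue): verify which
profiles in an AWS shared credentials file changed between two snapshots.
Typical use: before = snapshot(); run okta-aws-cli ... --profile test;
after = snapshot(); verify_write(before, after, "test")."""

import configparser
import hashlib
from pathlib import Path

# Constructed sample snapshots of ~/.aws/credentials (dummy values, not real keys).
BEFORE = """\
[default]
aws_access_key_id     = xxx
aws_secret_access_key = xxx
aws_session_token     = xxx
"""

AFTER = """\
[default]
aws_access_key_id     = xxx
aws_secret_access_key = xxx
aws_session_token     = xxx

[test]
aws_access_key_id     = abc
aws_secret_access_key = def
aws_session_token     = ghi
"""


def parse_credentials(text: str) -> dict[str, dict[str, str]]:
    """Parse shared-credentials INI text into {profile: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def fingerprint(values: dict[str, str]) -> str:
    """Stable SHA-256 over a profile's key/value pairs, so raw secrets never leave memory."""
    digest = hashlib.sha256()
    for key in sorted(values):
        digest.update(f"{key}={values[key]}\n".encode())
    return digest.hexdigest()


def changed_profiles(before_text: str, after_text: str) -> dict[str, str]:
    """Return {profile: 'added' | 'modified' | 'removed'} for every profile that differs."""
    before = {n: fingerprint(v) for n, v in parse_credentials(before_text).items()}
    after = {n: fingerprint(v) for n, v in parse_credentials(after_text).items()}
    result: dict[str, str] = {}
    for name in before.keys() | after.keys():
        if name not in before:
            result[name] = "added"
        elif name not in after:
            result[name] = "removed"
        elif before[name] != after[name]:
            result[name] = "modified"
    return result


def verify_write(before_text: str, after_text: str, expected_profile: str) -> bool:
    """True only if exactly the expected profile was written and nothing else was touched."""
    changed = changed_profiles(before_text, after_text)
    return set(changed) == {expected_profile} and changed[expected_profile] != "removed"


def snapshot(path: Path = Path.home() / ".aws" / "credentials") -> str:
    """Read the live credentials file (assumed default location); empty if absent."""
    return path.read_text() if path.exists() else ""


if __name__ == "__main__":
    # Demonstration on the constructed samples; swap in snapshot() around a real run.
    print(changed_profiles(BEFORE, AFTER))        # {'test': 'added'}
    print(verify_write(BEFORE, AFTER, "test"))    # True
    print(verify_write(BEFORE, AFTER, "default")) # False
```

If the .env run really had written the default profile, the same comparison would report `{'default': 'modified'}` and `verify_write(..., "test")` would return False, which pins down whether the profile setting was honoured without having to eyeball the file or expose the session token in a terminal log.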