okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

support for aws-cli credential_process #119

Closed diegoroccia closed 9 months ago

diegoroccia commented 1 year ago

I would like to hook okta-aws-cli into the AWS CLI as a credential_process. Reference: https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html

This way I can use the AWS CLI directly without having to run a separate command to get the credentials via okta-aws-cli.

This is how saml2aws implements it:

https://github.com/Versent/saml2aws#using-saml2aws-as-credential-process

So what we would need is a flag --credential-process that generates output in the right JSON format, as well as a flag --quiet that stops the logging from being displayed.

lw-cchapin commented 1 year ago

110

monde commented 1 year ago

I was looking at https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html when I originally implemented okta-aws-cli. At the time okta-aws-cli required user input, so implementing process credentials was not possible, because I found the AWS CLI completely swallows stdout/stderr. Since then I think it's possible to run okta-aws-cli without human input if the IdP and Role pre-select flags are used in okta-aws-cli. Also, I'm working on a headless feature for okta-aws-cli, so this would be a good time to add process-credentials support.

monde commented 1 year ago

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-642837

jkiang13 commented 10 months ago

I've been using this as a workaround in okta-aws-cli v1.x. It translates the export commands to JSON via awk.

```ini
[profile okta-aws-cli-test]
credential_process=/bin/sh -c 'okta-aws-cli --org-domain <org_domain> --oidc-client-id <oidc_client_id> --open-browser true | awk '\''BEGIN {RS = ""} {gsub("\n","\",")sub("export AWS_ACCESS_KEY_ID=","\"AccessKeyId\":\"")sub("export AWS_SECRET_ACCESS_KEY=","\"SecretAccessKey\":\"")sub("export AWS_SESSION_TOKEN=","\"SessionToken\":\"")} {print "{\"Version\":1," $0 "\"}"}'\'''
```

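The original request (a JSON-emitting credential-process mode with logging suppressed) and the awk workaround above both come down to producing the document the AWS CLI/SDK credential_process contract expects: {"Version": 1, "AccessKeyId", "SecretAccessKey", "SessionToken", optional "Expiration"}. The following Python filter is an added example, not okta-aws-cli's own code. It assumes the v1 stdout shape shown in the workaround (`export NAME=value` lines); the sample input is constructed, and the optional session-lifetime argument is an assumption, since v1 output carries no expiry. Unlike the awk string substitution, it serialises with json.dumps (a secret containing a quote or backslash cannot break the document), ignores any non-export line instead of folding it into a field, and refuses to emit a partial document when a required field is missing.

```python
"""Added example, not part of okta-aws-cli: convert the `export NAME=value`
lines okta-aws-cli v1 prints into the JSON document required by the AWS
credential_process contract
(https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html).
"""
import json
import re
import sys
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Environment variables okta-aws-cli v1 exports -> credential_process field names.
FIELDS = {
    "AWS_ACCESS_KEY_ID": "AccessKeyId",
    "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
    "AWS_SESSION_TOKEN": "SessionToken",
}

EXPORT_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Constructed sample of the v1 stdout shape. The first line stands in for any
# banner or log text; the secret deliberately contains a quote, a slash and '='.
SAMPLE_V1_OUTPUT = """\
some non-export status line
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID
export AWS_SECRET_ACCESS_KEY='se/cr"et+key='
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEBQaDexample==
"""


def _unquote(value: str) -> str:
    """Strip one layer of matching single or double quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_exports(text: str) -> Dict[str, str]:
    """Return {NAME: value} for every `export NAME=value` line; other lines are ignored."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        match = EXPORT_RE.match(line)
        if match:
            env[match.group(1)] = _unquote(match.group(2))
    return env


def missing_fields(env: Dict[str, str]) -> List[str]:
    """Names of required variables that are absent or empty."""
    return [var for var in FIELDS if not env.get(var)]


def to_process_credentials(text: str, expires_at: Optional[int] = None) -> dict:
    """Build the credential_process document ("Version" must be 1).

    expires_at is a Unix timestamp. Without "Expiration" the SDK treats the
    keys as static and never refreshes them, so pass the STS expiry when known.
    Raises ValueError instead of emitting a half-filled document.
    """
    env = parse_exports(text)
    missing = missing_fields(env)
    if missing:
        raise ValueError("missing credential fields: " + ", ".join(missing))
    doc: dict = {"Version": 1}
    for var, field in FIELDS.items():
        doc[field] = env[var]
    if expires_at is not None:
        # ISO 8601 in UTC, the form the SDK documentation uses for Expiration.
        doc["Expiration"] = datetime.fromtimestamp(expires_at, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return doc


def render(text: str, expires_at: Optional[int] = None) -> str:
    """JSON text the AWS CLI reads from the helper's stdout."""
    return json.dumps(to_process_credentials(text, expires_at))


def main(argv: List[str]) -> int:
    """Filter: stdin is okta-aws-cli's stdout, stdout is JSON for the AWS CLI.
    Diagnostics go to stderr so they can never corrupt the JSON on stdout."""
    # Assumption: optional argv[1] is the session lifetime in seconds, because
    # the v1 output carries no expiry of its own.
    expires_at = int(time.time()) + int(argv[1]) if len(argv) > 1 else None
    try:
        sys.stdout.write(render(sys.stdin.read(), expires_at) + "\n")
    except ValueError as exc:
        print(f"credential helper: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in the same way as the awk version, the profile line becomes `credential_process=/bin/sh -c 'okta-aws-cli --org-domain <org_domain> --oidc-client-id <oidc_client_id> --open-browser true | python3 /path/to/credential-helper.py 3600'` (the script path and the 3600-second lifetime are placeholders). Because the AWS CLI keeps stdout for the JSON, any log line the tool prints there must be filtered or silenced; the helper's non-export filtering covers the first case, and a --quiet flag as requested in the issue would cover the second.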
monde commented 10 months ago

Cool work around on v1 @jkiang13 fwiw, v2 is GA'ing next week and we have "Process credential provider output as JSON" feature, you can see more in the beta notes: https://github.com/okta/okta-aws-cli/releases/tag/v2.0.0-beta.6

bitle commented 9 months ago

I tried the most recent v2 version and I'm running into this error message:

```
okta-aws-cli web --format process-credentials --oidc-client-id <client-id> --org-domain <domain> --aws-acct-fed-app-id <fed-app-id> --open-browser
Error: arguments --aws-iam-idp , --aws-iam-role , and --open-browser must be set for "process-credentials" format
```

If I follow the answer above to generate process-credentials with awk it works fine.

monde commented 9 months ago

Process credential support is in the v2 release, but it had a bug if you tried to combine it with also writing the credentials file. That bug is fixed and will be released later this week.

Here's an example of how I run it in my local env:

```ini
# ~/.aws/credentials
[default]
credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/My_IdP --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials
```

I should have closed this issue with the v2 release.