okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

Update Documentation to recommend "Federated Broker Mode" for Native OIDC App #145

Closed stargonautone closed 9 months ago

stargonautone commented 1 year ago

The Native OIDC App used to navigate the Device Authorization Flow needs to be assigned to end users in order to allow the authentication to work for okta-aws-cli or gimme-aws-creds. Enabling Federation Broker Mode for the OIDC app allows for this assignment to be implicit for all users without consuming API Access Management licenses if a custom authorization server is assigned to all clients.

Is there any reason Federated Broker Mode should not be recommended for the Native OIDC App used for this flow?

https://help.okta.com/en-us/content/topics/apps/apps-fbm-enable.htm

rangaprakash-okta commented 1 year ago

Maybe a good idea to consider these limitations? https://help.okta.com/en-us/content/topics/apps/apps-fbm-known-issues.htm

Also, as part of least access, it's a good idea to assess the users you assign to Okta CLI, and they need to be audited as part of the federation. We don't want unauthorised access for users who are not meant to have AWS CLI access. In this case, it's easier to assign these users to a set of predefined groups and then assign the group to the native application, to ensure least-privilege access and to make provisioning from other sources easier.
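
The assignment rules the two comments above describe (explicit user assignment, group assignment, or implicit assignment for everyone under Federation Broker Mode) can be checked with a small audit script. The following is an added example, not code from okta-aws-cli or from Okta; the directory, groups, app definitions and the "expected" population are constructed sample values, and the `App` model is a simplification that ignores sign-on policy and other Okta controls.

```python
"""
Effective-access audit for a native OIDC app used with okta-aws-cli.

Added example (not okta-aws-cli or Okta code). It models the assignment
rules from the thread: a user can complete the device authorization flow
only if the app is assigned to them directly, through a group, or
implicitly because Federation Broker Mode (FBM) is enabled. All data
below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    fbm_enabled: bool = False
    user_assignments: set[str] = field(default_factory=set)
    group_assignments: set[str] = field(default_factory=set)


# Constructed sample directory: user -> set of group memberships
DIRECTORY: dict[str, set[str]] = {
    "alice": {"aws-cli-users", "engineering"},
    "bob": {"engineering"},
    "carol": {"finance"},
    "dave": set(),
}

# Constructed sample apps: one assigned via a predefined group, one using FBM
GROUP_APP = App(name="okta-aws-cli (group assignment)",
                group_assignments={"aws-cli-users"})
FBM_APP = App(name="okta-aws-cli (FBM)", fbm_enabled=True)


def effective_users(app: App, directory: dict[str, set[str]]) -> set[str]:
    """Return the users who can authenticate to `app` under the modelled rules."""
    if app.fbm_enabled:
        # FBM makes the assignment implicit for every user in the org
        return set(directory)
    users = {u for u in app.user_assignments if u in directory}
    for user, groups in directory.items():
        if groups & app.group_assignments:
            users.add(user)
    return users


def audit(app: App, directory: dict[str, set[str]], expected: set[str]) -> dict:
    """Compare effective access with the intended population and report drift.

    `unexpected` lists users who can authenticate but were not meant to;
    `missing` lists intended users who cannot. `implicit_all_users` flags
    apps whose access is org-wide because FBM is on.
    """
    actual = effective_users(app, directory)
    return {
        "app": app.name,
        "implicit_all_users": app.fbm_enabled,
        "unexpected": sorted(actual - expected),
        "missing": sorted(expected - actual),
    }


if __name__ == "__main__":
    intended = {"alice"}  # constructed: only alice should have AWS CLI access
    for app in (GROUP_APP, FBM_APP):
        print(audit(app, DIRECTORY, intended))
```

Run against a real tenant, the directory and assignment data would come from the Okta management API; here the point is the shape of the check: with group assignment the effective set matches the intended group, while with FBM every user in the directory is reported as unexpected.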

monde commented 9 months ago

@jefftaylor-okta what do you think about this recommendation, specifically recommending enabling Federation Broker Mode?

We do have this one recommendation about policies to head off support request tickets. But that is more of a technical recommendation to get the system to work, not a hard operations recommendation, it seems to me.

We recommend that the AWS Federation Application and OIDC native application have equivalent policies if not share the same policy. If the AWS Federation app has more stringent assurance requirements than the OIDC app a 400 Bad Request API error is likely to occur.

https://github.com/okta/okta-aws-cli?tab=readme-ov-file#recommendations

jefftaylor-okta commented 9 months ago

@rangaprakash-okta Thank you for the thoughtful response!

@stargonautone Federation Broker Mode is indeed a feature you can use to ease the adoption of Okta's AWS CLI, but licenses can be different between customers. It's difficult to make this recommendation to all customers without understanding their particular context.