okta-aws-cli needs to clarify in documentation and code:

(1) Document how the three token types that occur are used during operation:
    Access token from Okta OIDC app
    Session token from Okta AWS Federation app
    AWS session token
(2) Document that the Okta OIDC app access token expiry can not be set and is always 60 minutes.
(3) Document that --cache-access-token applies to that Okta OIDC app's access token and is written to ~/.okta/awscli-access-token.json.
(4) Document how okta-aws-cli takes the Okta OIDC app's access token and presents it to the Okta AWS Federation app, and in turn the Okta AWS Fed app fetches a SAML assertion from AWS given a valid access token.
(5) Document that --session-duration applies to the AWS session token and has a valid range of minimum 900 seconds (15 minutes), maximum 1 to 12 hours depending on AWS settings; see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html
(6) Improve documentation that --write-aws-credentials writes IAM creds to ~/.aws/credentials.
(7) Add better input validation and error messages around the AWS session duration parameter.
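As an added example of the validation asked for in item (7), not code from okta-aws-cli itself, the following Go function checks a raw --session-duration value before it would be sent to AWS STS. The bounds are the ones the issue cites: STS rejects anything below 900 seconds, and a role's MaxSessionDuration can be configured anywhere from 1 hour to 12 hours, so 43200 seconds is the hard ceiling while the role's own setting (passed here as a hypothetical roleMaxSeconds argument, 0 when unknown) may be lower. The function name, the sentinel error and the message wording are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

const (
	// Smallest DurationSeconds STS accepts for AssumeRoleWithSAML (15 minutes).
	minSessionSeconds int64 = 900
	// Largest MaxSessionDuration an IAM role can be configured with (12 hours).
	maxSessionSeconds int64 = 12 * 60 * 60
)

// ErrSessionDuration is the sentinel every validation failure wraps, so callers
// can errors.Is() it while still printing the specific message to the user.
// (Assumed name for this example.)
var ErrSessionDuration = errors.New("invalid --session-duration")

// ValidateSessionDuration parses the raw CLI flag value and returns the number
// of seconds to request from STS. roleMaxSeconds is the target role's
// MaxSessionDuration when the caller knows it; pass 0 when it is unknown, in
// which case only the global 900..43200 bounds are enforced. (Assumed name.)
func ValidateSessionDuration(raw string, roleMaxSeconds int64) (int64, error) {
	if raw == "" {
		return 0, fmt.Errorf("%w: no value given; expected a number of seconds between %d and %d",
			ErrSessionDuration, minSessionSeconds, maxSessionSeconds)
	}
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("%w: %q is not a whole number of seconds", ErrSessionDuration, raw)
	}
	if n < minSessionSeconds {
		return 0, fmt.Errorf("%w: %d seconds is below the AWS minimum of %d seconds (%s)",
			ErrSessionDuration, n, minSessionSeconds, describe(minSessionSeconds))
	}
	if n > maxSessionSeconds {
		return 0, fmt.Errorf("%w: %d seconds exceeds the AWS maximum of %d seconds (%s)",
			ErrSessionDuration, n, maxSessionSeconds, describe(maxSessionSeconds))
	}
	// The role's own MaxSessionDuration is the real cap; STS fails the call if
	// DurationSeconds is larger, so report it up front instead of after the SAML
	// round trip.
	if roleMaxSeconds > 0 && n > roleMaxSeconds {
		return 0, fmt.Errorf("%w: %d seconds exceeds the role's MaxSessionDuration of %d seconds (%s); lower the value or raise the role's setting in IAM",
			ErrSessionDuration, n, roleMaxSeconds, describe(roleMaxSeconds))
	}
	return n, nil
}

// describe renders a seconds count as a human-readable duration for messages.
func describe(seconds int64) string {
	return (time.Duration(seconds) * time.Second).String()
}

func main() {
	// Constructed sample inputs covering the edge cases the issue calls out.
	for _, raw := range []string{"", "abc", "899", "900", "3600", "43201", "7200"} {
		n, err := ValidateSessionDuration(raw, 3600) // role configured with a 1h max
		if err != nil {
			fmt.Printf("%-6q -> %v\n", raw, err)
			continue
		}
		fmt.Printf("%-6q -> ok, requesting %d seconds\n", raw, n)
	}
}
```

Rejecting out-of-range values client side does not change what STS would do; it only turns an opaque STS failure into an actionable message before the Okta round trips happen, which is the point of item (7).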