okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli

receiving 400 error on execution of okta-aws-cli app #34

Closed b3rgman closed 1 year ago

b3rgman commented 1 year ago

Hello, I am trying to run the okta-aws-cli app with the new OIE. Here are the steps I have completed.

When running okta-aws-cli I receive a generic 400 error

Error: authorize received API response "400 Bad Request"

I have looked at the recommendations note. The AWS Federation and OIDC native app both have the same policy applied in Okta. I also have okta.apps.read granted on the OIDC Native application.

Questions:

QuentinBtd commented 1 year ago

Hello

I had the same problem as you, until I realized I had forgotten to fill in the Allowed Web SSO Client field in Applications > [the AWS Fed app] > Sign On with the OIDC Native Application ID.

If it helps you...

I think the documentation can be improved on this point 😄

monde commented 1 year ago

Also, was this occurring in the latest version of the okta-aws-cli, v0.1.0?

b3rgman commented 1 year ago

@monde This was occurring with v0.1.0. We tried the above idea from @QuentinBtd with no success.

monde commented 1 year ago

@b3rgman can you run your okta-aws-cli command with debugging enabled: GODEBUG=http2debug=1 okta-aws-cli. It will be noisy, but I'm interested in seeing which API call is getting the 400. Let me know, thanks.

jbergman-apiture commented 1 year ago

@monde I got this working. I was missing a grant type. The flow for this app is not very intuitive. It is a backwards step from what we are currently using: https://github.com/okta-awscli/okta-awscli. The browser piece and exporting the credentials need to be automated. Are there plans to streamline this app in the future? I'm going to keep running the other one for now, as the flow for it is much cleaner.

monde commented 1 year ago

@jbergman-apiture I'm not 100% certain what our PM's plans are for next iterations of features in okta-aws-cli. I definitely can see improving the UX in the Admin UI to help setting up the OIN AWS Federation App(s). The goal of the GA release of okta-aws-cli was to provide real OIE support to AWS CLI. Existing open source tools like Nike Gimme Creds are for classic orgs, do screen scraping (not API calls), and are not managed by Okta.

I'd open a support ticket and ask to be put into contact with the PM for okta-aws-cli - https://support.okta.com/