okta / okta-aws-cli

A CLI for having Okta as the IdP for AWS CLI operations
https://github.com/okta/okta-aws-cli
Other
128 stars 34 forks source link

okta-aws-cli

NOTE: Some environment variable names changed with the v2.0.0 release of okta-aws-cli; double check your existing named variables in the configuration documentation.

okta-aws-cli is a CLI program allowing Okta to act as an identity provider and retrieve AWS IAM temporary credentials for use in AWS CLI, AWS SDKs, and other tools accessing the AWS API. It has two primary commands:

 # *nix, export statements
$ okta-aws-cli web --oidc-client-id 0oabc --aws-acct-fed-app-id 0oaxy --org-domain my-org.okta.com
export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...

rem Windows setx statements
C:\> okta-aws-cli web --oidc-client-id 0oabc --aws-acct-fed-app-id 0oaxy --org-domain my-org.okta.com
SETX AWS_ACCESS_KEY_ID ASIAUJHVCS6UQC52NOL7
SETX AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SETX AWS_SESSION_TOKEN AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...

The result of both the web and m2m operations is to secure and emit IAM temporary credentials. The credentials have three different output formats that are chosen by the user: environment variables, AWS credentials file, or JSON process credentials format.

Table of Contents

Commands

Command Description
(empty) When okta-aws-cli is executed without a subcommand and without arguments it will print the online help and exit. With arguments it defaults to the web command.
web Human oriented retrieval of temporary IAM credentials through Okta authentication and device authorization.
m2m Machine/headless oriented retrieval of temporary IAM credentials through Okta authentication with a private key. IMPORTANT! This a not a feature intended for a human use case. Be sure to use industry state of the art secrets management techniques with the private key.
list-profiles Lists profile names in ~/.okta/okta.yaml.
debug Debug okta.yaml config file and exit.

Web Command

$ okta-aws-cli web --oidc-client-id 0oabc --aws-acct-fed-app-id 0oaxy --org-domain my-org.okta.com
export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...

Web command is the human oriented device authorization mode. The user executes okta-aws-cli web to retrieve an authorization URL. The user can copy/paste the URL into a web browser, have the CLI open a web browser, or have the CLI print a QR code that can be scanned by a handset to open a web browser there. After the human completes the authorization flow in a browser they return to the CLI to complete the process of retrieving AWS credentials.

Web command is an integration that pairs an Okta OIDC Native Application with an Okta AWS Federation integration application. In turn the Okta AWS Fed app is itself paired with an AWS IAM identity provider. The Okta AWS Fed app is SAML based and the Okta AWS CLI interacts with AWS IAM using AssumeRoleWithSAML via AWS STS.

After the CLI has presented its SAML assertion to AWS STS it collects a proper IAM role for the AWS CLI operator. The resulting output is a set made up of Access Key ID, Secret Access Key, and Session Token of AWS credentials for the AWS CLI. The Okta AWS CLI expresses the AWS credentials as environment variables, or appended (or overwrites existing values) to an AWS CLI credentials file, or emits JSON in process credentials format.

The Session Token has a default expiry of 60 minutes.

IMPORTANT! The Okta AWS Federation Application does not work in a headless environment; it only operates with a human performing authorization in a web browser.

Web Command Requirements

For web command the Okta AWS CLI requires an OIE organization and an OIDC Native Application paired with an Okta AWS Federation integration application. The Okta AWS Fed app is itself paired with an AWS IAM identity provider.

The OIDC Native Application requires Grant Types Authorization Code, Device Authorization , and Token Exchange. These settings are in the Okta Admin UI at Applications > [the OIDC app] > General Settings > Grant type.

If Multiple AWS environments (alleviates the need for use of the --aws-acct-fed-app-id argument) are to be supported by a single OIDC application, the OIDC app must have the okta.apps.read grant for admin users and okta.users.read.self for non-admin users. Application grants are configured at Applications > [the OIDC app] > Okta API Scopes in the Okta Admin UI.

The pairing with the AWS Federation Application is achieved in the Fed app's Sign On Settings. These settings are in the Okta Admin UI at Applications > [the AWS Fed app] > Sign On. There are two values that need to be set on the Sign On form. The first is the Allowed Web SSO Client value which is the Client ID of the OIDC Native Application. The second is Identity Provider ARN (Required only for SAML SSO) value which is the AWS ARN of the associated IAM Identity Provider.

Okta has a wizard to help establish the settings needed in AWS IAM, automatic generation of a SAML certificate for the IAM Identity Provider, and the settings needed for the Okta AWS Federation app. Replace these required values in the URL below. Then follow the directions in that wizard.

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html?baseAdminUrl=https://[ADMIN_DOMAIN]&app=amazon_aws&instanceId=[CLIENT_ID]

Multiple AWS environments

To support multiple AWS environments, associate additional AWS Federation applications with an OIDC app. The OIDC app must have the okta.apps.read grant to support admin users. To support non-admin users the OIDC app must have the okta.users.read.self grant. The following is an illustration of the association of objects that make up this kind of configuration.

okta-aws-cli supporting multiple AWS environments

The example diagram reflects the following:

Multiple AWS environments for Non-Admin Users

The multiple AWS environments feature will work for non-admin users if the OIDC Native app is granted theokta.users.read.self scope and the user is assigned to the OIDC Native app and assigned to each Okta AWS Federation app. The API endpoint GET /api/v1/users/me/appLinks is referenced to discover which applications are assigned to the non-admin user. The appLinks endpoint only lists Okta AWS Federation apps that the user would be able to see in the user's Okta Console.

IMPORTANT!!!

Below is a deprecated recommendation for non-admin users. We are leaving it in the README for legacy purposes. We are no longer recommending this workaround so long as the OIDC app is granted the okta.users.read.self scope.

OLD work around for non-admin users

Multiple AWS environments requires extra configuration for non-admin users. Follow these steps to support non-admin users.

1) Create a custom admin role with the only permission being "View application and their details", and a resource set constrained to "All AWS Account Federation apps".

2) Create a group that will contain the AWS custom admin role users.

3) Add a rule on the admin console authentication policy that denies access if the use is a member of the group from step 2.

4) Assign non-admin users this custom role in step 1 and assign them to the group in step 2.

The "Admin" button will be visible on the Okta dashboard of non-admin users but they will receive a 403 if they attempt to open the Admin UI.

M2M Command

IMPORTANT! This a not a feature intended for a human use case. Be sure to use industry state of the art secrets management techniques with the private key.

# This example presumes its arguments are set as environment variables such as
# one may find in a headless CI environment.
# e.g.
# export OKTA_AWSCLI_ORG_DOMAIN="my-org.oka.com"
# export OKTA_AWSCLI_OIDC_CLIENT_ID="0oaa4htg72TNrkTDr1d7"
# export OKTA_AWSCLI_IAM_ROLE="arn:aws:iam::1234:role/Circle-CI-ops"
# export OKTA_AWSCLI_CUSTOM_SCOPE="okta-m2m-access"
# export OKTA_AWSCLI_KEY_ID="kid-rock"
# export OKTA_AWSCLI_PRIVATE_KEY="... long string with new lines ..."
# export OKTA_AWSCLI_AUTHZ_ID="aus8w23r13NvyUwln1d7"

$ okta-aws-cli m2m
export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...

M2M command is headless machine to machine authorization. The operator executes okta-aws-cli m2m which has access to a private key whose public key is registered in an Okta API service application. okta-aws-cli m2m signs a request for an Okta access token that is associated with the Okta service application. Given the Okta authorization (default or custom) server returns an access token, the access token is presented to AWS STS using AssumeRoleWithWebIdentity. AWS and Okta communicate directly by OIDC protocol to confirm authorization for IAM credentials.

Given access is granted by AWS the result of okta-aws-cli m2m is a set made up of Access Key ID, Secret Access Key, and Session Token of AWS credentials for the AWS CLI. The Okta AWS CLI expresses the AWS credentials as environment variables, or appended (or overwrites existing values) to an AWS CLI credentials file, or emits JSON in process credentials format.

The Session Token has a default expiry of 60 minutes.

M2M Command Requirements

M2M is an integration of:

Okta Service Application

The Okta API services app requires "Public key / Private key" for "Client authentication". This is set at Applications > [the API services app] > General Settings > Client Credentials. In the "Public Keys" section select "Add Key" then either add your own public key in JWKS format, or have Okta generate a new key pair and copy the PEM formatted private key. Where ever the private key resides it needs to be available to okta-aws-cli m2m at runtime; for instance injected as an environment variable from a secrets manager / vault.

Okta Authorization Server

Follow these steps for a custom authorization server, okta-aws-cli will utilize the default authorization server otherwise.

Okta custom authorization servers are available in Developer Edition orgs. For production orgs the Workforce Identity SKU "API Access Management" needs to be requested for the org if it doesn't already have the feature enabled.

Custom authorization servers are set in the Admin UI at Security > API and select "Add Authorization Server". The "Audience" value needs to be set to something URL-like, for instance "https://my-project-name". Audience will be referenced later in the AWS IAM OIDC Identity Provider settings.

Okta Custom Scope

A custom Okta scope needs to be set on the authorization server. This is at Security > API > [the authorization server] > Scopes and choose "Add Scope". okta-aws-cli will assume the scope is named okta-m2m-access, but if it isn't the CLI flag --custom-scope argument trains the CLI for the scope to use.

Okta Access Policy

On the authorization server panel select "Access Policies" this is at Security > API > [the server] > Access Policies. Then select "Add New Access Policy", give it a name and description. Also, select "Assign to" > "The following clients" and assign to the established Okta service app. Save the policy.

On the new access policy select "Add rule" and give it a descriptive name, for instance "Client Credentials Client acting on behalf of itself". Give the rule the parameters "IF Grant type is" / "Client acting on behalf of itself" and select "Client Credentials". Then "AND User is", assign your user(s) preference. Finally, "AND Scopes requested" / "The following scopes", choose the custom scope created. The CLI defaults to custom scope named okta-m2m-acces otherwise the --custom-scope CLI flag is required at runtime specify the name. Save the rule.

AWS IAM OIDC IdP

From the AWS Console, in the IAM panel, select "Identity providers". Then click "Add provider". In the add provider form select "OpenID Connect". Set the "Provider URL" to the issuer URL from the Okta API Authorization Servers list for your custom authorization server (example: https://[your org].okta.com/oauth2/[custom auth server id or 'default']). Set the "Audience" value from the "Audience" value listed for the authorization server in the Okta panel.

After the IdP is created note it's ARN value. Any IAM roles that need to be associated with the IdP need to have a trust relationship established on the role of the sts:AssumeRoleWithWebIdentity action type. This setting is on the trust relationship tab when viewing a specific role in the AWS Console. Also note the ARNs of these roles for later use.

List-Profiles Command

$ okta-aws-cli list-profiles
Profiles:

 sample-account X(Non-Prod)
 sample-account X (Prod)
 another-sample-account Y (Non-Prod)

List-profiles command is a human oriented command to show the list of profile names stored in the ~/.okta/okta.yaml file. The user executes okta-aws-cli list-profiles where a list of profile name shall be listed for convenience. The names will be indented.

Configuration

Global settings

NOTE: If your AWS IAM IdP is in a non-commercial region, such as GovCloud, the environmental variable AWS_REGION should be set accordingly.

At a minimum the Okta AWS CLI requires three configuration values. These are the values for the Okta Org domain, the client ID of the OIDC Native Application, and the ID of the Okta AWS Federation integration application. For the web command, when support for multiple AWS environments has been configured the AWS Fed app ID becomes optional.

An optional output format value can be configured. Default output format is as environment variables that can be used for the AWS CLI configuration. Output can also be expressed as AWS credential file values or JSON process credentials format.

Configuration can be done with command line flags, environment variables, an .env file, or a combination of the three. The first value found in that evaluation order takes precedent.

NOTE: If AWS_REGION is set in the .env file it will be promoted into the okta-aws-cli runtime if it isn't also already set as an ENV VAR. This will allow operators making use of an .env file to have proper AWS API behavior in specific regions, for instance in US govcloud and other non-North America regions.

Also see the CLI's online help $ okta-aws-cli --help

These global settings are optional unless marked otherwise:

Name Description Command line flag ENV var and .env file value
AWS Region (optional) AWS region (will override ENV VAR AWS_REGION and AWS_DEFAULT_REGION) e.g. us-east-2 --aws-region [value] OKTA_AWSCLI_AWS_REGION
Okta Org Domain (required) Full host and domain name of the Okta org e.g. my-org.okta.com or the custom domain value --org-domain [value] OKTA_AWSCLI_ORG_DOMAIN
OIDC Client ID (required) For web the OIDC native application / Allowed Web SSO Client ID, for m2m the API services app ID --oidc-client-id [value] OKTA_AWSCLI_OIDC_CLIENT_ID
AWS IAM Role ARN (optional for web, required for m2m) For web preselects the role list to this preferred IAM role for the given IAM Identity Provider. For m2m --aws-iam-role [value] OKTA_AWSCLI_IAM_ROLE
AWS Session Duration The lifetime, in seconds, of the AWS credentials. Must be between 60 and 43200. --session-duration [value] OKTA_AWSCLI_SESSION_DURATION
Output format Default is env-var. Options: env-var for output to environment variables, aws-credentials for output to AWS credentials file, process-credentials for credentials as JSON, or noop for no output which can be useful with --exec --format [value] OKTA_AWSCLI_FORMAT
Profile Default is default --profile [value] OKTA_AWSCLI_PROFILE
Cache Okta access token at $HOME/.okta/awscli-access-token.json to reduce need to open device authorization URL true if flag is present --cache-access-token OKTA_AWSCLI_CACHE_ACCESS_TOKEN=true
Alternate AWS credentials file path Path to alternative credentials file other than AWS CLI default --aws-credentials OKTA_AWSCLI_AWS_CREDENTIALS
(Over)write the given profile to the AWS credentials file. WARNING: When enabled, overwriting can inadvertently remove dangling comments and extraneous formatting from the creds file. true if flag is present --write-aws-credentials OKTA_AWSCLI_WRITE_AWS_CREDENTIALS=true
Emit deprecated AWS variable aws_security_token with duplicated value from aws_session_token. AWS CLI removed any reference and documentation for aws_security_token in November 2014. true if flag is present --legacy-aws-variables OKTA_AWSCLI_LEGACY_AWS_VARIABLES=true
Emit expiry timestamp x_security_token_expires in RFC3339 format for the session/security token (AWS credentials file only). This is a non-standard profile variable. true if flag is present --expiry-aws-variables OKTA_AWSCLI_EXPIRY_AWS_VARIABLES=true
Print operational information to the screen for debugging purposes true if flag is present --debug OKTA_AWSCLI_DEBUG=true
Verbosely print all API calls/responses to the screen true if flag is present --debug-api-calls OKTA_AWSCLI_DEBUG_API_CALLS=true
HTTP/HTTPS Proxy support HTTP/HTTPS URL of proxy service (based on golang net/http/httpproxy package) n/a HTTP_PROXY or HTTPS_PROXY
Execute arguments after CLI arg terminator -- as a separate process. Process will be executed with AWS cred values as AWS env vars AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN. true if flag is present --exec OKTA_AWSCLI_EXEC=true

Web command settings

If the OIDC Native App doesn't also have the okta.apps.read grant (for admin users) or the okta.users.read.self grant (for non-admin users) the client ID of the Okta AWS Federation integration application is also required.

These settings are all optional:

Name Description Command line flag ENV var and .env file value
Okta AWS Account Federation integration app ID See AWS Account Federation integration app. This value is only required if the CLI is not running for multiple AWS environments --aws-acct-fed-app-id [value] OKTA_AWSCLI_AWS_ACCOUNT_FEDERATION_APP_ID
AWS IAM Identity Provider ARN Preselects the IdP list to this preferred IAM Identity Provider. If there are other IdPs available they will not be listed. --aws-iam-idp [value] OKTA_AWSCLI_IAM_IDP
Display QR Code true if flag is present --qr-code OKTA_AWSCLI_QR_CODE=true
Automatically open the activation URL with the system web browser true if flag is present --open-browser OKTA_AWSCLI_OPEN_BROWSER=true
Automatically open the activation URL with the given web browser command Shell escaped browser command --open-browser-command [command] OKTA_AWSCLI_OPEN_BROWSER_COMMAND
Gather all profiles for all IdPs and Roles associated with an AWS Fed App (implies aws-credentials file output format)) true if flag is present --all-profiles OKTA_AWSCLI_OPEN_BROWSER=true

Allowed Web SSO Client ID

This is the "Allowed Web SSO Client" value from the "Sign On" settings of an AWS Account Federation" integration app and is an Okta OIDC Native Application ID. The ID is the identifier of the client is Okta app acting as the IdP for AWS.

Example: 0oa5wyqjk6Wm148fE1d7

AWS Account Federation integration app

ID for the AWS Account Federation" integration app.

Example: 0oa9x1rifa2H6Q5d8325

Environment variables example

export OKTA_AWSCLI_ORG_DOMAIN=my-org.okta.com
export OKTA_AWSCLI_OIDC_CLIENT_ID=0oa5wyqjk6Wm148fE1d7

.env file variables example

OKTA_AWSCLI_ORG_DOMAIN=my-org.okta.com
OKTA_AWSCLI_OIDC_CLIENT_ID=0oa5wyqjk6Wm148fE1d7

Command line flags example

OIDC client has okta.apps.read grant

$ okta-aws-cli web --org-domain my-org.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \

OIDC client does not have okta.apps.read grant (admins) or okta.users.read.self grant (non-admins)


$ okta-aws-cli web --org-domain my-org.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --aws-acct-fed-app-id 0oa9x1rifa2H6Q5d8325

M2M command settings

These settings are optional unless marked otherwise:

Name Description Command line flag ENV var and .env file value
Key ID (kid) (required) The ID of the key stored in the service app --key-id [value] OKTA_AWSCLI_KEY_ID
Private Key (required in lieu of private key file) PEM (pkcs#1 or pkcs#9) private key whose public key is stored on the service app --private-key [value] OKTA_AWSCLI_PRIVATE_KEY
Private Key File (required in lieu of private key) File holding PEM (pkcs#1 or pkcs#9) private key whose public key is stored on the service app --private-key-file [value] OKTA_AWSCLI_PRIVATE_KEY_FILE
Authorization Server ID The ID of the Okta authorization server, set ID for a custom authorization server, will use default otherwise. Default default --authz-id [value] OKTA_AWSCLI_AUTHZ_ID
Custom scope name The custom scope established in the custom authorization server. Default okta-m2m-access --custom-scope [value] OKTA_AWSCLI_CUSTOM_SCOPE

Friendly IdP and Role menu labels

When the operator has many AWS Federation apps listing the AWS IAM IdP ARNs can make it hard to read the list. The same can be said if an IdP has many IAM Role ARNs associated with it. To make this easier to manage the operator can create an Okta config file in YAML format at $HOME/.okta/okta.yaml that allows them to set a map of alias labels for the ARN values. Then ARN values for both IdPs and Roles can also be evaluated are regular expressions (see example below).

NOTE: The Okta language SDKs have standardized on using $HOME/.okta/okta.yaml as a configuration file and location. We will continue that practice with read-only friendly okta-aws-cli application values.

Before

? Choose an IdP:  [Use arrows to move, type to filter]
> Fed App 1 Label
  Fed App 2 Label
  Fed App 3 Label
  Fed App 4 Label

? Choose a Role:  [Use arrows to move, type to filter]
> arn:aws:iam::123456789012:role/admin
  arn:aws:iam::123456789012:role/ops

Example $HOME/.okta/okta.yaml

---
awscli:
  idps:
    "arn:aws:iam::123456789012:saml-provider/company-okta-idp": "Data Production"
    "arn:aws:iam::012345678901:saml-provider/company-okta-idp": "Data Development"
    "arn:aws:iam::901234567890:saml-provider/company-okta-idp": "Marketing Production"
    "arn:aws:iam::890123456789:saml-provider/company-okta-idp": "Marketing Development"
  roles:
    "arn:aws:iam::.*:role/admin": "Admin"
    "arn:aws:iam::.*:role/operator": "Ops"

After

? Choose an IdP:  [Use arrows to move, type to filter]
> Data Production
  Data Development
  Marketing Production
  Marketing Development

? Choose a Role:  [Use arrows to move, type to filter]
> Admin
  Ops

Configuration by profile name

Multiple okta-aws-cli configurations can be saved in the $HOME/.okta/okta.yaml file and are keyed by AWS profile name in the awscli.profiles section. This allows the operator to save many okta-aws-cli configurations in the okta.yaml.

$ okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com --profile staging

Example $HOME/.okta/okta.yaml

---
awscli:
  profiles:
    staging:
      oidc-client-id: "0osabc"
      org-domain: "org-stg.okata.com"
      aws-iam-idp: "arn:aws:iam::123:saml-provider/MyIdP"
      aws-iam-role: "arn:aws:iam::123:role/S3_Read"
      write-aws-credentials: true
      open-browser: true
    production:
      oidc-client-id: "0opabc"
      org-domain: "org-prd.okata.com"
      aws-iam-idp: "arn:aws:iam::456:saml-provider/MyIdP"
      aws-iam-role: "arn:aws:iam::456:role/S3_Read"
      write-aws-credentials: true
      open-browser: true

Debug okta.yaml

okta-aws-cli has a debug option to check if the okta.yaml file is readable and in valid format.

$ okta-aws-cli debug

Given this YAML as an example template of okta.yaml for reference:

---
awscli:
  idps:
    "arn:aws:iam::123456789012:saml-provider/company-okta-idp": "Data Production"
    "arn:aws:iam::012345678901:saml-provider/company-okta-idp": "Data Development"
  roles:
    "arn:aws:iam::123456789012:role/admin": "Prod Admin"
    "arn:aws:iam::123456789012:role/operator": "Prod Ops"
    "arn:aws:iam::012345678901:role/admin": "Dev Admin"
    "arn:aws:iam::012345678901:role/operator": "Dev Ops"

found home directory "/Users/person"
okta.yaml is readable "/Users/person/.okta/okta.yaml"
okta.yaml is valid yaml
okta.yaml has root "awscli" section
okta.yaml "awscli.idps" section is a map of 2 ARN string keys to friendly string label values
okta.yaml "awscli.roles" section is a map of 4 ARN string keys to friendly string label values
okta.yaml is OK
debugging okta-aws-cli config $HOME/.okta/okta.yaml is complete

If any of the checks fail a warning and diagnostic message is given.

okta-aws-cli will exit once the debug config operation is complete. It is not intended to be run with other flags.

Installation

Binaries

Binary releases for combinations of operating systems and architectures are posted to the okta-aws-cli releases section in Github. Each release includes CHANGELOG notes for that release.

OSX/Homebrew

okta-aws-cli is distributed to OSX via homebrew

$ brew install okta-aws-cli

Windows/Chocolatey

okta-aws-cli is distributed to Windows via Chocolatey

> choco install okta-aws-cli

Local build/install

See Development section.

TL;DR run directly from source

$ go run cmd/okta-aws-cli/main.go --help

TL;DR build from source, installed into golang bin directory

$ make build

Recommendations

We recommend that the AWS Federation Application and OIDC native application have equivalent policies if not share the same policy. If the AWS Federation app has more stringent assurance requirements than the OIDC app a 400 Bad Request API error is likely to occur.

NOTE: In authentication policy rule of AWS Federation app, Device State must be set to Any for using Okta AWS CLI. Other options are not supported at this time.

Operation

The behavior of the Okta AWS CLI is to be friendly for shell input and scripting. Output of the command that is human oriented is done on STDERR and output for the AWS CLI that can be consumed in scripting is done on STDOUT. This allows for the command's results to be eval'd into the current shell as eval will only make use of STDOUT values.

Plain usage

NOTE: The default sub command is web and it can be left off as a command argument.

NOTE: example assumes other Okta AWS CLI configuration values have already been set by ENV variables or .env file.

NOTE: output will be in setx statements if the runtime is Windows.

NOTE: okta-aws-cli only needs to be called the first time to gather AWS creds. Then called again once those creds have expired. It does not need to be called every time before each actual AWS CLI invocation.

$ okta-aws-cli
Open the following URL to begin Okta device authorization for the AWS CLI.

https://test-org.okta.com/activate?user_code=ZNQZQXQQ

? Choose an IdP: arn:aws:iam::123456789012:saml-provider/My_IdP
? Choose a Role: arn:aws:iam::456789012345:role/My_Role

export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...

$ export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...
$ aws s3 ls
2018-04-04 11:56:00 test-bucket
2021-06-10 12:47:11 mah-bucket

Scripted orientated usages

NOTE: example assumes other Okta AWS CLI configuration values have already been set by ENV variables or .env file.

$ eval `okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com` && aws s3 ls
2018-04-04 11:56:00 test-bucket
2021-06-10 12:47:11 mah-bucket

$ eval `okta-aws-cli`

$ aws s3 ls
2018-04-04 11:56:00 test-bucket
2021-06-10 12:47:11 mah-bucket

$ okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com --exec -- aws s3 ls s3://example
                           PRE aaa/
2023-03-08 16:01:01          4 a.log

AWS credentials file orientated usage

NOTE: example assumes other Okta AWS CLI configuration values have already been set by ENV variables or .env file.

$ okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com --profile test --format aws-credentials && \
  aws --profile test s3 ls

Open the following URL to begin Okta device authorization for the AWS CLI.

https://test-org.okta.com/activate?user_code=ZNQZQXQQ

? Choose an IdP: arn:aws:iam::123456789012:saml-provider/My_IdP
? Choose a Role: arn:aws:iam::456789012345:role/My_Role
Wrote profile "test" to /Users/mikemondragon/.aws/credentials

2018-04-04 11:56:00 test-bucket
2021-06-10 12:47:11 mah-bucket

NOTE: Writing to the AWS credentials file will include the x_security_token_expires value in RFC3339 format. This allows tools dependent on valid AWS credentials to validate if they are expired or not, and *potentially trigger a refresh if needed.

NOTE: the Okta AWS CLI will only append to the AWS credentials file. Be sure to comment out or remove previous named profiles from the credentials file. Otherwise an Unable to parse config file error like the following may occur.

aws --profile example s3 ls

Unable to parse config file: /home/user/.aws/credentials

Process credentials provider

okta-aws-cli supports JSON output for the AWS CLI credential process argument. Add this line to the default section of $/.aws/config. First m2m example presumes m2m arguments are in OKTA_AWSCLI_* environment variables, AWS CLI passes those through. Second web example has args spelled out directly in the credential process values.

M2M example:

credential_process = okta-aws-cli m2m --format process-credentials --oidc-client-id 0oabc --org-domain my-org.okta.com

Web example:

credential_process = okta-aws-cli web --format process-credentials --oidc-client-id 0oabc --org-domain my-org.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/my-idp --aws-iam-role arn:aws:iam::294719231913:role/s3 --open-browser

Execute follow-on process

okta-aws-cli can execute a process after it has collected credentials. It will do so with any existing env vars prefaced by AWS_ such as AWS_REGION and also append the env vars for the new AWS credentials AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN. Use noop format so aws-aws-cli doesn't emit credentials to stdeout itself but passes them to the process it executes. The output from the process will be printed to the screen properly to STDOUT, and also STDERR if the process also writes to STDERR.

Example 1

$ okta-aws-cli m2m --format noop --oidc-client-id 0oabc --org-domain my-org.okta.com --exec -- printenv
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=ASIAUJHVCS6UYRTRTSQE
AWS_SECRET_ACCESS_KEY=TmvLOM/doSWfmIMK...
AWS_SESSION_TOKEN=FwoGZXIvYXdzEF8aDKrf...

Example 2

$ okta-aws-cli m2m --format noop --oidc-client-id 0oabc --org-domain my-org.okta.com --exec -- aws s3 ls s3://example
                           PRE aaa/
2023-03-08 16:01:01          4 a.log

Example 3 (process had error and also writes to STDERR)

$ okta-aws-cli m2m --format noop --oidc-client-id 0oabc --org-domain my-org.okta.com --exec -- aws s3 mb s3://no-access-example
error running process
aws s3 mb s3://yz-nomad-og
make_bucket failed: s3://no-access-example An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

Error: exit status 1

Collect all roles for all AWS Fed Apps (IdP) at once

okta-aws-cli web will collect all available AWS IAM Roles for all Okta AWS Federation apps (IdP) at once. This is a feature specific to writing the $HOME/.aws/credentials file. Roles will be AWS account alias name (if STS list aliases is available on the given role) then - then abbreviated role name.

# Two Okta "AWS Account Federation" apps, one on AWS alias "prod-org", the other
# on alias "dev-org". Includes short name for the actual IAM IdPs and IAM Roles
# on the Fed App.

$ okta-aws-cli web \
    --org-domain my-org.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --write-aws-credentials \
    --all-profiles

? Choose an IdP: AWS Account Federation
Updated profile "dev-org-s3ops-read" in credentials file "/Users/me/.aws/credentials".
Updated profile "dev-org-s3ops-write" in credentials file "/Users/me/.aws/credentials".
Updated profile "prod-org-containerops-ec2-full" in credentials file "/Users/me/.aws/credentials".
Updated profile "prod-org-containerops-eks-full" in credentials file "/Users/me/.aws/credentials".

Alternative open browser command

okta-aws-cli web can have it's open browser command customized.

OSX / MacBook

# OSX examples, the device authorization URL is appended to the browser args.

$ okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --profile-directory=\"Profile\ 1\""

$ okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "open -na \"Google\ Chrome\" --args --incognito"

Windows

REM Windows examples, the device authorization URL is appended to the browser
REM args using cmd.exe with the run command flag /C used to spawn the browser
REM that is installed on the host OS e.g. msedge, chrome, firefox . Additional
REM arguments can be passed on to the browser command that are valid for it.

> okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "cmd.exe /C start msedge"

> okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "cmd.exe /C start chrome"

> okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "cmd.exe /C start chrome --incognito"

> okta-aws-cli web \
  --oidc-client-id 0oabc \
  --org-domain my-org.okta.com \
  --open-browser-command "cmd.exe /C start chrome --profile-directory=\"Profile\ 1\""

Help

$ okta-aws-cli --help

Version

$ okta-aws-cli --version

Comparison

Nike gimme-aws-creds

There are a number of differences in terms of operation and functionality between Okta AWS CLI and Nike's gimme-aws-creds.

The Okta AWS CLI is native to the Okta Identity Engine. No matter what kinds of authentication flows (multi-factors, assigned users, etc.) have been applied to the Native OIDC application, the CLI works within those constraints naturally. The Okta CLI is OIE only and will not work with Classic orgs.

A simple URL is given to the operator to open in a browser and from there the CLI's authentication and authorization is initiated. The Okta AWS CLI doesn't prompt for passwords or any other user credentials itself, or offers to store user credentials on a desktop keychain.

The configuration of the Okta AWS CLI is minimal with only two required values: Okta org domain name, and OIDC app id.

The Okta CLI is CLI flag and environment variable oriented and its default output is as environment variables. It can also write to AWS credentials file. The default writing option is an append operation and can be explicitly set to overwrite previous values for a profile with the --write-aws-credentials flag.

Versent saml2aws

The comparison between Okta AWS CLI and Versent saml2aws are identical to the comparison between Okta AWS CLI and Nike gimme-aws-creds.

Development

Run source code locally

go run cmd/okta-aws-cli/main.go

Install tools that the Makefile uses like gofumpt and golint

make tools

Building

make build

Testing

make test

Run golang code quality control tools on the codebase (go vet, golint, etc.)

make qc

Contributing

We're happy to accept contributions and PRs! Please see the contribution guide to understand how to structure a contribution.

References