So it looks like this utility calls SAML to Okta via an API call, then parses the HTML for the assertion, then uses the aws_auth.get_sts_token Python library to exchange that for an AWS token that you then set via environment variables and continue to use the AWS CLI. Glancing at https://github.com/okta-awscli/okta-awscli/blob/main/oktaawscli/okta_awscli.py
This helps because everyone sticks to the ForgeRock IDP and does not start creating local AWS accounts for this. Local accounts easily get out of control and are hard to track and manage.
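The flow described in the comment above (scrape the SAMLResponse out of the IdP's HTML form, read the AWS role/provider ARN pairs from the assertion, exchange it with STS, and hand the temporary keys to the AWS CLI as environment variables), as an added stand-alone example. This is not code from the okta-awscli project or from the commenter: the sample HTML form and SAML assertion are constructed, the account id, role names and `ExampleIdP` provider are placeholders, and the STS exchange uses boto3's `assume_role_with_saml`, which needs network access and is therefore kept in its own function that the offline parts never call.

```python
import base64
import shlex
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion (not a real IdP response; account id, roles and provider are placeholders)
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()

# Constructed sample of the auto-submitting HTML form the IdP returns; the tool scrapes this for the assertion
SAMPLE_HTML = f"""<html><body>
<form method="post" action="https://signin.aws.amazon.com/saml">
<input type="hidden" name="SAMLResponse" value="{SAMPLE_B64}"/>
<input type="submit" value="Continue"/>
</form></body></html>"""


class _SamlFormParser(HTMLParser):
    """Collects the value of the hidden SAMLResponse input from the IdP's form."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("name") == "SAMLResponse":
            self.saml_response = dict(attrs).get("value")


def extract_saml_response(html_text: str) -> str:
    """Return the base64 SAMLResponse embedded in the IdP's HTML, or raise if absent."""
    parser = _SamlFormParser()
    parser.feed(html_text)
    if not parser.saml_response:
        raise ValueError("no SAMLResponse field in IdP response")
    return parser.saml_response


def parse_assertion(saml_b64: str):
    """Return ([(role_arn, principal_arn), ...], session_duration) from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    roles, duration = [], None
    for attr in root.iter(SAML_NS + "Attribute"):
        values = [v.text.strip() for v in attr.findall(SAML_NS + "AttributeValue") if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                first, second = (part.strip() for part in value.split(",", 1))
                # AWS accepts "role,provider" or "provider,role"; normalise on the ARN resource type
                role, principal = (first, second) if ":role/" in first else (second, first)
                roles.append((role, principal))
        elif attr.get("Name") == DURATION_ATTR and values:
            duration = int(values[0])
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles, duration


def exchange_for_credentials(saml_b64: str, role_arn: str, principal_arn: str,
                             duration: int = 3600, region: str = "us-east-1") -> dict:
    """Exchange the assertion for temporary keys via STS AssumeRoleWithSAML (network call).

    boto3 is imported here so the offline parsing functions run without it installed;
    the region default is an assumption, since boto3 needs one to build the client.
    """
    import boto3
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=saml_b64, DurationSeconds=duration)
    return resp["Credentials"]


def format_env_exports(creds: dict) -> str:
    """Render the shell lines the user evals so the AWS CLI picks up the session."""
    mapping = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    return "\n".join(f"export {k}={shlex.quote(str(v))}" for k, v in mapping.items())


if __name__ == "__main__":
    roles, duration = parse_assertion(extract_saml_response(SAMPLE_HTML))
    for i, (role, principal) in enumerate(roles):
        print(f"[{i}] {role}  (provider {principal})")
    print(f"session duration: {duration}s")
    # Constructed credentials stand in for what exchange_for_credentials() would return
    print(format_env_exports({"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                              "SessionToken": "token"}))
```

The assertion is parsed only to choose a role; the signature on it is verified by STS, not by the client, so a local parser like this must never be treated as proof of who the user is. The temporary keys expire after `SessionDuration`, which is the property that keeps this preferable to long-lived IAM user keys.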