rockcarver / frodo-cli

A CLI to manage ForgeRock platform deployments supporting Identity Cloud tenants, ForgeOps deployments, and classic deployments.
MIT License

Get temporary AWS CLI credentials using ForgeRock SSO. i.e. gimme-aws-creds or okta-aws-cli. #290

Open chicodeme opened 11 months ago

chicodeme commented 11 months ago

So it looks like this utility calls SAML to Okta via an API call. Then it parses the HTML for the assertion. Then it uses the aws_auth.get_sts_token python library to exchange that for an AWS token that you then set via environment variables and continue to use the AWS CLI with. Glancing at https://github.com/okta-awscli/okta-awscli/blob/main/oktaawscli/okta_awscli.py

    """ Outputs STS credentials to console """
    exports = "\n".join([
        "export AWS_ACCESS_KEY_ID=%s" % access_key_id,
        "export AWS_SECRET_ACCESS_KEY=%s" % secret_access_key,
        "export AWS_SESSION_TOKEN=%s" % session_token
    ])

This helps because everyone sticks to the ForgeRock IDP and does not start creating local AWS accounts for this. Local accounts easily get out of control and become hard to track and manage.
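The flow the comment above sketches (IdP returns an auto-POST page, the client lifts the SAMLResponse out of it, picks a role from the assertion, calls STS AssumeRoleWithSAML, prints exports) as an added, stand-alone Python example. This is not frodo-cli or okta-awscli code. It assumes the IdP login step is done elsewhere and hands back the HTML (`SAMPLE_HTML` below is a constructed stand-in with a constructed, unsigned assertion); the `assume_role_with_saml` call and its `RoleArn`/`PrincipalArn`/`SAMLAssertion`/`DurationSeconds` parameters are boto3's real STS API, but `FakeSts` is a stub so the example runs offline. Two practitioner details the snippet in the comment skips: the Role attribute value can list the role and provider ARNs in either order, and the export values are shell-quoted so a token can never be interpreted by the shell.

```python
import base64
import shlex
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from html.parser import HTMLParser

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


class _SamlResponseFinder(HTMLParser):
    """Pull the SAMLResponse hidden-input value out of the IdP's auto-POST page."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "SAMLResponse":
            self.saml_response = a.get("value")


def extract_saml_response(html):
    finder = _SamlResponseFinder()
    finder.feed(html)
    if not finder.saml_response:
        raise ValueError("no SAMLResponse form field in IdP response")
    return finder.saml_response


def roles_from_assertion(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from the AWS Role attribute.

    The value is 'arn1,arn2'; IdPs differ on which ARN comes first, so
    classify by resource type instead of trusting the position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                raise ValueError("malformed Role attribute: %r" % val.text)
            roles.append((role[0], provider[0]))
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles


def assume_role(sts_client, role_arn, principal_arn, saml_response_b64, duration=3600):
    """Trade the assertion for temporary credentials.

    STS checks the IdP's signature on the assertion and that role_arn trusts
    principal_arn; the client never needs the IdP's signing key.
    """
    resp = sts_client.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration,  # must be within the role's max session duration
    )
    return resp["Credentials"]


def export_lines(creds):
    """Shell-quote each value so a token can never break out of the export."""
    return "\n".join(
        "export %s=%s" % (name, shlex.quote(creds[key]))
        for name, key in (
            ("AWS_ACCESS_KEY_ID", "AccessKeyId"),
            ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
            ("AWS_SESSION_TOKEN", "SessionToken"),
        )
    )


def credentials_exports(idp_html, sts_client, role_index=0):
    """End-to-end: IdP HTML -> assertion -> role choice -> STS -> export text."""
    saml = extract_saml_response(idp_html)
    role_arn, principal_arn = roles_from_assertion(saml)[role_index]
    return export_lines(assume_role(sts_client, role_arn, principal_arn, saml))


# Constructed sample data: an unsigned assertion and the kind of page an IdP
# returns for the browser to auto-POST to https://signin.aws.amazon.com/saml.
_SAMPLE_ASSERTION = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ForgeRock,arn:aws:iam::123456789012:role/Developers</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_HTML = (
    '<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
    '<input type="hidden" name="SAMLResponse" value="%s"/></form></body></html>'
    % base64.b64encode(_SAMPLE_ASSERTION).decode()
)


class FakeSts:
    """Stand-in for boto3.client('sts') so the example runs offline (constructed values)."""

    def assume_role_with_saml(self, **kw):
        if not kw["SAMLAssertion"] or not kw["RoleArn"].startswith("arn:aws:iam::"):
            raise ValueError("bad AssumeRoleWithSAML request")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "tok$en"}}


if __name__ == "__main__":
    print(credentials_exports(SAMPLE_HTML, FakeSts()))  # real use: boto3.client("sts")
```

In real use the exports are consumed with `eval "$(tool)"` rather than copied by hand, which keeps the secret key out of the terminal scrollback; writing a named profile to `~/.aws/credentials` with an expiry is the other common option and avoids the secret ever passing through the shell.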