Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary STS credentials from AWS.
This project is largely inspired by https://github.com/nimbusscale/okta_aws_login, but instead uses a purely API-driven approach, instead of parsing HTML during the authentication phase.
Parsing the HTML is still required to get the SAML assertion, after authentication is complete. However, since we only need to look for the SAML assertion in a single, predictable tag,
<input name="SAMLResponse"..., the results are a lot more stable across any changes that Okta may make to their interface.
This project is written for Python 3. Running it with Python 2 may work, but it is not supported. Since Python 2 is end-of-life (as of 2020-JAN-01), feature requests and PRs to add Python 2 support will likely not be accepted, outside of extreme circumstances.
pip3 install okta-awscli
pip3 install "okta-awscli[U2F]"
~/.okta-awsfile with the following parameters:
[default] base-url = <your_okta_org>.okta.com ## The remaining parameters are optional. ## You may be prompted for them, if they're not included here. username = <your_okta_username> password = <your_okta_password> # Only save your password if you know what you are doing! factor = <your_preferred_mfa_factor> # Current choices are: GOOGLE or OKTA role = <your_preferred_okta_role> # AWS role name (match one of the options prompted for by "Please select the AWS role" when this parameter is not specified profile = <aws_profile_to_store_credentials> # Sets your temporary credentials to a profile in `.aws/credentials`. Overridden by `--profile` command line flag app-link = <app_link_from_okta> # Found in Okta's configuration for your AWS account. duration = 3600 # duration in seconds to request a session token for, make sure your accounts (both AWS itself and the associated okta application) allow for large durations. default: 3600
okta-awscli --profile <aws_profile> <awscli action> <awscli arguments>
defaultwill be used.
~/.okta-awsfile. Removing the
rolefields will enable the prompts for these selections.
okta-awscli --profile my-aws-account iam list-users
If no awscli commands are provided, then okta-awscli will simply output STS credentials to your credentials file, or console, depending on how
--profile is set.
-pSets your temporary credentials to a profile in
.aws/credentials. If omitted and not configured in
~/.okta-aws, credentials will output to console.
-fIgnores result of STS credentials validation and gets new credentials from AWS. Used in conjunction with
-vMore verbose output.
-dVery verbose output. Useful for debugging.
-cCache the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified)
-oUse a Okta profile, other than
.okta-aws. Useful for multiple Okta tenants.
-tPass in the TOTP token from your authenticator
-rRefresh the AWS role to be assumed. Previously incorporated in
-lLookup and return the AWS Account Alias for each role, instead of returning the raw ARN.
iam:ListAccountAliaseson every account that you have access to via Okta. This is important for two reasons:
-VOutputs version number then exits.
This process is taken from gimme-aws-creds and adapted
docker build -t okta-awscli .
docker run -it --rm -v ~/.aws/credentials:/root/.aws/credentials -v ~/.okta-aws:/root/.okta-aws --profile default okta-awscli iam list-users
alias okta-awscli='docker run -it --rm -v ~/.aws:/root/.aws -v ~/.okta-aws:/root/.okta-aws okta-awscli'
and just type
you can add this to you .bashrc
source <PATH TO GIT REPO>/set-alias.bash