New to Amazon Web Services with Okta? Start with Configuring AWS in Okta.
This tool has been verified to work on macOS Sierra, High Sierra, Windows Server 2012 R2, Windows 10, and Ubuntu 16.04 LTS, and is expected to work on other Linux systems as well.
- Installation
- Usage
- Compiling the application
- Configuring AWS in Okta
- Configuring the application
- History
- Troubleshooting
- Getting help
- License
- Copy the following PowerShell bootstrap script into your clipboard:
  ```powershell
  Invoke-RestMethod https://raw.githubusercontent.com/oktadeveloper/okta-aws-cli-assume-role/master/bin/Install-OktaAwsCli.ps1 | clip.exe
  ```
- Open a PowerShell console as a regular user (NOT as admin; running it as admin will break the install)
- Right-click once to paste the bootstrap script into the session
- Right-click a second time to paste and run the install script
- Customize %userprofile%\.okta\config.properties to reflect your Okta and Amazon Web Services setup
- Run the following in a Terminal:
  ```bash
  curl 'https://raw.githubusercontent.com/oktadeveloper/okta-aws-cli-assume-role/master/bin/install.sh' | bash
  ```
- Customize ~/.okta/config.properties to reflect your Okta and Amazon Web Services setup
- Create a `.okta` directory in your home directory, for example `~/.okta`.
- Download the latest release JAR from https://github.com/oktadeveloper/okta-aws-cli-assume-role/releases and put it in `.okta`.
- Copy `config.properties` to `.okta/config.properties` and set `OKTA_ORG` and `OKTA_AWS_APP_URL` appropriately. For example:
  ```properties
  OKTA_ORG=acmecorp.oktapreview.com
  OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
  ```
- Copy the scripts from `.okta/bin` to somewhere on your PATH.
Verify your setup with a simple command:
```bash
aws test sts get-caller-identity
```
This will prompt for your Okta credentials, log you into AWS, let you pick a role, and store a session profile called `test` for you.
Run the same command again to see session resumption (you won't be asked for Okta credentials again until the session expires):
```bash
aws test sts get-caller-identity
```
The application was built and compiled with JetBrains' IntelliJ IDEA. Note that you don't have to compile the application in order to execute it, since the compiled executable (a JAR file) is available on GitHub.
You will need Java SE 8x or the Java JDK 8x installed, and Maven 2 or later to run the build.
To get a single JAR with all dependencies, clone the repository locally and build with Maven:
```bash
git clone https://github.com/oktadeveloper/okta-aws-cli-assume-role.git
mvn package
cp target/okta-aws-cli-*.jar out/oktaawscli.jar
```
- Open the IntelliJ IDEA IDE and browse to the `okta-aws-cli-assume-role` folder you have cloned from GitHub inside the Projects folder.
- Go to File => Project Structure and, in the Libraries menu, fix the Java references that don't match your local setup.
- Go to Build => Make Project in order to compile the project.
- The project also builds the JAR artifact, so if you browse to the `out` sub-folder you will see the `oktaawscli.jar` JAR artifact.
- Make sure the `awscli.command` file is in the `out` sub-folder.
Integrating the Amazon Web Services Command Line Interface Using Okta.
Here is the list of parameters that can be set as environment variables or as settings in the ~/.okta/config.properties file:
- `OKTA_ORG` is the URL of your Okta org (starting with https://).
- `OKTA_AWS_APP_URL` is the URL of your Okta AWS application (see below for how to obtain it).
- `OKTA_USERNAME` is the username to use. If present, username input is skipped.
- `OKTA_PASSWORD` is the password to use. If present, password input is skipped.
- `OKTA_BROWSER_AUTH` set to true to use the integrated web browser for authentication (default: false).
- `OKTA_PROFILE` is the name of the AWS profile to create/reuse. May also be specified on the command line with `--profile`. (default: the AWS profile name is derived from the per-session STS user name)
- `OKTA_AWS_REGION` is the default AWS region to store with the created profile.
- `OKTA_AWS_ROLE_TO_ASSUME` is the role to use. If present, the tool tries to match it against the role list retrieved for your Okta account and uses it; you will still be prompted if no match is found.
- `OKTA_STS_DURATION` is the duration the role will be assumed for, in seconds. The maximum session duration allowed by AWS is 12 hours, and this needs to be set on the role as well. Defaults to 1 hour.
- `OKTA_PROFILE_PREFIX` is the text to prepend to the section name in ~/.aws/config for a named profile. Defaults to "profile " (necessary for use with the AWS CLI).
- `OKTA_CREDENTIALS_SUFFIX` is the text to append to the section name in ~/.aws/credentials for a named profile. Defaults to "_source" (necessary for use with AWS Tools for Windows PowerShell).
Obtaining the AWS app url
- Navigate to the Admin Dashboard of your Okta organization
- Select the Applications tab and click on your AWS Application
- Under the General menu, scroll down to find the App Embed Link section
- Your link is located under EMBED LINK
- Replace the example values in config.properties with your values
Note: environment variables take precedence over the config file.
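The precedence rule and the defaults above, worked through as an added example (this is not code from the okta-aws-cli-assume-role project; the sample config.properties text is constructed from the README's example values, and the parser and validation are assumptions about how a reader might model the documented behaviour, not the tool's own implementation):

```python
"""Added example, not part of the okta-aws-cli-assume-role project: resolve the
settings listed above with the documented precedence (environment variables win
over ~/.okta/config.properties), apply the documented defaults, and derive the
section names written to ~/.aws/config and ~/.aws/credentials."""

DEFAULTS = {
    "OKTA_BROWSER_AUTH": "false",
    "OKTA_STS_DURATION": "3600",           # documented default: 1 hour
    "OKTA_PROFILE_PREFIX": "profile ",     # section prefix in ~/.aws/config
    "OKTA_CREDENTIALS_SUFFIX": "_source",  # section suffix in ~/.aws/credentials
}
REQUIRED = ("OKTA_ORG", "OKTA_AWS_APP_URL")
MAX_STS_DURATION = 12 * 3600  # the AWS maximum session duration named above

# Constructed sample config, mirroring the example values in this README.
SAMPLE_PROPERTIES = """# constructed sample ~/.okta/config.properties
OKTA_ORG=acmecorp.oktapreview.com
OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
OKTA_STS_DURATION=7200
"""

def parse_properties(text):
    """Minimal .properties reader: KEY=VALUE lines, '#' comment lines skipped.
    Leading whitespace of a value is dropped, trailing is kept ("profile ")."""
    props = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or "=" not in raw:
            continue
        key, _, value = raw.partition("=")
        props[key.strip()] = value.lstrip()
    return props

def resolve_settings(properties_text, environ):
    """Defaults, overridden by the config file, overridden by OKTA_* env vars."""
    settings = dict(DEFAULTS)
    settings.update(parse_properties(properties_text))
    settings.update({k: v for k, v in environ.items() if k.startswith("OKTA_")})
    missing = [k for k in REQUIRED if not settings.get(k)]
    if missing:
        raise ValueError("missing required settings: " + ", ".join(missing))
    duration = int(settings["OKTA_STS_DURATION"])
    if not 0 < duration <= MAX_STS_DURATION:
        raise ValueError("OKTA_STS_DURATION must be between 1 and 43200 seconds")
    settings["OKTA_STS_DURATION"] = duration
    return settings

def aws_section_names(settings, profile):
    """Section headers for a named profile, e.g. ('profile test', 'test_source')."""
    return (settings["OKTA_PROFILE_PREFIX"] + profile,
            profile + settings["OKTA_CREDENTIALS_SUFFIX"])
```

Passing `os.environ` as the second argument reproduces the documented behaviour: an `OKTA_STS_DURATION` exported in the shell wins over the value in the file.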
This means that MFA is enforced, but you have no factors enrolled on your user.
You should enrol a CLI-supported factor (all except Duo, as far as I know).
If you are using Duo Push, consider setting OKTA_BROWSER_AUTH=true in the configuration.
This means that MFA is enforced, but none of the factors you have enrolled are supported.
Okta's integration with Duo requires an iframe which isn't practical to interact with from a CLI context.
If you see an error like this:
```
User arn:aws:iam::123456789012:assumed-role/RoleName/[email protected] is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::123456789012:role/RoleName
```
then you will need to attach an inline policy like this to the role to allow the role to assume itself:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/RoleName"
      ]
    }
  ]
}
```
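A check for the policy fix above, added here as an example (not the project's code): it pulls the target role ARN out of the error message and confirms the inline policy grants sts:AssumeRole on exactly that role, flagging wildcard resources that would let the role assume far more than itself. The error and policy strings are constructed copies of the ones shown above; the session name in the error is made up.

```python
"""Added example, not part of the project: confirm that an inline policy like the
one above grants sts:AssumeRole on the role named in the error message, and flag
wildcard resources that would let the role assume far more than itself."""
import fnmatch
import json

# Constructed copies of the error and policy shown above (session name is made up).
SAMPLE_ERROR = ("User arn:aws:iam::123456789012:assumed-role/RoleName/user@example.com "
                "is not authorized to perform: sts:AssumeRole on resource: "
                "arn:aws:iam::123456789012:role/RoleName")
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                 "Resource": ["arn:aws:iam::123456789012:role/RoleName"]}]
}"""

def role_arn_from_error(message):
    """Extract the target role ARN from an 'is not authorized ... on resource:' error."""
    marker = "on resource: "
    if marker not in message:
        return None
    return message.split(marker, 1)[1].split()[0]

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single string or a list
    return value if isinstance(value, list) else [value]

def assume_role_grants(policy_text, role_arn):
    """Return (allowed, wildcards): allowed is True when an Allow statement matches
    sts:AssumeRole on role_arn and no Deny statement does (explicit Deny wins);
    wildcards lists '*'-bearing Resource entries of the matching Allow statements."""
    allowed, wildcards = False, []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        # IAM's '*' and '?' wildcards map onto fnmatch patterns for these strings
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False, []
        allowed = True
        wildcards.extend(r for r in resources if "*" in r)
    return allowed, wildcards
```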
Have a question or see a bug? Post a question on the Okta Dev Forums or email [email protected]. For feature requests, feel free to open an issue on this repo.
If you find a security vulnerability, please follow our Vulnerability Reporting Process.
Copyright 2017 Okta, Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.