AWS CLI Okta credentials
Archived (pre-2022)
Preserved for reference only -- likely outdated. Last updated: September 2020
Prerequisites
- Access to one or more AWS apps (accounts) in Okta (requested from Office IT).
- An installed AWS CLI (see the installation instructions).
Gimme AWS Creds installation
The following tool is used to generate credentials: gimme-aws-creds (GitHub).
To install gimme-aws-creds:
For other installation options, refer to the GitHub project.
Gimme AWS Creds configuration
Before the gimme-aws-creds script can be used, it needs to be configured by generating or editing its config file.
The config file .okta_aws_login_config must be located in your home directory (~/.okta_aws_login_config).
The following is an example config file that allows several AWS accounts to be used side by side:
[DEFAULT]
okta_org_url = https://fyber.okta-emea.com
okta_auth_server =
client_id =
gimme_creds_server = appurl
aws_appname =
aws_rolename =
write_aws_creds = True
cred_profile = saml
okta_username = <First Name . Surname>@fyber.com
app_url =
resolve_aws_alias = False
include_path = False
preferred_mfa_type = token:software:totp
remember_device = False
aws_default_duration = 3600
device_token =
output_format = json
[production]
app_url = https://fyber.okta-emea.com/home/amazon_aws/0oa3u2rsb4RIl3qDA0i7/272
aws_rolename = arn:aws:iam::767648288756:role/ADFS-Admin
cred_profile = production
[staging]
app_url = https://fyber.okta-emea.com/home/amazon_aws/0oa45dlcsnIruYO8s0i7/272
aws_rolename = arn:aws:iam::399797994004:role/ADFS-Admin
cred_profile = staging
[itops]
app_url = https://fyber.okta-emea.com/home/amazon_aws/0oa45drhl3VtefTzl0i7/272
# alternatively: arn:aws:iam::399422659513:role/ADFS-PROD-DEV (keep comments on their own line; gimme-aws-creds reads this file with configparser, which treats a trailing "# ..." as part of the value)
aws_rolename = arn:aws:iam::399422659513:role/ADFS-PROD-ADMIN
cred_profile = itops
As can be seen, gimme-aws-creds supports profiles in the config file, with inheritance from the DEFAULT section:
app_url - Okta AWS app URL; can be obtained from OIT.
aws_rolename - AWS IAM role assigned to you in Okta (done by OIT).
cred_profile - AWS CLI profile to save the temporary credentials to (the profile name in ~/.aws/credentials).
Thus, by choosing the appropriate profile, one overrides the DEFAULT settings with the profile-specific ones.
For example:
$ gimme-aws-creds --profile staging
Using password from keyring for sergii.slobodianiuk@fyber.com
Multi-factor Authentication required.
token:software:totp( GOOGLE ) : sergii.slobodianiuk@fyber.com selected
Enter verification code: ******
Saving arn:aws:iam::399797994004:role/ADFS-Admin as staging
Written profile staging to /Users/sslobodianiuk/.aws/credentials
If the aws_rolename parameter is left blank in the config file, gimme-aws-creds will ask you to choose a role (convenient if you don't know the role ARN).
For example:
$ gimme-aws-creds --profile staging
Using password from keyring for sergii.slobodianiuk@fyber.com
Multi-factor Authentication required.
token:software:totp( GOOGLE ) : sergii.slobodianiuk@fyber.com selected
Enter verification code: ******
Pick a roles:
[0] arn:aws:iam::399797994004:role/ADFS-Developer
[1] arn:aws:iam::399797994004:role/ADFS-Admin
Selections (comma separated): 1
Saving arn:aws:iam::399797994004:role/ADFS-Admin as staging
Written profile staging to /Users/sslobodianiuk/.aws/credentials
To verify the freshly generated credentials, use the AWS CLI.
For example:
$ aws sts get-caller-identity --profile staging
{
"UserId": "AROAICHDSU44EBHXFZGFK:sergii.slobodianiuk@fyber.com",
"Account": "399797994004",
"Arn": "arn:aws:sts::399797994004:assumed-role/ADFS-Admin/sergii.slobodianiuk@fyber.com"
}
Note
Do not confuse gimme-aws-creds profiles in ~/.okta_aws_login_config with AWS CLI profiles in ~/.aws/credentials.
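The two things above that bite in practice are DEFAULT inheritance (a profile that forgets to set its own cred_profile silently inherits the DEFAULT one and overwrites another account's credentials) and the mismatch between a gimme-aws-creds profile and the account it actually lands in. The following is an added example, not code from the page or from the gimme-aws-creds project: it reads a config in the same layout with configparser (which is what gimme-aws-creds uses, so inheritance and the inline-comment behaviour match), flags those two problems per profile, and compares `aws sts get-caller-identity` output against the profile's role ARN. The config text, org URL, app id and STS output are constructed placeholders, not real values.

```python
"""Sanity checks for a gimme-aws-creds style config (~/.okta_aws_login_config).

Added example; the config, URLs, account ids and STS output below are constructed.
"""
import configparser
import json
import re

# Constructed sample config mirroring the page's layout (placeholder ids, not real).
SAMPLE_CONFIG = """\
[DEFAULT]
okta_org_url = https://example.okta-emea.com
write_aws_creds = True
cred_profile = saml
preferred_mfa_type = token:software:totp
aws_default_duration = 3600
output_format = json

[staging]
app_url = https://example.okta-emea.com/home/amazon_aws/APPID_PLACEHOLDER/272
aws_rolename = arn:aws:iam::111111111111:role/ADFS-Admin
cred_profile = staging

[itops]
app_url = https://example.okta-emea.com/home/amazon_aws/APPID_PLACEHOLDER/272
# trailing comment on the value line, and no cred_profile override: both are mistakes
aws_rolename = arn:aws:iam::222222222222:role/ADFS-PROD-ADMIN # or ADFS-PROD-DEV
"""

# Constructed `aws sts get-caller-identity` output for the staging profile.
SAMPLE_STS = json.dumps({
    "UserId": "AROAEXAMPLEID:jane.doe@example.com",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/ADFS-Admin/jane.doe@example.com",
})

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
STS_ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/")


def load_config(text):
    # configparser's default inline_comment_prefixes is None, so "value # comment"
    # keeps the comment as part of the value; full-line "#" comments are dropped.
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def effective_profile(cfg, profile):
    """Return the profile's settings with DEFAULT values filled in (as gimme-aws-creds sees them)."""
    if profile not in cfg:
        raise KeyError(f"no [{profile}] section in config")
    return dict(cfg[profile])


def check_profile(cfg, profile):
    """Return a list of problems to fix before running gimme-aws-creds --profile <profile>."""
    settings = effective_profile(cfg, profile)
    problems = []
    role = settings.get("aws_rolename", "")
    if role and not ROLE_ARN_RE.match(role):
        problems.append(f"aws_rolename is not a clean role ARN: {role!r}")
    if settings.get("cred_profile") == cfg.defaults().get("cred_profile"):
        problems.append("cred_profile is inherited from DEFAULT; profiles would overwrite each other's credentials")
    return problems


def caller_matches_profile(cfg, profile, caller_identity_json):
    """True if STS identity output shows the account and role named in the profile's aws_rolename."""
    settings = effective_profile(cfg, profile)
    role_match = ROLE_ARN_RE.match(settings.get("aws_rolename", ""))
    if not role_match:
        return False
    expected_account = role_match.group(1)
    expected_role = settings["aws_rolename"].rsplit("/", 1)[-1]
    identity = json.loads(caller_identity_json)
    sts_match = STS_ARN_RE.match(identity.get("Arn", ""))
    if not sts_match:
        return False
    return (identity.get("Account") == expected_account == sts_match.group(1)
            and sts_match.group(2) == expected_role)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for name in cfg.sections():
        print(name, check_profile(cfg, name) or "ok")
    print("staging identity matches:", caller_matches_profile(cfg, "staging", SAMPLE_STS))
```

To use it against a real setup, replace SAMPLE_CONFIG with the contents of ~/.okta_aws_login_config and feed the real output of `aws sts get-caller-identity --profile <cred_profile>` to caller_matches_profile; a False result means the credentials in ~/.aws/credentials do not belong to the account the gimme-aws-creds profile was meant to target.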