Overview

This repository has configuration files to set up an open-source tool named Okta AWS CLI Assume Role Tool (https://github.com/oktadeveloper/okta-aws-cli-assume-role) for SSO of AWS CLI with Kubernetes' kubectl and eksctl. Using these configuration files, you can create a Docker image named okta-eks-image with Okta AWS CLI Assume Role Tool (https://github.com/oktadeveloper/okta-aws-cli-assume-role), kubectl, and eksctl installed and configured.

You can follow these directions on AWS Cloud9 IDE or MacOS. Read the accompanying blog here http:///blog.url

Clone this repository

Let's get started by cloning this repository.

mkdir ~/environment
cd ~/environment 
git clone https://github.com/hnaqvi01/Okta-EKS.git

Build the docker image

docker build -t okt-eks-image .

Edit Okta properties file

Edit the okta_eks_role.properties file, you can use VIM editor or your favorite editor

cd ~/environment/Okta-EKS
vi okta_eks_role.properties

okta_eks_role.properties has several place holders, replace with valid values

OKTA_ORG=dev-111111.okta.com
OKTA_AWS_APP_URL=https://dev-111111.okta.com/home/amazon_aws/1111aaa111/111
OKTA_USERNAME=user.email@company.com
OKTA_AWS_ROLE_TO_ASSUME=arn:aws:iam::11111:role/OktaEKSRole
OKTA_AWS_REGION=us-west-2
OKTA_PROFILE=default

Run the docker image and connect to it

docker run -v ~/environment/Okta-EKS/okta_eks_role.properties:/root/.okta/config.properties  -v /var/run/docker.sock:/var/run/docker.sock -v ~/environment/Okta-EKS/aftifacts/:/root/artifacts/ -it okta-eks-image /bin/bash

Verify okta-aws-cli-assume-role setup

The docker image okta-eks-image has the okta-aws-cli-assume-role installed configured. This open source tool (https://github.com/oktadeveloper/okta-aws-cli-assume-role%20okta-aws-cli-assume-role) creates a shell function named okta-aws. This function supports bash and fish and it can run AWS CLI commands with Okta SSO. Let's verify its setup by getting the current AWS identity.

okta-aws default sts get-caller-identity

It will prompt you for your Okta password, username will be pre-filled with the value you provided in the okta_eks_role.properties file. Enter your Okta password and the response will be similar to this

{
    "Account": "xxxxx", 
    "UserId": "sssssd:xxxxx@xxxx.com", 
    "Arn": "arn:aws:sts::xxxxxxx:assumed-role/OktaEKSRole/xxxxx@xxxx.com"
}

You are all set to use Okta SSO with kubectl, read this blog for more details http:///blog.url.