Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



59 Commits

Repository files navigation

Docker image for AWS Single Sign-On with Okta.

Dockerized (devopsinfra/docker-okta-aws-sso) Single Sign-On solution for Amazon Web Services via Okta.

Okta is one of the leaders of SSO solutions, but lacks native CLI tools.

The best, in my humble opinion, tool that fixes that problem is gimme-aws-creds made by Nike Inc.. More of their interesting work can be found on Nike-Inc.

Currently, supporting v2.3.4 of gimme-aws-creds.

For details information about gimme-aws-creds's configuration please refer to
Docker's entrypoint is the binary of gimme-aws-creds and can accept any parameters, even when running as an alias, or a function (check usage below).
It supports Multi Factor Authentication. Not only with authenticator app but even with Yubikey (without PIN).

This Docker image just packs the tool to quickly reuse it without the need of installing with Python.
It should have access only to following configuration files:

Badge swag

GitHub GitHub code size in bytes GitHub last commit Push to master Push to other
DockerHub Image size Docker Pulls


  • Operating system: MacOS, Linux or Windows Subsystem for Linux.
  • Software: Docker
  • AWS: IAM roles prepared for users to assume. IAM user for Okta properly configured.
  • Okta: Okta connected via SAML with AWS. Users having assigned AWS application and chosen proper roles.


For ease of reuse create alias or a function in your shell. For example in ~/.profile enter following:

function okta-aws() {
    docker run --rm \
        --user $(id -u):$(id -g) \
        --volume $(pwd)/.okta_aws_login_config:/.okta_aws_login_config \
        --volume $(pwd)/.aws/credentials:/.aws/credentials \
        -it devopsinfra/docker-okta-aws-sso:latest "$@";

Run the interactive installer by executing: okta-aws --action-configure.

For more information run okta-aws --help.

Simplest configuration file:

okta_username =
aws_rolename =
cred_profile = default
aws_default_duration = 3600
okta_org_url =
app_url =
preferred_mfa_type = token:software:totp
device_token =
gimme_creds_server = appurl
write_aws_creds = True
resolve_aws_alias = True
remember_device = True
output_format = json

Parameters, like password, can be also passed via environment variables for reuse. But keep in mind security concerns.


Depending on the configuration (above) new AWS credentials can be obtained by running:

  • for a default action: okta-aws
  • for a selected profile okta-aws --profile Administrator