Releases: okta/okta-aws-cli

v2.3.1

03 Sep 22:45
d2a6722

2.3.1 (September 03, 2024)

BUG FIXES

  • Fix buggy retry error loop that causes operator confusion. #237, thanks @monde!
  • Clean up the non-admin user experience. #235, thanks @monde!
  • Don't warn if okta.yaml doesn't exist. #232, thanks @monde!
  • Correct Classic Org error and expected exit. #231, thanks @monde!

v2.3.0

12 Jul 16:54
2fb64ee

2.3.0 (July 12, 2024)

ENHANCEMENTS

  • New command okta-aws-cli list-profiles helper to inspect profiles in okta.yaml #222, thanks @pmgalea!
  • GH releases publish Windows artifact to Chocolatey #215, thanks @monde!
  • Better retry for when the cached access token has been invalidated outside of okta-aws-cli's control. #220, thanks @monde!
  • Print a warning at first run if okta.yaml is malformed. #220, thanks @monde!

BUG FIXES

  • Correct "default" profile flaw introduced in 2.2.0 release #220, thanks @monde!
  • Continue polling instead of exit on a 400 "slow_down" API error #220, thanks @monde!

v2.2.0

03 Jul 19:11
2063ec9

2.2.0 (July 3, 2024)

ENHANCEMENTS

  • Seamless support for non-Admin users if OIDC app has okta.users.read.self grant. Issue #66, PR #213, thanks @monde!
  • Improve README with note about device state in policy #205, thanks @ramgandhi-okta!
  • Correct m2m typo in README #201, thanks @stefan-lsx!

BUG FIXES

  • Paginating more than 200 apps on GET /api/v1/apps not implemented #212, thanks @pmgalea!
  • Respect OKTA_AWSCLI_AWS_REGION env var value when saving to the profile #203, thanks @sudolibre!
  • Default profile value not correctly set to default #200, thanks @mantoine96!

v2.1.2

27 Feb 18:55
f0d6b31

2.1.2 (February 27, 2024)

BUG FIXES

  • Additional fix for bug dealing with multiple profiles in okta.yaml #196, thanks @MatthewJohn!

v2.1.1

23 Feb 21:14
3981a31

2.1.1 (February 23, 2024)

BUG FIXES

  • Fix bug dealing with multiple profiles in okta.yaml #187, thanks @MatthewJohn!

v2.1.0

15 Feb 16:37
fd36644

2.1.0 (February 15, 2024)

BUG FIXES

  • Fix bug where all flags were not being set on the config object. #177, thanks @monde!
  • Process credentials format was not emitting JSON correctly when --write-aws-credentials flag is present #173, thanks @monde!
  • Open browser and open browser command behavior was fouled in v2 release #172, thanks @monde!

v2.0.1

31 Jan 17:24
e2896b2

Note: We are not publishing a Windows amd64 binary because many AVs falsely flag binaries built with the Go language as containing viruses.

2.0.1 (January 31, 2024)

ENHANCEMENTS

  • Packaged binaries no longer have the version postfixed to the file name #154

BUG FIXES

  • Binaries produced by Go for Windows amd64 runtimes are triggering AVs, so we will not publish a binary for that OS/Arch #166
  • CLI version incorrectly rev'd on previous release #164

v2.0.0

25 Jan 18:52
27b5cb0

Changelog

2.0.0 (January 25, 2024)

V2 GA Release 🎉🎉

New commands

okta-aws-cli's functions are encapsulated as (sub)commands, e.g. $ okta-aws-cli [sub-command]

Command   Description
web       Human oriented retrieval of temporary IAM credentials through Okta authentication and device authorization. Note: if okta-aws-cli is not given a command it defaults to this original web command.
m2m       Machine/headless oriented retrieval of temporary IAM credentials through Okta authentication with a private key.
debug     Debug okta.yaml config file and exit.

Environment variable name changes

A small number of environment variable names have been renamed to be consistent
in the naming convention for okta-aws-cli specific names.

old name                             new name
OKTA_ORG_DOMAIN                      OKTA_AWSCLI_ORG_DOMAIN
OKTA_OIDC_CLIENT_ID                  OKTA_AWSCLI_OIDC_CLIENT_ID
OKTA_AWS_ACCOUNT_FEDERATION_APP_ID   OKTA_AWSCLI_AWS_ACCOUNT_FEDERATION_APP_ID

Process credential provider output as JSON

Emits IAM temporary credentials as JSON in process credentials format.

# In $HOME/.aws/config
[default]
  # presumes OKTA_AWSCLI_* env vars are set
  credential_process = okta-aws-cli m2m --format process-credentials
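An added consumer-side check (example code, not from the release notes or the project) of the document a credential_process must print, following the AWS credential_process JSON contract: Version 1, AccessKeyId, SecretAccessKey, optional SessionToken and an ISO 8601 Expiration. The 12-hour ceiling and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// processCredentials is the JSON document a credential_process must emit.
type processCredentials struct {
	Version         int    `json:"Version"`
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration"`
}

// validateProcessCredentials rejects what AWS tooling would accept but a local policy should not:
// wrong Version, missing keys, no Expiration (the SDK then treats the keys as long-lived), or an expiry outside (now, now+maxSession].
func validateProcessCredentials(raw []byte, now time.Time, maxSession time.Duration) (time.Time, error) {
	var c processCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return time.Time{}, fmt.Errorf("not JSON: %w", err)
	}
	if c.Version != 1 {
		return time.Time{}, fmt.Errorf("unsupported Version %d", c.Version)
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return time.Time{}, fmt.Errorf("AccessKeyId and SecretAccessKey are required")
	}
	if c.Expiration == "" {
		return time.Time{}, fmt.Errorf("Expiration missing: refusing long-lived credentials")
	}
	exp, err := time.Parse(time.RFC3339, c.Expiration)
	if err != nil {
		return time.Time{}, fmt.Errorf("bad Expiration: %w", err)
	}
	if left := exp.Sub(now); left <= 0 || left > maxSession {
		return time.Time{}, fmt.Errorf("expiry %s from now is not within (0, %s]", left, maxSession)
	}
	return exp, nil
}

// Constructed sample output; the key values are placeholders, not real credentials.
const sampleOutput = `{"Version":1,"AccessKeyId":"ASIAPLACEHOLDER","SecretAccessKey":"placeholder","SessionToken":"placeholder","Expiration":"2024-01-25T19:52:00Z"}`

func main() {
	now := time.Date(2024, 1, 25, 18, 52, 0, 0, time.UTC)
	fmt.Println(validateProcessCredentials([]byte(sampleOutput), now, 12*time.Hour))
}
```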

Execute follow-on command

Instead of scripting and/or eval'ing okta-aws-cli into a shell and then
running another command, have okta-aws-cli run the command directly, passing
the IAM credentials along as environment variables.

# CLI exec's anything after the double dash "--" arguments terminator as another command.
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --exec -- aws ec2 describe-instances

Collect all roles for all AWS Fed Apps (IdP) at once

okta-aws-cli web will collect all available AWS IAM Roles for all Okta AWS
Federation apps (IdP) at once. This is a feature specific to writing the
$HOME/.aws/credentials file. Profile names are the AWS account alias (if STS list
aliases is available for the given role), then "-", then the abbreviated role name.

# AWS account alias "myorg", given IdP associated with "AWS Account Federation"
# and an app associated with two roles.

$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --write-aws-credentials \
    --all-profiles

Web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://test.okta.com/activate?user_code=QHDMVQTZ

Updated profile "devorg-idp1-role1" in credentials file "/Users/me/.aws/credentials".
Updated profile "devorg-idp1-role2" in credentials file "/Users/me/.aws/credentials".
Updated profile "devorg-idp2-role1" in credentials file "/Users/me/.aws/credentials".
Updated profile "prodorg-idp1-role1" in credentials file "/Users/me/.aws/credentials".

Alternate web browser open command

The web command will open the system's default web browser when the
--open-browser flag is present. It is convenient to have the browser open on a
separate profile. If the command to open the browser is known for the host
system an alternate open command can be specified.

# Use macOS open to open browser in Chrome incognito mode
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --open-browser-command "open -na \"Google\ Chrome\" --args --incognito"
# Open browser in Chrome "Profile 1" on macOS calling the Chrome executable directly
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --open-browser-command "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --profile-directory=\"Profile\ 1\""

Windows examples

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start msedge"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome --incognito"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome --profile-directory=\"Profile\ 1\""

Friendly label matching with regular expressions

Friendly labels for IdPs and Roles in the $HOME/.okta/okta.yaml file can be
matched with regular expressions.

Example: your organization uses the same role naming convention across many
different AWS accounts:

---
awscli:
  idps:
    "arn:aws:iam::123456789012:saml-provider/company-okta-idp": "Data Production"
    "arn:aws:iam::012345678901:saml-provider/company-okta-idp": "Data Development"
    "arn:aws:iam::901234567890:saml-provider/company-okta-idp": "Marketing Production"
    "arn:aws:iam::890123456789:saml-provider/company-okta-idp": "Marketing Development"
  roles:
    "arn:aws:iam::.*:role/admin": "Admin"
    "arn:aws:iam::.*:role/operator": "Ops"

? Choose an IdP:
> Data Production
  Data Development
  Marketing Production
  Marketing Development

? Choose a Role:  [Use arrows to move, type to filter]
> Admin
  Ops
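As an added illustration (not the project's code) of how the regex keys above resolve ARNs to labels. Anchoring each pattern to the whole ARN is an assumption about how a picker should match, added so that a loose pattern cannot present a different role under a trusted label.

```go
package main

import (
	"fmt"
	"regexp"
)

// labelRule pairs an okta.yaml key pattern with its label; a slice keeps evaluation order stable, unlike a map.
type labelRule struct {
	pattern *regexp.Regexp
	label   string
}

// compileRules anchors every pattern so it must match the whole ARN; unanchored,
// "arn:aws:iam::.*:role/admin" would also label ".../role/administrator" as "Admin".
func compileRules(rules [][2]string) ([]labelRule, error) {
	var out []labelRule
	for _, r := range rules {
		re, err := regexp.Compile("^(?:" + r[0] + ")$")
		if err != nil {
			return nil, fmt.Errorf("bad pattern %q: %w", r[0], err)
		}
		out = append(out, labelRule{pattern: re, label: r[1]})
	}
	return out, nil
}

// friendlyLabel returns the first matching label, or the raw ARN so an unlabelled role stays visible.
func friendlyLabel(rules []labelRule, arn string) string {
	for _, r := range rules {
		if r.pattern.MatchString(arn) {
			return r.label
		}
	}
	return arn
}

var sampleRoleRules = [][2]string{ // constructed; mirrors the roles section of the okta.yaml above
	{`arn:aws:iam::.*:role/admin`, "Admin"},
	{`arn:aws:iam::.*:role/operator`, "Ops"},
}

func main() {
	rules, err := compileRules(sampleRoleRules)
	if err != nil {
		panic(err)
	}
	fmt.Println(friendlyLabel(rules, "arn:aws:iam::123456789012:role/admin"))         // Admin
	fmt.Println(friendlyLabel(rules, "arn:aws:iam::123456789012:role/administrator")) // unchanged ARN, not "Admin"
}
```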

v1.2.2

31 Aug 16:40
46fedfd

1.2.2 (August 31, 2023)

  • Ensure evaluation of CLI flag for profile is in the same order as the other flags #124
  • Retry with the cached access token if it isn't expired but an API error is received #127

v1.2.1

15 Aug 18:14
7e7bb0c

1.2.1 (August 15, 2023)

  • Friendly IdP and Role labels don't also print out ARN value (less text clutter in the UI)