Updating to use the AWS 2.0 SDK

[DavidTanner]

Problem Statement

The AWS SDK was significantly out of date. Also, the withokta script made it difficult to use when not actually sending an aws --profile command.

Solution

Updated to the Java 2 SDK and removed the obfuscation around profile.

[mraible]

@DavidTanner Can you please resolve conflicts in this PR?

[DavidTanner]

@mraible Sorry, I missed your message.

[DavidTanner]

@mraible @aaronpk @rdegges or @robert-chiniquy I'd really like to get this merged so we can start using it. I've been using it locally for months.

[bdemers]

@DavidTanner great PR!

Looks good!

• lots of package name changes
• fluent method's drop the with
• region is no longer a simple string
• minor regex change to add -gov (plus a test ❤️)

Longer-term question:
It's been a while since I've looked at this project, so forgive me for asking.
Is this tool still needed now that the v2 version of the AWS CLI supports SSO directly

IIRC, The AWS CLI v2 uses an OAuth Device Grant (e.g. similar to login /w Netflix using a code on your TV), which will pop a browser if possible. Then AWS does the SAML dance with Okta.

Either way, getting this in and released would help folks in the short term 😄

[DavidTanner]

@bdemers It looks like SSO isn't available in GovCloud yet which is why we still need it. Is there anything else I need to add to this PR to get it merged?

[bdemers]

@DavidTanner Thanks for the note about SSO in GovCloud!

I'll chat with the other maintainers about cutting a release early next week.

Thanks again!!

[dangeReis]

@DavidTanner @bdemers while they may have fixed things for those not using a profile, it broke things when actually using a profile.

#374 #375 #376

Can we either roll this back, or fix the other issues? This is unusable in the current state if you are using a profile.

[DavidTanner]

@dangeReis The changes I made are breaking. I updated the Readme accordingly. You should start using the OKTA_PROFILE to set the profile name.

[dangeReis]

@DavidTanner which Readme did you update? I'm not seeing anything relevant here:
https://github.com/oktadev/okta-aws-cli-assume-role/blob/master/Readme.MD

Specifically, commands like this don't currently work properly:

okta-aws test sts get-caller-identity

[DavidTanner]

I see the issue. Would the preferred functionality be then to force the okta profile to match the aws one? At my company one OKTA_PROFILE gives us access to multiple aws profiles. I can put up a PR to fix the scripts.

[dangeReis]

At my company, once you authenticate with OKTA, it locks you into an AWS role. If you want a different role/account, you need to use a different okta profile or clear our some session files. Not quite sure how you are using this.

We currently associate the okta profile with the appropriate role/account that we want and just reauthenticate when the timeout expires. This allows us to use multiple profiles at the same time if we needed to.

[DavidTanner]

~/.aws/config

[profile company-dev]
region = SOME_REGION
role_arn = SOME_ARN
source_profile = SOME_OKTA_PROFILE

BASH_PROFILE="SOME_OKTA_PROFILE" AWS_PROFILE="company-dev" AWS_SDK_LOAD_CONFIG="1" withOkta aws ...

~/.aws/credentials

[SOME_OKTA_PROFILE]
...