A CLI tool that uses SAML assertions generated by Okta's IdP portal to obtain temporary AWS CLI credentials via AWS STS.
Originally written by Joe Keegan - joe@nimbusscale.com
Updated by Benjamin Knauss - racter@racter.com
This software is distributed under the MIT license. Please see the file LICENSE.txt for terms of use and redistribution.
Based on https://github.com/nimbusscale/okta_aws_login
The okta_aws_login tool, written in Python 3, was developed to remove the need to generate and store long-lived AWS Access and Secret Keys on systems in order to use AWS's CLI tools.
Okta is a leading Identity Provider and is often used by organizations to federate user credentials and provide Single Sign-On access to the AWS console. While using Okta solves the problem of federated access to the AWS console, it does not provide an "out-of-the-box" solution for federated access when using AWS's CLI tools.
The okta_aws_login tool prompts the user for the credentials needed to authenticate with the Okta IdP and then uses the SAML assertion generated by Okta to retrieve temporary AWS Access and Secret Keys and an AWS Session Token. The AWS credentials are then written to the local AWS credentials file for use by the AWS CLI.
get_aws_keys.py supports both password only and Multi-Factor Authentication (MFA). The following MFA options are supported:
- Okta Verify
- Okta Verify (Push)
- Google Authenticator
- SMS Authentication
- Voice Call
- Multiple Account Support
- Multiple Role Support
- Username is provided as a default
- Role is selectable via command line
- Supports more authentication factors
- Fully Okta API Compliant, no more screen scraping
- Returns useful error codes
Before running okta_aws_login you must create a configuration file. This file is expected to be named "~/.aws/okta" and must follow this format:
```ini
[masteraccount_dev]
provider_url = https://mycompany.okta.com/home/amazon_aws/0oa11v5lxcd1X3pDr1e8/272
sso_url = https://mycompany.okta.com/app/amazon_aws/exk11v5lxccqsdwor1e8/sso/saml
region = us-west-2
[masteraccount_qa]
provider_url = https://mycompany.okta.com/home/amazon_aws/3oa11v5lxcd1X3pDr1e8/272
sso_url = https://mycompany.okta.com/app/amazon_aws/exk13v5lxccqsdwor1e8/sso/saml
region = us-west-2
[masteraccount_prod]
provider_url = https://mycompany.okta.com/home/amazon_aws/0oa12v5lxcd1X3pDr1e8/272
sso_url = https://mycompany.okta.com/app/amazon_aws/exk12v5lxccqsdwor1e8/sso/saml
region = us-west-2
...
```
- provider_url - The URL of the AWS app within Okta that is configured to provide access to AWS with the desired role. This is the EMBED LINK URL found on the General tab of the Okta AWS App. Access to this link is only available to an Okta user with admin rights; if you are not an admin you will need an admin to provide you the URL.
- region - The AWS region included in the AWS CLI profile created by okta_aws_login.
The simplest usage is to call okta_aws_login.py from the command line. You will be prompted for the necessary credentials, including MFA credentials.
```text
$ get_aws_keys.py -p masteraccount_prod
Okta Authentication Tool
Username [bknauss] :
Password for bknauss:
Select which MFA method would you like to use?:
1 ) SMS
2 ) Google Authenticator
3 ) Okta Verify
4 ) Okta Verify (push)
5 ) Okta Call
Factor number : 1
sms> Enter your sms code: 641938
Select which role in the move_dev account :
1 ) ReadOnly
2 ) Move-SE
3 ) User
4 ) Admin
Role number : 3
Role: arn:aws:iam::860429940966:role/User
Credentials for the profile move_dev have been set. They will expire in 60 minutes.
```
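The steps behind that session, as an added example that is not the tool's own code: pull the role/principal ARN pairs out of the SAML assertion's Role attribute, exchange the assertion plus the chosen pair for temporary keys with STS, and merge the result into the credentials file without touching other profiles. The assertion, the `FakeSTS` client and the ARNs are constructed stand-ins; with boto3 installed, `boto3.client("sts")` can replace `FakeSTS()` unchanged.

```python
import base64
import configparser
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the assertion Okta posts to the SSO URL (not a real Okta response).
SAMPLE_ASSERTION = base64.b64encode(b"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AttributeStatement><saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/Okta</saml2:AttributeValue>
<saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/Okta,arn:aws:iam::123456789012:role/Admin</saml2:AttributeValue>
</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>""").decode()

def parse_roles(assertion_b64):
    """Return [(role_arn, principal_arn)] from the Role attribute; either ARN may be listed first."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.iterfind("saml2:AttributeValue", NS):
                first, second = (p.strip() for p in value.text.split(",", 1))
                pairs.append((first, second) if ":role/" in first else (second, first))
    return pairs

class FakeSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline."""
    def assume_role_with_saml(self, RoleArn, PrincipalArn, SAMLAssertion, DurationSeconds):
        if RoleArn not in {r for r, _ in parse_roles(SAMLAssertion)}:
            raise ValueError("role not present in assertion")  # real STS refuses this as well
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": f"+{DurationSeconds}s"}}

def assume_role(sts, assertion_b64, role_index, duration=3600):
    """Exchange the assertion for temporary keys for the role picked by prompt index (0-based)."""
    role_arn, principal_arn = parse_roles(assertion_b64)[role_index]
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=assertion_b64, DurationSeconds=duration)
    return resp["Credentials"]

def write_profile(credentials_text, profile, creds, region):
    """Merge the keys into the parsed ~/.aws/credentials text, replacing only this profile,
    and return every section as a dict so the caller can write the file back."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"], "region": region}
    return {section: dict(cfg[section]) for section in cfg.sections()}
```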
Once okta_aws_login.py runs successfully, your Okta session ID is cached and used to retrieve future temporary AWS credentials. The temporary AWS credentials typically expire in 60 minutes, while an Okta session by default expires after 120 minutes of inactivity. Running the tool again at any time before the Okta session expires refreshes your AWS credentials and extends their life for another 60 minutes. Since the cached session ID is used for authentication, okta_aws_login.py will not prompt you for credentials.
The Okta username can also be specified in two other ways: via the --username command line option, or by setting the OKTA_USERNAME environment variable.
Additional options exist and others may be added in the future. Running get_aws_keys.py --help will show you all the options.
Additional details and examples can be found in this blog post: AWS User Federation with Okta – Part 3: CLI Access.
Thanks to Joe Keegan for V1 of this script
Thanks to Quint Van Deman who published the blog post "How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0". Without his example code the development of okta_aws_login.py would have been way more difficult.