Can't authenticate if App-level MFA is turned on #63
Comments
We are just starting to trial Okta with AWS and hit this issue today too. We use Okta for a bunch of apps and don't want to enable MFA globally, rather on a per-app basis. I have tested that aws-okta works if we enforce MFA globally for all apps and it works nicely with Google Authenticator, Okta Verify etc. However, if we enforce MFA only on the AWS Application itself, aws-okta fails with the same error as @ostankin describes.
Okta APIs don't support app-level MFA. Even the [documentation for their own AWS CLI tool][1] says:

> Note: At this time, per-app MFA is not supported in this integration. Only organization-level MFA is supported.

This provides an alternative to the SAML client that works better with MFA being enabled only for a specific Okta application. With SAML it's difficult to get the control back to the CLI program once the user has finished authentication. With OIDC it's easier, and we can then force the OS to focus the window from which the CLI program is run, creating a reasonably smooth flow. It's not ideal - not as good as being able to input the MFA information through the CLI, but the best I could come up with given the APIs.

Setup instructions are included in the readme.

Fixes segmentio#63

[1]: https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta#Execution1
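The handoff the PR description above relies on (browser does the Okta login, the CLI gets control back) is the standard OIDC authorization-code flow with a loopback redirect. The following is an added illustration written for this page, not aws-okta's code and not the implementation in PR #83. It assumes an Okta issuer URL and client ID as placeholders, uses Okta's documented `/v1/authorize` path, and shows the two checks a CLI should make so that a redirect it did not start cannot hand it a code: a one-time `state` value and a PKCE verifier/challenge pair. The token exchange itself is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Constructed illustration, not aws-okta or PR #83 code: the CLI opens the
// browser on Okta's OIDC authorize endpoint and regains control through a
// loopback redirect. Per-attempt state and PKCE tie the redirect to this run.

// LoginAttempt holds what the CLI must remember until the browser comes back.
type LoginAttempt struct {
	State        string // one-time value Okta echoes back; rejects foreign redirects
	CodeVerifier string // PKCE verifier, sent only to the token endpoint later
	RedirectURI  string // loopback callback, e.g. http://127.0.0.1:PORT/callback
	Code         string // authorization code, set by HandleCallback exactly once
}

// randomURLSafe returns n random bytes as unpadded base64url.
func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness means no safe login
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// PKCEChallenge derives the S256 code_challenge from a verifier (RFC 7636).
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewLoginAttempt creates a fresh state and verifier (43 chars each) for one login.
func NewLoginAttempt(redirectURI string) *LoginAttempt {
	return &LoginAttempt{State: randomURLSafe(32), CodeVerifier: randomURLSafe(32), RedirectURI: redirectURI}
}

// AuthorizeURL builds the request the browser is opened with. issuer and
// clientID are placeholders; the /v1/authorize path is Okta's documented one.
func (a *LoginAttempt) AuthorizeURL(issuer, clientID string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", a.RedirectURI)
	q.Set("scope", "openid")
	q.Set("state", a.State)
	q.Set("code_challenge", PKCEChallenge(a.CodeVerifier))
	q.Set("code_challenge_method", "S256")
	return issuer + "/v1/authorize?" + q.Encode()
}

// HandleCallback validates the redirect query and records the code. It returns
// the HTTP status for the loopback reply; only 200 means the code may be used.
func (a *LoginAttempt) HandleCallback(q url.Values) (int, error) {
	if a.Code != "" {
		return http.StatusConflict, errors.New("callback already consumed")
	}
	if q.Get("state") != a.State {
		return http.StatusBadRequest, errors.New("state mismatch: redirect was not started by this CLI")
	}
	code := q.Get("code")
	if code == "" {
		return http.StatusBadRequest, errors.New("missing code")
	}
	a.Code = code
	return http.StatusOK, nil
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // ephemeral loopback port
	if err != nil {
		panic(err)
	}
	attempt := NewLoginAttempt("http://" + ln.Addr().String() + "/callback")
	fmt.Println("Open this URL in your browser:")
	fmt.Println(attempt.AuthorizeURL("https://example.okta.com/oauth2/default", "CLIENT_ID_PLACEHOLDER"))
	done := make(chan struct{})
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
		status, err := attempt.HandleCallback(r.URL.Query())
		if err != nil {
			http.Error(w, err.Error(), status)
			return
		}
		fmt.Fprintln(w, "Login complete; you can return to the terminal.")
		close(done)
	})
	go http.Serve(ln, mux)
	<-done // the code would now be exchanged at the token endpoint with CodeVerifier
	fmt.Println("received authorization code; loopback handoff complete")
}
```

Binding to an ephemeral port on 127.0.0.1 means the redirect URI registered in Okta must allow a loopback address with a variable port; the `state` check is what stops another local process or a stale browser tab from delivering a code to this run, and the single-use `Code` field makes a duplicate callback a visible 409 rather than a silent overwrite.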
I proposed a solution in #83. If anybody wants to try it out before it's merged, then I've released a macOS binary that supports app-level MFA if you follow these instructions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Sad to see this one die on the vine. We were going to switch all our AWS access from local IAM access and assuming roles with MFA to this. The lack of support for application MFA has blocked us.
#83 was pretty close to being accepted and merged. If you wanna take some time to spruce it up, we can get it in. Also, I'd love to have a non-Segment volunteer to maintain it, since we wouldn't be using it ourselves, and it's a substantial chunk of code.
Fair enough. The python solution from https://github.com/Nike-Inc/gimme-aws-creds works with app-level MFA and SAML, so it'd be worth seeing if there could be a solution there. Switching away from SAML isn't something we can take on right now.
Any chance for supporting app-level MFA? This feature will certainly be very useful.
Summary
If the profile is connected to an Okta application that has Application Level MFA enabled, authentication fails.
OS: OS X 10.13.6
aws-okta version: aws-okta-v0.19.0-darwin-amd64 binary
Details
Prerequisites:

john.doe@example.com, and both provide full read-only access to an AWS account with ID 1234567891011.

`~/.aws/config` for both applications:

Run results: