Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time


CredSummoner is a tool that developers can use to generate temporary AWS credentials. It works by integrating with your identity provider for user authentication and AWS role access. As of now, the only supported identity provider is Okta.


First, CredSummoner must be configured to use the proper Okta embed link for AWS access:

credsummoner config okta_aws_embed_link

Once configured, credsummoner get may be used like so:

credsummoner get your-okta-username

CredSummoner will prompt for a password and TOTP token. Upon successful authentication, CredSummoner will prompt for the AWS account and IAM role to assume. A new shell process is then created with the following environment variables configured with a fresh set of temporary AWS credentials:


There are several other ways to invoke credsummoner get. For example, if you know the AWS account alias and IAM role name, you can skip the prompts like so:

credsummoner get your-okta-username --account=foo --role=Developer

You can also tell CredSummoner to spawn an arbitrary program rather than a shell:

credsummoner get your-okta-username -- rails server

Or, you can skip spawning another program altogether and just print out environment variables for easy copy/pasting elsewhere:

credsummoner get your-okta-username --env

By default, CredSummoner tries to generate credentials that are valid for 12 hours, the maximum currently allowed by AWS STS. If an IAM role has a lower maximum session duration, then the --duration flag must be used to set the desired session duration (in seconds) without exceeding the limit.


CredSummoner is a Ruby gem, and thus can be easily installed with the gem program:

gem install credsummoner