aws-okta provides a wrapper that manages SSO into AWS via Okta.
Adding an Okta account
You'll need to know:
- The Okta account name.
- Which Okta region it's in.
- The domain for the Okta User Home, which will be generated based on the above.
Configuring AWS accounts
Once logged in, you'll need to make a note of the path portion of each of the AWS Okta apps. URLs like the following initiate the SAML SSO process:
There are two ways to configure access to multiple AWS accounts from Okta:
- If you're assuming IAM roles after logging in to AWS, you may have access to multiple AWS accounts through a single Okta app.
- Otherwise, you may have one Okta app for each account.
To configure it, install a profile into ~/.aws/config that looks something like the following:

    [profile NAME]
    okta_account_name = OKTA_ACCOUNT
    okta_session_cookie_key = OKTA_ACCOUNT
    aws_saml_url = SAML_URL
    role_arn = arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE
OKTA_TENANT is the name of the account specified during aws-okta add, and SAML_URL is the path to the Okta app from the dashboard (inspect the button on the Okta dashboard and look for a URL like https://OKTA_TENANT.OKTA_DOMAIN/home/amazon_aws/XXXXXXXXXXXXXXXXXXXX/XXX?fromHome=true and extract the
To determine the value of role_arn, log in to the AWS Console via the Okta app and look at the role information in the upper right. Look up the ARN of the role in the IAM dashboard -> Roles and paste it.
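The two manual steps above (taking the path portion of the Okta app URL and filling in a well-formed profile) are easy to get wrong, so here is an added helper that does the extraction and checks a profile before aws-okta is run. It is example code, not part of aws-okta; the sample config, the tenant name and the app id in it are constructed, and stripping the leading "/" from the path is an assumption.

```python
"""Prepare and sanity-check an aws-okta profile (added example, not aws-okta code)."""
import configparser
import re
from typing import List
from urllib.parse import urlparse

# IAM role ARN: 12-digit account id, "role/" and a role name (optionally with a path).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Path portion of an Okta AWS app, as shown in the text: home/amazon_aws/<app id>/<n>
SAML_PATH_RE = re.compile(r"^home/amazon_aws/[^/?#]+/[^/?#]+$")
REQUIRED_KEYS = ("okta_account_name", "aws_saml_url", "role_arn")


def saml_path_from_dashboard_url(url: str) -> str:
    """Return the path portion of an Okta dashboard app URL, without scheme,
    host, query string or leading '/' (the leading-slash choice is an assumption)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"not an https Okta URL: {url!r}")
    path = parsed.path.lstrip("/")
    if not SAML_PATH_RE.match(path):
        raise ValueError(f"unexpected Okta AWS app path: {path!r}")
    return path


def check_profile(config_text: str, name: str) -> List[str]:
    """Validate one [profile NAME] section of ~/.aws/config style text.
    Returns a list of problems; an empty list means the profile looks usable."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    section = f"profile {name}"
    if section not in cfg:
        return [f"no [{section}] section"]
    prof = cfg[section]
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in prof]
    if "role_arn" in prof and not ROLE_ARN_RE.match(prof["role_arn"]):
        problems.append(f"malformed role_arn: {prof['role_arn']!r}")
    if "aws_saml_url" in prof and not SAML_PATH_RE.match(prof["aws_saml_url"]):
        # A common slip: pasting the whole dashboard URL instead of its path portion.
        problems.append(f"aws_saml_url is not an Okta app path: {prof['aws_saml_url']!r}")
    return problems


# Constructed sample config: one usable profile and one with two mistakes.
SAMPLE_CONFIG = """\
[profile okta-dev]
okta_account_name = example-corp
okta_session_cookie_key = example-corp
aws_saml_url = home/amazon_aws/0oaEXAMPLEAPPID12345/272
role_arn = arn:aws:iam::123456789012:role/Developer

[profile broken]
okta_account_name = example-corp
aws_saml_url = https://example-corp.okta.com/home/amazon_aws/0oaEXAMPLEAPPID12345/272?fromHome=true
role_arn = arn:aws:iam::123456789012:user/alice
"""
```

Running `check_profile(SAMPLE_CONFIG, "broken")` reports both the pasted full URL and the user (not role) ARN, while `okta-dev` passes cleanly.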
List configured accounts:
The argument separator (--) is required:

    aws-okta exec ACCOUNT -- aws sts get-caller-identity