aws-okta

aws-okta provides a wrapper that manages SSO into AWS via Okta.

Adding an Okta account

You'll need to know:

  1. The Okta account name.
  2. Which Okta region it's in.
  3. The domain for the Okta User Home, which will be generated based on the above.

aws-okta add

Configuring AWS accounts

Once logged in to Okta, make a note of the path portion of the URL behind each AWS Okta app. URLs of the following shape initiate the SAML SSO process: home/amazon_aws/XXXXXXXXXXXXXXXXXXXX/XXX.

There are two ways to configure access to multiple AWS accounts from Okta:

  1. If you're assuming IAM roles after logging in to AWS, you may have access to multiple AWS accounts through a single Okta app (one profile per role, all sharing the same aws_saml_url and differing only in role_arn).
  2. Otherwise you may have one Okta app for each account (one profile per app, each with its own aws_saml_url).

To configure it, install a profile into ~/.aws/config that looks something like the following:

[profile NAME]
okta_account_name = OKTA_ACCOUNT
okta_session_cookie_key = OKTA_ACCOUNT
aws_saml_url = SAML_URL
role_arn = arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE

OKTA_ACCOUNT is the account name you gave to aws-okta add, and SAML_URL is the path to the Okta app from the dashboard: inspect the app's button on the Okta dashboard, look for a URL like https://OKTA_ACCOUNT.OKTA_DOMAIN/home/amazon_aws/XXXXXXXXXXXXXXXXXXXX/XXX?fromHome=true, and extract the home/amazon_aws/XXXXXXXXXXXXXXXXXXXX/XXX part (no leading slash and no query string).

To determine the value of role_arn, log in to the AWS Console via the Okta app and look at the role information in the upper right of the console, which shows the role name and account you landed in. Look up that role under IAM -> Roles, copy its ARN (the arn:aws:iam::...:role/... form, not the arn:aws:sts::...:assumed-role/... form shown in the console banner) and paste it. Use a role the Okta app actually grants you: role_arn selects among the roles Okta's SAML assertion offers, it does not add access, and a typo here only surfaces as a failure when you later run aws-okta exec.
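As an added example, not part of aws-okta or this README, the following POSIX shell script turns an Okta app URL copied from the dashboard into the aws_saml_url value and emits ready-to-paste profile stanzas in the format above, covering both layouts: several roles behind one Okta app (same aws_saml_url, different role_arn) and a second account with its own Okta app. The tenant name, app ids, account ids and role names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not aws-okta's own code. Builds ~/.aws/config profile stanzas
# from Okta dashboard app URLs. All tenant names, app ids, account ids and
# roles below are constructed placeholders.

# saml_path URL
# Prints the "home/amazon_aws/<app id>/<n>" path that aws-okta expects in
# aws_saml_url, stripping the scheme, host and the ?fromHome=true query string.
# Fails if the URL is not an Okta AWS app link.
saml_path() {
  _p="${1#*://}"      # drop scheme
  _p="${_p#*/}"       # drop host; path is kept without a leading slash
  _p="${_p%%[?]*}"    # drop query string
  case "$_p" in
    home/amazon_aws/*/*) printf '%s\n' "$_p" ;;
    *) printf 'not an Okta AWS app URL: %s\n' "$1" >&2; return 1 ;;
  esac
}

# role_arn_ok ARN
# Sanity-check the role_arn copied from the IAM console: 12-digit account id
# and a role/ path. Rejects the common mistake of pasting the assumed-role
# (arn:aws:sts::...) ARN from the console banner instead of the IAM role ARN.
role_arn_ok() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# profile_stanza NAME OKTA_ACCOUNT APP_URL ROLE_ARN
# Prints one [profile NAME] block in the format shown above, followed by a
# blank line, or fails without printing anything if an input is malformed.
profile_stanza() {
  _path=$(saml_path "$3") || return 1
  role_arn_ok "$4" || { printf 'bad role_arn: %s\n' "$4" >&2; return 1; }
  printf '[profile %s]\n' "$1"
  printf 'okta_account_name = %s\n' "$2"
  printf 'okta_session_cookie_key = %s\n' "$2"
  printf 'aws_saml_url = %s\n' "$_path"
  printf 'role_arn = %s\n' "$4"
  printf '\n'
}

# Demo with constructed values: one Okta app (APP_A) granting two roles in two
# accounts, so both profiles share its aws_saml_url, plus a third account that
# has its own Okta app (APP_B). Append the output to ~/.aws/config.
APP_A='https://acme.okta.com/home/amazon_aws/0oa1abc2def3ghi4jkl5/272?fromHome=true'
APP_B='https://acme.okta.com/home/amazon_aws/0oa9zyx8wvu7tsr6qpo5/272?fromHome=true'
profile_stanza dev-admin acme "$APP_A" 'arn:aws:iam::111111111111:role/Admin'
profile_stanza prod-read acme "$APP_A" 'arn:aws:iam::222222222222:role/ReadOnly'
profile_stanza sandbox   acme "$APP_B" 'arn:aws:iam::333333333333:role/Sandbox'
```

The role_arn check is deliberately strict about the arn:aws:iam:: prefix because the console banner shows the session's assumed-role ARN, which is not what aws-okta needs.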

Query configuration

List configured accounts:

aws-okta list

Run commands

The argument separator (--) is required; everything after it runs as a child process with temporary credentials for the profile placed in its environment:

aws-okta exec NAME -- aws sts get-caller-identity

NAME is the profile name from ~/.aws/config, as shown by aws-okta list.
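Before running anything that matters under exec, it is worth confirming that the session really is the role and account the profile configures. The POSIX shell helpers below are an added example, not part of aws-okta: they compare the Arn reported by aws sts get-caller-identity against a profile's role_arn. The JSON is a constructed sample of that command's output, and the account ids and role names are placeholders.

```shell
#!/bin/sh
# Added example, not aws-okta's own code. Checks that the identity returned by
# `aws sts get-caller-identity` under `aws-okta exec` is the configured role.

# assumed_role_prefix ROLE_ARN
# Maps arn:aws:iam::ACCOUNT:role/[path/]NAME to the prefix STS reports for a
# session of that role: arn:aws:sts::ACCOUNT:assumed-role/NAME/ (the role's
# IAM path is not part of the assumed-role ARN, only the final name is).
assumed_role_prefix() {
  _acct="${1#arn:aws:iam::}"; _acct="${_acct%%:*}"
  _name="${1##*:role/}";      _name="${_name##*/}"
  printf 'arn:aws:sts::%s:assumed-role/%s/\n' "$_acct" "$_name"
}

# caller_arn
# Extracts the "Arn" field from get-caller-identity JSON on stdin without jq
# (the field sits on its own line in the CLI's default output).
caller_arn() {
  sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_identity JSON ROLE_ARN
# Returns 0 when the session ARN belongs to ROLE_ARN, 1 otherwise. The trailing
# slash in the prefix stops role "Admin" from matching a session of "AdminX".
check_identity() {
  _got=$(printf '%s\n' "$1" | caller_arn)
  _want=$(assumed_role_prefix "$2")
  case "$_got" in
    "$_want"*) return 0 ;;
    *) printf 'expected a session of %s, got %s\n' "$2" "$_got" >&2; return 1 ;;
  esac
}

# Constructed sample of `aws sts get-caller-identity` output.
SAMPLE='{
    "UserId": "AROAEXAMPLEID:jdoe",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/Admin/jdoe"
}'

check_identity "$SAMPLE" 'arn:aws:iam::111111111111:role/Admin' && echo 'session matches dev-admin'
check_identity "$SAMPLE" 'arn:aws:iam::222222222222:role/ReadOnly' || echo 'wrong profile, do not proceed'

# Real use, with aws-okta and the AWS CLI installed and NAME/ROLE_ARN taken
# from the profile in ~/.aws/config:
#   check_identity "$(aws-okta exec NAME -- aws sts get-caller-identity)" "$ROLE_ARN"
```

Wiring this into a wrapper script before a deploy or a destructive CLI call turns a mis-selected profile into a loud failure instead of a change in the wrong account.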