m2m configurable iam role session name #165

Open
monde opened this issue Jan 29, 2024 · 1 comment
Comments

monde commented Jan 29, 2024

In M2M mode okta-aws-cli hard-codes the IAM role session name to "okta-aws-cli":
https://github.com/okta/okta-aws-cli/blob/master/internal/m2mauth/m2mauth.go#L126

Make this customizable for m2m operators to append meta info into the resulting IAM userId.

Current:

```sh
eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem` && aws sts get-caller-identity
```

```json
{
    "UserId": "abcdefg:okta-aws-cli",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}
```

Something like `--aws-iam-role-session-name`:

```sh
eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem --aws-iam-role-session-name="person@example.com"` && aws sts get-caller-identity
```

```json
{
    "UserId": "abcdefg:person@example.com",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}
```

Notes from PM:

Or, not overloading the session role name, put the okta client id and application name in as the role session name:

```sh
eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem` && aws sts get-caller-identity
```

```json
{
    "UserId": "abcdefg:0oaa4htg72TNrkTDr1d7-our-oidc-app",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}
```
monde commented Feb 14, 2024

In the m2m mode there are only two API calls being made:

  • Get access token from Okta POST /oauth2/{id}/v1/token
  • Present access token from Okta to AWS STS to get temp IAM creds POST /

We don't ever fetch anything from the Okta Management API about the application name or make any kind of information-gathering queries to the AWS API other than presenting the Okta access token. So for m2m the only option that makes sense here is to allow the operator to set the role session name to something meaningful in their runtime.

Currently:

```sh
$ okta-aws-cli m2m --format noop --exec -- aws sts get-caller-identity
```

```json
{
    "UserId": "ABCXYX:okta-aws-cli",
    "Account": "123",
    "Arn": "arn:aws:sts::123:assumed-role/S3_Read/okta-aws-cli"
}
```

And with the role session name parameter:

```sh
$ okta-aws-cli m2m --role-session-name myValue --format noop --exec -- aws sts get-caller-identity
```

```json
{
    "UserId": "ABCXYX:myValue",
    "Account": "123",
    "Arn": "arn:aws:sts::123:assumed-role/S3_Read/myValue"
}
```
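Added illustration, not code from okta-aws-cli: a Go sketch of the second API call described above, showing how an operator-supplied `--role-session-name` value can be validated against the limits STS documents for `RoleSessionName` (2-64 characters from `[\w+=,.@-]`) before it is placed into the `AssumeRoleWithWebIdentity` request, and what assumed-role ARN that value will then produce in `get-caller-identity` and CloudTrail. The role ARN, account id and access token are placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// STS documents RoleSessionName as 2-64 characters matching [\w+=,.@-].
var sessionNameRe = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

const DefaultSessionName = "okta-aws-cli" // the value the CLI hard-codes today

// ResolveSessionName returns the flag value, or the default when the flag is
// empty, and rejects anything STS itself would refuse.
func ResolveSessionName(flagValue string) (string, error) {
	if flagValue == "" {
		return DefaultSessionName, nil
	}
	if !sessionNameRe.MatchString(flagValue) {
		return "", fmt.Errorf("invalid role session name %q: need 2-64 chars of [A-Za-z0-9_+=,.@-]", flagValue)
	}
	return flagValue, nil
}

// BuildAssumeRoleBody builds the form body of the unsigned STS Query API call in which the Okta access token is presented.
func BuildAssumeRoleBody(roleARN, accessToken, sessionName string) string {
	v := url.Values{}
	v.Set("Action", "AssumeRoleWithWebIdentity")
	v.Set("Version", "2011-06-15")
	v.Set("RoleArn", roleARN)
	v.Set("RoleSessionName", sessionName)
	v.Set("WebIdentityToken", accessToken)
	return v.Encode()
}

// ExpectedCallerArn is what get-caller-identity and CloudTrail report; the session name is the only operator-controlled part.
func ExpectedCallerArn(accountID, roleName, sessionName string) string {
	return fmt.Sprintf("arn:aws:sts::%s:assumed-role/%s/%s", accountID, roleName, sessionName)
}

func main() {
	name, err := ResolveSessionName("person@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(BuildAssumeRoleBody("arn:aws:iam::1234:role/S3_Read", "<okta-access-token>", name))
	fmt.Println(ExpectedCallerArn("1234", "S3_Read", name))
}
```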
