v2.3.0

2.3.0 (July 12, 2024)

ENHANCEMENTS

• New command okta-aws-cli list-profiles helper to inspect profiles in okta.yaml #222, thanks @pmgalea!
• GH releases publish Windows artifact to Chocolatey #215, thanks @monde!
• Better retry for when the cached access token has been invalidated outside of okta-aws-cli's control. #220, thanks @monde!
• Print a warning at first run if otka.yaml is malformed. #220, thanks @monde!

BUG FIXES

• Correct "default" profile flaw introduced in 2.2.0 release #220, thanks @monde!
• Continue polling instead of exit on a 400 "slow_down" API error #220, thanks @monde!

v2.2.0

2.2.0 (July 3, 2024)

ENHANCEMENTS

• Seamless support for non-Admin users if OIDC app has okta.users.read.self grant. Issue #66, PR #213, thanks @monde!
• Improve README with note about device state in policy #205, thanks @ramgandhi-okta!
• Correct m2m typo in README #201, thanks @stefan-lsx!

BUG FIXES

• Paginating more than 200 apps on GET /api/v1/apps not implemented #212, thanks @pmgalea!
• Respect OKTA_AWSCLI_AWS_REGION env var value when saving to the profile #203, thanks @sudolibre!
• Default profile value not correctly set to default #200, thanks @mantoine96!

v2.1.2

2.1.2 (February 27, 2024)

BUG FIXES

• Additional fix for bug dealing with multiple profiles in okta.yaml #196, thanks @MatthewJohn!

v2.1.1

2.1.1 (February 23, 2024)

BUG FIXES

• Fix bug dealing with multiple profiles in okta.yaml #187, thanks @MatthewJohn!

v2.1.0

2.1.0 (February 15, 2024)

ENHANCEMENTS

• Multiple okta-aws-cli configurations in okta.yaml by AWS profile name.
  #162, thanks @MatthewJohn!

• Explicitly set AWS Region with CLI flag --aws-region #174, thanks @euchen-circle, @igaskin!

• --aws-iam-idp and --aws-iam-role arguments can be ARN or friendly label #178, thanks @monde!

BUG FIXES

• Fix bug where all flags were not being set on the config object. #177, thanks @monde!
• Process credentials format was not emitting JSON correctly when --write-aws-credentials flag is present #173, thanks @monde!
• Open browser and open browser command behavior was fouled in v2 release #172, thanks @monde!

v2.0.1

Note: We are not publishing a Windows amd64 binary due to many AVs falsely signaling binaries built with the Go language having viruses

2.0.1 (January 31, 2024)

ENHANCEMENTS

• Packaged binary's don't have postfix version value on file name #154

BUG FIXES

• Binaries produced by golang for Windows amd64 runtimes are triggering AVs so we will not publish this for the OS/Arch #166
• CLI version incorrectly rev'd on previous release #164

v2.0.0

Changelog

2.0.0 (January 25, 2024)

V2 GA Release 🎉🎉

New commands

okta-aws-cli's functions are encapsulated as (sub)commands e.g. $ okta-aws-cli [sub-command]

Command	Description
web	Human oriented retrieval of temporary IAM credentials through Okta authentication and device authorization. Note: if okta-aws-cli is not given a command it defaults to this original web command.
m2m	Machine/headless oriented retrieval of temporary IAM credentials through Okta authentication with a private key.
debug	Debug okta.yaml config file and exit.

Environment variable name changes

A small number of environment variable names have been renamed to be consistent
in the naming convention for okta-aws-cli specific names.

old name	new name
OKTA_ORG_DOMAIN	OKTA_AWSCLI_ORG_DOMAIN
OKTA_OIDC_CLIENT_ID	OKTA_AWSCLI_OIDC_CLIENT_ID
OKTA_AWS_ACCOUNT_FEDERATION_APP_ID	OKTA_AWSCLI_AWS_ACCOUNT_FEDERATION_APP_ID

Process credential provider output as JSON

Emits IAM temporary credentials as JSON in process
credentials
format.

# In $/.aws/config
[default]
  # presumes OKTA_AWSCLI_* env vars are set
  credential_process = okta-aws-cli m2m --format process-credentials

Execute follow-on command

Instead of scripting and/or eval'ing okta-aws-cli into a shell and then
running another command have okta-aws-cli run the command directly passing
along the IAM credentials as environment variables.

# CLI exec's anything after the double dash "--" arguments terminator as another command.
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --exec -- aws ec2 describe-instances

Collect all roles for all AWS Fed Apps (IdP) at once

okta-aws-cli web will collect all available AWS IAM Roles for all Okta AWS
Federation apps (IdP) at once. This is a feature specific to writing the
$HOME/.aws/credentials file. Roles will be AWS account alias name (if STS list
aliases is available on the given role) then - then abbreviated role name.

# AWS account alias "myorg", given IdP associated with "AWS Account Federation"
# and an app associated with two roles.

$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --write-aws-credentials \
    --all-profiles

Web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://test.okta.com/activate?user_code=QHDMVQTZ

Updated profile "devorg-idp1-role1" in credentials file "/Users/me/.aws/credentials".
Updated profile "devorg-idp1-role2" in credentials file "/Users/me/.aws/credentials".
Updated profile "devorg-idp2-role1" in credentials file "/Users/me/.aws/credentials".
Updated profile "prodorg-idp1-role1" in credentials file "/Users/me/.aws/credentials".

Alternate web browser open command

The web command will open the system's default web browser when the
--open-browser flag is present. It is convenient to have the browser open on a
separate profile. If the command to open the browser is known for the host
system an alternate open command can be specified.

# Use macOS open to open browser in Chrome incognito mode
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --open-browser-command "open -na \"Google\ Chrome\" --args --incognito"

# Open browser in Chrome "Profile 1" on macOS calling the Chrome executable directly
$ okta-aws-cli web \
    --org-domain test.okta.com \
    --oidc-client-id 0oa5wyqjk6Wm148fE1d7 \
    --open-browser-command "/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --profile-directory=\"Profile\ 1\""

Windows examples

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start msedge"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome --incognito"

> okta-aws-cli web \
  --oidc-client-id abc \
  --org-domain test.okta.com \
  --open-browser-command "cmd.exe /C start chrome --profile-directory=\"Profile\ 1\""

Friendly label matching with regular expressions

Friendly label matching for IdPs and Roles with $HOME/.okta/okta.yaml file can
be regular expressions.

Example: your organization uses the same role naming convention across many
different AWS accounts:

---
awscli:
  idps:
    "arn:aws:iam::123456789012:saml-provider/company-okta-idp": "Data Production"
    "arn:aws:iam::012345678901:saml-provider/company-okta-idp": "Data Development"
    "arn:aws:iam::901234567890:saml-provider/company-okta-idp": "Marketing Production"
    "arn:aws:iam::890123456789:saml-provider/company-okta-idp": "Marketing Development"
  roles:
    "arn:aws:iam::.*:role/admin": "Admin"
    "arn:aws:iam::.*:role/operator": "Ops"

? Choose an IdP:  
> Data Production
  Data Development
  Marketing Production
  Marketing Development

? Choose a Role:  [Use arrows to move, type to filter]
> Admin
  Ops

v1.2.2

1.2.2 (August 31, 2023)

• Ensure evaluation of CLI flag for profile is in the same order as the other flags #124
• Retry cached access token if it isn't expired by but receives API error #127

v1.2.1

1.2.1 (August 15, 2023)

• Friendly IdP and Role labels don't also print out ARN value (less text clutter in the UI)

v1.2.0

1.2.0 (August 15, 2023)

• Friendly Role menu labels for long ARN values can be set in $HOME/.okta/okta.yaml