This program authenticates with Okta, assumes a provided role, and pulls a temporary key with STS to support the role assumption built into the aws
cli.
Grab a binary for your OS from the latest release, and put it somewhere in your PATH. Only supports Windows and MacOS for now!
First, create an ~/.oktaws/<OKTA ACCOUNT>.toml
file with the following information:
username = '<USERNAME>'
role = '<DEFAULT ROLE>'
[profiles]
profile1 = '<OKTA APPLICATION NAME>'
profile2 = { application = '<OKTA APPLICATION NAME>', role = '<ROLE OVERRIDE>' }
The role
value above is the name (not ARN) of the role you would like to log in as. This can be found when logging into the AWS console through Okta.
The ~/.aws/config
file is read for information, but not modified. It should look similar to the following to link the profile section with the temporary credentials.
See Assuming a Role for information on configuring the AWS CLI to assume a role.
[default]
output = json
region = us-east-1
[profile profile1]
role_arn = arn:aws:iam::MY_ACCOUNT_ID:role/final_role
source_profile = profile1
With those set up, you can run oktaws profile1
to generate keys for a single profile, or just oktaws
to generate keys for all profiles.
$ oktaws [AWS profile]
$ aws --profile [AWS profile] [command]
for example
$ oktaws production
$ aws --profile production ec2 describe-instances
Login didn't work? Use the -v
flag to emit more verbose logs. Add more -v
s for increased verbosity:
$ oktaws production -vv
- Jonathan Morley [@jonathanmorley]