Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary STS credentials from AWS.
This project is largely inspired by https://github.com/nimbusscale/okta_aws_login, but instead uses a purely API-driven approach, instead of parsing HTML during the authentication phase.
Parsing the HTML is still required to get the SAML assertion, after authentication is complete. However, since we only need to look for the SAML assertion in a single, predictable tag, <input name="SAMLResponse"...
, the results are a lot more stable across any changes that Okta may make to their interface.
pip install okta-awscli
- To install with U2F support (Yubikey):
pip install "okta-awscli[U2F]"
- To install with U2F support (Yubikey):
- Configure okta-awscli via the
~/.okta-aws
file with the following parameters:
[default]
base-url = <your_okta_org>.okta.com
## The remaining parameters are optional.
## You will be prompted for them, if they're not included here.
username = <your_okta_username>
password = <your_okta_password> # Only save your password if you know what you are doing!
factor = <your_preferred_mfa_factor> # Current choices are: GOOGLE or OKTA
role = <your_preferred_okta_role> # AWS role name (match one of the options prompted for by "Please select the AWS role" when this parameter is not specified
app-link = <app_link_from_okta> # Found in Okta's configuration for your AWS account.
duration = 3600 # duration in seconds to request a session token for, make sure your accounts (both AWS itself and the associated okta application) allow for large durations. default: 3600
- Tenant wide MFA support
- Per-application MFA support (added in version 0.4.0)
- Okta Verify Play Store | App Store
- Okta Verify Push Support
- Google Authenticator Play Store | App Store
- YubiKey (Requires library python-u2flib-host) HomePage
okta-awscli --profile <aws_profile> <awscli action> <awscli arguments>
- Follow the prompts to enter MFA information (if required) and choose your AWS app and IAM role.
- Subsequent executions will first check if the STS credentials are still valid and skip Okta authentication if so.
- Multiple Okta profiles are supported, but if none are specified, then
default
will be used. - Selections for AWS App and AWS Role are saved to the
~/.okta-aws
file. Removing theapp-link
androle
fields will enable the prompts for these selections.
okta-awscli --profile my-aws-account iam list-users
If no awscli commands are provided, then okta-awscli will simply output STS credentials to your credentials file, or console, depending on how --profile
is set.
Optional flags:
--profile
Sets your temporary credentials to a profile in.aws/credentials
. If omitted, credentials will output to console.--force
Ignores result of STS credentials validation and gets new credentials from AWS. Used in conjunction with--profile
.--verbose
More verbose output.--debug
Very verbose output. Useful for debugging.--cache
Cache the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified)--okta-profile
Use a Okta profile, other thandefault
in.okta-aws
. Useful for multiple Okta tenants.--token
or-t
Pass in the TOTP token from your authenticator