Okta AWS CLI Assume Role Tool


ℹ️ Disclaimer: This tool is community-supported and is maintained by members of the Okta team for developers and IT professionals. This tool is not an official Okta product and does not qualify for any Okta support. Anyone who chooses to use this tool must ensure that their implementation meets any applicable legal obligations including any Okta terms and conditions.

New to Amazon Web Services with Okta? Start with Configuring AWS in Okta.

This tool has been verified to work on macOS Sierra, High Sierra, Windows Server 2012 R2, Windows 10, and Ubuntu 16.04 LTS, and is expected to work on other Linux systems as well.

Installation

Windows

  1. Run the following in a PowerShell console
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy unrestricted -Force; Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/oktadev/okta-aws-cli-assume-role/master/bin/Install-OktaAwsCli.ps1')); .$profile
  2. Customize %userprofile%\.okta\config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,
    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137

macOS/Linux

  1. Run the following in a Terminal, optionally setting a custom PREFIX value (default: ~/.okta):

    PREFIX=~/.okta bash <(curl -fsSL https://raw.githubusercontent.com/oktadev/okta-aws-cli-assume-role/master/bin/install.sh) -i
  2. Customize ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
  3. Make sure /usr/local/bin (or whatever $PREFIX/bin is) is in your PATH

Docker

  1. Create ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
  2. Run this command:

    docker run -v ~/.okta/config.properties:/root/.okta/config.properties -it tomsmithokta/okta-awscli-java

Read more at @tom-smith-okta's okta-awscli-java Docker repo.

Manual install

Create a .okta directory in your home directory. For example, ~/.okta.

Download the latest release JAR and put it in .okta: https://github.com/oktadev/okta-aws-cli-assume-role/releases

Create ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

OKTA_ORG=acmecorp.oktapreview.com
OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137

Create ~/.okta/logging.properties with the following content:

com.amazonaws.auth.profile.internal.BasicProfileConfigLoader = NONE

Copy scripts from .okta/bin to somewhere on your PATH.

Usage

Verify your setup with a simple command:

okta-aws test sts get-caller-identity

This will prompt for Okta credentials, log you into AWS, let you pick a role, and store a session profile called test for you.

Run the program again to see session resumption (you won't be asked for Okta credentials until the session expires):

okta-aws test sts get-caller-identity

NOTE: okta-aws is a function loaded from your shell profile, not a typical program or command stored in a file.

NOTE: On a *nix platform the withokta wrapper script will attempt to parse $https_proxy as a URI. If successful, the host and port values will be passed to the JVM. User credentials in the proxy configuration are not currently used. This allows the okta-aws tool to be used in an environment where internet access for the servers is mediated via a proxy, e.g. an EC2 instance inside a restricted VPC.

The proxy URI must be of the form http://host:port/. Both the host and port are mandatory.
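The parsing rule described in the two notes above, as an added example (not the project's withokta script). It assumes the host and port are handed to the JVM as the standard https.proxyHost and https.proxyPort system properties, which the README does not state; the function name and the sample proxy host are made up for illustration.

```shell
# Added example: turn an https_proxy-style URI into JVM proxy options.
# Assumption: the standard Java properties https.proxyHost / https.proxyPort;
# the README does not say which options the withokta wrapper passes.

proxy_jvm_flags() {   # proxy_jvm_flags URI -> prints the two -D options
    pj_rest=$1
    case $pj_rest in
        http://*) pj_rest=${pj_rest#http://} ;;
        *) return 1 ;;                     # README form is http://host:port/
    esac
    pj_rest=${pj_rest%%/*}                 # drop the path
    pj_rest=${pj_rest##*@}                 # drop user:password@ (not used)
    case $pj_rest in
        *:*) ;;
        *) return 1 ;;                     # the port is mandatory
    esac
    pj_host=${pj_rest%:*}
    pj_port=${pj_rest##*:}
    case $pj_host in
        # The host is mandatory; restricting it to hostname/IPv4 characters
        # keeps whitespace and shell metacharacters off the java command line.
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case $pj_port in
        ''|*[!0-9]*|??????*) return 1 ;;   # digits only, at most five of them
    esac
    [ "$pj_port" -ge 1 ] && [ "$pj_port" -le 65535 ] || return 1
    printf '%s %s\n' "-Dhttps.proxyHost=$pj_host" "-Dhttps.proxyPort=$pj_port"
}

# Constructed sample value:
#   proxy_jvm_flags 'http://proxy.internal.example:3128/'
```

A non-zero return means the value does not match the required form, which is a useful pre-flight check when the tool cannot reach Okta from behind a proxy.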

Reference

Compiling the application

The application was built and compiled with JetBrains' IntelliJ IDEA. Note that you don't have to compile the application in order to be able to execute it, since the compiled executable (a JAR file) is available on GitHub.

Prerequisites

You will need to install Java SE 11x or the Java JDK 11x.

Then you will need Maven 2 or later to run the build.

Building on the command line

To get a single JAR with all dependencies, use git clone https://github.com/oktadev/okta-aws-cli-assume-role.git to clone the repository locally. Then, build with Maven:

mvn package
cp target/okta-aws-cli-*.jar ~/.okta/okta-aws-cli.jar

Configuring AWS in Okta

See for details on setting up Amazon Web Services Account Federation to allow logging into AWS through Okta and this tool.

An alternative integration can be found in Integrating the Amazon Web Services Command Line Interface Using Okta, which allows logging into AWS / Okta through the AWS CLI. The okta-aws-cli is not compatible with this integration.

Configuring the application

Here is the list of parameters that can be environment variables or settings in the ~/.okta/config.properties file:

  • OKTA_ORG is the URL of your Okta org (starting with https://).

  • OKTA_AWS_APP_URL is the URL of your Okta AWS application (see below for more info).

  • OKTA_USERNAME is the username to use. If present, username input is skipped.

  • OKTA_PASSWORD_CMD is the command to fetch your password instead of showing a password prompt. Read more...

  • OKTA_ENV_MODE set to true to run sub-command with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN env vars set. Temporary credentials are shared in memory and kept off disk in this mode. (default: false)

  • OKTA_BROWSER_AUTH set to true to use integrated web browser for authentication (default: false)

  • OKTA_COOKIES_PATH is directory path to store cookies.properties for Okta. This is particularly useful when running this tool in many concurrent processes like you might with OKTA_ENV_MODE (default: ~/.okta)

  • OKTA_PROFILE is the name of the AWS profile to create/reuse. (default: get AWS profile name based on per-session STS user name)

  • OKTA_AWS_REGION is the default AWS region to store with the created profile.

  • OKTA_AWS_ROLE_TO_ASSUME is the IAM Role ARN to use. If present, the tool tries to match it against the role list retrieved for your Okta account and uses it. It still prompts if no match is found. (ex: arn:aws:iam::123456789012:role/EC2-Admins)

  • OKTA_STS_DURATION is the duration the role will be assumed, in seconds. The maximum session duration allowed by AWS is 12 hours and this needs to be set on the role as well. Defaults to 1hr.

  • OKTA_MFA_CHOICE is the provider and factor type to use if prompted for MFA. Example: OKTA.push. See Factors documentation for values. (default: use single factor or prompt user to select from usable factors).

  • OKTA_IGNORE_SAML_REQ_CONTAIN is an optional parameter that allows users to ignore parsing SAML requests where the URL contains a specific string. This is relevant when using the custom IdP factor, which adds additional SAML requests to the user's authentication flow. See Custom IdP Factor Authentication for more details. Defaults to an empty string.

  • Obtaining the AWS app url

    • Navigate to the Admin Dashboard of your Okta organization
    • Select the Applications tab and click on your AWS Application
    • Under the General menu, scroll down to find the App Embed Link section
    • Your link is located under EMBED LINK
  • Replace the example values in ~/.okta/config.properties with your values

You can specify configuration overrides for each profile by creating a ~/.okta/config.{profilename}.properties file. The base settings will be loaded first and the profile-specific settings will be loaded after, allowing you to only override specific settings that need to be different. For example, if you want the prod profile to connect to a different Okta org, create a ~/.okta/config.prod.properties file and set OKTA_ORG to something different.

Note: environment variables take precedence over any config file.
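To check which source a setting actually comes from, the load order described above (base file, then profile file, then environment) can be replayed in the shell. This is an added example, not the tool's own loader: it reads plain KEY=value lines only, treats an empty environment variable as unset (an assumption), and uses OKTA_DIR as a hypothetical stand-in for ~/.okta.

```shell
# Added example: report the effective value of one setting and its source.
# Not the tool's loader; handles plain KEY=value lines only.
# OKTA_DIR is a hypothetical variable standing in for ~/.okta.

okta_prop() {   # okta_prop FILE KEY -> last value of KEY in FILE, if any
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

okta_effective() {   # okta_effective KEY [PROFILE] -> "value (source)"
    oe_key=$1
    oe_profile=${2:-}
    oe_dir=${OKTA_DIR:-$HOME/.okta}
    case $oe_key in
        ''|*[!A-Za-z0-9_]*) return 2 ;;   # key goes into eval and a regex
    esac
    case $oe_profile in
        */*) return 2 ;;                  # profile name becomes part of a path
    esac
    oe_val=
    oe_src=unset

    # 1. Base settings are loaded first.
    oe_tmp=$(okta_prop "$oe_dir/config.properties" "$oe_key")
    if [ -n "$oe_tmp" ]; then oe_val=$oe_tmp; oe_src=config.properties; fi

    # 2. Profile-specific settings override the base file.
    if [ -n "$oe_profile" ]; then
        oe_tmp=$(okta_prop "$oe_dir/config.$oe_profile.properties" "$oe_key")
        if [ -n "$oe_tmp" ]; then
            oe_val=$oe_tmp
            oe_src=config.$oe_profile.properties
        fi
    fi

    # 3. Environment variables take precedence over any config file.
    eval "oe_tmp=\${$oe_key:-}"
    if [ -n "$oe_tmp" ]; then oe_val=$oe_tmp; oe_src=environment; fi

    [ "$oe_src" != unset ] || return 1
    printf '%s (%s)\n' "$oe_val" "$oe_src"
}

# Usage: okta_effective OKTA_ORG prod
```

A leftover exported OKTA_ORG or OKTA_AWS_ROLE_TO_ASSUME in a shell session silently wins over every profile file, so this check is worth running before authenticating against a production org.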

Troubleshooting

I get "You have no factors enrolled"

This means that MFA is enforced, but you have no factors enrolled on your user.

You should enrol a CLI-supported factor (all except Duo as far as I know).

If you are using Duo Push, consider setting OKTA_BROWSER_AUTH=true in the configuration.

I have Duo, but I get "None of your factors are supported"

This means that MFA is enforced, but none of the factors you have enrolled are supported.

Okta's integration with Duo requires an iframe which isn't practical to interact with from a CLI context.

Getting help

Have a question or see a bug? Post a question on the Okta Dev Forums or email [email protected]. For feature requests, feel free to open an issue on this repo.

If you find a security vulnerability, please follow our Vulnerability Reporting Process.

License

Copyright 2017 Okta, Inc. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
