Master branch:
Develop branch:
Authenticates a user against Okta and then uses the resulting SAML assertion to retrieve temporary STS credentials from AWS.
This project is largely inspired by https://github.com/nimbusscale/okta_aws_login, but instead uses a purely API-driven approach, instead of parsing HTML during the authentication phase.
See AstroTools: New Engineer Setup - Amplify Okta AWS CLI
- Tenant wide MFA support
- Okta Verify Play Store | App Store
- Okta Verify Push Support
- Google Authenticator Play Store | App Store
- Per application MFA support
okta-awscli --profile <aws_profile> <awscli action> <awscli arguments>
- Follow the prompts to enter MFA information (if required) and choose your AWS app and IAM role.
- Multiple Okta profiles are supported, but if none are specified, then
defaultwill be used.
okta-awscli --profile cfer-dev
This command will simply output STS credentials to cfer-dev in your credentials file.
okta-awscli --profile my-aws-account iam list-users
If no awscli commands are provided, then okta-awscli will simply output STS credentials to your credentials file, or console, depending on how --profile is set.
Optional flags:
--profileSets your temporary credentials to a profile in.aws/credentials. If omitted, credentials will output to console.--exportOutputs credentials to console instead of writing to ~/.aws/credentials.--resetResets default values in ~/.okta-aws for the okta-profile being used.--forceIgnores result of STS credentials validation and gets new credentials from AWS. Used in conjunction with--profile.--verboseMore verbose output.--debugVery verbose output. Useful for debugging.--cacheCache the acquired credentials to ~/.okta-credentials.cache (only if --profile is unspecified)--okta-profileUse a Okta profile, other thandefaultin.okta-aws. Useful for multiple Okta tenants.--tokenor-tPass in the TOTP token from your authenticator