Configure Okta as IdP for AWS CLI

The AWS Command Line Interface (AWS CLI) is an open-source tool that enables users to interact with AWS services using the command-line shell. You can integrate Okta as the Identity Provider (IdP) for the CLI to enhance the security of your AWS environments by allowing developers to use Okta for Single Sign-on.

How it works

You integrate the Okta AWS CLI integration in the Admin Console by connecting an OIDC native app to the SAML-based AWS Account Federation app. The CLI handles authentication through Okta, which then interacts with the AWS Security Token Service (STS) to collect a proper role for the developer using the AWS CLI.

Prerequisites

Procedure

This setup consists of three separate tasks:

Configure an OIDC native app

Connect the OIDC app to an AWS Account Federation app

Test the Okta AWS CLI integration

Configure an OIDC native app

  1. In the Admin Console, go to ApplicationsApplications.

  2. Click Create App Integration.

  3. Select OIDC - OpenID Connect as the Sign-in method.

  4. Select Native Application as the Application type.

  5. Click Next. The New Native App Integration page opens.

  6. On the page, specify the App integration name and a logo (optional).

  7. Select the following Grant types:

    • Authorization Code

    • Device Authorization

    • Token Exchange

  8. Skip Sign-in redirect URIs and Sign-out redirect URIs.

    The AWA CLI app doesn't use these.

  9. In AssignmentsControlled access, select Skip group assignment for now.

  10. Click Save. This creates the app and opens the General tab for editing or configuring more options. No changes are required.

  11. On the General tab under Client Credentials, copy the Client ID.

  12. On the Assignments tab, assign the app to groups or individuals who use the AWS CLI. See User management.

Connect the OIDC app to an AWS Account Federation app

  1. In the Admin Console, go to ApplicationsApplications.

  2. Select a configured AWS Account Federation app.

  3. On the Sign On tab, click Edit.

  4. Under Advanced Sign-on Settings, scroll to Allowed Web SSO Client.

  5. Enter the Client ID for the OIDC app that you copied in the previous task.

  6. Click Save.

  7. Repeat these steps for all other AWS Account Federation apps that you want to connect to the OIDC Native app.

  8. Optional. Assign apps to custom authentication policies. See Add apps to an authentication policy.

Test the Okta AWS CLI integration

Ensure that the integration is working by testing it in the AWS CLI.

  1. In AWS CLI, enter the following command:

    $ okta-aws-cli

    The following prompt appears:

    Open the following URL to begin Okta device authorization for the AWS CLI.

    https://your-org.okta.com/activate?user_code=<usercode>

  2. Open the URL in a web browser and follow the prompt.

  3. In the AWS CLI, choose an Identity Provider:

    ? Choose an IdP: arn:aws:iam::123456789012:saml-provider/My_IdP

    Select from the displayed list of SAML IdPs available for the user.

  4. Choose an IAM role.

    ? Choose a Role: arn:aws:iam::456789012345:role/My_Role

    Select from the list of AWS IAM roles associated with the IdP you chose.

The following AWS credentials are loaded (examples):

export AWS_ACCESS_KEY_ID=<key-id>

export AWS_SECRET_ACCESS_KEY=<key-code>

export AWS_SESSION_TOKEN=<token-id>

This indicates that you're successfully signed in to your AWS account.