Configure Okta as IdP for AWS CLI

The AWS Command Line Interface (AWS CLI) is an open-source tool that enables users to interact with AWS services from a command-line shell. You can integrate Okta as the Identity Provider (IdP) for the CLI. This enhances the security of your AWS environments by allowing developers to use Okta for Single Sign-On.

How it works

Set up the Okta AWS CLI integration in the Admin Console by connecting an OIDC native app to the SAML-based AWS Account Federation app. The CLI handles authentication through Okta. Okta then interacts with the AWS Security Token Service (STS) to obtain the appropriate role for the developer using the AWS CLI.

Prerequisites

Procedure

This setup consists of three separate tasks:

Configure an OIDC native app

Connect the OIDC app to an AWS Account Federation app

Test the Okta AWS CLI integration

Configure an OIDC native app

  1. In the Admin Console, go to Applications > Applications.

  2. Click Create App Integration.

  3. Select OIDC - OpenID Connect as the Sign-in method.

  4. Select Native Application as the Application type.

  5. Click Next. The New Native App Integration page opens.

  6. On the page, specify the App integration name and a logo (optional).

  7. Select the following Grant types:

    • Authorization Code

    • Device Authorization

    • Token Exchange

  8. Skip Sign-in redirect URIs and Sign-out redirect URIs.

    The AWS CLI app doesn't use these.

  9. In Assignments > Controlled access, select Skip group assignment for now.

  10. Click Save. This creates the app and opens the General tab for editing or configuring more options. No changes are required.

  11. On the General tab under Client Credentials, copy the Client ID.

  12. On the Assignments tab, assign the app to groups or individuals who use the AWS CLI. See User management.

Connect the OIDC app to an AWS Account Federation app

  1. In the Admin Console, go to Applications > Applications.

  2. Select a configured AWS Account Federation app.

  3. On the Sign On tab, click Edit.

  4. Under Advanced Sign-on Settings, scroll to Allowed Web SSO Client.

  5. Enter the Client ID for the OIDC app that you copied in the previous task.

  6. Click Save.

  7. Repeat these steps for all other AWS Account Federation apps that you want to connect to the OIDC Native app.

  8. Optional. Assign apps to custom authentication policies. See Add apps to an authentication policy.

Test the Okta AWS CLI integration

Ensure that the integration is working by testing it in the AWS CLI.

  1. In AWS CLI, enter the following command:

    $ okta-aws-cli

    The following prompt appears:

    Open the following URL to begin Okta device authorization for the AWS CLI.

    https://your-org.okta.com/activate?user_code=<usercode>

  2. Open the URL in a web browser and follow the prompt.

  3. In the AWS CLI, choose an Identity Provider:

    ? Choose an IdP: arn:aws:iam::123456789012:saml-provider/My_IdP

    Select an IdP from the list of SAML IdPs available for the user.

  4. Choose an IAM role.

    ? Choose a Role: arn:aws:iam::456789012345:role/My_Role

    Select an IAM role from the list of AWS IAM roles associated with the IdP you chose.

The CLI then exports temporary AWS credentials like the following (example values):

export AWS_ACCESS_KEY_ID=<key-id>

export AWS_SECRET_ACCESS_KEY=<key-code>

export AWS_SESSION_TOKEN=<token-id>

This indicates that you're successfully signed in to your AWS account.
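As an added example (not part of Okta's documentation or the okta-aws-cli project), the following Python script parses the three export lines shown above into a named AWS credentials profile, and rejects any output that lacks the session token, since credentials obtained through STS federation are always temporary. The sample output, the profile name and the output path are constructed.

```python
import configparser
import re
from pathlib import Path

# Constructed sample of what okta-aws-cli prints after the role is chosen.
SAMPLE_OUTPUT = """\
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID
export AWS_SECRET_ACCESS_KEY=exampleSecretKeyValue
export AWS_SESSION_TOKEN=exampleSessionTokenValue
"""

# Environment variable -> key name used in ~/.aws/credentials.
# All three are required: STS credentials always carry a session token.
_REQUIRED = {
    "AWS_ACCESS_KEY_ID": "aws_access_key_id",
    "AWS_SECRET_ACCESS_KEY": "aws_secret_access_key",
    "AWS_SESSION_TOKEN": "aws_session_token",
}
_EXPORT_RE = re.compile(r"^\s*export\s+(\w+)=(.*?)\s*$")


def parse_exports(text: str) -> dict:
    """Return {profile_key: value} from `export NAME=value` lines.

    Raises ValueError when any credential variable is missing, so a partial
    set (for example long-lived keys without a session token) is not loaded.
    """
    found = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if m and m.group(1) in _REQUIRED:
            found[_REQUIRED[m.group(1)]] = m.group(2).strip("\"'")
    missing = set(_REQUIRED.values()) - set(found)
    if missing:
        raise ValueError(f"missing credential variables: {sorted(missing)}")
    return found


def write_profile(creds: dict, path: Path, profile: str = "okta") -> Path:
    """Merge creds into an INI credentials file under [profile], mode 0600."""
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    cfg[profile] = creds
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    path.chmod(0o600)  # credentials file must not be world-readable
    return path


if __name__ == "__main__":
    creds = parse_exports(SAMPLE_OUTPUT)
    print(write_profile(creds, Path("/tmp/okta-aws-cli-demo/credentials")))
```

In practice you would pipe the real CLI output into `parse_exports` (for example `okta-aws-cli | python3 load_profile.py`) and then run `aws sts get-caller-identity --profile okta` to confirm which role was assumed.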