Configure Okta as IdP for AWS CLI
The AWS Command Line Interface (AWS CLI) is an open-source tool that enables users to interact with AWS services from a command-line shell. You can integrate Okta as the Identity Provider (IdP) for the CLI. This enhances the security of your AWS environments by allowing developers to use Okta for Single Sign-On.
How it works
Set up the Okta AWS CLI integration in the Admin Console by connecting an OIDC native app to the SAML-based AWS Account Federation app. The CLI handles authentication through Okta. Okta then interacts with the AWS Security Token Service (STS) to obtain the appropriate role for the developer using the AWS CLI.
Prerequisites
- Integrate Okta with your AWS accounts. See Amazon Web Services Account Federation.
- Install the AWS CLI for testing the integration. See Getting started with the AWS CLI.
- Get okta-aws-cli, either from GitHub or through a package manager like Homebrew or Chocolatey.
Procedure
This setup consists of three separate tasks:
- Configure an OIDC native app
- Connect the OIDC app to an AWS Account Federation app
- Test the Okta AWS CLI integration
Configure an OIDC native app
- In the Admin Console, go to .
- Click Create App Integration.
- Select OIDC - OpenID Connect as the Sign-in method.
- Select Native Application as the application type.
- Click Next. The New Native App Integration page opens.
- On the New Native App Integration page, specify the App integration name and a logo (optional).
- Select the following grant types:
- Authorization Code
- Device Authorization
- Token Exchange (located in the Advanced options)
- Skip Sign-in redirect URIs and Sign-out redirect URIs.
- Select Skip group assignment for now.
- Click Save. This creates the app and opens the General tab for editing or configuring more options. No changes are required.
- On the General tab under Client Credentials, copy the Client ID.
- On the Assignments tab, assign the app to groups or individuals who use the AWS CLI. See User management.
Connect the OIDC app to an AWS Account Federation app
- In the Admin Console, go to .
- Select a configured AWS Account Federation app.
- On the Sign On tab, click Edit.
- Under Advanced Sign-on Settings, scroll to Allowed Web SSO Client.
- Enter the Client ID for the OIDC app that you copied in the previous task.
- Click Save.
- Repeat these steps for all other AWS Account Federation apps that you want to connect to the OIDC Native app.
- Optional. Assign apps to custom authentication policies. See Assign apps to an app sign-in policy.
Test the Okta AWS CLI integration
Ensure that the integration is working by testing it in the AWS CLI.
- In the AWS CLI, enter the following command:
$ okta-aws-cli
The following prompt appears:
Open the following URL to begin Okta device authorization for the AWS CLI. https://your-org.okta.com/activate?user_code=<usercode>
- Open the URL in a web browser and follow the prompt.
- In the AWS CLI, choose an Identity Provider:
? Choose an IdP: arn:aws:iam::123456789012:saml-provider/My_IdP
Select an IdP from the list of SAML IdPs available for the user.
- Choose an IAM role.
? Choose a Role: arn:aws:iam::456789012345:role/My_Role
Select an IAM role from the list of AWS IAM roles associated with the IdP you chose.
The following AWS credentials load (examples):
export AWS_ACCESS_KEY_ID=<key-id>
export AWS_SECRET_ACCESS_KEY=<key-code>
export AWS_SESSION_TOKEN=<token-id>
This indicates that you're successfully signed in to your AWS account.
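Before exporting the credentials that okta-aws-cli prints into a working shell, it is worth confirming that they are what the test above expects: a complete set of temporary STS credentials, and a role in an AWS account you intended to sign in to. The following POSIX shell functions are an added example and are not part of the Okta page or the okta-aws-cli project. They assume the three export lines have been captured to a variable or file (for example by redirecting the tool's standard output), and the sample credential values and account allowlist are constructed placeholders. The ASIA prefix check relies on the AWS convention that STS-issued access key IDs begin with ASIA while long-term IAM user keys begin with AKIA.

```shell
#!/bin/sh
# Added example (not from the Okta page or okta-aws-cli): sanity-check the
# export lines printed by okta-aws-cli before loading them into a shell.
#
# Assumption: the export lines were captured, e.g.  okta-aws-cli > creds.env
# The values below are constructed placeholders, not real credentials.
SAMPLE_CREDS='export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID0001
export AWS_SECRET_ACCESS_KEY=examplesecretkey/placeholder+0000000000000
export AWS_SESSION_TOKEN=IQoJexampleSessionTokenPlaceholder=='

# Print the value of one "export NAME=value" line; prints nothing if absent.
# $1 = text holding the export lines, $2 = variable name
cred_value() {
    printf '%s\n' "$1" | sed -n "s/^export $2=//p" | head -n 1
}

# Succeed (return 0) only when the output is a complete temporary credential
# set: all three variables present and the access key ID carrying the ASIA
# prefix that AWS uses for STS credentials (long-term IAM keys use AKIA).
check_temporary_credentials() {
    creds="$1"
    key_id=$(cred_value "$creds" AWS_ACCESS_KEY_ID)
    secret=$(cred_value "$creds" AWS_SECRET_ACCESS_KEY)
    token=$(cred_value "$creds" AWS_SESSION_TOKEN)
    [ -n "$key_id" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    case "$key_id" in
        ASIA*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the 12-digit account ID from an IAM ARN of the shape shown in the
# IdP and role prompts (arn:aws:iam::<account>:saml-provider/... or :role/...).
arn_account_id() {
    printf '%s\n' "$1" | sed -n 's/^arn:aws:iam::\([0-9]\{12\}\):.*/\1/p'
}

# Succeed only when the selected role lives in an account on the allowlist.
# $1 = role ARN, $2 = space-separated list of allowed account IDs
role_in_allowed_accounts() {
    acct=$(arn_account_id "$1")
    [ -n "$acct" ] || return 1
    for allowed in $2; do
        [ "$acct" = "$allowed" ] && return 0
    done
    return 1
}

# Example flow with the constructed sample and the role ARN from the prompt above.
if check_temporary_credentials "$SAMPLE_CREDS" &&
   role_in_allowed_accounts 'arn:aws:iam::456789012345:role/My_Role' '456789012345'; then
    echo "credentials look like temporary STS credentials for an expected account"
else
    echo "unexpected credential output; not loading it" >&2
fi
```

In practice you would replace `SAMPLE_CREDS` with the captured output (`check_temporary_credentials "$(cat creds.env)"`) and only then source the file; a missing session token or an AKIA key ID means the output is not the STS credential set the integration is supposed to produce.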