AWS cli assume role and Okta authentication.
If you login to AWS via Okta SAML federation and assume an IAM role, this tool will help you easily achieve pragmatic access to AWS via the aws cli and SDKs. Also helpful for running terraform/terragrunt, packer, and credstash with iam roles.
NOTICE: This project is still in rapid development phase. You can subscribe to new release notifications via github. Upgrade to the most recent release via
pip install --upgrade --no-cache-dir pyokta-aws-cli-assume-role.
Table of Contents
- Why a new tool?
- Getting Started
- How it works
- MFA: SMS
- MFA: Okta mobile app
- All major operating systems (Linux, Windows, Mac).
Please create an issue for bugs or feature requests (if not already mentioned in roadmap or other issues).
Why a new tool?
Benefits over existing tool
- No PATH changes or overriding aws executables - you're still using native awscli.
- Supports multiple tenants.
- One consistent config file for all tenants.
- Env var changes are 100% optional.
- Cleaner https error output.
- Easy to install.
- JVM not required.
Existing tool features missing in this tool
These features are planned to be supported in the near future. See roadmap.
Interactively select from multiple mfa options.
Set desired mfa option via cli args, env vars, or config file.
Support Okta mobile app mfa (currently only sms is verified to work).
- [ ] Okta token caching/refresh.
- python 3.5+
pip install --upgrade awscli
pip install --upgrade --no-cache-dir pyokta-aws-cli-assume-role
To check the install and output the current version, run:
Configuration can be input via cli args, env vars, or the pyokta-aws config file described above. Configuration takes presidence as follows:
cli args > env vars > config file. For all supported args and env vars, run
pyokta-aws --help and
pyokta-aws [COMMAND] --help.
pyokta-aws configure for interactive configuration (WIP).
Default configuration file location is
Example config file:
[my-aws-profile] region = us-east-1 okta_org = example.okta.com okta_aws_app_url = https://example.okta.com/home/amazon_aws/123456789 aws_role_to_assume = arn:aws:iam::987654321:role/AWSAdmin aws_idp = arn:aws:iam::987654321:saml-provider/Okta username = johnsmith sts_duration = 14400 mfa_choice = sms
- region: Target AWS region. (Will override default region in target aws cli profile)
- okta_org: Base domain for okta org.
- okta_aws_app_url: Okta app url (can be found by hovering over aws app chiclet).
- aws_role_to_assume: Found in AWS console under
IAM > Roles > <role_id>. Look for
- aws_idp: Found in AWS console under
IAM > Identity Providers > <provider_id>. Look for
- username: (optional) Okta username.
- password: (optional) it is recommended to omit or leave it blank and enter it interactively.
- sts_duration: (optional) Duration (in seconds) to keep token alive. Max duration found in
IAM > Identity Providers > <provider_id>.
- mfa_choice: (optional) If you have multiple MFA factors registered, you can skip interactive factor selection by setting preferred mfa choice. Current options are
app(i.e. Okta mobile app).
To authenticate via okta and assume an aws profile, run:
pyokta-aws auth --profile <aws_profile>
For all supported auth args, run
pyokta-aws auth --help.
For all supported commands, run
How it works
pyokta-aws auth command authenticates with Okta and aquires a temporary set of credentials from AWS STS. These credentials get written to your local aws credentials file. This allows the aws cli and other tools like terraform/terragrunt, packer, and credstash to run as expected without needing to override the awscli executable or export environment variables.
Before auth happens, your local aws cli config profile is updated via the profile and region set in the pyokta-aws config. Treat your pyokta-aws config file as the single source of truth for aws cli config when authenticating with Okta.
cli and settings loaders
support multi-tenant settings
ci (testing) :construction_worker:
okta 2fa (sms)
get saml from okta app
aws auth via okta auth
aws config if not previously setup
basic documentation :pencil:
support multiple 2fa methods
- [ ] interactive initial config :children_crossing:
- [ ] readthedocs :pencil:
- [ ] many more tests
windows support :checkered_flag:
- [ ] ci/cd (deploy to pypi)?
- [ ] aws role list selection in interactive mode :children_crossing:
okta 2fa (okta mobile app)
- [ ] push notification 2fa
- [ ] use context managers to auto-cancel okta verifications on cancel
- [ ] okta token cache/refresh to speedup multiple logins :children_crossing:
Release history Release notifications | RSS feed
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
|Filename, size||File type||Python version||Upload date||Hashes|
|Filename, size pyokta_aws_cli_assume_role-0.3.0-py2.py3-none-any.whl (29.5 kB)||File type Wheel||Python version py2.py3||Upload date||Hashes View|
|Filename, size pyokta-aws-cli-assume-role-0.3.0.tar.gz (27.2 kB)||File type Source||Python version None||Upload date||Hashes View|
Hashes for pyokta_aws_cli_assume_role-0.3.0-py2.py3-none-any.whl
Hashes for pyokta-aws-cli-assume-role-0.3.0.tar.gz