Accessing AWS CLI through okta


We have 17 AWS accounts. I am going to setup 17 different okta applications and assign different people to each app they need for console access. This is working fine. But I have several users who need to use the AWS CLI. I tried following the doc, but got hung up in a few places:

  1. The support team informed me that the java tool was not officially supported
  2. When I create the user in appendix A, what resource ARN do I use. The doc is not clear on this.
  3. For the custom tool, the directory structure you provide in docs does not match what is in Git, so I had to hunt around a bit for where awscli.command was. It’s actually in out and not in lib. is in root and not in out. There are a few more examples of this.
  4. If a user has access to multiple AWS apps configured in okta is there a command line argument to connect to a certain AWS app?

Thanks, Brent


2: Most AWS setups are sufficiently different that giving specific details here are hard. Can you explain more about which ARN you are looking for? Are you asking about the ARN to use when you create the in the CLI tool, or for the cross-account IAM User?

3: Noted, thank you. I’ll make a request that the document gets fixed.

4: Can you explain what you are trying to accomplish? In your setup, do you have more than one AWS app icon in Okta? Or are you asking about apps hosted in AWS?

  1. In appendix A: How to create an IAM user for role introspection. I am creating an inline policy and I need to enter a valid ARN, but I’m not sure what ARN to enter here? See attached.

  2. Thanks

  3. We will have 17 separate AWS apps in Okta with different roles/users assigned to each app. Some users need to use the CLI against multiple accounts. Since there is only one instance of the tool, is there a command line argument to specify what account to run the tool against so that the user gets the correct API keys


Not intuitive, but you can specify “*” (without the quotes) here. Then you need to select the “Add Statement” button to populate the policy.


We have 100 AWS accounts. We use Okta for federated identity with AD. Each AWS role has an AD/Okta group
As an administrator, I would like a CLI tool that works in a similar fashion to the Okta IdP portal.
(1) After authentication I am presented with the list of AWS accounts I have access to
(2) I choose an AWS account, which then presents a list of roles I have access to in that account
(3) I choose/assume a role in that account and login

The okta-aws-cli-assume-role java tool provides the basic assume role funtionality, but it does not have a wizard to drill down to the role, which makes it a bit clunky

There are number of okta assume-role alternatives out on github, but the tool that comes closest to the above requirements is gimme-aws-creds. This tool uses an AWS API_gateway instance to proxy to the Okta Apps API, which is required for the wizard. Unfortunately there are no details on the API gateway/lambda config.

I am currently building something similar to the gimme-aws-creds using a fork of okta-sdk-python



Currently I have AD syncing to Okta servicing my AWS Console logins and that appears to be working. My question is focused on the Okta AWS CLI assume role tool. I seem to have it up and running and testing, but when I get to selecting an AWS role they are listed correctly, but I also have an entry below each one stating no match. Is this normal behavior or is something not configured correctly? Screenshot below

Thank you,