Automated AWS Access/Secret Key Rotation for AWS QuickSight Federation

Per the process outlined in Tutorial: Amazon QuickSight and IAM identity federation - Amazon QuickSight, Okta requires AWS access keys (which consist of an access key ID and a secret access key) tied to an IAM User in the target AWS account. Changing access keys on a regular schedule is a well-known security best practice for any AWS environment. Furthermore, this process is commonly automated, as it should be.

As I understand, there is currently no supported API endpoint (or any mechanism) to update the access keys within Okta from an automated perspective. The closest thing I’m able to find is Apps | Okta Developer, which is only supported for Org2Org apps. I would like to inquire on whether there is a solution I’m unaware of, or if there are any plans to support what I’ve described here. Below is the snippet from the process I linked above that describes what I need to achieve in an automated fashion:

  • Choose the Provisioning tab, and at the lower part of the tab, choose Configure API Integration.
  • Turn on Enable API integration to display the settings.
  • For Access Key and Secret Key, provide the access key and secret key that you downloaded previously to a file named OktaSSOUser_credentials.csv.
  • Choose Test API Credentials. Look above the Enable API integration setting for a message confirming that "AWS Account Federation was verified successfully".

Any advice or insight on the matter would be greatly appreciated. Thanks.
