I am attempting to use the Okta AWS CLI Assume Role Tool and it's not clear to me how to get the tool to give me the option to list role policies to assume for cross-account access. The documentation provided by the previous engineer here was using an older version of the tool and it worked, but now I'm not sure what other configuration to add with the newer version.
Here is the output I’m getting for establishing a session:
```text
➜ ~ awscli sts get-caller-identity
Username: my.email@company.com
Password:
Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Google Authenticator
GOOGLE Token Factor Authentication
Enter 'change factor' to use a different factor
Token:
111111
Auto select role as only one is available : arn:aws:iam::012345678901:role/Okta_Role
{
    "UserId": "AROAJ5OC4W6ZCTQ36HTZA:botocore-session-1522943057",
    "Account": "012345678901",
    "Arn": "arn:aws:sts::012345678901:assumed-role/Okta_Role/botocore-session-0123456789"
}
➜ ~
```
I was expecting to see a list of role policies to choose from after authenticating, like so:

```text
Please select a role policy:
[ 1 ]: Policy 1
[ 2 ]: Policy 2
etc
```
I apologize for the non-technical question, but I’m not understanding why I don’t get offered a role policy to use after authorization.
It sounds like you might have only one AWS role assigned to this user. Can you log in to the Okta dashboard and see if you get different results via the UI?
When I log into the Okta dashboard and log in to the AWS console, I have no issue using this Chrome extension to switch accounts. I guess that's actually what I'm having difficulty with: once I get logged in, I need to switch accounts using one of our cross-account roles.
Have you configured your cross-account roles in AWS with assumable policy permissions? If so, you may need to refresh the application's data in Okta to pick up role changes (More button on Application admin/apps/active). When this failed to work for me, I edited the Okta to AWS SAML configuration by changing a setting and switching it right back to the original value to force Okta to reconnect to AWS and retrieve the latest definitions.
So, I've figured out that I just needed to add the profiles that contain the roles to my AWS CLI config file. I'm now able to auth and use the cross-account roles. Sorry for any confusion, everyone. It still seems like the awscli tool should ask you which profile you'd like to use after the initial auth. I'll make a feature request on the GitHub repo.
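The resolution above relies on standard AWS CLI role-chaining profiles: a profile with `role_arn` and `source_profile` makes the CLI call `sts:AssumeRole` with the credentials of the source profile (the one the Okta tool populates after SAML login). The script below is an added example, not code from the thread or from the Okta tool, that does what the poster wished the tool did after authentication: read an AWS CLI config, list every cross-account role profile, flag any whose `source_profile` does not exist, and turn a menu choice into the `aws --profile ... sts get-caller-identity` call that exercises the role. The profile names, account IDs, role names and the assumption that the Okta session profile is called `okta` are all constructed for the example.

```python
"""Added example: enumerate assumable cross-account role profiles in an AWS CLI
config and present them as a numbered menu. Not part of the original thread or
of the Okta AWS CLI Assume Role Tool. All names and account IDs are constructed.
"""
import configparser
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample ~/.aws/config. "okta" stands in for the profile that holds
# the session credentials written by the Okta tool; the others chain off it.
SAMPLE_CONFIG = """\
[profile okta]
region = us-east-1

[profile prod-readonly]
role_arn = arn:aws:iam::222222222222:role/ReadOnly
source_profile = okta
region = us-east-1

[profile dev-admin]
role_arn = arn:aws:iam::333333333333:role/Admin
source_profile = okta

[profile broken]
role_arn = arn:aws:iam::444444444444:role/Orphan
source_profile = missing
"""


@dataclass
class RoleProfile:
    name: str
    role_arn: str
    source_profile: str
    source_exists: bool  # False when source_profile names no profile in the file


def load_config(path: Optional[Path] = None) -> str:
    """Return the config text: the real ~/.aws/config if a path is given, else the sample."""
    return path.read_text() if path is not None else SAMPLE_CONFIG


def profile_name(section: str) -> str:
    # ~/.aws/config names sections "[profile x]"; only the default is bare "[default]".
    return section[len("profile "):] if section.startswith("profile ") else section


def account_id(role_arn: str) -> str:
    """Account field of arn:partition:service:region:account:resource."""
    return role_arn.split(":")[4]


def assumable_profiles(text: str) -> List[RoleProfile]:
    """Every profile carrying a role_arn, with a check that its source_profile resolves."""
    cp = configparser.ConfigParser(interpolation=None)  # ARNs may contain '%' one day
    cp.read_string(text)
    known = {profile_name(s) for s in cp.sections()}
    found: List[RoleProfile] = []
    for section in cp.sections():
        if not cp.has_option(section, "role_arn"):
            continue
        src = cp.get(section, "source_profile", fallback="")
        found.append(RoleProfile(profile_name(section), cp.get(section, "role_arn"),
                                 src, src in known))
    return found


def menu(profiles: List[RoleProfile]) -> str:
    """Render the selection prompt the poster expected after authentication."""
    lines = ["Please select a role profile:"]
    for i, p in enumerate(profiles, start=1):
        note = "" if p.source_exists else f"  (source_profile '{p.source_profile}' not found)"
        lines.append(f"[ {i} ]: {p.name} -> {p.role_arn} (account {account_id(p.role_arn)}){note}")
    return "\n".join(lines)


def chosen_command(profiles: List[RoleProfile], choice: int) -> Optional[str]:
    """Map a 1-based menu choice to the CLI call that assumes that role.

    Returns None for an out-of-range choice or a profile whose source_profile is
    missing, since the CLI could not obtain base credentials for it anyway.
    """
    if not 1 <= choice <= len(profiles):
        return None
    p = profiles[choice - 1]
    if not p.source_exists:
        return None
    return f"aws --profile {p.name} sts get-caller-identity"


if __name__ == "__main__":
    # Pass Path.home() / ".aws" / "config" instead of None to inspect a real config.
    profiles = assumable_profiles(load_config(None))
    print(menu(profiles))
    print(chosen_command(profiles, 1))
```

Whether the call actually succeeds still depends on AWS, not on the config: the target role's trust policy must allow `sts:AssumeRole` from the principal behind the source profile (here the Okta-assumed role), which is the "assumable policy permissions" point raised earlier in the thread.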