I’ve been able to successfully follow and piece together all of the documentation on the support site to get the Okta-AWS-CLI function to work, however I’m struggling a bit with the user experience, which will ultimately make or break this tool.
Here is the workflow that I’m currently experiencing.
1. Connect to AWS using Okta with MFA to select one of several roles assigned to a user
- awscli sts get-caller-identity
2. Get list of the available roles via MFA
Please choose the role you would like to assume:
Account: accountname_1 (XXXXXXXXX)
[ 1 ]: AdminRole
Account: accountname_2(XXXXXXXXX)
[ 2 ]: AdminRole
[ 3 ]: RestrictedDevRole
Account: accountname_3 (XXXXXXXXX)
[ 4 ]: AdminRole
Account: accountname_4 (XXXXXXXXX)
[ 5 ]: AdminRole
Account: accountname_5 (XXXXXXXXX)
[ 6 ]: AdminRole
[ 7 ]: RestrictedDevRole
Account: accountname_6 (XXXXXXXXX)
[ 8 ]: AdminRole
Selection:
3. Select role you want to use
Selection: 2
{
"Account": "XXXXXXXXX",
"UserId": "ASDFGHJKLOIUYTRDFGHJKIUYT:username@company.com",
"Arn": "arn:aws:sts::XXXXXXXXX:assumed-role/AdminRole/username@company.com"
}
~/.okta$
- Run a simple aws cli command:
~/.okta$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
- Realize there are no default AWS creds in ~/.aws/credentials
- Run the same simple aws cli command with --profile:
~/.okta$ aws --profile AdminRole_XXXXXXXXX:assumed s3 ls
- See the list of available S3 buckets.
Challenge:
If a user has multiple roles assigned to them like the one in this example, they will need to pass the correct profile/account ID to run the aws cli command, which is not a great user experience. I would like this to be seamless to the users so that the role they assumed in step 2 is used as the default for all subsequent CLI operations. Is this possible? How?
Thanks!!
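One way to get the behaviour the post asks for, as an added example that is not part of the original post or of the okta-awscli tool: a POSIX shell helper that copies the profile section the tool wrote (the placeholder name AdminRole_XXXXXXXXX:assumed from the post) into [default] in the credentials file, session token included, so later aws commands need no --profile. It assumes the credentials file is in the standard INI layout the AWS CLI reads.

```shell
#!/bin/sh
# Added example, not code from the post or from okta-awscli.
# Promotes the profile written for the assumed role to [default] in
# ~/.aws/credentials. Every key of the section is copied, including
# aws_session_token, because STS credentials do not work without it.
set -eu

# get_key <file> <section> <key>: print the value of <key> inside [<section>].
get_key() {
  awk -v s="$2" -v k="$3" '
    /^\[/ { insec = ($0 == "[" s "]") }
    insec {
      line = $0; gsub(/[ \t]/, "", line)          # normalise "key = value"
      if (index(line, k "=") == 1) { print substr(line, length(k) + 2); exit }
    }
  ' "$1"
}

# set_default_profile <profile> <file>: rewrite <file> so that [default]
# holds the same key/value lines as [<profile>]; an old [default] is dropped.
# Returns 1 and leaves <file> untouched when <profile> is not in the file.
set_default_profile() {
  profile=$1; creds=$2
  tmp=$(mktemp)
  if ! awk -v p="$profile" '
      /^\[/ { skip = ($0 == "[default]"); grab = ($0 == "[" p "]") }
      !skip { print }                                # keep all other sections
      grab && !/^\[/ && NF { body = body $0 "\n" }   # collect the chosen one
      END {
        if (body == "") exit 2                       # profile absent: fail
        printf "\n[default]\n%s", body
      }
    ' "$creds" > "$tmp"; then
    rm -f "$tmp"
    echo "profile [$profile] not found in $creds" >&2
    return 1
  fi
  mv "$tmp" "$creds"
}

# Usage after selecting the role in the tool (placeholder profile name from the post):
#   set_default_profile 'AdminRole_XXXXXXXXX:assumed' ~/.aws/credentials
```

Exporting AWS_PROFILE in the shell (export AWS_PROFILE='AdminRole_XXXXXXXXX:assumed') is the lighter alternative the AWS CLI honours, but it only lasts for that shell session. Either way the copied credentials are the short-lived STS ones, so the step has to be repeated after each new role selection.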