I have successfully configured the Okta/AWS web console SAML integration where one Okta tile for an AWS identity account takes me to a list of all of our AWS accounts that I can then select from. I accomplished this via cross account roles. I have been fighting with the Okta AWS CLI integration this week and have finally gotten it to work. I have a question as to whether or not this is expected behavior for the CLI integration:
For the web console integration, when configuring the role to assume in the target account, my Okta instance is set up as the trusted source. This works fine from the web interface, but I could not get it to work in the CLI. I had to modify the role to assume in the target account to include the AWS identity account as a trust along with no conditions.
Is that expected or should I still be able to assume a role in a target AWS account via the CLI with my Okta instance as the only trusted source?
Here is what I ended up with for the trust relationship for the target role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::my Okta instance External ID:saml-provider/Okta"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ID of my AWS Identity Account:role/role name"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
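As an added example that is not part of the original post, the script below reads a trust policy of the shape shown above and lists each trust path (which principal may assume the role, through which STS action, under which conditions), then singles out the cross-account sts:AssumeRole statements that carry no Condition at all, which is the second statement the poster had to add for the CLI path. The embedded policy is constructed for the example; the account IDs 111111111111 and 222222222222 and the role name OktaIdentityRole are placeholders, not values from the post.

```python
import json

# Constructed trust policy mirroring the structure in the post. The account
# IDs and the role name are placeholders chosen for this example.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:role/OktaIdentityRole"},
            "Action": "sts:AssumeRole",
            "Condition": {},
        },
    ],
})


def _as_list(value):
    # IAM policy grammar allows a single string or a list in most places.
    return value if isinstance(value, list) else [value]


def trust_paths(policy_json):
    """Return one dict per (principal, Allow statement): who may assume the role,
    via which STS actions, and under which conditions."""
    policy = json.loads(policy_json)
    paths = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            # Bare "*" means any AWS principal; normalise to the map form.
            principal = {"AWS": "*"}
        for ptype, values in principal.items():
            for value in _as_list(values):
                paths.append({
                    "principal_type": ptype,   # "Federated", "AWS", "Service", ...
                    "principal": value,
                    "actions": _as_list(stmt.get("Action", [])),
                    "conditions": stmt.get("Condition") or {},
                })
    return paths


def unconditional_assume_role(policy_json):
    """AWS principals granted sts:AssumeRole with an empty or absent Condition block,
    i.e. the kind of statement the poster added for the identity-account role."""
    return [
        p["principal"]
        for p in trust_paths(policy_json)
        if p["principal_type"] == "AWS"
        and any(a in ("sts:AssumeRole", "sts:*") for a in p["actions"])
        and not p["conditions"]
    ]


if __name__ == "__main__":
    for path in trust_paths(SAMPLE_TRUST_POLICY):
        print(path)
    print("Unconditional sts:AssumeRole principals:",
          unconditional_assume_role(SAMPLE_TRUST_POLICY))
```

Running it on the sample prints two trust paths: the Okta SAML provider restricted by the SAML:aud condition, and the identity-account role with no condition, which the second function reports. The same function can be pointed at a trust policy exported with `aws iam get-role` to confirm which statement the CLI flow actually relies on; an empty `Condition` is where keys such as `sts:ExternalId` would otherwise sit if the trust were to be narrowed.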