Hey everyone! I need to set up some way to enable logging in CloudTrail for Okta users. Basically some way that an Okta user can assume an AWS role transparently.
To clarify with a use case:
Jane Doe logs in to the Okta dashboard and chooses XApp, which was programmed by me. This app is a simple React SPA. Jane then gets redirected to xapp.xdomain.com, where she can upload txt files that go to a Lambda and then get deposited in an S3 bucket. This triggers another Lambda that processes the first files and creates CSV files with results, which get deposited in a second S3 bucket that gets listed on XApp.
Right now this gets done thanks to a user created for our serverless backend, but we want a way to log everything an Okta user does without having to put a bunch of console.log("user X did Y") everywhere. We’ve been racking our heads a lot and trying different stuff until we stumbled across this link, which looked promising, but we couldn’t make it work. We don’t even know if this is what we need.
What we need (or we think we need) is a way to assume a role into an AWS account from an Okta user so that every action gets logged into CloudTrail without needing any “manual” logging.
Is there a way to do this?
We think that AssumeRoleWithWebIdentity can be the answer but we haven’t found information on how to achieve it.
Thanks, everyone, for any information you can provide.
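As an added example (not code from the original post or from anyone in the thread), here is the AssumeRoleWithWebIdentity exchange in Python, the way the XApp backend would do it with a boto3 STS client: it reads the Okta ID token's claims, checks audience and expiry, derives a RoleSessionName from the user's identity so that every later API call lands in CloudTrail under an assumed-role ARN that names that user, and calls STS. It assumes the Okta app is registered in IAM as an OIDC identity provider and that the role's trust policy allows sts:AssumeRoleWithWebIdentity for it with the same audience; the role ARN, client ID, claim values and demo token are placeholders.

```python
import base64
import json
import re
import time

# STS verifies the ID token's signature against the Okta OIDC identity provider
# registered in IAM; this code only reads the payload to sanity-check claims
# and to derive a RoleSessionName that identifies the Okta user in CloudTrail.
_SESSION_NAME_RE = re.compile(r"[^\w+=,.@-]", re.ASCII)  # STS allows [\w+=,.@-]


def _b64url(obj: dict) -> str:
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def demo_id_token(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration only (hypothetical);
    # a real Okta ID token is RS256-signed and STS rejects anything unsigned.
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}."


def id_token_claims(id_token: str) -> dict:
    # A JWT is header.payload.signature; restore the payload's base64 padding
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def session_name_for(claims: dict) -> str:
    # The session name ends up in the assumed-role ARN CloudTrail records
    # (arn:aws:sts::<account>:assumed-role/<Role>/<session>), so derive it
    # from the user's identity, limited to the characters and length STS accepts
    raw = claims.get("email") or claims["sub"]
    return _SESSION_NAME_RE.sub("_", raw)[:64]


def assume_role_for_okta_user(id_token, role_arn, expected_aud, sts_client, now=None):
    # sts_client: a boto3 STS client (boto3.client("sts")) or a test double
    claims = id_token_claims(id_token)
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"unexpected audience {aud!r}")  # trust policy should pin aud too
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("ID token has expired")
    response = sts_client.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name_for(claims),
        WebIdentityToken=id_token,
        DurationSeconds=3600,
    )
    return response["Credentials"], response["AssumedRoleUser"]["Arn"]
```

With the returned credentials, the S3 and Lambda calls made on Jane's behalf are recorded in CloudTrail with userIdentity.type AssumedRole and an ARN ending in her session name, which is the "no manual logging" behaviour the post asks for.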