Okta_aws_login_config

karrthik · March 24, 2023, 5:59pm

When used with gimme-aws-creds , there are different profile set in the file okta_aws_login_config

What is the equivalent for okta-aws-cli

erik · March 24, 2023, 9:56pm

Hello,

Currently this is not supported,

There is a current issue open which I believe will be part of release not too far in the future that will cache the access_token from the initial authentication. This way if you need to assume a different role you won’t need to go through the entire authentication process again assuming the token is still valid.

github.com/okta/okta-aws-cli

Cache access token for improved user experience

opened 07:47PM - 03 Mar 23 UTC

cvchavez2

Each time a user runs a CLI command they are required to verify a device code vi…a the browser. This translates to a very poor experience when a user is assigned to multiple AWS accounts/multiple roles, due to the user having to verify a new device code each time they need to move accounts or roles. Desired Behavior: Cache/store the OIDC access token from the native application and reuse it each time a user needs to switch between AWS accounts/roles. Potentially this could be achieved via: 1. After an access token has been issued, from the first okta-aws-cli command, cache/store the access token. 2. Each subsequent command, check to see if a token is available to use. - Verify the access token is still valid via the exp date on the JWT. - if token is valid, continue without prompting user to verify user code in the browser. 3. If the token is invalid, prompt user to verify user code to retrieve a new device token via the browser. Also, I noticed that the expiration time of an access token is set to 300s even though in my access policy I have specified a longer lifetime. Not sure where the 300 is coming from. ![access-token](https://user-images.githubusercontent.com/49293386/222812344-cc57b98b-2776-4db9-9a89-60b018b4d2ee.png)

Thank You,