gimme-aws-creds is a CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS.
Okta is a SAML identity provider (IdP), that can be easily set-up to do SSO to your AWS console. Okta does offer an OSS java CLI tool to obtain temporary AWS credentials, but I found it needs more information than the average Okta user would have and doesn't scale well if have more than one Okta App.
With gimme-aws-creds all you need to know is your username, password, Okta url and MFA token, if MFA is enabled. gimme-aws-creds gives you the option to select which Okta AWS application and role you want credentials for. Alternatively, you can pre-configure the app and role name by passing -c or editing the config file. This is all covered in the usage section.
Okta SAML integration to AWS using the AWS App
Python 3
Gimme-creds-lambda can be used as a proxy to the Okta APIs needed by gimme-aws-creds. This removes the requirement of an Okta API key. Gimme-aws-creds authenticates to gimme-creds-lambda using OpenID Connect and the lambda handles all interactions with the Okta APIs. Alternately, you can set the OKTA_API_KEY
environment variable and the gimme_creds_server
configuration value to 'internal' to call the Okta APIs directly from gimme-aws-creds.
This is a Python 3 project.
Install/Upgrade from PyPi:
pip3 install --upgrade gimme-aws-creds
OR
Install/Upgrade the latest gimme-aws-creds package direct from GitHub:
pip3 install --upgrade git+git://github.com/Nike-Inc/gimme-aws-creds.git
OR
Install the gimme-aws-creds package if you have already cloned the source:
python3 setup.py install
OR
Build the docker image locally:
docker build -t gimme-aws-creds .
To make it easier you can also create an alias for the gimme-aws-creds command with docker:
# make sure you have the "~/.okta_aws_login_config" locally first!
touch ~/.okta_aws_login_config && \
alias gimme-aws-creds="docker run -it --rm \
-v ~/.aws/credentials:/root/.aws/credentials \
-v ~/.okta_aws_login_config:/root/.okta_aws_login_config \
gimme-aws-creds"
With this config, you will be able to run further commands seamlessly!
To set-up the configuration run:
gimme-aws-creds --action-configure
You can also set up different Okta configuration profiles, this useful if you have multiple Okta accounts or environments you need credentials for. You can use the configuration wizard or run:
gimme-aws-creds --action-configure --profile profileName
A configuration wizard will prompt you to enter the necessary configuration parameters for the tool to run, the only one that is required is the okta_org_url
. The configuration file is written to ~/.okta_aws_login_config
, but you can change the location with the environment variable OKTA_CONFIG
.
- conf_profile - This sets the Okta configuration profile name, the default is DEFAULT.
- okta_org_url - This is your Okta organization url, which is typically something like
https://companyname.okta.com
. - okta_auth_server - Okta API Authorization Server used for OpenID Connect authentication for gimme-creds-lambda
- client_id - OAuth client ID for gimme-creds-lambda
- gimme_creds_server
- URL for gimme-creds-lambda
- 'internal' for direct interaction with the Okta APIs (
OKTA_API_KEY
environment variable required) - 'appurl' to set an aws application link url. This setting removes the need of an OKTA API key.
- write_aws_creds - True or False - If True, the AWS credentials will be written to
~/.aws/credentials
otherwise it will be written to stdout. - cred_profile - If writing to the AWS cred file, this sets the name of the AWS credential profile.
- The reserved word
role
will use the name component of the role arn as the profile name. i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [okta-1234-role] in the aws credentials file - The reserved word
acc-role
will use the name component of the role arn prepended with account number (or alias ifresolve_aws_alias
is set to y) to avoid collisions, i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [123456789012-okta-1234-role], or ifresolve_aws_alias
[-okta-1234-role] in the aws credentials file - If set to
default
then the temp creds will be stored in the default profile - Note: if there are multiple roles, and
default
is selected it will be overwritten multiple times and last role wins. The same happens whenrole
is selected and you have many accounts with the same role names. Consider usingacc-role
if this happens.
- The reserved word
- aws_appname - This is optional. The Okta AWS App name, which has the role you want to assume.
- aws_rolename - This is optional. The ARN of the role you want temporary AWS credentials for. The reserved word 'all' can be used to get and store credentials for every role the user is permissioned for.
- aws_default_duration = This is optional. Lifetime for temporary credentials, in seconds. Defaults to 1 hour (3600)
- app_url - If using 'appurl' setting for gimme_creds_server, this sets the url to the aws application configured in Okta. It is typically something like https://something.okta[preview].com/home/amazon_aws/app_instance_id/something
- okta_username - use this username to authenticate
- preferred_mfa_type - automatically select a particular device when prompted for MFA:
- push - Okta Verify App push
- token:software:totp - OTP using the Okta Verify App
- token:hardware - OTP using hardware like Yubikey
- call - OTP via Voice call
- sms - OTP via SMS message
- resolve_aws_alias - y or n. If yes, gimme-aws-creds will try to resolve AWS account ids with respective alias names (default: n). This option can also be set interactively in the command line using
-r
or--resolve
parameter - include_path - (optional) Includes full role path to the role name in AWS credential profile name. (default: n). If
y
:<acct>-/some/path/administrator
. Ifn
:<acct>-administrator
- remember_device - y or n. If yes, the MFA device will be remembered by Okta service for a limited time. This option can also be set interactively in the command line using
-m
or--remember-device
- output_format -
json
orexport
, determines default credential output format, can be also specified by--output-format FORMAT
and-o FORMAT
.
The config file follows a configfile format. By default, it is located in $HOME/.okta_aws_login_config
Example file:
[myprofile]
client_id = myclient_id
Configurations can inherit from other configurations to share common configuration parameters.
[my-base-profile]
client_id = myclient_id
[myprofile]
inherit = my-base-profile
aws_rolename = my-role
If you are not using gimme-creds-lambda nor using appurl settings, make sure you set the OKTA_API_KEY environment variable.
After running --action-configure, just run gimme-aws-creds. You will be prompted for the necessary information.
$ ./gimme-aws-creds
Username: [email protected]
Password for [email protected]:
Authentication Success! Calling Gimme-Creds Server...
Pick an app:
[ 0 ] AWS Test Account
[ 1 ] AWS Prod Account
Selection: 1
Pick a role:
[ 0 ]: OktaAWSAdminRole
[ 1 ]: OktaAWSReadOnlyRole
Selection: 1
Multi-factor Authentication required.
Pick a factor:
[ 0 ] Okta Verify App: SmartPhone_IPhone: iPhone
[ 1 ] token:software:totp: [email protected]
Selection: 0
Okta Verify push sent...
export AWS_ACCESS_KEY_ID=AQWERTYUIOP
export AWS_SECRET_ACCESS_KEY=T!#$JFLOJlsoddop1029405-P
You can automate the environnement variable creation by running $(gimme-aws-creds)
on linux or iex (gimme-aws-creds)
using Windows Powershell
You can run a specific configuration profile with the --profile
parameter:
./gimme-aws-creds --profile profileName
The username and password you are prompted for are the ones you login to Okta with. You can predefine your username by setting the OKTA_USERNAME
environment variable or using the -u username
parameter.
If you have not configured an Okta App or Role, you will prompted to select one.
If all goes well you will get your temporary AWS access, secret key and token, these will either be written to stdout or ~/.aws/credentials
.
You can always run gimme-aws-creds --help
for all the available options.
Alternatively, you can overwrite values in the config section with environment variables for instances where say you may want to change the duration of your token. A list of values of to change with environment variables are:
AWS_DEFAULT_DURATION
- corresponds toaws_default_duration
configurationAWS_SHARED_CREDENTIALS_FILE
- file to write credentials to, points to~/.aws/credentials
by defaultGIMME_AWS_CREDS_CLIENT_ID
- corresponds toclient_id
configurationGIMME_AWS_CREDS_CRED_PROFILE
- corresponds tocred_profile
configurationGIMME_AWS_CREDS_OUTPUT_FORMAT
- corresponds tooutput_format
configuration and--output-format
CLI optionOKTA_AUTH_SERVER
- corresponds tookta_auth_server
configurationOKTA_DEVICE_TOKEN
- corresponds todevice_token
configuration, can be used in CIOKTA_MFA_CODE
- corresponds to--mfa-code
CLI optionOKTA_PASSWORD
- provides password during authentication, can be used in CIOKTA_USERNAME
- corresponds tookta_username
configuration and--username
CLI option
Example: GIMME_AWS_CREDS_CLIENT_ID='foobar' AWS_DEFAULT_DURATION=12345 gimme-aws-creds
For changing variables outside of this, you'd need to create a separate profile altogether with gimme-aws-creds --action-configure --profile profileName
gimme-aws-creds --action-list-profiles
will go to your okta config file and print out all profiles created and their settings.
gimme-aws-creds --action-list-roles
will print all available roles to STDOUT without retrieving their credentials.
gimme-aws-creds -o json
will print out credentials in JSON format - 1 entry per line
gimme-aws-creds --action-store-json-creds
will store JSON formatted credentials from stdin
to
aws credentials file, eg: gimme-aws-creds -o json | gimme-aws-creds --action-store-json-creds
.
Data can be modified by scripts on the way.
Configuration and interactions can be configured using gimme_aws_creds.ui
,
UserInterfaces support all kind of interactions within library including: asking for input, sys.argv
and os.environ
overrides.
import sys
import gimme_aws_creds.main
import gimme_aws_creds.ui
account_ids = sys.argv[1:] or [
'123456789012',
'120123456789',
]
pattern = "|".join(sorted(set(account_ids)))
pattern = '/:({}):/'.format(pattern)
ui = gimme_aws_creds.ui.CLIUserInterface(argv=[sys.argv[0], '--roles', pattern])
creds = gimme_aws_creds.main.GimmeAWSCreds(ui=ui)
# Print out all selected roles:
for role in creds.aws_selected_roles:
print(role)
# Generate credentials overriding profile name with `okta-<account_id>`
for data in creds.iter_selected_aws_credentials():
arn = data['role']['arn']
account_id = None
for piece in arn.split(':'):
if len(piece) == 12 and piece.isdigit():
account_id = piece
break
if account_id is None:
raise ValueError("Didn't find aws_account_id (12 digits) in {}".format(arn))
data['profile']['name'] = 'okta-{}'.format(account_id)
creds.write_aws_creds_from_data(data)
gimme-aws-creds works both on FIDO1 enabled org and WebAuthN enabled org
Note that FIDO1 will probably be deprecated in the near future as standards moves forward to WebAuthN
WebAuthN support is only available for usb security keys (gimme-aws-creds relies on the yubico fido2 lib). Authenticator such as Windows Hello or Touch ID are not yet supported. Actually it has only been tested with USB U2F keys & yubikeys.
You can run all the unit tests using nosetests. Most of the tests are mocked.
nosetests --verbosity=2 tests/
This project is maintained by Ann Wallace, Eric Pierce, and Justin Wiley.
I came across okta_aws_login written by Joe Keegan, when I was searching for a CLI tool that generates AWS tokens via Okta. Unfortunately it hasn't been updated since 2015 and didn't seem to work with the current Okta version. But there was still some great code I was able to reuse under the MIT license for gimme-aws-creds. I have noted in the comments where I used his code, to make sure he receives proper credit.
AWS - How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
Gimme AWS Creds is released under the Apache License, Version 2.0