
We have set up IAM roles that allow federated users that are authenticated with Okta to gain access to the AWS Console.

Some of the users need temporary AWS access keys to use the AWS command line tools locally.

Is there any way for those users to create temporary access keys in the AWS console or a shell script?

thesamet
  • Thanks for confirming this use case btw.: we have been contemplating to add this very feature to our (commercial) [Identity Federation for AWS](http://utoolity.net/products/identity-federation-for-aws) solution for the Atlassian platform for a while, but had never encountered demand for it outside of our own - not any longer :) – Steffen Opel Dec 16 '14 at 17:37
  • You ever happen to find a solution here? I'm having the same challenge right now. – TrackZero Jan 23 '15 at 22:41
  • No luck so far. I guess I'll have to code my own solution for this :/ if I end up writing something generally useful I'll post here. – thesamet Jan 24 '15 at 05:01
  • @TrackZero here is my first stab at solving this https://github.com/trueaccord/aws-saml-broker – thesamet Jan 25 '15 at 09:53

4 Answers


In a recent project I needed to be able to have users utilize Okta to access both the AWS console and use the AWS CLI. So, I wrote a tool that will generate temporary AWS credentials (from STS) using a SAML assertion generated from an Okta login that can be used with the CLI.

This allows for all AWS access to be brokered via Okta and allows for MFA login to be required for both console and CLI access.

The tool, okta_aws_login.py, can be found at GitHub and additional details can be found at this blog post on a series I wrote about setting up user federation with Okta and AWS.

NimbusScale

If I understand your use case correctly, this is not possible as such, because the resulting temporary credentials from the backing GetFederationToken API action cannot themselves be used to call these STS APIs, see the table Comparing Features of AWS STS APIs for details.

This functionality would need to be provided by the entity in charge of the long-term AWS credentials (Okta), which could offer handing out the resulting temporary credentials triplet for copy/paste into the AWS CLI scenarios.

Steffen Opel

I have ended up creating a small webapp we run internally that will issue temporary AWS credentials for our users using AssumeRole. It has two modes of operation:

  • Using SSO: user visits a URL and gets to see credentials that he can copy.

  • Command line client: makes an HTTPS request to the webapp (with Okta username and password). If authentication with Okta is successful, the client writes the credentials to ~/.aws/credentials.

thesamet

I have a solution for this; https://github.com/nathan-v/aws_okta_keyman

Support for most MFA factors comes out of the box and it's built to be easy to use and deploy on developer workstations without needing any additional services or crazy dependencies. You can start using it today with just Python and pip.

This tool allows developers whose AWS access is federated with Okta to pull keys via STS that are written out to ~/.aws/credentials for them under a profile name they choose (optionally), so you can easily manage keys from multiple accounts or roles.

Nathan V
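The flow that the NimbusScale, thesamet and Nathan V answers describe (a SAML assertion from the Okta login exchanged at STS for a temporary key triplet, then written to ~/.aws/credentials under a profile the user picks), as an added example; this is not code from okta_aws_login.py, aws-saml-broker or aws_okta_keyman. Assumed, and not stated in the thread: the base64 SAMLResponse has already been captured from the Okta login, the roles are published in the standard https://aws.amazon.com/SAML/Attributes/Role attribute, boto3 is installed for the one live STS call, and the sample assertion, its account id and the profile names are constructed for illustration.

```python
"""Broker temporary AWS CLI credentials from an Okta SAML assertion.
Added example for this thread (not code from the tools named in it); the
base64 SAMLResponse is assumed to have been captured from the Okta login."""
import base64
import configparser
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned sample assertion using AWS's documentation account id.
SAMPLE_SAML_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/OktaDev,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/Okta,arn:aws:iam::123456789012:role/OktaAdmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_SAML_B64 = base64.b64encode(SAMPLE_SAML_XML).decode()


def parse_saml_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from a base64 SAMLResponse.

    AWS accepts the two ARNs in either order inside one value, so pick them by
    ARN type rather than by position, and reject anything else."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError("malformed Role attribute value: %r" % val.text)
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("SAML assertion carries no AWS Role attribute")
    return pairs


def choose_role(pairs, wanted=None):
    """Pick the only role offered, or the one whose ARN contains `wanted`."""
    if wanted is None:
        if len(pairs) == 1:
            return pairs[0]
        raise ValueError("several roles offered, name one: " + ", ".join(r for r, _ in pairs))
    matches = [p for p in pairs if wanted in p[0]]
    if len(matches) != 1:
        raise ValueError("role %r matched %d entries" % (wanted, len(matches)))
    return matches[0]


def assume_role_with_saml(saml_response_b64, role_arn, principal_arn,
                          duration=3600, region="us-east-1"):
    """Exchange the assertion for a temporary key triplet via STS.

    AssumeRoleWithSAML is an unsigned call, so the workstation needs no
    long-term AWS keys; the Okta login (and its MFA) is the only credential.
    Not exercised offline."""
    import boto3  # lazy import: only the live call needs it
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


def write_credentials(creds, profile, path=None):
    """Merge the triplet into ~/.aws/credentials under `profile`, keeping the
    other profiles, and make the file owner-only since it now holds live keys."""
    path = Path(path) if path else Path.home() / ".aws" / "credentials"
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    path.chmod(0o600)
    return read_profile(profile, path)


def read_profile(profile, path):
    """The profile's keys as a plain dict, for verification."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return dict(cfg[profile])


if __name__ == "__main__":  # usage: script.py saml_b64_file [role-name] [profile]
    assertion = Path(sys.argv[1]).read_text().strip()
    role_arn, principal_arn = choose_role(parse_saml_roles(assertion),
                                          sys.argv[2] if len(sys.argv) > 2 else None)
    creds = assume_role_with_saml(assertion, role_arn, principal_arn)
    write_credentials(creds, sys.argv[3] if len(sys.argv) > 3 else "okta")
    print("temporary keys for", role_arn, "written, expire", creds["Expiration"])
```

The role parser is the part worth getting right: Okta can emit several role/provider pairs for one user, and AWS accepts the two ARNs in either order, so the script selects by ARN type and refuses ambiguous input instead of silently assuming the first role. The credentials file is rewritten with other profiles intact and chmod 600, since the CLI will read the session token from it as a live key until it expires.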