
okta-aws-cli-assume-role's Introduction

Okta AWS CLI Assume Role tool

ℹ️ Disclaimer: This tool is community-supported and is maintained by members of the Okta team for developers and IT professionals. This tool is not an official Okta product and does not qualify for any Okta support. Anyone who chooses to use this tool must ensure that their implementation meets any applicable legal obligations including any Okta terms and conditions.

New to Amazon Web Services with Okta? Start with Configuring AWS in Okta below.

This tool has been verified to work on macOS Sierra, High Sierra, Windows Server 2012 R2, Windows 10, and Ubuntu 16.04 LTS, and is expected to work on other Linux systems as well.

Installation

Windows

  1. Run the following in a PowerShell console. It downloads and executes the installer script straight from the repository's master branch, so read that script before running the command:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy unrestricted -Force; Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/oktadev/okta-aws-cli-assume-role/master/bin/Install-OktaAwsCli.ps1')); .$profile
  2. Customize %userprofile%\.okta\config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,
    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137

macOS/Linux

  1. Run the following in a Terminal, optionally setting a custom PREFIX value (default: ~/.okta). As on Windows, this executes an installer script fetched from the master branch, so review it first:

    PREFIX=~/.okta bash <(curl -fsSL https://raw.githubusercontent.com/oktadev/okta-aws-cli-assume-role/master/bin/install.sh) -i
  2. Customize ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
  3. Make sure $PREFIX/bin is in your PATH (that is ~/.okta/bin with the default PREFIX, or /usr/local/bin if you installed with PREFIX=/usr/local)

Docker

  1. Create ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

    OKTA_ORG=acmecorp.oktapreview.com
    OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
  2. Run this command:

    docker run -v ~/.okta/config.properties:/root/.okta/config.properties -it tomsmithokta/okta-awscli-java

Read more at @tom-smith-okta's okta-awscli-java Docker repo.

Manual install

Create a .okta directory in your home directory. For example, ~/.okta.

Download the latest release JAR and put it in .okta: https://github.com/oktadev/okta-aws-cli-assume-role/releases

Create ~/.okta/config.properties and set OKTA_ORG and OKTA_AWS_APP_URL appropriately. For example,

OKTA_ORG=acmecorp.oktapreview.com
OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137

Create ~/.okta/logging.properties with the following content,

com.amazonaws.auth.profile.internal.BasicProfileConfigLoader = NONE

Copy scripts from .okta/bin to somewhere on your PATH.

Usage

Verify your setup with a simple command:

okta-aws test sts get-caller-identity

This will prompt for Okta credentials, log you into AWS, let you pick a role, and store a session profile called test for you.

Run the program again to see session resumption (you won't be asked for Okta credentials until the session expires):

okta-aws test sts get-caller-identity

NOTE: okta-aws is a function loaded from your shell profile, not a typical program or command stored in a file.

NOTE: On a *nix platform the withokta wrapper script will attempt to parse $https_proxy as a URI. If successful, the host and port values are passed to the JVM; user credentials in the proxy configuration are not currently used. This allows the okta-aws tool to be used where internet access for the servers is mediated by a proxy, e.g. an EC2 instance inside a restricted VPC.

The proxy URI must be of the form http://host:port/. Both the host and port are mandatory.
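
The parsing rules in the note above, worked through as an added shell example; this is an illustration of the behaviour described, not the project's own withokta script. It assumes the host and port reach the JVM as the standard https.proxyHost and https.proxyPort system properties, and the proxy URIs used below are constructed for the demo.

```shell
#!/bin/sh
# Parse $https_proxy the way the note above describes the withokta wrapper doing:
# accept only http://host:port/, treat host and port as mandatory, discard any
# user:password@ part (credentials are not used), and hand host and port to the
# JVM. Added illustration, not the project's wrapper script; the property names
# https.proxyHost/https.proxyPort are the standard JVM ones and are assumed here.

proxy_jvm_flags() {   # proxy_jvm_flags URI -> "-Dhttps.proxyHost=H -Dhttps.proxyPort=P"; status 1 if malformed
    uri=$1
    case "$uri" in
        http://*) rest=${uri#http://} ;;
        *)        return 1 ;;                 # only the http:// form is documented
    esac
    rest=${rest%%/*}                          # drop the trailing "/" (or any path)
    case "$rest" in
        *@*) rest=${rest##*@} ;;              # strip userinfo: proxy credentials are ignored
    esac
    case "$rest" in
        *:*) ;;
        *)   return 1 ;;                      # no colon means no port: reject
    esac
    host=${rest%:*}
    port=${rest##*:}
    [ -n "$host" ] || return 1                # host is mandatory
    case "$port" in
        ''|*[!0-9]*) return 1 ;;              # port must be a number
    esac
    printf '%s %s\n' "-Dhttps.proxyHost=$host" "-Dhttps.proxyPort=$port"
}

# Resolve the flags from the environment: prints nothing when https_proxy is
# unset, fails with a message when it is set but not in the required form.
jvm_proxy_opts_from_env() {
    [ -n "${https_proxy:-}" ] || return 0
    proxy_jvm_flags "$https_proxy" && return 0
    echo "https_proxy must look like http://host:port/ (got: $https_proxy)" >&2
    return 1
}

# How a wrapper would use it, with the JAR path from the manual-install steps:
#   opts=$(jvm_proxy_opts_from_env) || exit 1
#   java $opts -jar ~/.okta/okta-aws-cli.jar "$@"
```

A proxy URL with a scheme other than http://, or without a port, is rejected outright rather than silently passed through, which is the failure mode to check for first when the tool hangs or times out on an instance behind an explicit proxy.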

Reference

Compiling the application

The application was built and compiled with JetBrains' IntelliJ IDEA. Note that you don't have to compile the application in order to be able to execute it, since the compiled executable (a JAR file) is available on GitHub.

Prerequisites

You will need Java SE 11.x: a JRE is enough to run the prebuilt JAR, and the JDK is required to build it.

Then you will need Maven 2 or later to run the build.

Building on the command line

Get a single JAR with all dependencies:

Use git clone https://github.com/oktadev/okta-aws-cli-assume-role.git to clone the repository locally. Then, build with Maven:

mvn package
cp target/okta-aws-cli-*.jar ~/.okta/okta-aws-cli.jar

Configuring AWS in Okta

See the Amazon Web Services Account Federation documentation for details on setting up federation so that you can log into AWS through Okta and this tool.

An alternative integration can be found in Integrating the Amazon Web Services Command Line Interface Using Okta, which allows logging into AWS / Okta through the AWS CLI. The okta-aws-cli is not compatible with this integration.

Configuring the application

Here is the list of parameters that can be environment variables or settings in the ~/.okta/config.properties file:

  • OKTA_ORG is the URL of your Okta org. The examples above give it as a bare hostname (acmecorp.oktapreview.com); use that form.

  • OKTA_AWS_APP_URL is the embed link of your Okta AWS application (see Obtaining the AWS app url below)

  • OKTA_USERNAME is the username to use. If present will skip username input.

  • OKTA_PASSWORD_CMD is the command to fetch your password instead of showing a password prompt. Read more...

  • OKTA_ENV_MODE set to true to run sub-command with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN env vars set. Temporary credentials are shared in memory and kept off disk in this mode. (default: false)

  • OKTA_BROWSER_AUTH set to true to use integrated web browser for authentication (default: false)

  • OKTA_COOKIES_PATH is directory path to store cookies.properties for Okta. This is particularly useful when running this tool in many concurrent processes like you might with OKTA_ENV_MODE (default: ~/.okta)

  • OKTA_PROFILE is the name of the AWS profile to create/reuse. (default: get AWS profile name based on per-session STS user name)

  • OKTA_AWS_REGION is the default AWS region to store with the created profile.

  • OKTA_AWS_ROLE_TO_ASSUME is the IAM Role ARN to use. If present will try to match okta account's retrieved role list and use it. Will still prompt if no match found. (ex: arn:aws:iam::123456789012:role/EC2-Admins)

  • OKTA_STS_DURATION is the duration the role will be assumed, in seconds. AWS allows at most 12 hours (43200), and the role's own maximum session duration must be raised to match, since STS rejects a request that exceeds the role's limit. Defaults to 3600 (1 hour).

  • OKTA_MFA_CHOICE is the provider and factor type to use if prompted for MFA. Example: OKTA.push. See Factors documentation for values. (default: use single factor or prompt user to select from usable factors).

  • OKTA_IGNORE_SAML_REQ_CONTAIN is an optional parameter that lets users skip parsing SAML requests whose URL contains a specific string. This is relevant when using the custom IdP factor, which adds additional SAML requests to the user's authentication flow. See Custom IdP Factor Authentication for more details. Defaults to an empty string.

  • Obtaining the AWS app url

    • Navigate to the Admin Dashboard of your Okta organization
    • Select the Applications tab and click on your AWS Application
    • Under the General menu, scroll down to find the App Embed Link section
    • Your link is located under EMBED LINK
    • Replace the example values in ~/.okta/config.properties with your values

You can specify configuration overrides for each profile by creating a ~/.okta/config.{profilename}.properties file. The base settings will be loaded first and the profile-specific settings will be loaded after, allowing you to only override specific settings that need to be different. For example, if you want the prod profile to connect to a different Okta org, create a ~/.okta/config.prod.properties file and set OKTA_ORG to something different.

Note: environment variables take precedence over any config file.
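
The layering just described (base file, then config.{profilename}.properties, then environment variables winning over both), together with the OKTA_STS_DURATION limit from the parameter list, worked through as an added shell example. It is not the tool's own configuration loader and only understands plain KEY=value lines. The directory it builds is a stand-in for ~/.okta; the prod org, the hypothetical app link ending in 0oaEXAMPLEPROD/137, and the OKTA_PASSWORD_CMD value (which assumes the pass password manager) are constructed for the demo.

```shell
#!/bin/sh
# Shows how the three configuration layers described above combine:
# ~/.okta/config.properties, then config.<profile>.properties on top of it,
# with an environment variable beating both. Added example, not the tool's
# own loader; it understands only plain KEY=value lines, and the directory,
# profile names and values below are constructed for the demo.

prop_get() {   # prop_get FILE KEY -> value of the last KEY= line; status 1 if absent
    [ -f "$1" ] || return 1
    val=$(grep "^$2=" "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "${val#*=}"
}

effective_setting() {   # effective_setting CONFDIR PROFILE KEY
    dir=$1; profile=$2; key=$3
    # 1. An environment variable takes precedence over any config file.
    env_val=$(eval "printf '%s' \"\${$key:-}\"")
    if [ -n "$env_val" ]; then printf '%s\n' "$env_val"; return 0; fi
    # 2. config.<profile>.properties overrides only the keys it contains.
    if prop_get "$dir/config.$profile.properties" "$key"; then return 0; fi
    # 3. Everything else comes from the base config.properties.
    prop_get "$dir/config.properties" "$key"
}

# OKTA_STS_DURATION must fit AWS limits (900 s to 43200 s = 12 h), and a value
# above the role's own MaxSessionDuration is rejected by STS, so check both.
# Look the role limit up with:
#   aws iam get-role --role-name EC2-Admins --query Role.MaxSessionDuration --output text
validate_sts_duration() {   # validate_sts_duration SECONDS ROLE_MAX_SECONDS
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 900 ] && [ "$1" -le 43200 ] && [ "$1" -le "$2" ]
}

make_fixture() {   # constructed stand-in for ~/.okta; prints its path
    dir=$(mktemp -d)
    cat > "$dir/config.properties" <<'EOF'
OKTA_ORG=acmecorp.oktapreview.com
OKTA_AWS_APP_URL=https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137
OKTA_STS_DURATION=3600
OKTA_PASSWORD_CMD=pass show okta/acmecorp
EOF
    # Hypothetical production org and app link; only the keys present here change.
    cat > "$dir/config.prod.properties" <<'EOF'
OKTA_ORG=acmecorp.okta.com
OKTA_AWS_APP_URL=https://acmecorp.okta.com/home/amazon_aws/0oaEXAMPLEPROD/137
OKTA_STS_DURATION=28800
EOF
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    for p in test prod; do
        printf '%-5s OKTA_ORG=%s  OKTA_STS_DURATION=%s\n' "$p" \
            "$(effective_setting "$d" "$p" OKTA_ORG)" \
            "$(effective_setting "$d" "$p" OKTA_STS_DURATION)"
    done
    rm -rf "$d"
fi
```

Run it with --demo to print the resolved OKTA_ORG and OKTA_STS_DURATION for the test and prod profiles. Against a real ~/.okta directory, effective_setting tells you which layer a value is coming from, which is the first thing to check when a profile authenticates against the wrong org or a stale environment variable is overriding the file.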

Troubleshooting

I get "You have no factors enrolled"

This means that MFA is enforced, but you have no factors enrolled on your user.

Enroll a factor the CLI supports; every factor type except Duo is expected to work (see the next item).

If you are using Duo Push, consider setting OKTA_BROWSER_AUTH=true in the configuration.

I have Duo, but I get "None of your factors are supported"

This means that MFA is enforced, but none of the factors you have enrolled are supported.

Okta's integration with Duo requires an iframe which isn't practical to interact with from a CLI context.

Getting help

Have a question or see a bug? Post a question on the Okta Dev Forums or email [email protected]. For feature requests, feel free to open an issue on this repo.

If you find a security vulnerability, please follow our Vulnerability Reporting Process.

License

Copyright 2017 Okta, Inc. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

okta-aws-cli-assume-role's People

Contributors

alainodea, bdemers, bogeylnj, boyvanduuren, connorthomasmccabe, dangereis, davidtanner, dependabot-support, dependabot[bot], douglaswth, ev-psaad, jeremyplichtafc, jimlawton, jmackay-godaddy, johngronberg-okta, johnhammerlund, jones2026, junkangli, loopingz, naxhh, nbarbettini, raphaellondner-okta, rdegges, sbrandtb, slmingol, smashling, tahoward, thoward-godaddy, tom-smith-okta, zer0beat


okta-aws-cli-assume-role's Issues

Add support Cross-account roles linked to more than one account

Currently the tool supports only one linked account and doesn't get token when multiple accounts are linked:

14:30:12 [main] DEBUG com.okta.tools.awscli - Statement node: {"Effect":"Allow","Action":"sts:AssumeRole","Resource":["arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>","arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>","arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>"]}
14:30:12 [main] DEBUG com.okta.tools.awscli - Statement is NOT array
14:30:12 [main] DEBUG com.okta.tools.awscli - Resource node: ["arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>","arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>","arn:aws:iam::<REDACTED_ACCOUNT_ID>:role/<REDACTED_ROLE>"]
14:30:12 [main] DEBUG com.okta.tools.awscli - Role to assume: null
14:30:12 [main] TRACE com.okta.tools.awscli - Role to assume ARN: null

Can't seem to run on Windows

Hi,

I have an issue when trying to run this on a Windows 7 box, here is the error I'm getting:

\java -classpath oktaawscli.jar:../lib/aws-java-sdk-1.11.27.jar com.okta.tools.awscli
Error: Could not find or load main class com.okta.tools.awscli

I have a feeling it's a syntax error but not sure, help would be appreciated.

NoClassDefFoundError: com/amazonaws/AmazonClientException

When executing the prebuilt Jar, it throws a NoClassDefFoundError: com/amazonaws/AmazonClientException error.

Executing the code in IntelliJ does not produce the same output, rather, it works as intended.

This is due to a dependency reference missing that points at the lib folder in the iml file.

Add Duo support or describe a Duo workaround

I'm moving to Duo from SMS for MFA, but I'm blocked on lack of Duo support in the cli. What is preventing support for Duo? I'm happy to contribute if it just takes some programming effort. Alternatively, can you offer a workaround for AWS CLI/API access when using Duo?

macOS specific command in Readme.MD

The following line in Readme.MD is macOS specific. It should probably note that, and if there is an equivalent command for Windows, that should probably be added.

In Terminal, run defaults write com.apple.finder AppleShowAllFiles YES if you want to be able to inspect the ~/.aws/credentials and ~/.aws/config files.

Enhancement Request

I just got this tool working, thanks for putting this up here. I was using a Python based tool we wrote internally that was using requests, but doesn't work now that the login page is JavaScript enabled. I think the ability to pass in command line arguments, such as profile save name, IdP app url, region, output format (for the credentials file) would be awesome. Just wanted to pass that on.

Great work!

Enhancement request: Proxy Support

First off, thanks for this great tool. It greatly simplifies the AWS STS interaction.

Our company uses an explicit proxy to access the Internet. I can't find a way to have this program use the proxy, and thus it simply fails when running on our internal network.

I've tried setting the proxy in the traditional way via environment variables, as well as via the traditional JAVA way with -Dhttps.proxyHost directives and neither approach seems to work.

export http_proxy="http://usrname:passwrd@host:port"

java -Dhttps.proxyHost=proxy.global.dish.com -Dhttps.proxyPort=8080 -Dhttps.proxyUser=firstname.lastname -Dhttps.proxyPassword=Dish1234! -classpath .:oktaawscli.jar:../lib/aws-java-sdk-1.11.37.jar com.okta.tools.awscli

Is Proxy Support built-in and I'm just missing it? If it's not built-in, what are the chances it could be incorporated?

Consolidate/Finalize portable package building

There are a number of outstanding/closed PRs and issues around artifact building. Is there any interest from the maintainers on integrating this? If there is, I would be happy to try to shepherd those changes into a single PR with the help from the original submitters.

Related:

Error Encountered After MFA Prompt

After being prompted for your MFA code, so far having tested both SMS and Google Authenticator, you'll be greeted with an error. Here's a stacktrace:

./awscli.command
Username: <my username>
Password: <my password>

Multi-Factor authentication is required. Please select a factor to use.
Factors:
[ 1 ] : Google Authenticator

GOOGLE Token Factor Authentication
Enter 'change factor' to use a different factor
Token:
xxxxxx
Exception in thread "main" java.lang.RuntimeException: You do not have access to AWS through Okta.
Please contact your administrator.
	at com.okta.tools.OktaAwsCliAssumeRole.getSamlResponseForAws(OktaAwsCliAssumeRole.java:358)
	at com.okta.tools.OktaAwsCliAssumeRole.getSamlResponse(OktaAwsCliAssumeRole.java:125)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:111)
	at com.okta.tools.awscli.main(awscli.java:31)

Having checked this across multiple users, and accounts, and verifying we do indeed have access to AWS through Okta - my conclusion has to be that this is a bug or regression.

Here are some related issues in the past with similar problems:
#2
#61

Enhancement request: Show account name/alias instead of account number

Right now when selecting a role to assume, we are shown account numbers instead of the account name/alias if it exists. Since most of our users won't recognize the account number immediately, this means we have to make which account each role is part of clear in the role name itself. Would be nice to have the account names listed instead so we could avoid that.

Unable to use latest release

Hi,

I was using an older version quite some time ago with success, I was able to run ./awscli, get prompted for username and password, choose my okta role and then the AWS role policy I wanted to assume. From there I was able to use the profile as expected (primary use is with Terraform) and assume roles in other accounts.

Since that version it looks like quite a bit has changed.

Now when running awscli, I no longer get prompted to assume a role policy, and when I run ./awscli sts get-caller-identity a second time, I get:

Exception in thread "main" java.lang.NullPointerException
        at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:109)
        at com.okta.tools.awscli.main(awscli.java:31)

Is there something I'm missing? I was getting the not authorized to perform: sts:AssumeRole on resource but fixed that with the suggested inline policy.

Not practically install-able

The program is currently not really install-able.

Attempts to move it and its script into a bin directory on the PATH don't work as it needs config.properties in the current working directory.

Accepting properties from ~/.okta/config.properties is one step in that direction. The Gradle application plugin is another option.

Either way, it would be useful for this to be install-able so it can be rolled out to a large team efficiently.

@smashling can you look into this?

Does MFA in this app work with current versions of Okta?

The article published here seems to indicate that MFA works but that doesn't seem to be the case in my testing. I get this result every time I try to use it with MFA required in my sign on policy:

You do not have access to AWS through Okta. Please contact your administrator.

When I test access through the browser I get prompted for MFA and it works as expected.

Cross-Account roles do not work

Has support for cross-account roles, implemented in this pr been removed?

The app doesn't present a choice of roles that the main role can switch to and assumes main account role automatically.

Symantec VIP Support

@alamir1 I'm moving this conversation to a new issue.

Symantec VIP has a distinct factorType that I didn't account for. The same thing happened to Yubikey support, but I had a user who I could test with and who works in a desk beside me so I was particularly motivated 😁

https://github.com/oktadeveloper/okta-aws-cli-assume-role/blob/master/src/main/java/com/okta/tools/OktaAwsCliAssumeRole.java#L476-L477

I think this an easy fix:
https://developer.okta.com/docs/api/resources/factors#supported-factors-for-providers

I think I can add token as another fallthru case and Symantec VIP should work again:

                case ("token"):
                case ("token:hardware"):
                case ("token:software:totp"): {

CLI fails on Multiple Roles

First run works fine, but if I run the commands again to get keys for a different role it fails unless I remove the session file ~/.okta-aws-cli-session:
./awscli sts get-caller-identity
Exception in thread "main" java.lang.NullPointerException
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:109)
at com.okta.tools.awscli.main(awscli.java:31)

Allow user to pick default region

Hi guys,

Is there any way to allow user to pick the region that is populated in the config file?

if not anyway we can get it added to the config.properties ?

Thanks

Tool uses different home directory than AWS sdk/powershell config process

I believe that the aws sdk and powershell module put their configuration in %home%\.aws. This tool uses the java variable user.home, which returns the windows variable for %userprofile%.

I'm no java developer otherwise I would figure out how to get this working and submit the code changes my self.

java.net.UnknownHostException

After running './awscli sts get-caller-identity' and entering username and password, i then receive the following:

Exception in thread "main" java.net.UnknownHostException: https: nodename nor servname provided, or not known
at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:924)
at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1504)
at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:843)
at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1494)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1353)
at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1287)
at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:111)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at com.okta.tools.OktaAwsCliAssumeRole.logInToOkta(OktaAwsCliAssumeRole.java:205)
at com.okta.tools.OktaAwsCliAssumeRole.getAuthnResponse(OktaAwsCliAssumeRole.java:142)
at com.okta.tools.OktaAwsCliAssumeRole.getOktaSessionToken(OktaAwsCliAssumeRole.java:125)
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:86)
at com.okta.tools.awscli.main(awscli.java:27)

What to do when there is no AWS configuration

Recently #48 was merged. These changes make sure default profiles will not be overwritten.
However, I was wondering what we should do when there aren't any $HOME/.aws/config and $HOME/.aws/credentials configuration files yet.

Maybe we should write the newly created profile as a default profile in case there is no previous aws-cli credentials configuration, and add/update it if there is.
That way people that use only this tool to set up aws-cli configuration will have a usable default profile, and people that had already setup aws-cli configuration will have their default profile kept intact.

The current version will just write an empty (unusable) default profile in addition to the newly generated profile if there is no previous aws-cli config.

awscli results in `aws' command error, no credentials

$ ./awscli
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: too few arguments
$

config.properties contains OKTA_ORG and OKTA_AWS_APP_URL. I was prompted once for credentials but removed the credential file to test something. Ever since then I haven't been prompted for auth on run of the jar, and ~/.aws/credentials is not repopulated. Repo cloned and built Feb 2, approximately 11:30 AM CST. Don't know if there's a 'stable' branch I should be cloning instead or if there's a known defect.

Null Pointer Exception in Main

Great tool, little clunky to setup but it works and it's really smooth once you get there.

I am getting an issue, though it's actually working so I'm a bit confused.

Environment:

This output has been scrubbed a little for security

[3|2:04 PM|+1ms] [...\okta-aws-cli\out]
> .\awscli.bat

C:\users\jbruett\Documents\okta-aws-cli\out>java -classpath oktaawscli.jar;../lib/aws-java-sdk-1.11.37.jar com.okta.tools.awscli
ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
Username: <username>
Password: <password>

Please choose the role you would like to assume:
[ 1 ]: arn:aws:iam::###########:role/<role1>
[ 2 ]: arn:aws:iam::###########:role/<role2>
Selection: 1
Exception in thread "main" java.lang.NullPointerException
        at com.okta.tools.awscli.GetRoleToAssume(awscli.java:493)
        at com.okta.tools.awscli.main(awscli.java:133)

Regardless of the error, I have a valid session and the credentials are successfully written to file. I'm thinking that this is something to do with the ERROR about log4j2, but it's there, so I'm not sure.

Logging in when Okta MFA enabled does not work

This worked great for me when Okta MFA was turned off in my organization. Since we enabled it, this process seems to fail, giving me the message: You do not have access to AWS through Okta. None of my AWS settings have changed.

At first glance, the Document received from the launchOktaAwsApp method is a redirect page and does not contain the SAML token in the form expected to use to call AWS. Things work fine if I disable MFA, but that is not an acceptable workaround.

Error when assuming role in current organisation

I am using this tool to assume a role in the same organisation as the user I use to access AWS via Okta; when I run the tool I get an error.

My config looks like:

OKTA_ORG=domain.oktapreview.com
OKTA_AWS_APP_URL=https://domain.oktapreview.com/home/amazon_aws/0ia84r1fghTqB61ZR9h7/137
AWS_IAM_KEY=MYKEY
AWS_IAM_SECRET=MYSECRET

When I run the tool I get:

Username: my_okta_name
Password: my_okta_password

Please choose the role you would like to assume: 
[ 1 ]: arn:aws:iam::124546611879:role/Role_I_want_to_assume_in_same_org
Selection: 1
Exception in thread "main" com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: The security token included in the request is invalid. (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: 140d6651-c6a3-11e6-973b-81205f56c3d6)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1545)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1183)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:964)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:676)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:650)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:633)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$300(AmazonHttpClient.java:601)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:583)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:447)
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.doInvoke(AmazonIdentityManagementClient.java:6882)
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.invoke(AmazonIdentityManagementClient.java:6858)
	at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.getRole(AmazonIdentityManagementClient.java:3670)
	at com.okta.tools.awscli.GetRoleToAssume(awscli.java:435)
	at com.okta.tools.awscli.main(awscli.java:119)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)

If I comment out line #119 GetRoleToAssume(crossAccountRoleName); in awscli.java, then the tool works correctly and generates temporary credentials that allow the aws cli to connect.

The issue seems to be that variable crossAccountRoleName gets set to the role name [1] selected above, which results in an attempt to assume a cross account role that does not exist, as this role is in the same organisation as the user.

Is there some additional config I can define to prevent the attempt to assume a cross account role?

Windows 10 Error - Cannot run program "aws"

After installing the aws cli through python, I attempt to run awscli.bat, and get the following error:

Exception in thread "main" java.io.IOException: Cannot run program "aws": CreateProcess error=2, The system cannot find the file specified
        at java.lang.ProcessBuilder.start(Unknown Source)
        at com.okta.tools.awscli.main(awscli.java:36)
Caused by: java.io.IOException: CreateProcess error=2, The system cannot find the file specified
        at java.lang.ProcessImpl.create(Native Method)
        at java.lang.ProcessImpl.<init>(Unknown Source)
        at java.lang.ProcessImpl.start(Unknown Source)
        ... 2 more

My initial guess was an issue with the way my PATH variable was setup, but running aws from the command line resolves correctly, and it also looks like the correct directory C:\Program Files\Python36\Scripts has been added to the PATH.

Can you all identify anything that I may have missed in order to execute this command correctly?

Below is execution of aws from Powershell with Admin access. The same result also occurs from my user-level account.

PS C:\> aws
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: the following arguments are required: command

This is a snapshot of my system-level environment variables. I have included the Python paths in both User and System.

image

AssumeRoleWithSAMLRequest doesn't seem to work with China (Beijing) region or GovCloud

From the AWS docs:

The default AWS Security Token Service (STS) endpoint ("sts.amazonaws.com") works for all accounts that are not for China (Beijing) region or GovCloud. You only need to change the endpoint to "sts.cn-north-1.amazonaws.com.cn" when you are requesting session credentials for services in China(Beijing) region or "sts.us-gov-west-1.amazonaws.com" for GovCloud.

source

A quick fix, I think, would be to add the (deprecated) withServiceEndpoint builder to the code below:

https://github.com/oktadeveloper/okta-aws-cli-assume-role/blob/4dbfb4a7d7ddfb85e5567781d55e3736421c9282/src/main/java/com/okta/tools/awscli.java#L419-L423

Longer term, we should move the code to use to the AWSSecurityTokenServiceClientBuilder

User assigned to only one SAML User Role results in No Selection Present

From within Okta, a user is assigned to only one SAML User Role. This results in no selections being present yet the prompt to make a selection is still presented.

Looking at the code it appears to parse the AWS SAML role selection page to determine what to present in that selection. As the user is only assigned to one SAML User Role this selection page isn't presented and the user is dropped right into the Identity account.

JNI error has occurred

Hello, I've followed the instructions in the readme, but I'm not able to log in.

⇒  ./awscli.command
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.NoClassDefFoundError: com/amazonaws/auth/AWSCredentials
	at java.lang.Class.getDeclaredMethods0(Native Method)
	at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
	at java.lang.Class.privateGetMethodRecursive(Class.java:3048)
	at java.lang.Class.getMethod0(Class.java:3018)
	at java.lang.Class.getMethod(Class.java:1784)
	at sun.launcher.LauncherHelper.validateMainClass(LauncherHelper.java:544)
	at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:526)
Caused by: java.lang.ClassNotFoundException: com.amazonaws.auth.AWSCredentials
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 7 more

Executing the awscli throws NullPointerException on subsequent calls after login

When executing the awscli with the following properties:
OKTA_ORG=[okta tenant]
OKTA_AWS_APP_URL=[application url]
OKTA_USERNAME=
OKTA_PASSWORD=
OKTA_AWS_ROLE_TO_ASSUME=

I am prompted to authenticate as expected. When I execute the awscli a second time I get the following Exception:
Exception in thread "main" java.lang.NullPointerException
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:109)
at com.okta.tools.awscli.main(awscli.java:31)

At this point, from the code, there is a check for oktaProfile.isEmpty():
if (session.isPresent() && sessionIsActive(startInstant, session.get()) && oktaProfile.isEmpty())

Since this property is not defined, a NullPointerException is thrown. When I add the property to config.properties, the exception goes away and everything works as expected, except for logout.

Logout throws the following exception:
Exception in thread "main" java.lang.NullPointerException
at org.ini4j.BasicProfile.remove(BasicProfile.java:139)
at com.okta.tools.aws.settings.MultipleProfile.deleteProfile(MultipleProfile.java:47)
at com.okta.tools.OktaAwsCliAssumeRole.logoutMulti(OktaAwsCliAssumeRole.java:158)
at com.okta.tools.OktaAwsCliAssumeRole.logoutSession(OktaAwsCliAssumeRole.java:144)
at com.okta.tools.awscli.main(awscli.java:25)

If I remove the property from the config then logout works, so I am in a catch-22 scenario.

Cannot set up and execute on Mac

I am using a MacBook Pro (macOS 10.12.6) and am not able to set up the CLI correctly.
Here is the step-by-step setup.

  1. Install JDK from http://www.oracle.com/technetwork/java/javase/downloads/index.html
     % java --version
     java 9.0.4
     Java(TM) SE Runtime Environment (build 9.0.4+11)
     Java HotSpot(TM) 64-Bit Server VM (build 9.0.4+11, mixed mode)
  2. % brew install maven
  3. % git clone https://github.com/oktadeveloper/okta-aws-cli-assume-role.git
  4. % vim config.properties (Edit OKTA_ORG and OKTA_AWS_APP_URL)
  5. % mv config.properties out
  6. % mvn package
  7. % cp target/okta-aws-cli-1.0-SNAPSHOT.jar out/oktaawscli.jar
  8. % cd out

Now, I executed ./awscli sts get-caller-identity and it gives me the following error.

[ksuzuki@A-M-201711-003] ~/workspace/okta-aws-cli-assume-role/out
% ./awscli sts get-caller-identity                                                                              (git)-[master]
Username: ksuzuki (or [email protected])
Password:
Exception in thread "main" java.net.UnknownHostException: https: nodename nor servname provided, or not known
	at java.base/java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
	at java.base/java.net.InetAddress$PlatformNameService.lookupAllHostAddr(InetAddress.java:924)
	at java.base/java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1504)
	at java.base/java.net.InetAddress$NameServiceAddresses.get(InetAddress.java:843)
	at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1494)
	at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1353)
	at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1287)
	at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:111)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at com.okta.tools.OktaAwsCliAssumeRole.logInToOkta(OktaAwsCliAssumeRole.java:224)
	at com.okta.tools.OktaAwsCliAssumeRole.getAuthnResponse(OktaAwsCliAssumeRole.java:161)
	at com.okta.tools.OktaAwsCliAssumeRole.getOktaSessionToken(OktaAwsCliAssumeRole.java:144)
	at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:99)
	at com.okta.tools.awscli.main(awscli.java:29)
[ksuzuki@A-M-201711-003]

I am not sure what I am missing at this point. Any suggestion will be helpful.
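The stack trace above ends in a DNS lookup for a host literally named `https`. One way to end up there is a URL assembled from a hostname field that already contains a scheme, because `https://` + `https://acmecorp...` resolves the host `https`. As an added check, not part of okta-aws-cli-assume-role, the following validates the two config.properties values the README asks for before anything touches the network: OKTA_ORG must be a bare hostname such as acmecorp.oktapreview.com, and OKTA_AWS_APP_URL must be an https URL on that same host with a real path. The sample values are the README's own placeholders; that the login step posts to Okta's `/api/v1/authn` endpoint on the org host is an assumption about the tool, marked as such in the code.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Properties;

// Added example, not the tool's code: fail fast on malformed config.properties
// values instead of letting the HTTP client try to resolve a host named "https".
public final class OktaConfigCheck {

    // OKTA_ORG must be a bare hostname, e.g. acmecorp.oktapreview.com (no scheme, no path).
    public static String checkOktaOrg(String oktaOrg) {
        if (oktaOrg == null || oktaOrg.trim().isEmpty()) {
            throw new IllegalArgumentException("OKTA_ORG is not set");
        }
        String org = oktaOrg.trim().toLowerCase(Locale.ROOT);
        if (org.contains("://") || org.contains("/")) {
            throw new IllegalArgumentException(
                "OKTA_ORG must be a hostname only (e.g. acmecorp.oktapreview.com), not a URL: " + oktaOrg);
        }
        // Plain DNS-label syntax: letters, digits and hyphens, at least one dot.
        if (!org.matches("[a-z0-9]([a-z0-9-]*[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+")) {
            throw new IllegalArgumentException("OKTA_ORG is not a valid DNS name: " + oktaOrg);
        }
        return org;
    }

    // OKTA_AWS_APP_URL must be an https embed link whose host is the Okta org itself.
    public static URI checkAppUrl(String appUrl, String org) {
        URI uri;
        try {
            uri = new URI(appUrl == null ? "" : appUrl.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("OKTA_AWS_APP_URL is not a valid URL: " + appUrl, e);
        }
        if (!"https".equals(uri.getScheme())) {
            throw new IllegalArgumentException("OKTA_AWS_APP_URL must use https: " + appUrl);
        }
        if (uri.getHost() == null || !uri.getHost().toLowerCase(Locale.ROOT).equals(org)) {
            throw new IllegalArgumentException(
                "OKTA_AWS_APP_URL host (" + uri.getHost() + ") does not match OKTA_ORG (" + org + ")");
        }
        if (uri.getPath() == null || uri.getPath().isEmpty() || "/".equals(uri.getPath())) {
            throw new IllegalArgumentException(
                "OKTA_AWS_APP_URL must be the app's embed link, not the org root: " + appUrl);
        }
        return uri;
    }

    // Assumption: the login step calls Okta's Authentication API at /api/v1/authn on the org host.
    public static URI authnUrl(Properties config) {
        String org = checkOktaOrg(config.getProperty("OKTA_ORG"));
        checkAppUrl(config.getProperty("OKTA_AWS_APP_URL"), org);
        return URI.create("https://" + org + "/api/v1/authn");
    }

    public static void main(String[] args) {
        Properties good = new Properties(); // constructed; mirrors the README example values
        good.setProperty("OKTA_ORG", "acmecorp.oktapreview.com");
        good.setProperty("OKTA_AWS_APP_URL",
            "https://acmecorp.oktapreview.com/home/amazon_aws/0oa5zrwfs815KJmVF0h7/137");
        System.out.println("OK: " + authnUrl(good));

        Properties bad = new Properties();  // constructed: a scheme pasted into OKTA_ORG
        bad.setProperty("OKTA_ORG", "https://acmecorp.oktapreview.com");
        bad.setProperty("OKTA_AWS_APP_URL", good.getProperty("OKTA_AWS_APP_URL"));
        try {
            authnUrl(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac OktaConfigCheck.java && java OktaConfigCheck`; the second Properties object is rejected with a message naming OKTA_ORG, which is the error a user in this situation would want instead of an UnknownHostException deep inside the HTTP client.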

Question: I have multiple roles, but I want to select one role and then another before my Okta session expires

Thanks for putting up a nice tool; I got it working. I have multiple roles, but if I want to select one role and then select another role before my original Okta session expires, right now if I run ./awscli sts get-caller-identity (before the old session expires), it shows me details for the old session rather than prompting for a new session.

Please let me know if I'm missing something.

Thanks

Missing license file

What is the license for this project? Could you please update the repository with the license file?
Thank you.

Runs super-slowly now even for quick commands

Doing nothing (running true, a trivial program that exits with code 0) with this is now surprisingly slow, suggesting that there is a major performance regression somewhere:

$ time true

real	0m0.000s
user	0m0.000s
sys	0m0.000s
$ time env OKTA_PROFILE=dev ./withokta true

real	0m4.252s
user	0m7.162s
sys	0m0.355s

Using the oktaawscli.jar from 8af9de9, I get this dramatically faster experience:

$ time env OKTA_PROFILE=dev ./withokta true

real	0m0.884s
user	0m1.825s
sys	0m0.153s

The regression was introduced by #83, so I suspect it has something to do with refreshing the Okta session. It looks like refreshing the session costs over 3 seconds, which adds up to a huge cost if withokta is used to wrap every line in a script.

I think a different strategy for session refresh (possibly paying the session refresh price once every 5 minutes, or doing it in a second background task) might be worthwhile.

@smashling we'll take a look at this some time soon, but #88 is definitely a bigger immediate issue.

Error when selecting Role to assume

Okta implemented a new method for console login to child accounts. This new method uses a fixed role: Okta-Idp-cross-account-role

I don't believe the CLI takes this into account. The AWS credentials being used are from account 2222222222, which works because the CLI uses the GetRole command, but it fails when selecting 1234567890, possibly because it is running the GetRole command while the role is not in the 2222222222 account, and it is not switching roles to the 1234567890 account via Okta-Idp-cross-account-role before doing the GetRole.
sdk-1.11.165.jar com.okta.tools.awscli
Username: myuser
Password:

Please choose the role you would like to assume:
[ 1 ]: arn:aws:iam::1234567890:role/Testing1
[ 2 ]: arn:aws:iam::2222222222:role/Testing2
Selection: 1
13:46:27 [main] DEBUG com.okta.tools.awscli - Cross-account role is Testing1
13:46:28 [main] DEBUG com.okta.tools.awscli - Creating the AWS Identity Management client
13:46:28 [main] DEBUG com.okta.tools.awscli - Getting role: Testing1
Exception in thread "main" com.amazonaws.services.identitymanagement.model.NoSuchEntityException: Role not found for Testing1 (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 052303fa-7098-11e7-9234-1707482cd147)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1587)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1257)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1029)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:741)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:715)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:697)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:665)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:647)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:511)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.doInvoke(AmazonIdentityManagementClient.java:8275)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.invoke(AmazonIdentityManagementClient.java:8251)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.executeGetRole(AmazonIdentityManagementClient.java:4390)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.getRole(AmazonIdentityManagementClient.java:4367)
at com.okta.tools.awscli.GetRoleToAssume(awscli.java:437)
at com.okta.tools.awscli.main(awscli.java:119)

Setup for Spoke/Hub Model

Hello, I wanted to ask if this tool supports the Spoke/Hub model?

When pointing OKTA_AWS_APP_URL and OKTA_ORG to the hub, it works. When changing these variables to the spoke I get:
16:55:28.957 [main] ERROR com.okta.tools.awscli - You do not have access to AWS through Okta. Please contact your administrator.

The AWS application nevertheless works fine in the browser.

Best regards,
Joaquín

IAM Role inside a "folder"

I have an iam role that looks like:

arn:aws:iam::XXXXXXX:role/aplp/Role-IT-PlatformTeam

Notice I used "aplp" as a "folder" to store all our roles moving forward. The issue I'm having is that the CLI seems not to like the fact that it sees it as aplp/Role-IT-PlatformTeam now. Is that by design, or...?

http://i.imgur.com/jIJNnti.png
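The China/GovCloud endpoint report, the single-role "No Selection Present" report, the cross-account GetRole failure and the role-in-a-folder question above all touch the same parsing step: the role ARN that arrives in the SAML assertion carries the partition (which fixes the STS endpoint), the account ID (which must be the account the GetRole credentials belong to), and an optional path that IAM does not consider part of the RoleName. The following is an added example, not code from okta-aws-cli-assume-role, that parses the values of the SAML attribute `https://aws.amazon.com/SAML/Attributes/Role` into role/principal pairs, splits each role ARN into those pieces, maps the partition to the STS endpoints the quoted AWS documentation names, and skips the selection prompt when there is only one pair. The attribute values and the `Okta` provider name are constructed; the 10-digit account IDs are copied from the issue as posted.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not the tool's code: parse the SAML Role attribute and the role
// ARNs in it, then derive the GetRole name and the STS endpoint from the parts.
public final class SamlRoleSelection {

    // One value of the SAML attribute https://aws.amazon.com/SAML/Attributes/Role.
    public static final class RolePair {
        public final String roleArn;
        public final String principalArn;
        RolePair(String roleArn, String principalArn) {
            this.roleArn = roleArn;
            this.principalArn = principalArn;
        }
    }

    // Pieces of arn:{partition}:iam::{account}:role{path}{name}.
    public static final class RoleArn {
        public final String partition;
        public final String accountId;
        public final String path;      // "/" or "/aplp/"; never part of the GetRole name
        public final String roleName;  // what IAM GetRole expects as RoleName
        RoleArn(String partition, String accountId, String path, String roleName) {
            this.partition = partition;
            this.accountId = accountId;
            this.path = path;
            this.roleName = roleName;
        }
    }

    // Each value is "roleArn,providerArn"; AWS also accepts the reverse order, so detect by type.
    public static List<RolePair> parseRoleAttribute(List<String> attributeValues) {
        List<RolePair> pairs = new ArrayList<>();
        for (String value : attributeValues) {
            String[] parts = value.split(",");
            if (parts.length != 2) {
                throw new IllegalArgumentException("Role attribute value is not a pair: " + value);
            }
            String a = parts[0].trim();
            String b = parts[1].trim();
            if (a.contains(":role/") && b.contains(":saml-provider/")) {
                pairs.add(new RolePair(a, b));
            } else if (b.contains(":role/") && a.contains(":saml-provider/")) {
                pairs.add(new RolePair(b, a));
            } else {
                throw new IllegalArgumentException("Need one role and one saml-provider ARN: " + value);
            }
        }
        return pairs;
    }

    public static RoleArn parseRoleArn(String arn) {
        // arn:partition:service:region:account-id:resource (region is empty for IAM).
        String[] f = arn.split(":", 6);
        if (f.length != 6 || !"arn".equals(f[0]) || !"iam".equals(f[2]) || !f[5].startsWith("role/")) {
            throw new IllegalArgumentException("Not an IAM role ARN: " + arn);
        }
        String pathAndName = f[5].substring("role".length()); // "/aplp/Role-IT-PlatformTeam"
        int lastSlash = pathAndName.lastIndexOf('/');
        String name = pathAndName.substring(lastSlash + 1);
        if (name.isEmpty()) {
            throw new IllegalArgumentException("Role ARN has no role name: " + arn);
        }
        return new RoleArn(f[1], f[4], pathAndName.substring(0, lastSlash + 1), name);
    }

    // Endpoints named in the AWS STS documentation quoted in the China/GovCloud issue above.
    public static String stsEndpointFor(String partition) {
        switch (partition) {
            case "aws":        return "sts.amazonaws.com";
            case "aws-cn":     return "sts.cn-north-1.amazonaws.com.cn";
            case "aws-us-gov": return "sts.us-gov-west-1.amazonaws.com";
            default: throw new IllegalArgumentException("Unknown partition: " + partition);
        }
    }

    // A single pair needs no prompt; only ask the user when there is an actual choice.
    public static RolePair select(List<RolePair> pairs, int oneBasedChoice) {
        if (pairs.isEmpty()) throw new IllegalStateException("The SAML assertion carries no AWS roles");
        if (pairs.size() == 1) return pairs.get(0);
        if (oneBasedChoice < 1 || oneBasedChoice > pairs.size()) {
            throw new IllegalArgumentException("Selection out of range: " + oneBasedChoice);
        }
        return pairs.get(oneBasedChoice - 1);
    }

    public static void main(String[] args) {
        // Constructed attribute values, not from a real assertion; account IDs are the ones in the issues.
        List<String> attr = Arrays.asList(
            "arn:aws:iam::1234567890:role/Testing1,arn:aws:iam::1234567890:saml-provider/Okta",
            "arn:aws:iam::2222222222:saml-provider/Okta,arn:aws:iam::2222222222:role/Testing2",
            "arn:aws-cn:iam::333333333333:role/aplp/Role-IT-PlatformTeam,"
                + "arn:aws-cn:iam::333333333333:saml-provider/Okta");
        for (RolePair p : parseRoleAttribute(attr)) {
            RoleArn r = parseRoleArn(p.roleArn);
            // GetRole wants r.roleName, called with credentials that belong to r.accountId.
            System.out.printf("%s%n  account=%s path=%s GetRole=%s sts=%s%n",
                p.roleArn, r.accountId, r.path, r.roleName, stsEndpointFor(r.partition));
        }
        RolePair only = select(parseRoleAttribute(attr.subList(0, 1)), 0); // one pair: no prompt
        System.out.println("Single role, no prompt: " + only.roleArn);
    }
}
```

Two things the output makes visible: `Role-IT-PlatformTeam` is the name to pass to GetRole while `/aplp/` is its path, and `Testing1` lives in account 1234567890, so a GetRole issued with credentials for 2222222222 cannot find it regardless of how the name is parsed. With the AWS SDK for Java 1.11.x seen in the stack traces, the endpoint string goes into `AWSSecurityTokenServiceClientBuilder.standard().withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endpoint, signingRegion))`, with `cn-north-1` or `us-gov-west-1` as the signing region; that is the builder route the China/GovCloud report prefers over the deprecated `withServiceEndpoint`.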

Two AWS account token

I have a use case where I have two AWS accounts, one for prod and one for non-prod.
Both accounts are configured to talk to Okta. How can I use two embed links in the config file to get temporary credentials from both AWS accounts?
