oktad's Introduction

This application is deprecated as of whenever this gets committed!

It'll still continue to work, but I'm not planning on maintaining it!

Please consider using segmentio/aws-okta instead! It does everything oktad ever officially did and more, like allowing you to adjust your AssumeRole session length per call!

oktad

okta-aws, but in go. This program authenticates with Okta and then assumes role twice in Amazon.

Installation

Grab a binary for your OS from the latest release, and put it somewhere in your PATH. Only supports Linux and OSX for now!

If you're on OSX like me, this might be all you need...

curl -L -o /usr/local/bin/oktad https://github.com/RedVentures/oktad/releases/download/`curl -v 'https://github.com/RedVentures/oktad/releases/latest' 2>&1 | grep -i '^< location:' | grep -E -o 'v[0-9]+\.[0-9]+\.[0-9]+'`/oktad-darwin-amd64 && chmod +x /usr/local/bin/oktad

Setup

First, create an ~/.okta-aws/config file with your Okta base URL and app URL, like below:

[okta]
baseUrl=https://mycompany.okta.com/
appUrl=https://mycompany.okta.com/app/YOUR_APP/OKTA_MAGIC/sso/saml

Third, set up an AWS CLI config file. You need to create ~/.aws/config and fill it with a profile containing the ARN for a role you ultimately want to get temporary credentials for. This file might look like the following:

[default]
output = json
region = us-east-1

[profile my_subaccount]
role_arn = arn:aws:iam::MY_ACCOUNT_ID:role/wizards

With those things set up, you should be able to run oktad my_subaccount -- [command] to run whatever [command] is with a set of temporary credentials from Amazon.

Usage

$ oktad [AWS profile] -- [command]

For example:

$ oktad production -- aws ec2 describe-instances

Debugging

Login didn't work? Launch this program with DEBUG=oktad* in your environment for more debugging info:

$ DEBUG=oktad* oktad production -- aws ec2 describe-instances

oktad's People

Contributors

darethas, endemics, hopkinsth, lstanden, rv-gjohnson, tlunter


oktad's Issues

Login successful, No output after

Hello, Thank you for the tool, it appears to be the best around for Okta/AWS but I'm having an issue running the command after the utility. Should there be more debug logs after the successful login?

$ DEBUG=* oktad dp -- aws s3 ls
18:21:57.206 86us   86us   oktad:main - loading configuration data
18:21:57.206 148us  148us  oktad:config - trying to load from config param file
18:21:57.206 4us    4us    oktad:config - trying to load from CWD
18:21:57.206 5us    5us    oktad:config - trying to load from home dir
18:21:57.206 10us   10us   oktad:config - loading /Users/ianmo/.okta-aws/config
18:21:57.234 28ms   28ms   oktad:credStore - no credentials found for supplied profile: dp
18:21:57.234 28ms   28ms   oktad:main - cred load err credentials not found!
Username: [email protected]
Password: 
18:22:04.630 7s     7s     oktad:okta - let the login dance begin
18:22:05.906 1s     1s     oktad:okta - login response body {"expiresAt":"2017-06-12T18:27:07.000Z","status":"SUCCESS","sessionToken":"000000fake","_embedded":{"user":{"id":"000000fake","profile":{"login":"[email protected]","firstName":"Guy","lastName":"Guy","locale":"en","timeZone":"America/Los_Angeles"}}}}
$ DEBUG=* oktad dp -- echo "test"
18:22:17.187 87us   87us   oktad:main - loading configuration data
18:22:17.187 152us  152us  oktad:config - trying to load from config param file
18:22:17.187 1us    1us    oktad:config - trying to load from CWD
18:22:17.187 5us    5us    oktad:config - trying to load from home dir
18:22:17.187 10us   10us   oktad:config - loading /Users/ianmo/.okta-aws/config
18:22:17.214 27ms   27ms   oktad:credStore - no credentials found for supplied profile: dp
18:22:17.214 27ms   27ms   oktad:main - cred load err credentials not found!
Username: [email protected]
Password: 
18:22:25.083 7s     7s     oktad:okta - let the login dance begin
18:22:26.604 1s     1s     oktad:okta - login response body {"expiresAt":"2017-06-12T18:27:28.000Z","status":"SUCCESS","sessionToken":"000000fake","_embedded":{"user":{"id":"000000fake","profile":{"login":"[email protected]","firstName":"Guy","lastName":"Guy","locale":"en","timeZone":"America/Los_Angeles"}}}}

how do I find appUrl ?

I'm not sure what to put in appUrl setting. Using the URL I get from okta doesn't work and it doesn't look like the example in the README.

Windows support

I see that the readme says Windows is not supported right now. Has this been tested? If so, are there plans and/or a timeline for Windows support?

Unable to have multiple open sessions

Because the credential caching in ~/.okta-aws/credentials is not namespaced by profile, you cannot have 2 sessions to different accounts open in 2 separate terminal windows. When you attempt to open the 2nd session it sees the credentials file and if those haven't expired it just puts them in your environment without checking that they are for the requested account.
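
A sketch of the check this issue asks for, added here as an example and not taken from oktad's code: the cache is keyed by profile, and an entry is reused only if it was issued for the role that profile names and has not expired. The Creds and Cache types, the JSON layout and the account IDs are assumptions; the page does not show oktad's actual credentials file format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Creds is a hypothetical cache entry; oktad's real file format is not shown on the page.
type Creds struct {
	RoleARN     string    `json:"role_arn"`
	AccessKeyID string    `json:"access_key_id"`
	Expiration  time.Time `json:"expiration"`
}

// Cache maps an AWS profile name to the credentials issued for it.
type Cache map[string]Creds

var ErrCacheMiss = errors.New("no usable cached credentials")

// Load parses cache file contents (JSON in this sketch).
func Load(raw []byte) (c Cache, err error) {
	err = json.Unmarshal(raw, &c)
	return
}

// Lookup returns an entry only when it belongs to the requested profile, was
// issued for the role that profile names now, and has not expired.
func (c Cache) Lookup(profile, roleARN string, now time.Time) (Creds, error) {
	e, ok := c[profile]
	switch {
	case !ok:
		return Creds{}, fmt.Errorf("%w: nothing stored for %q", ErrCacheMiss, profile)
	case e.RoleARN != roleARN:
		return Creds{}, fmt.Errorf("%w: entry was issued for %s", ErrCacheMiss, e.RoleARN)
	case !now.Before(e.Expiration):
		return Creds{}, fmt.Errorf("%w: entry for %q expired", ErrCacheMiss, profile)
	}
	return e, nil
}

func main() {
	now := time.Now() // constructed sample data below: account IDs and key ID are made up
	raw, _ := json.Marshal(Cache{"production": {RoleARN: "arn:aws:iam::111111111111:role/wizards", AccessKeyID: "AKIAEXAMPLE", Expiration: now.Add(time.Hour)}})
	cache, _ := Load(raw)
	_, err := cache.Lookup("staging", "arn:aws:iam::222222222222:role/wizards", now)
	fmt.Println("second terminal, other account:", err) // a miss forces a fresh login
}
```

A miss on any of the three conditions falls through to a fresh Okta login instead of exporting another account's keys into the environment.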

build for linux again

go-keytar links against some dependencies that weren't in my docker build container, need to figure this out or convert go-keytar to use libsecret...

Error preparing to AssumeRole!

Hi,

I'm getting the following error when attempting to use oktad. Since the Okta supplied tool doesn't seem to work anywhere near as slick, it'd be nice to get this going.

The error is below:

18:31:53.270 427ms  427ms  oktad:okta - didn't find saml response element
18:31:53.270 14s    14s    oktad:main - got saml:

Error preparing to AssumeRole!
18:31:53.270 2us    2us    oktad:main - getSaml err was Invalid saml response!

This was immediately following a "SUCCESS" JSON response from Okta.

Any ideas?

Support OSX keychain

Although the credentials we grab only work for an hour now, it's probably better that we store them somewhere a little safer than a plaintext file on disk.

Store session cookie in keychain

We've been experimenting internally with a new tool which works similarly to oktad, but stores the HTTP session cookie retrieved from Okta in the OSX Keychain / Windows Credential Vault. We're using node for our version with the keytar library for cross platform support. By storing this cookie, users are able to get keys from AWS for the duration of their Okta session without being asked for username/password/MFA which is a huge convenience.

So the feature request is to store this session cookie (the cookie name is sid) so users can get multiple keys if required.

"Error reading config file!" when run from home directory.

When I run a command, something like oktad production -- /bin/bash from my home directory I get an error message "Error reading config file!". If I move to a subdirectory inside my home directory it seems to work fine. Example:

~ : oktad production -- /bin/bash
Error reading config file!
~ : cd libs/test/mytestfolder/tf/
~/libs/test/mytestfolder/tf : oktad production -- /bin/bash
Username:

Running v0.6.0
