This is a simple command-line tool for logging into Okta and generating temporary Amazon AWS credentials. It makes it easy and secure for your developers to generate short-lived, logged and user-attributed credentials that can be used with any of the Amazon SDK libraries or CLI tools.
We have support for logging into Okta, optionally handling MFA Authentication, and then generating new SAML authenticated AWS sessions. In particular, this tool has a few core features.
If your organization requires MFA for the initial login into Okta, we will automatically detect that requirement on a per-user basis and prompt the user to complete the Multi Factor Authentication. The following factors are supported by nd_okta_auth:
- FIDO U2F (eg yubikey)
- Okta Verify with Push
- TOTP (Okta Verify, Duo, and Google Authenticator)
If a user has multiple factors they will be prompted in the above order. A user can hit Control-C to skip a factor.
Amazon IAM only supports Federated Login sessions that last up to 1 hour. For developers, it can be painful to re-authenticate every hour during your work day. This is made much worse if your organization requires MFA on each login.
You may run the Okta Auth-er tool in "reup" mode to get around this. The tool will stay running in a daemon-like mode, and it will reach out regularly to Okta, generate a new SAML Assertion, and then generate updated Amazon AWS credentials. This can run for as long as your Okta administrator has allowed your Login Session to be - often a full work day.
See the --reup commandline option for help here!
For detailed usage instructions, see the --help commandline argument. Basic instructions though:
$ nd_okta_auth -a <application id> -o <your org name> -u <your username>
08:27:44 (INFO) Nextdoor Okta Auther v0.0.1
Password:
08:27:48 (WARNING) Okta Verify Push being sent...
08:27:48 (INFO) Waiting for Okta Verification...
...
08:28:09 (INFO) Waiting for Okta Verification...
08:28:10 (INFO) Successfully authed Matt Wise
08:28:10 (INFO) Getting SAML Assertion from foobar
08:28:11 (INFO) Found credentials in shared credentials file: ~/.aws/credentials
08:28:11 (INFO) Wrote profile "default" to /Users/diranged/.aws/credentials
08:28:11 (INFO) Session expires at 2017-07-24 16:28:13+00:00
$
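The steps after a successful login that the README and the session above describe (exchange the SAML assertion for temporary credentials, write them to a profile in the AWS shared-credentials file, and in "reup" mode decide how long to wait before renewing), as an added example that is not nd_okta_auth's own code. The STS call is a stand-in so it runs offline; the real call is boto3's sts.assume_role_with_saml with RoleArn, PrincipalArn, SAMLAssertion and DurationSeconds. The ARNs, key values, profile name and the five-minute renewal margin are all constructed assumptions.

```python
"""Added example, not nd_okta_auth's own code: the local steps after an
Okta login - obtain a temporary session, write it to ~/.aws/credentials
without disturbing other profiles, and schedule the next reup."""
import configparser
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample ARNs; in the real tool they come from the SAML assertion.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleDeveloper"
PRINCIPAL_ARN = "arn:aws:iam::123456789012:saml-provider/Okta"


def fake_assume_role_with_saml(assertion, role_arn, principal_arn,
                               duration_seconds, now):
    """Stand-in for sts.assume_role_with_saml: returns the shape of the
    'Credentials' dict STS hands back, with constructed key material."""
    if duration_seconds > 3600:
        # The README notes federated sessions are capped at 1 hour.
        raise ValueError("DurationSeconds exceeds the 1 hour session limit")
    return {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",            # constructed
        "SecretAccessKey": "constructed/secret/not/real",  # constructed
        "SessionToken": "constructed-session-token",       # constructed
        "Expiration": now + timedelta(seconds=duration_seconds),
    }


def write_profile(path, profile, creds):
    """Write one profile into the INI-style AWS credentials file, keep every
    other profile intact, and leave the file readable by its owner only."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)  # an absent file simply reads as empty
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    cfg.set(profile, "aws_session_token", creds["SessionToken"])
    # Create with 0600 and also chmod, since O_CREAT's mode does not apply
    # to a file that already exists; the file holds live secrets.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return sorted(cfg.sections())


def seconds_until_renewal(expires_at, now, margin=timedelta(minutes=5)):
    """Reup mode: sleep until `margin` before expiry (never negative) so the
    new assertion is fetched while the old keys still work."""
    return max(0.0, (expires_at - now - margin).total_seconds())


def reup_once(path, profile, assertion, now):
    """One pass of the reup loop: new session, rewrite the profile, and
    return (profiles now in the file, seconds to sleep before the next pass)."""
    creds = fake_assume_role_with_saml(assertion, ROLE_ARN, PRINCIPAL_ARN,
                                       3600, now)
    sections = write_profile(path, profile, creds)
    return sections, seconds_until_renewal(creds["Expiration"], now)


def demo():
    """Run one reup pass against a temporary credentials file that already
    holds an unrelated profile; report what survived and the file mode."""
    now = datetime(2017, 7, 24, 15, 28, 13, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with open(path, "w") as fh:  # constructed pre-existing profile
            fh.write("[other]\naws_access_key_id = AKIAOTHER\n")
        sections, sleep_for = reup_once(path, "default", "<saml>", now)
        mode = oct(os.stat(path).st_mode & 0o777)
    return sections, sleep_for, mode


if __name__ == "__main__":
    print(demo())
```

With a one-hour session and a five-minute margin, `demo()` reports both profiles present, a 3300-second wait before the next renewal, and a 0600 file mode. A real reup loop would replace the stand-in with the STS call, sleep for the returned number of seconds, then fetch a fresh SAML assertion from Okta and repeat until the Okta session itself expires.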
Before you can use this tool, your Okta administrator needs to set up Amazon/Okta integration using SAML roles.
This code is heavily based on the previous work done by ThoughtWorksInc on their OktaAuth and AWS Role Credentials tools. We took their general purpose code and re-wrote them into a singularly focused tool that added some new features.
In particular, we found it clumsy to use two CLI tools together to do a single task. Additionally, the tools did not have support for Okta Verify with Push.
If you are interested in working on the codebase, setting up your development environment is quick and easy.
$ virtualenv .venv
$ source .venv/bin/activate
$ pip install -r requirements.txt
Python 2.7.1+ and Python 3.5.0+ are supported
$ nosetests -vv --with-coverage --cover-erase --cover-package=nd_okta_auth