Implement config option for which MFA to use

[lsowen]

Supercedes #97/#73, and streamlines changes for this PR and #85.

[lsowen]

@nickatsegment What is the preferred way(s) to set/override config options?

#97 used the AWS config file, #85 used a CLI switch and environment variables. Currently this PR uses the cli route, and I think env variable override would be useful. Thoughts?

[lsowen]

hi @nickatsegment, happy new year! Wanted to see if you have some feedback on CLI vs AWS config to do the MFA settings.

[nickatsegment]

@lsowen Hi, happy new year! Thanks for hanging in there despite our radio silence :)

Do you have (or can you imagine) a use case where you'd want different MFA methods depending on the account? For me, as a user, I only ever use 1 idP (same for every AWS account) and always pick the same method. So for my own personal use case, I'd prefer an env var because you can set it in your bash profile and not have to copy it to every aws-okta profile.

[lsowen]

@nickatsegment I think whichever method we use (cli flag or aws config) I will implement an ENV variable override.

Would it be useful to put plumbing in place to allow values to be set in the [okta] section and overridden in the individual [profile XYZ] sections? That way you could set it once, or override it if you wanted/needed.

[nickatsegment]

@lsowen I'm guessing it would be useful for some users. Give it a shot and see how much complexity it adds. If it's a lot, I'd say wait for somebody with the need.

[Fauzyy]

@lsowen #111 is in master now 👍 , if you could update this PR I'll merge it in soon! Excited to start using this feature

[lsowen]

@Fauzyy just rebased, updated to use the new GetValue, and updated the README.

This version supports:

• Setting from CLI
• Setting from environment variables
• Setting from AWS config

[Fauzyy]

@lsowen this look good to me so far, I'll merge once I wrap up testing 👍 - thanks!

[Fauzyy]

Great, thanks for this @lsowen 🥂

[manishtomar]

Strangely I don't see this working after taking the latest code and installing it.

$ aws-okta login --mfa-factor-type push ds
INFO[0001] Requesting MFA. Please complete two-factor authentication with your second device
INFO[0001] Select a MFA from the following list
INFO[0001] 0: OKTA (push)
INFO[0001] 1: OKTA (token:software:totp)
Select MFA method: ^C

Isn't it supposed to default to push instead of asking it? Did I misunderstand the documentation?

[lsowen]

hi @manishtomar, while you can mix/match the methods of specifying which one you want to use (eg use environment variable and CLI switch), you have to specify both the provider and the factor-type for the config to have impact. eg

aws-okta login --mfa-provider OKTA --mfa-factor-type push ds

[manishtomar]

@lsowen Awesome. Thank you so much for the clarification and thanks a lot for this contribution!