Saturday, 22 Jun 2024

AWS CLI Access: Simplifying Account Management with Okta Integration

In this use case, we will explore the seamless integration of AWS CLI with Okta via AWS IAM Identity Center. With the latest version of AWS CLI v2, managing CLI profiles linked to SSO accounts and roles has become more streamlined. Now, the CLI can automatically retrieve AWS credentials from SSO and refresh them on your behalf. Say goodbye to the hassle of manually copying and pasting temporary AWS credentials from the AWS IAM Identity Center console.

Option A: Accessing Credentials from AWS Dashboard

To get started, open the AWS IAM Identity Center Dashboard and navigate to the “Command line or programmatic access” section. Here, you will find multiple options to access the CLI. Simply choose the option that suits your needs.

AWS CLI Authorize Request

Option B: Configuration Commands

Alternatively, you can execute the following command in your terminal: aws configure sso. This command will guide you through the configuration process.

  • SSO start URL: Sign in to the AWS Dashboard and copy the URL.
  • SSO Region: Sign in to your AWS Account and copy the Region of AWS IAM Identity Center.

Once you have these details, run the command aws configure sso and follow the prompts.

$ aws configure sso
SSO session name (Recommended): okta
SSO start URL [None]:
SSO Region [None]: eu-central-1
SSO registration scopes [sso:account:access]: 
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
Then enter the code: RXPC-JNHZ

The only AWS account available to you is: 00xxxxxxxx56
Using the account ID 00xxxxxxxx56

You will be prompted to log in to your AWS IAM Identity Center via Okta. If you have enabled MFA, you will need to provide a second factor. Additionally, AWS IAM Identity Center will ask for your consent to grant access.


AWS CLI Authorize Request

After successful authentication, you will be prompted to select one of the roles configured in the workshop. Choose the desired role to create a local profile.

There are 2 roles available to you.

  • PowerUserAccess
  • ViewOnlyAccess

After selecting the role name “PowerUserAccess”, you are prompted for the default client Region, the default output format, and the name of the local profile to create.

CLI default client Region [eu-central-1]:
CLI default output format [None]: json
CLI profile name [PowerUserAccess-00xxxxxxxx56]:

To use this profile, specify the profile name with --profile, as shown:
aws s3 ls --profile PowerUserAccess-00xxxxxxxx56
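For reference, this is the shape of what `aws configure sso` writes to `~/.aws/config` for the session and profile above, shown here as a constructed sample added to this post (the start URL, account ID, key values and the `legacy` profile are placeholders, not from the original). The small POSIX shell check that follows reports, for each profile, whether it authenticates through a configured SSO session or still carries long-lived static keys, which is the thing to look for when retiring manually pasted credentials.

```shell
#!/bin/sh
# Constructed sample of ~/.aws/config as written by `aws configure sso` (placeholder
# values), plus a "legacy" profile with static keys for contrast.
SAMPLE_CONFIG='[sso-session okta]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

[profile PowerUserAccess-00xxxxxxxx56]
sso_session = okta
sso_account_id = 00xxxxxxxx56
sso_role_name = PowerUserAccess
region = eu-central-1
output = json

[profile legacy]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDER
region = eu-central-1'

# section_body FILE HEADER: lines of section [HEADER] up to the next header
section_body() {
  awk -v want="[$2]" '/^\[/ { inside = ($0 == want); next } inside { print }' "$1"
}

# config_value FILE HEADER KEY: value of KEY inside [HEADER], empty if absent
config_value() {
  section_body "$1" "$2" | awk -F'=' -v key="$3" '
    { k = $1; gsub(/[[:space:]]/, "", k) }
    k == key { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }'
}

# profile_auth_mode FILE PROFILE: sso | broken-sso | static | none
profile_auth_mode() {
  session=$(config_value "$1" "profile $2" sso_session)
  if [ -n "$session" ]; then
    [ -n "$(config_value "$1" "sso-session $session" sso_start_url)" ] && echo sso || echo broken-sso
  elif [ -n "$(config_value "$1" "profile $2" aws_access_key_id)" ]; then
    echo static
  else
    echo none
  fi
}
# Demo: write the sample to a temp file and classify each profile
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
for p in PowerUserAccess-00xxxxxxxx56 legacy; do
  echo "$p: $(profile_auth_mode "$cfg" "$p")"   # sso, static
done
```

Point the functions at your real `~/.aws/config` to list any profile that still embeds `aws_access_key_id` after the SSO migration.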

Test Your Setup

To test the profile, execute the following command: aws sts get-caller-identity --profile profilenameABC. In our case, we used the command:

$ aws sts get-caller-identity --profile PowerUserAccess-00xxxxxxxx56

The output will be:

$ aws sts get-caller-identity --profile PowerUserAccess-00xxxxxxxx56
{
    "UserId": "AROAXXXXXXXXXXXXXUN6N:[email protected]",
    "Account": "00xxxxxxxx56",
    "Arn": "arn:aws:sts::00xxxxxxxx56:assumed-role/AWSReservedSSO_PowerUserAccess_7aXXXXXXXXXXXX17/[email protected]"
}

This use case is based on a blog post from the AWS community. We extend our gratitude to the authors for their valuable insights.

Now, you can enjoy the convenience of managing your AWS CLI access with Okta integration via AWS IAM Identity Center. Say goodbye to manual credential management and embrace the simplicity of SSO integration. Happy coding!