forked from oktadev/okta-aws-cli-assume-role
- Prevent session reuse from CredentialProcess
- Introduce okta-credential-process command
- Provide manpage-like docs

Future work: use [ronn](https://github.com/rtomayko/ronn) to make real man pages at build time

Resolves oktadev#232
Showing 6 changed files with 152 additions and 1 deletion.
@@ -0,0 +1,70 @@ | ||
# okta-credential_process(1) -- Output AWS credentials in JSON format. | ||
|
||
## SYNOPSIS | ||
|
||
okta-credential_process <role ARN> | ||
|
||
## DESCRIPTION | ||
|
||
The okta-credential_process tool allows you to authenticate to Okta and | ||
assume an AWS IAM Role. | ||
|
||
## FIELDS | ||
|
||
"Version" | ||
|
||
The version of the credential_process interface defined by the AWS | ||
CLI docs here: | ||
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html | ||
|
||
"AccessKeyId" | ||
|
||
The AWS IAM (Identity and Access Management) access key ID. | ||
|
||
"SecretAccessKey" | ||
|
||
The AWS IAM secret access key. | ||
|
||
"SessionToken" | ||
|
||
The AWS STS (Security Token Service) session token. | ||
|
||
"Expiration" | ||
|
||
The timestamp at which the credentials will expire in ISO8601 | ||
format. | ||
|
||
## EXAMPLES | ||
|
||
Add something like the following to ~/.aws/config: | ||
```ini | ||
[profile dev] | ||
credential_process = okta-credential_process arn:aws:iam::123456789012:role/ExampleRole | ||
``` | ||
* Replace arn:aws:iam::123456789012:role/ExampleRole with the real IAM | ||
Role ARN (use okta-listroles to see available role ARNs) | ||
|
||
Use the profile as follows: | ||
```bash | ||
aws --profile dev sts get-caller-identity | ||
``` | ||
|
||
This also works with scripts using the AWS SDK for Python (aka boto3). | ||
|
||
```python | ||
import boto3 | ||
dev = boto3.session.Session(profile_name='dev') | ||
s3 = dev.resource('s3') | ||
for bucket in s3.buckets.all(): | ||
print(bucket.name) | ||
``` | ||
|
||
## NOTES | ||
|
||
AWS CLI doesn't cache the credentials, neither does okta-aws-cli. | ||
Credentials will be fetched by AWS CLI every time it runs (irregardless | ||
of expiry) | ||
|
||
# SEE ALSO | ||
|
||
[okta-listroles(1)](okta-listroles.1.md) |
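Review bot: the NOTES section ("AWS CLI doesn't cache the credentials, neither does okta-aws-cli ... irregardless of expiry") is where this commit's own point belongs, but it states it only indirectly: say explicitly that in credential_process mode the tool never reuses a stored STS session and obtains fresh credentials on every invocation, replace "irregardless" with "regardless", and use the tool name the rest of the page uses instead of "okta-aws-cli". Two consistency points: the commit message calls the command `okta-credential-process` (hyphen) while the title, SYNOPSIS and the `credential_process = okta-credential_process arn:...` example use `okta-credential_process` (underscore), so confirm which spelling the installed executable actually has so the `~/.aws/config` example resolves to a real binary; and `# SEE ALSO` is an H1 where every other section (`## SYNOPSIS`, `## DESCRIPTION`, `## FIELDS`, ...) is an H2, so make it `## SEE ALSO`.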
@@ -0,0 +1,67 @@ | ||
# okta-listroles(1) -- Output a list of roles available to assume. | ||
|
||
## SYNOPSIS | ||
|
||
okta-listroles | ||
|
||
## DESCRIPTION | ||
|
||
The okta-listroles tool allows you to authenticate to Okta and list the | ||
roles that are available to be assumed. | ||
|
||
## FIELDS | ||
|
||
"accountName" | ||
|
||
The AWS account name and number the role belongs to. | ||
|
||
"roleOptions" | ||
|
||
A list of roleName and AWS IAM roleArn pairs available without a given account. | ||
|
||
"roleName" | ||
|
||
The name of the AWS IAM Role. | ||
|
||
"roleARN" | ||
|
||
The ARN (Amazon Resource Name) of the AWS IAM Role. | ||
|
||
## EXAMPLES | ||
|
||
Running a command like this: | ||
|
||
okta-listroles | ||
|
||
Will prompt for Okta credentials (or reuse your session) and output | ||
something like this to standard output: | ||
|
||
|
||
[ | ||
{ | ||
"accountName": "Account: example-corp (123456789012)", | ||
"roleOptions": [ | ||
{ | ||
"roleName": "Admin", | ||
"roleArn": "arn:aws:iam::123456789012:role/Admin" | ||
} | ||
] | ||
}, | ||
{ | ||
"accountName": "Account: example-research (654321234567)", | ||
"roleOptions": [ | ||
{ | ||
"roleName": "Admin", | ||
"roleArn": "arn:aws:iam::654321234567:role/Admin" | ||
} | ||
{ | ||
"roleName": "ReadOnly", | ||
"roleArn": "arn:aws:iam::654321234567:role/ReadOnly" | ||
} | ||
] | ||
} | ||
] | ||
|
||
# SEE ALSO | ||
|
||
[okta-credential_process(1)](okta-credential_process.1.md) |
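Review bot: the sample output under EXAMPLES is not valid JSON: the two entries in the second account's `roleOptions` are not separated by a comma (the `}` closing the Admin entry is followed directly by the `{` opening the ReadOnly entry), so anyone comparing their own output against it with a JSON parser gets a parse error; add the comma and fence the block as ```json the way okta-credential_process.1.md fences its examples. The FIELDS section also disagrees with the output it documents: the field is named `"roleARN"` in FIELDS but `"roleArn"` in the JSON, and the `roleOptions` description reads "available without a given account" where "within a given account" is meant. Finally, `# SEE ALSO` should be `## SEE ALSO` to match the other headings.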
80e314a
Java is relatively new to me. I learned a lot going through your classes and I'm still not sure how the switch to environment mode prevents reusing sessions. Excellent progress on the manpage-like documentation. It's very clear and contains the necessary references. Thanks for your work on this, awsprocesscreds came up in a meeting today and folks here are excited to try any alternative we can get our hands on.
Essentially, env mode requires not reusing stored STS session credentials, so it happens to also work for credential_process.
The relationship between env mode and sessions is implicit, which is bad from a clarity perspective. I don’t like what I’ve done here from a clean code perspective and intend to do a major cleanup sprint to clarify the entire codebase early next year.
Sounds great! I'm new to open-source and am looking forward to contributing on this and other projects in the future. My PS scripts were written on the company's dime, but I'll see if they're okay with me sharing them and plan on doing more on my time.