Obtain temporary AWS Creds from your Okta Profile.

Here's an example. All options are required except okta_mfa_method which default to TOTP based notification.

- name: Create AWS profile
  uses: docker:https://ghcr.io/mrchief/aws-creds-okta-action:latest # or a specific tagged version  
  with:
    aws_role_arn: arn:aws:iam::account-id:role/role-name
    okta_username: [email protected]
    okta_password: ${{ secrets.OKTA_PASSWORD }}
    okta_app_url: https://mycompany.okta.com/home/amazon_aws/1234567890abcdefghij/123
    okta_mfa_seed: ${{ secrets.OKTA_MFA_SEED }}

💡 Note You can also use the non docker image version of the action by switching to:

  uses: mrchief/aws-creds-okta-action@<tag|sha|branch>

Once this step runs it'll set the following environment variables for subsequent steps:

AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_SESSION_TOKEN: ***

It also masks the actual values in the logs for added security.

• Currently only supports totp authentication. There are plans to add support for other MFA methods. PRs welcome.
• okta_app_url can be obtained by right clicking the Okta tile for you AWS account. This setup allows for federated login to different AWS accounts.
• okta_password & okta_mfa_seed can be set via environment variables ${{ env.OKTA_MFA_SEED }} although it is not recommended to do so as it can leak secrets. Github repo secrets are the easiest way but if you manage secrets via some other mechanism, you can also use them - these are just normal inputs, you can pass them anything.

You can use this if you're doing all of this:

• you are using Okta for federated logins to AWS accounts
• you have setup Okta MFA with TOTP option (use a time based code, similar to Google Authenticator)
• have one or more AWS apps setup in your Okta apps (see screenshot)

This action uses tokendito tool to generate temporary AWS credentials. The credentials are generated in the home directory of the container and are then exported as environment variables so the subsequent steps can use them seamlessly.

It uses mintotp to generate a totp.

We welcome all kind of contributions, as long as they are not violating our Code of Conduct. You can contribute by:

• reporting a bug (submit one here)
• proposing new feature (submit one here)
• submitting new features or bug fixes (send a PR)

By contributing, you agree that your contributions will be licensed under the project's license

We use Github Flow method so please follow these steps:

• Fork the repo and create your branch from master.
• If you've added code that should be tested, add tests.
• If you've changed APIs, update the documentation.
• Issue that pull request!

NOTE: Ensure that you merge the latest from "upstream" before making a pull request!

Please see CODE_OF_CONDUCT.md

This action is released under Apache License 2.0. Docker container images built in this project include third party materials. See THIRD_PARTY_NOTICE.md for details.