okta-credential_process <role ARN>The okta-credential_process tool allows you to authenticate to Okta and assume an AWS IAM Role.
"Version"
The version of the credential_process interface defined by the AWS
CLI docs here:
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html"AccessKeyId"
The AWS IAM (Identity and Access Management) access key ID."SecretAccessKey"
The AWS IAM secret access key."SessionToken"
The AWS STS (Security Token Service) session token."Expiration"
The timestamp at which the credentials will expire in ISO8601
format. Add something like the following to ~/.aws/config:
[profile dev]
credential_process = okta-credential_process arn:aws:iam::123456789012:role/ExampleRole- Replace arn:aws:iam::123456789012:role/ExampleRole with the real IAM Role ARN (use okta-listroles to see available role ARNs)
Use the profile as follows:
aws --profile dev sts get-caller-identityThis also works with scripts using the AWS SDK for Python (aka boto3).
import boto3
dev = boto3.session.Session(profile_name='dev')
s3 = dev.resource('s3')
for bucket in s3.buckets.all():
print(bucket.name)AWS CLI doesn't cache the credentials, neither does okta-aws-cli. Credentials will be fetched by AWS CLI every time it runs (irregardless of expiry)