AWS - Amazon / Technology · 2020年10月27日

Integrate AWS-OKTA by Python

//if you have only python 3.6:
pip3 install gimme-aws-creds

//if you have several python versions:
python3.6 -m pip install –upgrade gimme-aws-creds

  • Write an AWS login shell script, put it under /usr/local/bin:#!/usr/bin/env bash# you can copy this script into /usr/local/bin/
    # obtain cred by execute “source aws-login <profile> <okta username>”

DEFAULT_PROFILE=’okta’
PROFILE=${1:-$DEFAULT_PROFILE}
USERNAME=$2
echo $PROFILE
REGION=us-east-1
appurl=’https://<your_company_okta_url>’
fi
status=`grep $PROFILE ~/.okta_aws_login_config`
if [ -z “$status” ]; then
account_id=`cat accounts.list | grep $PROFILE | cut -d ” ” -f 1`
echo -e “\nhttps://<company>.okta.com\n\n$appurl\ny\ny\narn:aws:iam::$account_id:role/OWNER\n$USERNAME\n28800\npush\ny\n$PROFILE\n” | gimme-aws-creds -c –profile $PROFILE
gimme-aws-creds –register_device –profile $PROFILE
fi
gimme-aws-creds –profile $PROFILE

ACCESS_KEY_ID=$(aws configure get aws_access_key_id –profile “$PROFILE”)
SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key –profile “$PROFILE”)
SESSION_TOKEN=$(aws configure get aws_session_token –profile “$PROFILE”)

export AWS_ACCESS_KEY_ID=$ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=$SESSION_TOKEN
export AWS_DEFAULT_REGION=$REGION

  • Create file “.okta_aws_login_config” in your home directory.
  • Copy/paste the below content to the file you created above and change the okta_username, change aws_rolename (if other than OWNER), cred_profile (if other than casb-prod).

[casb-prod]
okta_org_url = https://<company>.okta.com
okta_auth_server =
client_id =
gimme_creds_server = appurl
aws_appname =
aws_rolename = arn:aws:iam::<iam_account_num>:role/OWNER
write_aws_creds = True
cred_profile = casb-prod
okta_username = <Your-UserName>
app_url = https://<your_company_okta_url>
resolve_aws_alias = False
preferred_mfa_type = push
remember_device = True
aws_default_duration = 28800
device_token = <device_token>

Note: You can find the aws_rolename by going to Okta page and Click Amazon Web Services.

source aws-login casb-prod

#Output you will see
casb-prod
Using password from keyring for giri.gurung
Multi-factor Authentication required.
Okta Verify App: SmartPhone_Android: SM-G960U1 selected
Okta Verify push sent…
Saving arn:aws:iam::<iam_account_num>:role/OWNER as casb-prod
Written profile casb-prod to /Users/giri.gurung/.aws/credentials

  • To verify if you are authenticated, run the following command.

aws s3 ls

# You should see list of buckets