
m2m configurable iam role session name

Open monde opened this issue 1 year ago • 1 comments

In M2M okta-aws-cli hard codes the IAM role session name to "okta-aws-cli" https://github.com/okta/okta-aws-cli/blob/master/internal/m2mauth/m2mauth.go#L126

Make this customizable for m2m operators to append meta info into the resulting IAM userId.

Current:

eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem` && aws sts get-caller-identity

{
    "UserId": "abcdefg:okta-aws-cli",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}

Something like --aws-iam-role-session-name

eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem --aws-iam-role-session-name="[email protected]"` && aws sts get-caller-identity

{
    "UserId": "abcdefg:[email protected]",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}

Notes from PM:

Or, not overloading the session role name, put the okta client id and application name in as the role session name:

eval `go run cmd/okta-aws-cli/main.go m2m --private-key-file mypk.pem` && aws sts get-caller-identity

{
    "UserId": "abcdefg:0oaa4htg72TNrkTDr1d7-our-oidc-app",
    "Account": "1234",
    "Arn": "arn:aws:sts::1234:assumed-role/S3_Read/okta-aws-cli"
}

monde avatar Jan 29 '24 19:01 monde

In the m2m mode there are only two API calls being made:

  • Get access token from Okta POST /oauth2/{id}/v1/token
  • Present access token from Okta to AWS STS to get temp IAM creds POST /

We don't ever fetch anything from the Okta Management API about the application name or make any kind of information gathering queries to the AWS API other than presenting the Okta Access token. So for m2m the only option that makes sense here is to allow the operator to set the role session name to something meaningful in their runtime.

Currently:

$ okta-aws-cli m2m --format noop --exec -- aws sts get-caller-identity

{
    "UserId": "ABCXYX:okta-aws-cli",
    "Account": "123",
    "Arn": "arn:aws:sts::123:assumed-role/S3_Read/okta-aws-cli"
}

And with the role session name parameter:

$ okta-aws-cli m2m --role-session-name myValue --format noop --exec -- aws sts get-caller-identity

{
    "UserId": "ABCXYX:myValue",
    "Account": "123",
    "Arn": "arn:aws:sts::123:assumed-role/S3_Read/myValue"
}

monde avatar Feb 14 '24 18:02 monde
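As an added example (not code from the okta-aws-cli project): a Go helper showing what a configurable role session name like the --role-session-name flag above has to do before the STS call, namely validate the operator's value against the STS RoleSessionName constraints (2 to 64 characters from [\w+=,.@-]) and fall back to the current hard-coded default, plus a parser that recovers the role and session name from the assumed-role ARN that get-caller-identity reports, which is the value an auditor matches against CloudTrail. Function names and sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// defaultRoleSessionName is the value okta-aws-cli hard codes today (per the issue).
const defaultRoleSessionName = "okta-aws-cli"

// STS constraint on RoleSessionName: 2..64 characters drawn from [\w+=,.@-].
var roleSessionNameRe = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

// ResolveRoleSessionName returns the name to send in AssumeRoleWithWebIdentity.
// An empty operator value keeps the current default; a value STS would reject
// is reported before any network call is made.
func ResolveRoleSessionName(operatorValue string) (string, error) {
	v := strings.TrimSpace(operatorValue)
	if v == "" {
		return defaultRoleSessionName, nil
	}
	if !roleSessionNameRe.MatchString(v) {
		return "", fmt.Errorf("role session name %q: must be 2-64 chars of [A-Za-z0-9_+=,.@-]", v)
	}
	return v, nil
}

// SessionNameFromAssumedRoleARN splits an STS assumed-role ARN such as
// arn:aws:sts::123:assumed-role/S3_Read/myValue into role "S3_Read" and
// session "myValue", the pair that identifies the caller in CloudTrail.
func SessionNameFromAssumedRoleARN(arn string) (role, session string, err error) {
	const prefix = "assumed-role/"
	i := strings.Index(arn, prefix)
	if i < 0 {
		return "", "", errors.New("not an assumed-role ARN: " + arn)
	}
	parts := strings.SplitN(arn[i+len(prefix):], "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", errors.New("malformed assumed-role ARN: " + arn)
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed sample values, not output from a real account.
	name, err := ResolveRoleSessionName("build-job-4711")
	fmt.Println(name, err)
	role, session, err := SessionNameFromAssumedRoleARN("arn:aws:sts::123:assumed-role/S3_Read/myValue")
	fmt.Println(role, session, err)
}
```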