The project on GitHub named okta-aws-cli-assume-role is by far the simplest method I have found.
Setup script
I created this shell script to pull it down and set it up:
$ cat okta_setup.sh
#!/bin/bash
# Wire the AWS CLI to an Okta-backed credential_process profile, install the
# Okta AWS CLI helper into ~/.okta, and write its config.properties.
print_usage() {
echo "Usage: $(basename "$0") -a <aws_account> [-h] -r <aws_role> -u <okta_username>" >&2
}
print_help() {
cat <<EOF
Setup Script for Okta AWS CLI tool
==================================
To Execute:
$(basename "$0") -a <aws_account> -r <aws_role> -u <okta_username>
Parameters:
-a: AWS Account to have setup with Okta
-h: Option to get help
-r: The role to be assumed when logging into AWS
-u: The Okta username to be used to log in
EOF
}
# Parse options; the leading ":" makes getopts report unknown flags as "?".
while getopts ":a:hr:u:" opt; do
case ${opt} in
a )
awsAcct=$OPTARG;;
h )
print_help
exit 0
;;
r ) awsRole=$OPTARG;;
u ) octaUser=$OPTARG;;
\? )
print_usage
exit 1
;;
esac
done
# All three values are required to build the role ARN and profile name.
if [ -z "${awsAcct}" ]; then
echo "AWS Account is required, use the -a option" >&2
exit 2
fi
if [ -z "${awsRole}" ]; then
echo "AWS Role is required, use the -r option" >&2
exit 3
fi
if [ -z "${octaUser}" ]; then
echo "Okta user is required, use the -u option" >&2
exit 4
fi
########################################
### Setup AWS CLI
########################################
echo 'Setting up ~/.aws/config'
echo '------------------------'
echo ''
# Profile "<role>_<account>" gets its credentials from okta-credential_process
# rather than from static keys in ~/.aws/credentials.
aws configure set credential_process "okta-credential_process arn:aws:iam::${awsAcct}:role/${awsRole}" \
--profile "${awsRole}_${awsAcct}"
aws configure set region us-east-1 --profile "${awsRole}_${awsAcct}"
echo ''
echo "Here's the contents..."
echo '----------------------'
cat ~/.aws/config
echo ''
echo ''
########################################
### Setup Okta CLI
########################################
echo 'Setting up Okta CLI'
echo '-------------------'
echo ''
# Upstream installer, pinned to PREFIX=~/.okta; -i installs the JAR and helpers.
PREFIX=~/.okta bash <(curl -fsSL https://raw.githubusercontent.com/slmingol/okta-aws-cli-assume-role/master/bin/install.sh) -i
echo ''
########################################
### Create My config.properties for Okta
########################################
echo 'Setting up Okta CLI config.properties'
echo '-------------------------------------'
echo ''
# Unquoted heredoc so ${octaUser}, ${awsAcct} and ${awsRole} are expanded.
cat << EOF > ~/.okta/config.properties
#OktaAWSCLI
OKTA_ORG=myurl.okta.com
OKTA_AWS_APP_URL=https://myurl.okta.com/...
OKTA_USERNAME=${octaUser}
OKTA_BROWSER_AUTH=false
OKTA_ENV_MODE=true
#OKTA_MFA_CHOICE=GOOGLE.token:software:totp
OKTA_STS_DURATION=43200
OKTA_AWS_REGION=us-east-1
OKTA_AWS_ROLE_TO_ASSUME=arn:aws:iam::${awsAcct}:role/${awsRole}
OKTA_PASSWORD_CMD=lpass show --password mydom.com
#OKTA_PASSWORD_CMD=echo "mypassword"
EOF
echo ''
echo "Here's the contents...."
echo '-----------------------'
cat ~/.okta/config.properties
echo ''
echo ''
Example
When you run this script:
$ ./okta_setup.sh -a 1234567890 -r MySystemsAdminAccess -u smingolelli
Setting up ~/.aws/config
------------------------
Here's the contents...
----------------------
[profile MySystemsAdminAccess_1234567890]
credential_process = okta-credential_process arn:aws:iam::1234567890:role/MySystemsAdminAccess
region = us-east-1
Setting up Okta CLI
-------------------
Installing into ~/.okta
Latest release JAR file: https://github.com/oktadeveloper/okta-aws-cli-assume-role/releases/download/v2.0.4/okta-aws-cli-2.0.4.jar
Fetching JAR file → ~/.okta/okta-aws-cli-2.0.4.jar
Symlinking ~/.okta/okta-aws-cli.jar → okta-aws-cli-2.0.4.jar
Creating example ~/.okta/config.properties
Add the following to ~/.bash_profile or ~/.profile:
#OktaAWSCLI
if [[ -f "$HOME/.okta/bash_functions" ]]; then
. "$HOME/.okta/bash_functions"
fi
if [[ -d "$HOME/.okta/bin" && ":$PATH:" != *":$HOME/.okta/bin:"* ]]; then
PATH="$HOME/.okta/bin:$PATH"
fi
Setting up Okta CLI config.properties
-------------------------------------
Here's the contents....
-----------------------
#OktaAWSCLI
OKTA_ORG=myurl.okta.com
OKTA_AWS_APP_URL=https://myurl.okta.com/......
OKTA_USERNAME=smingolelli
OKTA_BROWSER_AUTH=false
OKTA_ENV_MODE=true
#OKTA_MFA_CHOICE=GOOGLE.token:software:totp
OKTA_STS_DURATION=43200
OKTA_AWS_REGION=us-east-1
OKTA_AWS_ROLE_TO_ASSUME=arn:aws:iam::1234567890:role/MySystemsAdminAccess
OKTA_PASSWORD_CMD=lpass show --password mydom.com
#OKTA_PASSWORD_CMD=echo "mypassword"
What happened?
The above does several things:
- Adds a profile to your AWS CLI config that uses the okta-cli JAR as its credential_process
- Installs and configures okta-cli in the $HOME/.okta directory
- Configures the config.properties file
You will need to add this directory to your $HOME/.bash_profile or $HOME/.bashrc so that it shows up in your $PATH.
if [[ -d "$HOME/.okta/bin" && ":$PATH:" != *":$HOME/.okta/bin:"* ]]; then
PATH="$HOME/.okta/bin:$PATH"
fi
Getting your STS token
With that in place, you can now run AWS CLI commands or Boto3 Python scripts, and they will interactively prompt you to log in to Okta, or do so and retrieve an STS token for you.
$ withokta "env" | grep TOK
AWS_SESSION_TOKEN=FQoGZX................5W4sIwW66bYJn9AEh6XeXO2aGKKrcy+sF
-or-
$ aws --profile MySystemsAdminAccess_1234567890 sts get-caller-identity
{
"UserId": "XXXXXXXXXXXXXXXX:smingolelli",
"Account": "1234567890",
"Arn": "arn:aws:sts::1234567890:assumed-role/MySystemsAdminAccess/smingolelli"
}
Keep in mind that withokta "<cmd>"
can wrap any command that you would like to have use the traditional environment variables:
- AWS_SECRET_ACCESS_KEY
- AWS_ACCESS_KEY_ID
- AWS_SESSION_TOKEN
Above I am calling the aws CLI directly; the way that works is through another helper script included with the Okta CLI, okta-credential_process. This is what gets added to your $HOME/.aws/config file, and it references the AWS role you want to assume. You can run it interactively to get a better look at what the aws CLI receives when it calls it:
$ okta-credential_process arn:aws:iam::1234567890:role/MySystemsAdminAccess
{"Expiration":"2019-09-08T00:49:45.615579Z","Version":1,"SessionToken":"XXXXXXXX","AccessKeyId":"XXXXXXXXXX","SecretAccessKey":"XXXXXXXXXX"}
That payload consists of three components:
- AWS_SECRET_ACCESS_KEY
- AWS_ACCESS_KEY_ID
- AWS_SESSION_TOKEN
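To make the credential_process contract concrete, here is an added example (not code from okta-aws-cli-assume-role or this answer) that validates a payload shaped like the okta-credential_process output above and maps it onto the three environment variables that withokta exports. It checks the fields the AWS CLI requires from any credential_process helper (Version must be 1, plus AccessKeyId and SecretAccessKey), parses Expiration so a caller can refresh before the STS session lapses, and never prints a full secret. The payload, the five-minute skew and the function names are constructed for this example.

```python
"""Validate the JSON a credential_process helper must emit and map it
onto AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN.

Added example; not part of okta-aws-cli-assume-role. The sample payload
below is constructed with placeholder values."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the okta-credential_process output above.
SAMPLE_PAYLOAD = json.dumps({
    "Expiration": "2019-09-08T00:49:45.615579Z",
    "Version": 1,
    "SessionToken": "XXXXXXXX",
    "AccessKeyId": "XXXXXXXXXX",
    "SecretAccessKey": "XXXXXXXXXX",
})

# Fields the AWS CLI/SDKs require from a credential_process helper.
REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey")

# Payload field -> environment variable that withokta "<cmd>" would export.
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_expiration(value):
    """Parse the RFC 3339 Expiration; Python < 3.11 rejects a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_payload(raw):
    """Return the parsed payload or raise ValueError describing the defect."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credential_process did not emit JSON: {exc}") from None
    missing = [key for key in REQUIRED if key not in data]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    if data["Version"] != 1:
        raise ValueError(f"unsupported Version {data['Version']!r}, expected 1")
    if "Expiration" in data:
        parse_expiration(data["Expiration"])  # fail early on a bad timestamp
    return data


def is_expired(data, now=None, skew=timedelta(minutes=5)):
    """True if the session ends within `skew`; payloads without Expiration are static."""
    if "Expiration" not in data:
        return False
    now = now or datetime.now(timezone.utc)
    return parse_expiration(data["Expiration"]) - skew <= now


def to_env(data):
    """Map payload fields onto env vars; SessionToken is absent for static keys."""
    return {env: data[key] for key, env in ENV_MAP.items() if key in data}


if __name__ == "__main__":
    creds = validate_payload(SAMPLE_PAYLOAD)
    print("expired:", is_expired(creds))
    for name, value in to_env(creds).items():
        print(f"{name}={value[:4]}...")  # show only a prefix, never the full secret
```

Run it directly to see the mapping; with the 2019 sample timestamp it reports the credentials as expired, which is exactly the condition under which the AWS CLI would re-invoke okta-credential_process on the next call.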