Merge pull request #213 from okta/pr212_pmgalea_paginate_apps

Paginate apps and better support for non-Admin users

.github/workflows/release.yml

@@ -31,10 +31,10 @@ jobs:
           passphrase: ${{ secrets.PASSPHRASE }}
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3.0.0
+        uses: goreleaser/goreleaser-action@v6.0.0
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           # GitHub sets this automatically

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 2.2.0 (July 3, 2024)
+
+### ENHANCEMENTS
+
+* Seamless support for non-Admin users if OIDC app has `okta.users.read.self` grant [#213](https://github.com/okta/okta-aws-cli/pull/213), thanks [@monde](https://github.com/monde)!
+* Improve README with note about device state in policy [#205](https://github.com/okta/okta-aws-cli/pull/205), thanks [@ramgandhi-okta](https://github.com/ramgandhi-okta)!
+* Correct m2m typo in README [#201](https://github.com/okta/okta-aws-cli/pull/201), thanks [@stefan-lsx](https://github.com/stefan-lsx)!
+
+### BUG FIXES
+
+* Paginating more than 200 apps on `GET /api/v1/apps` not implemented [#212](https://github.com/okta/okta-aws-cli/pull/212), thanks [@pmgalea](https://github.com/pmgalea)!
+* Respect `OKTA_AWSCLI_AWS_REGION` env var value when saving to the profile [#203](https://github.com/okta/okta-aws-cli/pull/203), thanks [@sudolibre](https://github.com/sudolibre)!
+* Default profile value not correctly set to `default` [#200](https://github.com/okta/okta-aws-cli/pull/200), thanks [@mantoine96](https://github.com/mantoine96)!
+
 ## 2.1.2 (February 27, 2024)
 
 ### BUG FIXES

README.md

@@ -11,7 +11,7 @@ other tools accessing the AWS API. There are two primary commands of operation:
 authorization.  `okta-aws-cli web` is native to the Okta Identity Engine and
 its authentication and device authorization flows. `okta-aws-cli web` is not
 compatible with Okta Classic orgs. `okta-aws-cli m2m` makes use of private key
-(OAuth2) authorization and OIDC. 
+(OAuth2) authorization and OIDC.
 
 ```shell
  # *nix, export statements
@@ -20,11 +20,6 @@ export AWS_ACCESS_KEY_ID=ASIAUJHVCS6UQC52NOL7
 export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5T...
 
- # *nix, eval export ENV vars into current shell
-$ eval `okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com` && aws s3 ls
-2018-04-04 11:56:00 test-bucket
-2021-06-10 12:47:11 mah-bucket
-
 rem Windows setx statements
 C:\> okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com
 SETX AWS_ACCESS_KEY_ID ASIAUJHVCS6UQC52NOL7
@@ -92,13 +87,13 @@ authorization at the Okta web site. After that the human returns to the CLI they
 select an identity provider and a role from that IdP.
 
 Web command is an integration that pairs an Okta [OIDC Native
-Application](https://developer.okta.com/blog/2021/11/12/native-sso) with an 
+Application](https://developer.okta.com/blog/2021/11/12/native-sso) with an
 [Okta AWS Federation integration
 application](https://www.okta.com/integrations/aws-account-federation/). In turn
 the Okta AWS Fed app is itself paired with an [AWS IAM identity
 provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create.html).
 The Okta AWS Fed app is SAML based and the Okta AWS CLI interacts with AWS IAM
-using 
+using
 [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html).
 
 `okta-aws-cli web` handles authentication through Okta and presents a SAML
@@ -131,10 +126,9 @@ at `Applications > [the OIDC app] > General Settings > Grant type`.
 
  If [Multiple AWS environments](#multiple-aws-environments) (see below) are to
  be supported by a single OIDC application, the OIDC app must have the
- `okta.apps.read` grant. Apps read and other application grants are configured
- at `Applications > [the OIDC app] > Okta API Scopes` in the Okta Admin UI.
- *NOTE*: the Okta Management API only supports the `okta.apps.read` grant for
- admin users at this time (see ["Non-Admin Users"](#non-admin-users)).
+ `okta.apps.read` grant for admin users and `okta.users.read.self` for non-admin
+ users. Application grants are configured at `Applications > [the OIDC app] >
+ Okta API Scopes` in the Okta Admin UI.
 
 The pairing with the AWS Federation Application is achieved in the Fed app's
 Sign On Settings. These settings are in the Okta Admin UI at `Applications > [the
@@ -156,14 +150,11 @@ URL below. Then follow the directions in that wizard.
 
 #### Multiple AWS environments
 
-**NOTE**: Multiple AWS environments works correctly without extra configuration
-for admin users. See ["Non-Admin Users"](#non-admin-users) for extra
-configuration needed for non-admin users.
-
 To support multiple AWS environments, associate additional AWS Federation
-applications with the OIDC app The OIDC app **must** have the `okta.apps.read`
-grant. The following is an illustration of the association of objects that make
-up this kind of configuration.
+applications with an OIDC app. The OIDC app **must** have the `okta.apps.read`
+grant to support admin users. To support non-admin users the OIDC app **must**
+have the `okta.users.read.self` grant. The following is an illustration of the
+association of objects that make up this kind of configuration.
 
 ![okta-aws-cli supporting multiple AWS environments](./doc/multi-aws-environments.jpg)
 
@@ -174,6 +165,18 @@ up this kind of configuration.
 
 #### Non-Admin Users
 
+The CLI will work for non-admin users if the OIDC Native app is granted the
+`okta.users.read.self` scope. The API endpoint `GET /api/v1/users/me/appLinks`
+is referenced to discover which applications are assigned to the non-admin user.
+
+**IMPORTANT!!!**
+
+Below is a deprecated recommendation for non-admin users. We are leaving it in
+the README for legacy purposes. We are no longer recommending this workaround so
+long as the OIDC app is granted the `okta.users.read.self` scope.
+
+**OLD work around for non-admin users**
+
 Multiple AWS environments requires extra configuration for non-admin users.
 Follow these steps to support non-admin users.
 
@@ -621,7 +624,9 @@ have equivalent policies if not share the same policy. If the AWS Federation
 app has more stringent assurance requirements than the OIDC app a `400 Bad
 Request` API error is likely to occur.
 
-Note: In authentication policy rule of AWS Federation app, **Device State** must be set to **Any** for using Okta AWS CLI. Other options are not supported at this time.
+**NOTE**: In authentication policy rule of AWS Federation app, **Device State**
+must be set to **Any** for using Okta AWS CLI. Other options are not supported
+at this time.
 
 ## Operation
 
@@ -682,12 +687,16 @@ $ eval `okta-aws-cli`
 $ aws s3 ls
 2018-04-04 11:56:00 test-bucket
 2021-06-10 12:47:11 mah-bucket
+
+$ okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com --exec -- aws s3 ls s3://example
+                           PRE aaa/
+2023-03-08 16:01:01          4 a.log
 ```
 
 ### AWS credentials file orientated usage
 
-**NOTE**: example assumes other Okta AWS CLI configuration values have already been
-set by ENV variables or `.env` file.
+**NOTE**: example assumes other Okta AWS CLI configuration values have already
+been set by ENV variables or `.env` file.
 
 ```shell
 $ okta-aws-cli web --oidc-client-id 0oabc --org-domain my-org.okta.com --profile test --format aws-credentials && \
@@ -704,7 +713,10 @@ Wrote profile "test" to /Users/mikemondragon/.aws/credentials
 2018-04-04 11:56:00 test-bucket
 2021-06-10 12:47:11 mah-bucket
 ```
-**NOTE**: Writing to the AWS credentials file will include the `x_security_token_expires` value in RFC3339 format. This allows tools dependent on valid AWS credentials to validate if they are expired or not, and potentially trigger a refresh if needed.
+**NOTE**: Writing to the AWS credentials file will include the
+*`x_security_token_expires` value in RFC3339 format. This allows tools dependent
+*on valid AWS credentials to validate if they are expired or not, and
+*potentially trigger a refresh if needed.
 
 **NOTE**: the Okta AWS CLI will only append to the AWS credentials file. Be sure to
 comment out or remove previous named profiles from the credentials file.

go.mod

@@ -24,7 +24,10 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 )
 
-require golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
+require (
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
+)
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect

go.sum

@@ -39,6 +39,8 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7
 github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
 github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
@@ -437,6 +439,8 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/config/config.go

@@ -40,7 +40,7 @@ func init() {
 
 const (
 	// Version app version
-	Version = "2.1.2"
+	Version = "2.2.0"
 
 	////////////////////////////////////////////////////////////
 	// FORMATS

internal/okta/application.go

@@ -16,8 +16,8 @@
 
 package okta
 
-// Application Okta API application object
-// See: https://developer.okta.com/docs/reference/api/apps/#application-object
+// Application Okta API application object.
+// See: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications
 type Application struct {
 	ID       string `json:"id"`
 	Label    string `json:"label"`
@@ -30,3 +30,11 @@ type Application struct {
 		} `json:"app"`
 	} `json:"settings"`
 }
+
+// ApplicationLink Okta API application link object.
+// See: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listAppLinks
+type ApplicationLink struct {
+	ID    string `json:"appInstanceId"`
+	Label string `json:"label"`
+	Name  string `json:"appName"`
+}