
support for aws-cli credential_process #119

Closed
diegoroccia opened this issue Aug 4, 2023 · 7 comments
Labels
triaged triaged into Okta's Jira backlog v2-headless will be addressed in v2 headless release

Comments


diegoroccia commented Aug 4, 2023

I would like to hook okta-aws-cli into the aws cli as a credential_process. Reference: https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html

This way I can use my aws cli directly without having to run a separate command to get the credentials via okta-aws-cli.

This is how saml2aws implements it:

https://github.com/Versent/saml2aws#using-saml2aws-as-credential-process

So what we would need is a flag --credential-process generating output in the right JSON format, as well as a flag --quiet that blocks the logging from being displayed.

@lw-cchapin

#110

@monde monde added the v2-headless will be addressed in v2 headless release label Aug 29, 2023
Collaborator

monde commented Aug 29, 2023

I was looking at https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html when I originally implemented okta-aws-cli. At the time the okta-aws-cli required user input, so implementing process credentials was not possible because I found the AWS CLI completely swallows stdout/stderr. Since then I think it's possible to run okta-aws-cli without human input if the IdP and Role pre-select flags are used in okta-aws-cli. Also, I'm working on a headless feature for okta-aws-cli so this would be a good time to add process-credentials support.

Collaborator

monde commented Aug 29, 2023

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-642837

@monde monde added the triaged triaged into Okta's Jira backlog label Aug 29, 2023
MikeMondragon-okta pushed a commit that referenced this issue Oct 2, 2023
@jkiang13

I've been using this as a workaround in okta-aws-cli v1.x. It translates the export commands to JSON via awk.

[profile okta-aws-cli-test]
credential_process=/bin/sh -c 'okta-aws-cli --org-domain <org_domain> --oidc-client-id <oidc_client_id> --open-browser true | awk '\''BEGIN {RS = ""} {gsub("\n","\",")sub("export AWS_ACCESS_KEY_ID=","\"AccessKeyId\":\"")sub("export AWS_SECRET_ACCESS_KEY=","\"SecretAccessKey\":\"")sub("export AWS_SESSION_TOKEN=","\"SessionToken\":\"")} {print "{\"Version\":1," $0 "\"}"}'\'''
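As an added example (not code from okta-aws-cli or from the commenter above), the following Python script does the same job as the awk one-liner but handles the cases the one-liner does not: it unquotes values, ignores any non-export line such as banner or log output, JSON-escapes the values instead of pasting them into a string, and exits non-zero when a required field is missing so the AWS CLI reports a failed lookup rather than using partial credentials. It assumes the v1 output shape of one `export NAME=VALUE` line per variable. The `AWS_CREDENTIAL_EXPIRATION` mapping is an assumption (okta-aws-cli v1 is not documented here as emitting it) and the sample values are constructed placeholders, not real credentials.

```python
#!/usr/bin/env python3
"""Translate `export AWS_*=...` lines into the credential_process JSON document.

Added example; not code from okta-aws-cli. Assumes the v1 output shape of
one `export NAME=VALUE` line per variable.
"""
import json
import shlex
import sys

# Environment variable -> credential_process JSON key. Version 1 is the
# only version the AWS SDKs define. Expiration is optional: without it the
# SDK treats the credentials as long-lived and never re-runs the process.
ENV_TO_JSON = {
    "AWS_ACCESS_KEY_ID": "AccessKeyId",
    "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
    "AWS_SESSION_TOKEN": "SessionToken",
    # Assumption: a tool may also export an expiry under the AWS SDK's
    # conventional variable name; okta-aws-cli v1 is not known to do so.
    "AWS_CREDENTIAL_EXPIRATION": "Expiration",
}
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken")


def parse_export_lines(text):
    """Return {ENV_NAME: value} for every `export NAME=VALUE` line.

    Values are unquoted with shlex, so `export X='a b'` and `export X="a b"`
    both yield `a b`; the awk one-liner would keep the quotes. Lines that
    are not export statements (banners, log output) are skipped.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("export "):
            continue
        name, sep, value = line[len("export "):].partition("=")
        if not sep or not name.isidentifier():
            continue
        parts = shlex.split(value)
        env[name] = parts[0] if parts else ""
    return env


def to_process_credentials(text):
    """Build the JSON document the AWS CLI expects from a credential_process.

    Raises ValueError when a required key is missing so the caller can exit
    non-zero; the CLI treats a non-zero exit (or malformed JSON) as a failed
    credential lookup instead of silently using partial credentials.
    """
    env = parse_export_lines(text)
    doc = {"Version": 1}
    for env_name, json_key in ENV_TO_JSON.items():
        if env.get(env_name):
            doc[json_key] = env[env_name]
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError("missing credential fields: " + ", ".join(missing))
    # json.dumps escapes quotes, backslashes and control characters; the awk
    # version copies the raw value into the string unescaped.
    return json.dumps(doc)


def main():
    # Everything written to stdout must be the JSON document and nothing
    # else; any banner or log output from the tool has to go to stderr (or be
    # silenced) or the CLI cannot parse the result.
    try:
        sys.stdout.write(to_process_credentials(sys.stdin.read()))
    except ValueError as exc:
        sys.stderr.write("credential translation failed: %s\n" % exc)
        sys.exit(1)


# Constructed sample of v1-style output; the values are placeholders.
SAMPLE_V1_OUTPUT = """\
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID
export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEBYaDEXAMPLE//////////SESSION+TOKEN=
"""

if __name__ == "__main__":
    main()
```

Wired into a profile it takes the place of the awk stage, with the tool's own output on stderr redirected away so only the JSON reaches the CLI; the script path is hypothetical: `credential_process=/bin/sh -c 'okta-aws-cli --org-domain <org_domain> --oidc-client-id <oidc_client_id> --open-browser true 2>/dev/null | python3 /usr/local/bin/to_process_credentials.py'`. The missing-field check matters because a pipeline that emits `{"Version":1,"AccessKeyId":"",...}` on a failed login is accepted by the CLI as a well-formed answer and produces confusing signature errors downstream instead of a clear credential failure.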

Collaborator

monde commented Jan 18, 2024

Cool workaround on v1 @jkiang13
fwiw, v2 is GA'ing next week and we have a "Process credential provider output as JSON" feature, you can see more in the beta notes:
https://github.com/okta/okta-aws-cli/releases/tag/v2.0.0-beta.6


bitle commented Feb 12, 2024

I tried the most recent v2 version and I'm running into this error message:

okta-aws-cli web --format process-credentials --oidc-client-id <client-id> --org-domain <domain> --aws-acct-fed-app-id <fed-app-id> --open-browser
Error: arguments --aws-iam-idp , --aws-iam-role , and --open-browser must be set for "process-credentials" format

If I follow the answer above to generate process-credentials with awk it works fine.

Collaborator

monde commented Feb 12, 2024

Process credential support is in the v2 release, but it has a bug if you try to combine it with also writing the credential file. That bug is fixed and will be released later this week.

Here's an example of how I run it in my local env:

# ~/.aws/credentials
[default]
credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/My_IdP --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials

I should have closed this issue with the v2 release.

@monde monde closed this as completed Feb 12, 2024