I am using Terraform to configure AWS single sign-on using an AWS IAM identity provider and an Okta SAML app. I am also setting up the AWS CLI with Okta using an OIDC native app. Read my Medium posts for a complete, step-by-step guide:

- https://medium.com/kpmg-uk-engineering/configuring-single-sign-on-for-aws-account-using-iam-identity-provider-and-okta-c996b1486bfd
- https://medium.com/kpmg-uk-engineering/aws-single-sign-on-with-okta-using-terraform-e86da970ca5b
When you integrate your AWS instance with Okta, users can authenticate to one or more AWS accounts with specific IAM roles using single sign-on with SAML. You can import roles from one or more AWS accounts into Okta, assign them to users, and set the duration of the authenticated sessions.
- Configure Okta as the AWS account identity provider
- Create the Okta app for AWS SSO
- Create the AWS IAM identity provider
- Configure the SAML app
- Create an AWS IAM role and add Okta as a trusted source for that role
- Attach the IAM policy to the IAM role
- Create a service account and generate its access keys
- Attach permissions to list IAM roles to the service user account
- Create an Okta group and deploy the Terraform
- Enable API integration for provisioning in the Okta app
- Create an Okta group assignment for the SAML app
- Create an Okta user and add the user to the Okta group
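The "add Okta as a trusted source" step is where the security boundary is set: the role must only be assumable via SAML assertions issued by this specific provider and addressed to the AWS sign-in audience. The following is an added illustration of that trust relationship, not the project's own code; it assumes an `okta_app_saml.sso` resource (with `preconfigured_app = "amazon_aws"`) and an `aws_iam_policy.sso` resource are defined elsewhere, and uses the input variables listed below.

```hcl
# Added example (not the project's own code). Assumes okta_app_saml.sso and
# aws_iam_policy.sso are defined elsewhere in the module.

# Register Okta as a SAML identity provider in the AWS account, using the
# metadata XML that the Okta SAML app exposes.
resource "aws_iam_saml_provider" "sso" {
  name                   = var.aws_iam_identity_provider
  saml_metadata_document = okta_app_saml.sso.metadata
}

# Trust policy: only assertions from this provider, with the AWS sign-in
# audience, may assume the role. Without the SAML:aud condition an assertion
# minted for another service principal could be replayed against AWS.
data "aws_iam_policy_document" "sso_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.sso.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "sso" {
  name               = var.sso_role_name
  assume_role_policy = data.aws_iam_policy_document.sso_trust.json
  # Upper bound on the session Okta can request; 1 hour is an assumed value.
  max_session_duration = 3600
}

# Permissions are granted by attaching a scoped policy, never inline in
# the trust document.
resource "aws_iam_role_policy_attachment" "sso" {
  role       = aws_iam_role.sso.name
  policy_arn = aws_iam_policy.sso.arn
}
```

Because the trust policy references the provider ARN, Terraform creates the provider before the role, and replacing the Okta app's signing certificate (and thus its metadata) updates the provider in place rather than leaving a stale trust.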
| Name | Version |
|---|---|
| terraform | 1.5.1 |
| aws | 5.0 |
| okta | ~> 4.6.1 |
| Name | Version |
|---|---|
| aws | 5.0 |
| okta | ~> 4.6.1 |
No modules.
| Name | Type |
|---|---|
| aws_iam_access_key.sso | resource |
| aws_iam_policy.sso | resource |
| aws_iam_policy.sso_user | resource |
| aws_iam_role.sso | resource |
| aws_iam_role_policy_attachment.sso | resource |
| aws_iam_saml_provider.sso | resource |
| aws_iam_user.sso_user | resource |
| aws_iam_user_policy_attachment.sso | resource |
| okta_app_group_assignment.aws_cli | resource |
| okta_app_group_assignment.sso | resource |
| okta_app_oauth.sso_cli | resource |
| okta_app_oauth_api_scope.sso_cli | resource |
| okta_app_saml.sso | resource |
| okta_app_saml_app_settings.sso | resource |
| okta_group.sso | resource |
| okta_group_memberships.sso_user | resource |
| okta_user.sso | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| api_token | Okta API token | string | n/a | yes |
| aws_account_id | Account ID for AWS | string | n/a | yes |
| aws_iam_identity_provider | IAM identity provider name | string | "aws-sso-okta-test" | no |
| base_url | Base URL for Okta | string | n/a | yes |
| oidc_app_label | OIDC app label | string | "sso-aws-cli" | no |
| org_name | Okta organisation name | string | n/a | yes |
| region | AWS region | string | n/a | yes |
| saml_app_label | SSO Okta app label | string | "aws-sso-test" | no |
| sso_role_name | SSO role name | string | "aws-okta-sso-test" | no |
| sso_user | SSO user name | string | "aws_sso_user" | no |
| Name | Description |
|---|---|
| OKTA_OIDC_CLIENT_ID | AWS CLI OIDC client ID |