
AWS profiles in creds INI file w/ deprecated variables #79

Merged
merged 3 commits into from
Mar 14, 2023

Conversation

monde
Collaborator

@monde monde commented Mar 14, 2023

okta-aws-cli writes AWS creds variables in session token orientation as aws_session_token, aws_access_key_id, aws_secret_access_key. This is done for the given profile of an INI file when running in write aws creds mode. Other tools may still be setting obsolete AWS creds variables (AWS deprecated aws_security_token in November 2014; it is not referred to in any public AWS CLI documentation) that conflict with modern usage. Therefore, instead of ignoring or destroying previous unnecessary values, just comment them out so $ aws [op] [args] executes without error.

Standard behavior: $ okta-aws-cli --write-aws-credentials

Given aws creds

[default]
random                = thing
aws_session_token     = abc
aws_access_key_id     = def
aws_secret_access_key = ghi
aws_security_token    = jkl

Given command $ okta-aws-cli --write-aws-credentials

Creds file will be updated as

[default]
# random                = thing
aws_session_token     = xxx
aws_access_key_id     = yyy
aws_secret_access_key = zzz
# aws_security_token    = jkl

The UX will look something like:

$ okta-aws-cli --oidc-client-id abc123 --org-domain test.oktapreview.com --open-browser --write-aws-credentials
System web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://test.oktapreview.com/activate?user_code=GXZVSBSF

? Choose an IdP: AWS Account Federation (arn:aws:iam::123:saml-provider/Mondragon_AWS_CLI)
? Choose a Role: arn:aws:iam::456:role/MMondragon_S3_Read
WARNING: Commented out "default" profile keys "random", "aws_security_token". Uncomment if third party tools use these values.
Updated profile "default" in credentials file "/Users/user/.aws/credentials".

Legacy supporting behavior: $ okta-aws-cli --write-aws-credentials --legacy-aws-variables

Given aws creds

[default]
random                = thing
aws_session_token     = abc
aws_security_token    = abc
aws_access_key_id     = def
aws_secret_access_key = ghi

Given command $ okta-aws-cli --write-aws-credentials --legacy-aws-variables

Creds file will be updated as

[default]
# random                = thing
aws_session_token     = xxx
aws_security_token    = xxx
aws_access_key_id     = yyy
aws_secret_access_key = zzz

The UX will look something like:

$ okta-aws-cli --oidc-client-id abc123 --org-domain test.oktapreview.com --open-browser --write-aws-credentials --legacy-aws-variables
System web browser will open the following URL to begin Okta device authorization for the AWS CLI

https://test.oktapreview.com/activate?user_code=GXZVSBSF

? Choose an IdP: AWS Account Federation (arn:aws:iam::123:saml-provider/Mondragon_AWS_CLI)
? Choose a Role: arn:aws:iam::456:role/MMondragon_S3_Read
WARNING: Commented out "default" profile keys "random". Uncomment if third party tools use these values.
WARNING: "default" profile includes legacy variable "aws_security_token". Update tools making use of this deprecated value.
Updated profile "default" in credentials file "/Users/user/.aws/credentials".
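The rewrite rule the description lays out, as an added Go sketch that is not the project's code: standard keys in the target profile get the new values, any other key is commented out rather than dropped, and aws_security_token is rewritten (mirroring the session token) only in legacy mode. The function name, the assumption that the standard keys are already present in the profile, and the fixed column width are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// Keys okta-aws-cli owns in a profile; every other key is commented out, not deleted.
var standardKeys = map[string]bool{
	"aws_session_token": true, "aws_access_key_id": true, "aws_secret_access_key": true,
}

// UpdateProfile rewrites the named profile of an INI credentials file: standard keys
// take the values in creds, unknown keys are commented out, and the deprecated
// aws_security_token is rewritten only when legacy is true (otherwise it is commented
// out like any other non-standard key). It returns the new file text, the keys it
// commented out (for the WARNING line), and whether the legacy variable was written.
func UpdateProfile(ini, profile string, creds map[string]string, legacy bool) (string, []string, bool) {
	var out, commented []string
	in, legacyWritten := false, false
	for _, line := range strings.Split(ini, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			in = t == "["+profile+"]" // only the requested profile is touched
			out = append(out, line)
			continue
		}
		if !in || t == "" || strings.HasPrefix(t, "#") || strings.HasPrefix(t, ";") {
			out = append(out, line) // other sections, blanks and comments pass through
			continue
		}
		key := strings.TrimSpace(strings.SplitN(t, "=", 2)[0])
		switch {
		case standardKeys[key]:
			out = append(out, fmt.Sprintf("%-21s = %s", key, creds[key]))
		case key == "aws_security_token" && legacy:
			legacyWritten = true // deprecated name mirrors the session token
			out = append(out, fmt.Sprintf("%-21s = %s", key, creds["aws_session_token"]))
		default:
			commented = append(commented, key) // preserved for third-party tools, not destroyed
			out = append(out, "# "+line)
		}
	}
	return strings.Join(out, "\n"), commented, legacyWritten
}
```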

@MikeMondragon-okta MikeMondragon-okta marked this pull request as draft March 14, 2023 15:23
@monde monde changed the title INI profiles will have any non-standard keys commented out AWS profiles in creds INI file w/ deprecated variables Mar 14, 2023
@monde monde marked this pull request as ready for review March 14, 2023 23:26
@monde monde merged commit 0074d6f into master Mar 14, 2023
@monde monde deleted the aws_creds_file_comments branch March 14, 2023 23:28
@monde monde mentioned this pull request Mar 15, 2023