Describe the bug
Use OKTA_AWS_ROLE_TO_ASSUME to map multiple profiles to their own ARNs
Expected behavior
OKTA_AWS_ROLE_TO_ASSUME should be configurable to say which ARN you are specifying and the name of the profile that ARN should be used under, i.e.
arn:aws:iam::ACCOUNT_ID:role/ROLE-XXYY okta-aws xxyy sts get-caller-identity
Additional context
We use more than 5 AWS accounts and want to have the config.properties pre-set for a default configuration so when a user authenticates/renews their tokens with the profile name, it will pick the role by default instead of being prompted to pick which role to use
ghost changed the title from "OKTA_AWS_ROLE_TO_ASSUME" to "OKTA_AWS_ROLE_TO_ASSUME to allow multiple default ARN values mapped to profile names" on Jul 1, 2019
Can you explain a little more how you would like to see this work? I think with the recent PR merged #331 (soon to be released) where you can specify override files in ~/.okta/config.{profilename}.properties you would be able to put in specific OKTA_AWS_ROLE_TO_ASSUME options in your specific profiles properties file (along with overriding OKTA_AWS_APP_URL to be the URL to your correct AWS account).
My org also has to manage over 5 AWS accounts... 😄
The documentation on how to use OKTA_AWS_ROLE_TO_ASSUME wasn't clear. We ended up figuring out we could use it as a one-liner in a script or with an alias so we can skip the role selection step.
What we ended up doing in our script was:
OKTA_AWS_ROLE_TO_ASSUME="arn:aws:iam::ACCOUNTID:role/ROLENAME" okta-aws PROFILENAME sts get-caller-identity
As an alias:
alias okta-time='OKTA_AWS_ROLE_TO_ASSUME="arn:aws:iam::ACCOUNTID:role/ROLENAME" okta-aws PROFILENAME sts get-caller-identity'
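The one-liner workaround above, generalized as an added example (not code from the okta-aws project or from the commenters): a POSIX shell wrapper that maps each profile name to a default role ARN and refuses a malformed ARN before setting OKTA_AWS_ROLE_TO_ASSUME. The account IDs, role names, profile names and function names are constructed for illustration.

```shell
# Added example: per-profile default role for okta-aws.
# Constructed profile -> role ARN map, one "profile=arn" pair per line.
# The "broken" entry is deliberately malformed (doubled "role:" segment).
ROLE_MAP='dev=arn:aws:iam::111111111111:role/ROLE-DEV
prod=arn:aws:iam::222222222222:role/ROLE-PROD
broken=arn:aws:iam::333333333333:role:role/ROLE-TYPO'

# Succeed only for a well-formed IAM role ARN: 12-digit account ID,
# then "role/" and a name (optionally with a path).
is_role_arn() {
    printf '%s\n' "$1" |
        grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Print the ARN mapped to profile $1.
# Returns 1 if the profile is unmapped, 2 if its ARN is malformed.
role_for_profile() {
    arn=$(printf '%s\n' "$ROLE_MAP" |
        awk -F= -v p="$1" '$1 == p { print substr($0, length(p) + 2); exit }')
    [ -n "$arn" ] || return 1
    is_role_arn "$arn" || return 2
    printf '%s\n' "$arn"
}

# Run okta-aws for a profile with its mapped role preselected, so the
# interactive role prompt is skipped. Fails closed: if no valid ARN is
# mapped, okta-aws is not invoked at all.
okta_profile() {
    profile=$1
    shift
    arn=$(role_for_profile "$profile") || {
        echo "no valid role ARN mapped for profile '$profile'" >&2
        return 1
    }
    OKTA_AWS_ROLE_TO_ASSUME="$arn" okta-aws "$profile" "$@"
}
```

With the functions sourced, `okta_profile dev sts get-caller-identity` runs the same command as the one-liner, with the ARN taken from the map.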