- Log exception when encountering unknown ClientError error while listing AWS account aliases.
- Added handling of Okta authentication status for `MFA_ENROLL` and `LOCKED_OUT`
- Added handling of unknown Okta authentication status
- Formatted code with Python black
- Added region override parameter for write_sts_token method
- Export Profile usage message will not print if using account (-a) argument
- Sorted role options by role name after sorting by account alias
- Fixed exception that would break program when Okta was configured with accounts that did not give Okta permissions to log in
- Fixed exception handling of missing credentials exception for Python 3
- Add parameter `-a, --account` to okta-awscli
  - Filters and lists or chooses AWS roles for account
  - Creates/updates Okta profile and AWS profile named from account
- Add parameter `-w, --write-default` to okta-awscli
  - When authenticating with AWS role, the STS credentials will be written to both the AWS account and default profiles
- Fix input requirement of user credentials when Okta token is still valid
- Fix datetime parsing of expiration date for Okta token
- Better error handling for selection of roles
- Select app specified by `app` field in config if `app` field exists
- Graciously reprompt for role index on bad selection
- Add export flag to print creds to console
- Add reset flag to reset fields in `~/.okta-aws` for current okta-profile
- Stores factor for default okta profiles
- Add usage message when storing credentials in `/.aws/credentials`
- Use system username if `username` not set in `~/.okta-aws` and no username given when prompted
- Display account aliases when prompting for role selection
  - create a `~/.okta-alias-info` file to store account aliases
  - fetch account aliases to display in list of roles
  - cache account aliases in `~/.okta-alias-info` along with time last updated
  - refresh account alias if last updated over a week ago
- Add config option `auto-write-profile` to `~/.okta-aws`
  - if "True" and no `--profile` specified, will write aws creds to profile named for the account alias for the chosen role
    - if account alias for the chosen role is unknown, will write to `default` aws profile
  - modifies existing functionality if `--profile` specified
    - will write to the specified profile unless `--export` flag set
    - if `--export` flag set, will not write aws creds, will only display to console
  - defaults to "False" to maintain existing functionality if option not set
- Add config option `store-role` to `~/.okta-aws`
  - if "False", will not store role upon selection for the chosen `okta-profile`
  - Will use `role` if already defined for the chosen `okta-profile`
  - defaults to "True" to maintain existing functionality if option not set
- Add config option `check-valid-creds` to `~/.okta-aws`
  - if "False", will skip making sure credentials are valid and automatically get new credentials
  - if "True", will refresh credentials only if `--profile` and `--force` are both specified
  - Defaults to True to maintain existing behavior
- Cache okta session id to avoid re-authenticating with Okta when switching token
  - stores session id and expiration timestamp in `~/.okta-token`
  - if session id is expired, will re-authenticate
- Add config option `session-duration` to `~/.okta-aws`
  - takes in session duration in seconds
  - to be valid, must be between 3600 and 43200 (1 hour to 12 hours)
  - if invalid or not specified, defaults to 3600 (1 hour)
- Add config option `region` to `~/.okta-aws`
  - specifies the region to access resources in
  - defaults to `us-east-1`
- Exports `aws_security_token` variable as well in order to support `boto` library calls
- Update RESUME
- Travis CI builds to run linting tests for branches and PRs.
- Python3 Compatibility issues.
- Python3 Compatibility. (#38)
- Issue where secondary auth would fail when only a single factor is enrolled for the user. (#27)
- Ability to store MFA factor choice in `~/.okta-aws`. (#3)
- Flag to output the version.
- Ability to store AWS Role choice in `~/.okta-aws`. (#4)
- Ability to pass in TOTP token as a command-line argument. (#13)
- Support for MFA push notifications. Thanks Justin! (#10)
- Support for caching credentials to use in other sessions. Thanks Justin! (#6, #7)
- Issue #14. Fixed a bug where okta-awscli wasn't connecting to the STS API endpoint in us-gov-west-1 when trying to obtain credential for GovCloud.
- Improved sorting in the app list to be more consistent. Thanks Justin!
- Cleaned up README to improve clarity. Thanks Justin!
- Issue #8. Another pass at trying to fix the MFA list. Factor chosen was being pulled from list which included unsupported factors.
- This CHANGELOG!
- Issue #1. Bug where MFA factor selected isn't always the one passed to Okta for verification.
- Prompts for a username and password if omitted from `.okta-aws`
- Spelling fix
- Change `--okta_profile` flag to be `--okta-profile` instead.
- Support for flag to force new credentials.
- Handles no profile provided.
- Handles no awscli args provided (authenticate only).
- Initial release. Updated for PyPi.