
Federated Identity: AWS Account Federation using Okta

Tags: iam, okta, aws

Intro

In this post I’ll describe the steps I performed to allow a user managed in Okta to access AWS through identity federation.

Configure Okta as an AWS account identity provider


Create a new “AWS Account Federation” application

First, I created a new application (by going to Applications and clicking Add Application in the Classic UI).

Next, I searched and added the AWS Account Federation application.

I went with the default name AWS Account Federation and selected SAML 2.0 as the sign on method.

Add the “AWS Account Federation” app - General Settings

Add the “AWS Account Federation” app - Sign-on Options

Okta - Download Identity Provider metadata

After creating the application, I downloaded the Identity Provider metadata - available on the Sign On tab.

AWS - Create the Okta Identity Provider

In AWS, I went to the IAM service, selected Identity providers, then created a provider of type SAML using the metadata file downloaded from Okta.

After creating it, I noted down the Provider ARN (which will be in the format arn:aws:iam::<account>:saml-provider/Okta).

AWS - Add Okta as a trusted source for AWS roles


Next, I created a role with the following details (a SAML 2.0 federation role trusting the Okta provider created above), and attached the AmazonEC2ReadOnlyAccess managed policy, which, as the name suggests, allows read-only access to AWS EC2.

In the last step, I provided the role name OktaDeveloper.

After the role was created, Okta became a trusted entity of that role. The documentation mentions updating the role's trust policy; at this stage, however, the policy looked fine to me, so I did not make any changes.
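The trust policy that makes Okta a trusted entity is not shown in the post; below is an added example, not the post's own code, of what a SAML federation role trust policy looks like together with a small check that a role such as OktaDeveloper trusts only the Okta provider through sts:AssumeRoleWithSAML and pins the SAML audience. The account id and provider ARN are constructed placeholders.

```python
# Added example (not from the original post). Account id and ARN are constructed
# placeholders; the real ARN has the format arn:aws:iam::<account>:saml-provider/Okta.
OKTA_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Okta"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Shape of the trust policy AWS attaches to a "SAML 2.0 federation" role.
OKTA_DEVELOPER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": OKTA_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }
    ],
}

# Same policy with the audience condition dropped: sign-in still works, but the
# assertion is no longer pinned to the AWS sign-in endpoint.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Federated": OKTA_PROVIDER_ARN},
                   "Action": "sts:AssumeRoleWithSAML"}],
}


def check_saml_trust_policy(policy, expected_provider_arn):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        for action in actions:
            if action != "sts:AssumeRoleWithSAML":
                # e.g. sts:AssumeRole or sts:* widens how the role can be assumed
                findings.append(f"statement {i}: unexpected action {action}")
                continue
            if federated != expected_provider_arn:
                findings.append(f"statement {i}: principal {federated!r} is not the expected provider")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append(f"statement {i}: SAML:aud condition missing or wrong ({aud!r})")
    return findings
```

Run the check against the trust policy shown on the role's Trust relationships tab to confirm it matches the provider ARN you noted down.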

AWS - Generate the AWS API access key

Create the OktaMasterAccountPolicy IAM Policy


I created an IAM policy named OktaMasterAccountPolicy with the following JSON content, which allows Okta to dynamically fetch the list of available roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListAccountAliases"
            ],
            "Resource": "*"
        }
    ]
}

Create the OktaSSOuser IAM User

Next, I created a new IAM user, OktaSSOuser, with programmatic access, attached the policy created in the previous step, and copied the access key and secret key.

Okta - Configure the Amazon Web Services app


Sign On

In the Sign On tab I entered the Identity Provider ARN noted down earlier and saved.

Provisioning

In the Provisioning tab I provided the access key and secret key obtained in the previous step, then tested and saved the configuration.

After saving, the Provisioning tab reloaded, and I checked the Create Users checkbox, then saved the configuration once more.

Okta - Create a group

Next, I accessed Directory -> Groups, and created a group called AWSDeveloper.

Associate the application

I used Manage Apps to associate the AWS Account Federation application with the group.

Add users

I added users to the group using Manage People.

Log into AWS using Okta

I logged into Okta as a user added to the AWSDeveloper group, then opened the AWS Account Federation application.

Access AWS EC2

As I had attached the AmazonEC2ReadOnlyAccess policy to the OktaDeveloper role, I confirmed having access to the EC2 dashboard.

The username format shown in AWS is OktaDeveloper/<email>, i.e. the role name followed by the federated user's email.

Access AWS S3

Unsurprisingly, the S3 dashboard is not accessible, as the OktaDeveloper role only has EC2 read-only permissions.

Conclusion

This configuration required many steps; extending it, however, is easier.

Additional policies could be attached to the OktaDeveloper role.

A new AWS IAM role could be created in the same way as OktaDeveloper, and an Okta group could be associated with it.

New users could be added in Okta and assigned to one group or another, based on the permissions they are supposed to have.