- `.pre-commit-config.yaml` with the org-standard hooks (universal pre-commit-hooks set, yamllint/yamlfmt, mdformat, isort, black, mypy, pylint) and a single consolidated `PR check` workflow that runs pre-commit then tox on every PR.
- Supporting configs: `.yamllint.yml`, `mypy.ini`, `pylintrc`.
- Removed the unused `six` dependency from `requirements.txt`, `setup.py`, and `oktaawscli/aws_auth.py`. `setup.py` now imports `__version__` directly from `oktaawscli.version` instead of exec-ing the source file.
- Five legacy multi-line log strings in `aws_auth.py` and `okta_auth.py` are now single-line messages; the prior triple-quoted and backslash-continued forms were leaking embedded indentation into the user-visible output. Log content is otherwise unchanged.
- Version bump only. Republish of 0.4.13 — the 0.4.13 deploy build failed with HTTP 409 from CodeArtifact because that version had already been published from an earlier in-PR build.
- Cross-process file locking and atomic-rename writes for `~/.aws/credentials`, `~/.okta-aws`, and `~/.okta-alias-info`. Multiple `okta-awscli` processes can now run in parallel against the same dotfiles without clobbering each other. `OktaAuth.primary_auth` now acquires a 300-second lock around the Okta authentication flow. Parallel runs serialize through a single MFA prompt; the rest pick up the freshly-cached session and skip auth entirely.
- Okta API error responses (`errorCode` dicts) surface as a one-line exit message with the error code and id, instead of `TypeError: string indices must be integers, not 'str'`.
- Okta rate-limit responses (`errorCode: E0000047`) are retried with proportional-jitter exponential backoff (up to 5 attempts, ~62s worst case).
- `~/.okta-token` is written atomically; partial-file corruption from a process killed mid-write no longer breaks the cached-session reader path.
- `filelock.Timeout` from the locking helpers is caught at the CLI entry point and surfaces as a one-line error message instead of a stack trace.
- Latent `NoSectionError` in `copy_to_default` (raised against a credentials file with a populated source profile but no pre-existing `[default]` section) is fixed.
- `oktaawscli/_locking.py` exposing `locked(path, timeout=...)` and `atomic_write(path)` primitives, plus `LOCK_TIMEOUT_SECONDS` (60s default) and `INTERACTIVE_LOCK_TIMEOUT_SECONDS` (300s for auth flow) constants.
- `tox.ini` and a `tests/` unittest-based test suite covering the locking, atomic-write, merge-on-write, and rate-limit behaviors.
- `filelock` runtime dependency.
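An added illustration of the two primitives this entry names, written for this changelog edit with the standard library's `fcntl.flock` and `os.replace` rather than being the project's `filelock`-based `_locking.py`; `demo()` is a constructed scenario showing that a writer killed mid-write leaves the previous credentials file intact and no temp file behind.

```python
import contextlib
import fcntl  # POSIX-only advisory locks; the filelock package is the portable equivalent
import os
import tempfile
import time

@contextlib.contextmanager
def locked(path, timeout=60.0):
    """Exclusive cross-process advisory lock on <path>.lock; polls with LOCK_NB so it can time out."""
    fd = os.open(str(path) + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    deadline = time.monotonic() + timeout
    try:
        while True:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                break
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    raise TimeoutError(f"lock on {path} not acquired within {timeout}s")
                time.sleep(0.05)
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the flock

@contextlib.contextmanager
def atomic_write(path):
    """Write a 0600 temp file beside the target, fsync, os.replace() it in; failure removes the temp."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            yield fh
            fh.flush()
            os.fsync(fd)
        os.replace(tmp, path)  # atomic rename: readers see the old or the new file, never a torn one
    except BaseException:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(tmp)
        raise

def demo():  # constructed scenario: one complete write, then a writer killed mid-write
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with locked(path), atomic_write(path) as fh:
            fh.write("[default]\naws_access_key_id = EXAMPLEKEYID\n")
        with contextlib.suppress(RuntimeError):
            with locked(path), atomic_write(path) as fh:
                fh.write("[default]\naws_access_key_id = HALF")
                raise RuntimeError("simulated kill mid-write")
        with open(path) as fh:
            return fh.read(), [n for n in os.listdir(d) if n.startswith(".tmp-")]
```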
- Log the exception when an unknown `ClientError` is encountered while listing AWS account aliases.
- Added handling of Okta authentication status for `MFA_ENROLL` and `LOCKED_OUT`
- Added handling of unknown Okta authentication status
- Formatted code with Python black
- Added region override parameter for write_sts_token method
- Export Profile usage message will not print if using the account (`-a`) argument
- Sorted role options by role name after sorting by account alias
- Fixed an exception that would crash the program when Okta was configured with accounts that had not granted Okta permission to log in
- Fixed handling of the missing-credentials exception on Python 3
- Add parameter `-a, --account` to okta-awscli
  - Filters and lists or chooses AWS roles for the account
  - Creates/updates an Okta profile and an AWS profile named from the account
- Add parameter `-w, --write-default` to okta-awscli
  - When authenticating with an AWS role, the STS credentials will be written to both the AWS account and default profiles
- Fix input requirement of user credentials when Okta token is still valid
- Fix datetime parsing of expiration date for Okta token
- Better error handling for selection of roles
- Select the app specified by the `app` field in config if the `app` field exists
- Gracefully reprompt for role index on bad selection
- Add export flag to print creds to console
- Add reset flag to reset fields in `~/.okta-aws` for the current okta-profile
- Stores factor for default okta profiles
- Add usage message when storing credentials in `~/.aws/credentials`
- Use system username if `username` not set in `~/.okta-aws` and no username given when prompted
- Display account aliases when prompting for role selection
- create a `~/.okta-alias-info` file to store account aliases
- fetch account aliases to display in list of roles
- cache account aliases in `~/.okta-alias-info` along with time last updated
- refresh account alias if last updated over a week ago
- Add config option `auto-write-profile` to `~/.okta-aws`
  - if "True" and no `--profile` specified, will write aws creds to the profile named for the account alias of the chosen role
  - if the account alias for the chosen role is unknown, will write to the `default` aws profile
  - modifies existing functionality if `--profile` specified: will write to the specified profile unless the `--export` flag is set
  - if the `--export` flag is set, will not write aws creds, will only display to console
  - defaults to "False" to maintain existing functionality if option not set
- Add config option `store-role` to `~/.okta-aws`
  - if "False", will not store role upon selection for the chosen `okta-profile`
  - will use `role` if already defined for the chosen `okta-profile`
  - defaults to "True" to maintain existing functionality if option not set
- Add config option `check-valid-creds` to `~/.okta-aws`
  - if "False", will skip making sure credentials are valid and automatically get new credentials
  - if "True", will refresh credentials only if `--profile` and `--force` are both specified
  - defaults to "True" to maintain existing behavior
- Cache Okta session id to avoid re-authenticating with Okta when switching token
  - stores session id and expiration timestamp in `~/.okta-token`
  - if the session id is expired, will re-authenticate
- Add config option `session-duration` to `~/.okta-aws`
  - takes in session duration in seconds
  - to be valid, must be between 3600 and 43200 (1 hour to 12 hours)
  - if invalid or not specified, defaults to 3600 (1 hour)
- Add config option `region` to `~/.okta-aws`
  - specifies the region to access resources in
  - defaults to `us-east-1`
- Exports the `aws_security_token` variable as well in order to support `boto` library calls
- Update README
- Travis CI builds to run linting tests for branches and PRs.
- Python3 Compatibility issues.
- Python3 Compatibility. (#38)
- Issue where secondary auth would fail when only a single factor is enrolled for the user. (#27)
- Ability to store MFA factor choice in `~/.okta-aws`. (#3)
- Flag to output the version.
- Ability to store AWS Role choice in `~/.okta-aws`. (#4)
- Ability to pass in TOTP token as a command-line argument. (#13)
- Support for MFA push notifications. Thanks Justin! (#10)
- Support for caching credentials to use in other sessions. Thanks Justin! (#6, #7)
- Issue #14. Fixed a bug where okta-awscli wasn't connecting to the STS API endpoint in us-gov-west-1 when trying to obtain credentials for GovCloud.
- Improved sorting in the app list to be more consistent. Thanks Justin!
- Cleaned up README to improve clarity. Thanks Justin!
- Issue #8. Another pass at trying to fix the MFA list. Factor chosen was being pulled from list which included unsupported factors.
- This CHANGELOG!
- Issue #1. Bug where MFA factor selected isn't always the one passed to Okta for verification.
- Prompts for a username and password if omitted from `.okta-aws`
- Spelling fix
- Change `--okta_profile` flag to be `--okta-profile` instead.
- Support for flag to force new credentials.
- Handles no profile provided.
- Handles no awscli args provided (authenticate only).
- Initial release. Updated for PyPi.