    def _get_app_roles(self):
        """Authenticate to Okta and return the AWS roles offered by the SAML assertion.

        Builds an ``Okta`` client from the ``AWS_OKTA_*`` configuration
        entries (the password comes from ``self._authenticate.get_pass()``),
        resolves the AWS application URL (configured value, or an interactive
        choice from ``okta.get_applications()``), fetches the SAML response
        for it and extracts the assertion and the AWS roles it carries.

        Returns:
            A 5-tuple ``(aws_roles, saml_assertion, application_url,
            okta.user_name, okta.organization)``.

        Side effects:
            Blanks ``AWS_OKTA_USER`` and ``AWS_OKTA_PASS`` in the configuration
            once the Okta client has been constructed, so the credentials are
            not retained there past this point.
        """
        config = self._configuration

        okta = Okta(
            user_name=config["AWS_OKTA_USER"],
            user_pass=self._authenticate.get_pass(),
            organization=config["AWS_OKTA_ORGANIZATION"],
            factor=config["AWS_OKTA_FACTOR"],
            silent=config["AWS_OKTA_SILENT"],
            no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"])

        # The Okta client now holds what it needs; scrub the user name and
        # password out of the shared configuration mapping.
        config["AWS_OKTA_USER"] = ''
        config["AWS_OKTA_PASS"] = ''

        application_url = config["AWS_OKTA_APPLICATION"]
        if not application_url:
            # NOTE(review): the configured value is falsy in this branch, so
            # ``key`` carries no preselection — confirm prompt.get_item's
            # handling of a falsy key.
            application_url = prompt.get_item(
                items=okta.get_applications(),
                label="AWS application",
                key=config["AWS_OKTA_APPLICATION"])

        saml_response = okta.get_saml_response(application_url=application_url)
        saml_assertion = saml.get_saml_assertion(saml_response=saml_response)

        # Optional account-alias filter narrows the role list; absent means
        # no filtering (None is passed through).
        aws_roles = saml.get_aws_roles(
            saml_assertion=saml_assertion,
            accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None))

        return (aws_roles, saml_assertion, application_url,
                okta.user_name, okta.organization)
    def test_okta_get_applications(self, mock_print_tty, mock_makedirs,
                                   mock_open, mock_chmod):
        """``Okta.get_applications`` maps app labels to their link URLs, in order.

        The three Okta endpoints the client is expected to hit (authn,
        sessions, appLinks) are stubbed with ``responses`` so no network
        traffic leaves the test; the ``mock_*`` arguments are presumably
        injected by patch decorators outside this listing — confirm.
        ``user_pass`` is a placeholder string, not a real secret.
        """
        stubbed_endpoints = (
            (responses.POST,
             'https://organization.okta.com/api/v1/authn',
             AUTH_TOKEN_RESPONSE),
            (responses.POST,
             'https://organization.okta.com/api/v1/sessions',
             SESSION_RESPONSE),
            (responses.GET,
             'https://organization.okta.com/api/v1/users/me/appLinks',
             APPLICATIONS_RESPONSE),
        )
        for http_method, url, payload in stubbed_endpoints:
            responses.add(http_method, url, json=json.loads(payload))

        okta = Okta(user_name="user_name",
                    user_pass="******",
                    organization="organization.okta.com")

        actual = okta.get_applications()

        # OrderedDict: the comparison also checks that the ordering of the
        # appLinks response is preserved.
        expected = OrderedDict()
        expected['AWS'] = (
            'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/270')
        expected['AWS GOV'] = (
            'https://organization.okta.com/home/amazon_aws/0oa3omz2i9XRNSRIHBZO/272')

        self.assertEqual(actual, expected)
    def _get_credentials(self):
        """Authenticate through Okta, choose an AWS role and assume it via STS.

        Flow: build an STS client with blank static keys, create an ``Okta``
        client from the ``AWS_OKTA_*`` configuration (password from
        ``self._authenticate.get_pass()``), resolve the application URL
        (configured or prompted), fetch the SAML assertion, let the user pick
        a role (or use ``AWS_OKTA_ROLE``), and call
        ``assume_role_with_saml`` for ``AWS_OKTA_DURATION`` seconds.

        Returns:
            The raw ``assume_role_with_saml`` response dict, with
            ``response['Credentials']['Expiration']`` rewritten as an ISO 8601
            string whose ``+00:00`` offset is rendered as ``Z``.

        Side effects:
            Blanks ``AWS_OKTA_USER`` and ``AWS_OKTA_PASS`` in the configuration
            after the Okta client is built; prints the selected role ARN via
            ``print_tty`` unless ``AWS_OKTA_SILENT`` is set.
        """
        config = self._configuration

        # Do NOT load credentials from ENV or ~/.aws/credentials: blank keys
        # keep the SDK's default credential chain out of this call, so the
        # STS request is not signed with whatever AWS identity happens to be
        # in the environment.
        sts = boto3.client(
            'sts',
            aws_access_key_id='',
            aws_secret_access_key='',
            aws_session_token='',
            region_name=config["AWS_OKTA_REGION"])

        okta = Okta(
            user_name=config["AWS_OKTA_USER"],
            user_pass=self._authenticate.get_pass(),
            organization=config["AWS_OKTA_ORGANIZATION"],
            factor=config["AWS_OKTA_FACTOR"],
            silent=config["AWS_OKTA_SILENT"],
            no_okta_cache=config["AWS_OKTA_NO_OKTA_CACHE"])

        # Scrub the user name and password from the shared configuration as
        # soon as the Okta client has them.
        config["AWS_OKTA_USER"] = ''
        config["AWS_OKTA_PASS"] = ''

        application_url = config["AWS_OKTA_APPLICATION"]
        if not application_url:
            # NOTE(review): the configured value is falsy here, so ``key``
            # carries no preselection — confirm prompt.get_item's handling.
            application_url = prompt.get_item(
                items=okta.get_applications(),
                label="AWS application",
                key=config["AWS_OKTA_APPLICATION"])

        saml_response = okta.get_saml_response(application_url=application_url)
        saml_assertion = saml.get_saml_assertion(saml_response=saml_response)

        # Optional account-alias filter; None means no filtering.
        aws_roles = saml.get_aws_roles(
            saml_assertion=saml_assertion,
            accounts_filter=config.get('AWS_OKTA_ACCOUNT_ALIAS', None))

        aws_role = prompt.get_item(
            items=aws_roles,
            label="AWS Role",
            key=config["AWS_OKTA_ROLE"])

        print_tty("Role: {}".format(aws_role.role_arn),
                  silent=config["AWS_OKTA_SILENT"])

        # The SAML assertion is the only credential on this call; the blank
        # STS keys above are intentional.
        response = sts.assume_role_with_saml(
            RoleArn=aws_role.role_arn,
            PrincipalArn=aws_role.principal_arn,
            SAMLAssertion=saml_assertion,
            DurationSeconds=int(config["AWS_OKTA_DURATION"]))

        # Normalise the expiry timestamp in place: ISO 8601 with "Z" for UTC.
        # Assumes the SDK returns a tz-aware UTC datetime here — confirm.
        credentials = response['Credentials']
        credentials['Expiration'] = (
            credentials['Expiration'].isoformat().replace("+00:00", "Z"))

        return response