CloudFormation Authentication

Hi All -
About a year ago I asked the following: AWS Template Okta Authentication

My cloud team has been asking questions on this again.

From a high level, here is how they would like it to work. We use something like saml2aws (http://thebluenode.com/use-saml2aws-log-aws-via-single-sign-sso-use-aws-cli) and Okta, where we specify an ID/password. saml2aws will create a profile on the Octopus server.

While calling, say, the CloudFormation step template, instead of passing in AWS credentials we would pass in a profile name. Octopus would use that profile to get the credentials to be used in AWS.

As of now most, if not all, of the CLI commands support passing in --profile, which is used over the key/secret.

If this is not clear or there are questions, please let me know.

Hi!

Can I clarify, is your wish to have per-user authentication with AWS? As in the person executing the deployment would supply the password?

To help us understand, what is the benefit to you of the approach you describe?

It’s very possible I’ve misunderstood, but it seems like using Okta would be more for a user interactive session, rather than a service like Octopus which would typically use a service account.

Basically, my company wants to get away from the use of Key/Secret as much as possible for security reasons.

So as a user, I log into AWS using saml2aws with my ID and password, which authenticates to the domain and creates a temporary key/secret on my machine which can be used.

What they are looking for are additional ways to authenticate from Octopus into AWS without using a key/secret.

One such thought was to have a “pre” step which will automatically pass a pid/password on the Octopus server to generate the key/secret, and then use --profile to use those credentials.

If there are other ways of doing this I think we are open to that. But from what I can tell, all of the built-in AWS templates are looking for the use of a key/secret.

Make sense?
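The “pre” step described in the last two posts, as an added example that is not part of this thread or of Octopus's own code: a small check that decides whether a named profile's temporary credentials are still usable before a step runs with --profile, and refuses any profile that holds long-lived keys instead of a session token. It assumes the standard ~/.aws/credentials INI layout and that saml2aws records the expiry under x_security_token_expires; the credentials file content and the clock value are constructed.

```python
"""Pre-step helper: decide whether a named AWS profile still holds usable
temporary credentials before an Octopus step uses --profile."""
import configparser
from datetime import datetime, timedelta, timezone

# Key saml2aws writes next to the temporary keys (an assumption about its file format).
EXPIRY_KEY = "x_security_token_expires"

# Constructed sample of a ~/.aws/credentials file; all values are placeholders.
SAMPLE_CREDENTIALS = """
[okta-dev]
aws_access_key_id = ASIAEXAMPLEDEV000000
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
x_security_token_expires = 2024-05-01T12:00:00Z

[okta-prod]
aws_access_key_id = ASIAEXAMPLEPROD00000
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
x_security_token_expires = 2024-05-01T09:10:00Z

[legacy]
aws_access_key_id = AKIAEXAMPLELEGACY000
aws_secret_access_key = EXAMPLESECRET
"""
SAMPLE_NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

def classify_profile(credentials_text, profile, now, margin=timedelta(minutes=15)):
    """Return 'missing', 'static-keys', 'expired' or 'valid' for the named profile."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    if not cfg.has_section(profile):
        return "missing"
    section = cfg[profile]
    if "aws_session_token" not in section:
        # No session token means a long-lived IAM user key, the credential type to avoid.
        return "static-keys"
    expires_raw = section.get(EXPIRY_KEY)
    if expires_raw is None:
        return "expired"  # no expiry recorded: treat as stale and refresh
    expires = datetime.fromisoformat(expires_raw.replace("Z", "+00:00"))
    return "expired" if expires - now < margin else "valid"

def needs_refresh(credentials_text, profile, now=None):
    """True when the pre-step must run saml2aws login again; refuses static keys."""
    state = classify_profile(credentials_text, profile, now or datetime.now(timezone.utc))
    if state == "static-keys":
        raise ValueError(f"profile {profile!r} holds long-lived keys; refusing to use it")
    return state != "valid"
```

The margin forces a refresh shortly before expiry so a long CloudFormation deployment does not lose its session midway.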