Your organization may have Okta set up as a SAML Connection to an AWS Account. As a result, you may find yourself needing to download an S3 object from within your CLI.
First, you will need to install the following tools:
- saml2aws
- awscli
How you install them depends on your OS (Windows or Mac).
On Windows, first install the Chocolatey package manager. To do so, open PowerShell as Administrator and follow the Chocolatey install guide below:
Copy and paste the following into the PowerShell window that is running as Administrator:
Set-ExecutionPolicy RemoteSigned
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
After the install succeeds, close the window, re-open PowerShell as your normal user account, and run the following choco commands:
choco install saml2aws
choco install awscli
Afterwards, enable your PowerShell profile; see the following for instructions:
Once you have a $PROFILE, open it with:
notepad $PROFILE
There you can add aliases and functions to help you with saml2aws.
On Mac, first install Homebrew (also called Brew; they are the same thing) using the following guide:
After you have installed Brew, run the following commands in a terminal of your choosing to have brew install the required tools:
brew install saml2aws
brew install awscli
After you have installed the tools, you can use the following to log in to an AWS account and create a local profile:
# $1 is the account name passed to your shell function; URL, USER,
# ACCOUNT_NUMBER and ROLE are shell variables you set beforehand.
saml2aws configure \
--idp-provider=Okta \
--idp-account=$1 \
--url=${URL} \
--mfa=OKTA \
--username=${USER} \
--profile=$1 \
--role=arn:aws:iam::${ACCOUNT_NUMBER}:role/${ROLE}
And then finally log in with (these are separate commands, not one continued line):
saml2aws login --force --skip-prompt --idp-account="$1"
# Drop any static credentials that would otherwise take precedence over the profile.
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
export AWS_PROFILE=$1
This unsets any previous static credentials and exports the new profile that saml2aws wrote to ~/.aws/config (or \.aws\config under your user profile on Windows), depending on your OS.
Some companies provide profile alias commands that let you switch between multiple accounts at any time; you can put these in your shell profile on Linux, Mac, or Windows, provided your paths are set correctly.
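As an added example (not part of the original post), here is a profile-switching helper of the kind those alias commands provide, written for a Mac or Linux shell profile such as ~/.bashrc or ~/.zshrc. It assumes saml2aws has already written a [profile NAME] section to the AWS config file, reads the config path from AWS_CONFIG_FILE when that is set (the override the AWS CLI itself honours) and otherwise from ~/.aws/config; the function names aws_config_path, aws_list_profiles, aws_use and aws_login are my own. Unlike a plain alias, aws_use refuses a profile name that is not in the config file, so a typo cannot leave you silently working against the previous account, and it clears any static keys and session token first so they cannot shadow the profile you asked for.

```shell
#!/bin/sh
# Added example, not from the original post: profile helpers for ~/.bashrc or
# ~/.zshrc. Assumes saml2aws has already written "[profile NAME]" sections to
# the AWS config file; the function names are my own.

# Path of the AWS config file (AWS_CONFIG_FILE is the override the CLI honours).
aws_config_path() {
    printf '%s\n' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
}

# Print one profile name per line: every "[profile NAME]" section plus "[default]".
aws_list_profiles() {
    _cfg=$(aws_config_path)
    [ -r "$_cfg" ] || { echo "aws_list_profiles: cannot read $_cfg" >&2; return 1; }
    sed -n -e 's/^\[profile \([^]]*\)\][[:space:]]*$/\1/p' \
           -e 's/^\[default\][[:space:]]*$/default/p' "$_cfg"
}

# Point the current shell at PROFILE. Refuses names that are not in the config
# file, so a typo cannot leave you silently on the previous account, and clears
# any static keys or session token that would otherwise take precedence over it.
aws_use() {
    _name=$1
    if [ -z "$_name" ]; then
        echo "usage: aws_use PROFILE" >&2
        return 2
    fi
    if ! aws_list_profiles | grep -qxF -- "$_name"; then
        echo "aws_use: no profile '$_name' in $(aws_config_path)" >&2
        echo "aws_use: known profiles: $(aws_list_profiles | tr '\n' ' ')" >&2
        return 1
    fi
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    export AWS_PROFILE="$_name"
}

# Re-authenticate through Okta for PROFILE, then switch to it.
# Requires saml2aws on PATH and a matching "saml2aws configure" entry.
aws_login() {
    saml2aws login --force --skip-prompt --idp-account="$1" && aws_use "$1"
}
```

Source the file from your shell profile, then run `aws_login dev` (or `aws_use dev` while the session written by saml2aws is still valid) and confirm which account you landed in with `aws sts get-caller-identity`.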
On Windows things operate a little differently, but the command is similar. Essentially, replace the \ line continuation with a backtick (`); that is how it will appear when you copy and paste into PowerShell.
The commands should look like this:
# $1, $URL, $USER, $ACCOUNT_NUMBER and $ROLE are PowerShell variables set beforehand (e.g. $1 = 'dev').
saml2aws configure `
--idp-provider=Okta `
--idp-account=$1 `
--url=${URL} `
--mfa=OKTA `
--username=${USER} `
--profile=$1 `
--role=arn:aws:iam::${ACCOUNT_NUMBER}:role/${ROLE}
And then finally log in with (PowerShell has no unset or export, so the environment variables are removed from and set on the Env: drive instead):
saml2aws login --force --skip-prompt --idp-account="$1"
Remove-Item Env:AWS_ACCESS_KEY_ID -ErrorAction SilentlyContinue
Remove-Item Env:AWS_SECRET_ACCESS_KEY -ErrorAction SilentlyContinue
Remove-Item Env:AWS_SESSION_TOKEN -ErrorAction SilentlyContinue
$env:AWS_PROFILE = $1
You can also just go through it interactively by running saml2aws configure with no arguments and answering the prompts.
Once authenticated, you can use the awscli to download objects stored in an S3 bucket. To download an object from a bucket, use one of the following aws cli syntax examples:
- To copy it into your current working directory:
aws s3 cp s3://mybucket/path/to/file/somefile.file .
- To copy it into a target directory:
aws s3 cp s3://mybucket/path/to/file/somefile.file /to/some/target/directory