The company I work for uses a legacy login from Okta for AWS. Thus, in order to use the aws-cli, the aws-okta utility is needed, which requires Okta MFA before running any aws-cli command.

I'm writing the infrastructure in Terraform and I haven't found out how to make Terraform use Okta so that it can create AWS components.

Is this possible?

Also, this then needs to run in a CI/CD pipeline, and I'm not sure how it would work there because of the MFA. Any suggestions you could give me?

1 Answer

Yes... there are quite a few approaches available for Okta. Okta makes SSO/federated identity really easy across AWS, 3rd-party SaaS tools, and legacy tools using LDAP auth etc., providing extensive logs/audit trails:

https://github.com/oktadeveloper/okta-aws-cli-assume-role
https://github.com/segmentio/aws-okta
https://bitbucket.org/atlassian/cloudtoken/src/master/
https://github.com/Nike-Inc/gimme-aws-creds

We use gimme-aws-creds for about 30 AWS accounts. We use the Docker container approach on both Mac and PC across our DevOps team and dev teams. It allows the user to assume a role in a specific AWS account, and you can run the Terraform on your PC. You can also use the assume-role functionality in the Terraform AWS provider:
https://www.terraform.io/docs/providers/aws/index.html

From a CI/CD perspective you don't need Okta and you don't need MFA. The Jenkins EC2 server or equivalent will have an instance role to assume other roles in the same account or other accounts. Terraform will use this assumed role. We use Okta to secure our Jenkins server (LDAP authentication).
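As an added example (not code from the answer above or from any of the linked projects), here is how the two workflows in that answer map onto the Terraform AWS provider. On a laptop, gimme-aws-creds (or any of the other Okta helpers listed) writes short-lived, Okta-MFA-backed credentials into a named profile in the AWS shared credentials file, and the provider assumes the target account's deploy role from that profile. In CI, no profile is passed, so the same provider block falls back to the default credential chain, which on an EC2 Jenkins node is the instance role, and assumes the same deploy role. The profile name, region, account IDs, role names and ARNs below are hypothetical placeholders; the `aws_iam_role` resource shows the trust policy the target account needs so that both principals are allowed to assume the role.

```hcl
# Added example: Terraform AWS provider wired for both the Okta-backed
# laptop workflow and the instance-role CI workflow described above.
# All profile names, account IDs, role names and ARNs are hypothetical.

variable "okta_profile" {
  description = "Named profile written by gimme-aws-creds / aws-okta. Leave empty in CI so the provider falls back to the EC2 instance role."
  type        = string
  default     = ""
}

variable "target_role_arn" {
  description = "Deploy role in the target account that Terraform assumes."
  type        = string
  default     = "arn:aws:iam::111111111111:role/TerraformDeploy"
}

provider "aws" {
  region = "us-east-1"

  # Setting an argument to null is the same as omitting it (Terraform 0.12+):
  # with no profile the provider walks the default credential chain, which
  # on a Jenkins EC2 node ends at the instance role.
  profile = var.okta_profile != "" ? var.okta_profile : null

  # Either way, Terraform runs as the target account's deploy role, so the
  # human's Okta session and the CI instance role only need sts:AssumeRole
  # on this one ARN, not direct permissions in the target account.
  assume_role {
    role_arn     = var.target_role_arn
    session_name = "terraform-${var.okta_profile != "" ? var.okta_profile : "ci"}"
  }
}

# Target-account side: the deploy role must trust the principals that will
# assume it. This resource has to exist before the provider above can assume
# the role, so keep it in a bootstrap state applied with a separate
# (administrative) profile rather than in the same root module.
resource "aws_iam_role" "terraform_deploy" {
  name                 = "TerraformDeploy"
  max_session_duration = 3600 # cap the lifetime of each Terraform session

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Role that engineers land in via the Okta SAML login; the session
        # they get from gimme-aws-creds carries this role's ARN as principal.
        Sid    = "OktaFederatedEngineers"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::222222222222:role/OktaEngineer"
        }
        Action = "sts:AssumeRole"
      },
      {
        # Instance role attached to the Jenkins EC2 node; no Okta, no MFA,
        # as the answer describes. That role still needs an identity policy
        # in its own account allowing sts:AssumeRole on this role's ARN.
        Sid    = "JenkinsInstanceRole"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::333333333333:role/JenkinsInstanceRole"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}
```

Locally you would run `terraform plan -var okta_profile=okta-dev` after gimme-aws-creds has refreshed that profile; on the Jenkins node you run plain `terraform plan` with nothing Okta-related installed. Two things worth checking in practice: the trust policy above is deliberately split into two statements so that the CI principal can be revoked or scoped (for example with an `sts:ExternalId` condition) without touching the human path, and because MFA for humans is enforced at Okta rather than at AWS, an `aws:MultiFactorAuthPresent` condition on this trust policy would reject the SAML-federated session, so do not add one.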
