ATTENTION: aws-okta is on indefinite hiatus

[nickatsegment]

Hi all. Unfortunately Segment (and specifically I) will no longer be maintaining aws-okta, for the foreseeable future.

I tried to revive aws-okta with v2, but unfortunately it's just proven to be too much of a time sink to justify.

Several other OSS projects exist that can do what aws-okta does. saml2aws stands out in particular, with a nicer TUI, more providers, lots of MFA options, etc. I haven't done a security audit or anything, but at first blush it looks pretty competent and well-organized. It stores your session creds on disk instead of in a keyring, but I believe chaining this with aws-vault somehow would give you roughly the same level of protection.

I might also recommend forking aws-okta, perhaps starting from my 2.0.0-rc1 branch. I couldn't detangle some of the lesser used features.

I'm going to leave Issues and PRs open for a while, but only for critical, straight-forward bug fixes. No new features will be developed or added.

v1.0.0 is the final major release.

[marshallbrekka]

Shameless plug:

Since I know some of the motivation for 2.x was to provide a pkg interface as well as a CLI, figured I would call out the project okta-auth. It provides an interface for driving the user authentication portion of the flow, resulting in an Okta session token.

It doesn't cover 100% of the functionality of aws-okta (notably obtaining AWS credentials from the Okta session), but can be used as a building block towards that goal.

It's used internally at Fair to power our CLI for obtaining AWS credentials, as well as some internal application credentials not associated with AWS.

[nickatsegment]

That's awesome; plugs encouraged! Part of the reason I had to give up was the feeling that with some work we could reuse parts of other FOSS instead of writing our own. But then aws-okta would just be a wrapper around the pkgs of saml2aws or something similar.

Personally it feels to me like everybody should probably just build their own in-house aws-okta-like. Making a tool to serve every use case is way too hard.