Okta Identity Engine Upgrade Blocker with AWS Federation via AWS CLI
Administration
Okta Classic Engine
Okta Identity Engine
Overview

The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note that additional Okta features may require reconfiguration or be disabled in order to complete the upgrade. This article addresses an issue where community-developed tools that use the Amazon Web Services (AWS) Command Line Interface (CLI), such as gimme-aws-creds and saml2aws, stop functioning after an upgrade to Okta Identity Engine (OIE). 

Applies To
  • Okta Identity Engine Upgrade
  • Amazon Web Services Federation
  • Amazon Web Services Command Line Interface
  • USER_AGENT
Cause

Community-developed AWS CLI tools were created using classic authentication methods via the /authn API, which are incompatible with the controls and constraints enforced by OIE. 

To determine if these tools are in use, search the System Log using the following queries:

  • "gimme-aws-creds"
  • "saml2aws"
  • "aws_okta_keyman"
  • "okta-awscli"
  • "fsdpt-cli"
  • "aws-login-tool"
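
Added example (not part of Okta's article): a Python script that scans exported System Log events for the tool names listed above and reports which users last used each tool, so they can be contacted before the upgrade. It assumes the events are in the System Log API's JSON shape and that the tool name appears in `client.userAgent.rawUserAgent`; the sample events and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Tool names from the article's System Log query list.
LEGACY_TOOLS = ["gimme-aws-creds", "saml2aws", "aws_okta_keyman",
                "okta-awscli", "fsdpt-cli", "aws-login-tool"]

# Constructed sample events (not real data), shaped like System Log API output.
SAMPLE_EVENTS = json.loads("""[
 {"published": "2024-01-10T09:15:02.000Z", "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds 2.8.0;3.11.4;Linux"}}},
 {"published": "2024-01-12T17:40:51.000Z", "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds 2.8.0;3.11.4;Linux"}}},
 {"published": "2024-01-11T08:02:33.000Z", "actor": {"alternateId": "bob@example.com"},
  "client": {"userAgent": {"rawUserAgent": "saml2aws/2.36.0"}}},
 {"published": "2024-01-11T08:05:00.000Z", "actor": {"alternateId": "carol@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64)"}}},
 {"published": "2024-01-11T08:06:00.000Z", "actor": {"alternateId": "dave@example.com"},
  "client": {"userAgent": null}},
 {"published": "2024-01-11T08:07:00.000Z", "actor": {"alternateId": "erin@example.com"},
  "client": {"userAgent": {"rawUserAgent": "okta-aws-cli/0.0.0-constructed"}}}
]""")

def find_legacy_cli_users(events, tools=LEGACY_TOOLS):
    """Return {tool: {user: last_seen}} for events whose user agent names a tool."""
    hits = defaultdict(dict)
    for event in events:
        # Any of these objects may be null or absent, so default at each step.
        client = event.get("client") or {}
        raw_ua = ((client.get("userAgent") or {}).get("rawUserAgent") or "").lower()
        user = (event.get("actor") or {}).get("alternateId") or "unknown"
        published = event.get("published") or ""
        for tool in tools:
            # "okta-awscli" (community tool) is not a substring of "okta-aws-cli",
            # so the replacement tool is not flagged.
            if tool.lower() in raw_ua:
                # Same-format ISO 8601 UTC timestamps compare correctly as strings.
                if published > hits[tool].get(user, ""):
                    hits[tool][user] = published
    return {tool: dict(users) for tool, users in hits.items()}

if __name__ == "__main__":
    for tool, users in sorted(find_legacy_cli_users(SAMPLE_EVENTS).items()):
        for user, last_seen in sorted(users.items()):
            print(f"{tool}\t{user}\tlast seen {last_seen}")
```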
 


Solution

To maintain CLI access after the upgrade, choose one of the following options:

  • Switch to the Okta AWS CLI application after upgrading to OIE. This application is built for the OIE framework and is compatible with its policies and access controls. The command-line user experience is similar to that of the community-created tools; however, because it is associated with an additional OIDC application, it is compatible with Okta Identity Engine policies and access controls. For the latest information, refer to okta-aws-cli on the Okta GitHub.

NOTE: The okta-aws-cli application requires the OIE policy framework and cannot be fully tested in classic environments. Continue using the current solution until the upgrade is complete. To test the workstation configuration before the upgrade, refer to Testing okta-aws-cli before upgrade.
