OIE Upgrade Blocker - AWS Federation (AWS CLI)
Administration
Okta Classic Engine
Okta Identity Engine

Overview

The following reconfiguration has been identified as part of the preparation needed to perform the upgrade to Okta Identity Engine (OIE). Note, additional Okta features may require reconfiguration or be disabled in order to complete the upgrade.

Applies To

  • AWS Federation (AWS CLI)
  • Validator Key: USER_AGENT
  • Upgrade Eligibility: Consent Required

How does this blocker impact the upgrade to OIE?

This blocker affects customers who use the AWS CLI with tools such as gimme-aws-creds, saml2aws, and many other community-created tools. These applications were developed using Classic Engine authentication methods (via the /authn API) and will likely break after the upgrade, since they DO NOT support the controls and constraints enforced by Okta Identity Engine.

To determine whether any of the "known" community AWS CLI tools are in use, search the System Log with each of the following queries:

  • "gimme-aws-creds"
  • "saml2aws"
  • "aws_okta_keyman"
  • "okta-awscli"
  • "fsdpt-cli"
  • "aws-login-tool"

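The search above is a user-agent match (the validator key for this blocker is USER_AGENT). As an added illustration that is not part of the original article, the script below applies the same match to System Log events exported as JSON and reports which users were seen with each community tool; the events are constructed samples, not real data, and the field names follow the System Log event shape (client.userAgent.rawUserAgent, actor.alternateId).

```python
import json
from collections import defaultdict

# Tool names the article says to search the System Log for (validator key: USER_AGENT).
KNOWN_COMMUNITY_CLIS = (
    "gimme-aws-creds", "saml2aws", "aws_okta_keyman",
    "okta-awscli", "fsdpt-cli", "aws-login-tool",
)

# Constructed sample System Log events (not real data); the layout mirrors the
# Okta System Log event fields used here.
SAMPLE_EVENTS = json.loads("""[
 {"published": "2024-01-10T12:00:00.000Z", "eventType": "user.authentication.sso",
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "python-requests/2.31 gimme-aws-creds/2.7.0"}}},
 {"published": "2024-01-10T12:05:00.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "bob@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Go-http-client/1.1 saml2aws/2.36.0"}}},
 {"published": "2024-01-10T12:07:00.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "carol@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/120.0"}}}
]""")


def matching_tool(event):
    """Return the known community tool named in the event's user agent, or None."""
    ua = (event.get("client", {}).get("userAgent", {}).get("rawUserAgent") or "").lower()
    for tool in KNOWN_COMMUNITY_CLIS:
        if tool.lower() in ua:
            return tool
    return None


def summarize_cli_usage(events):
    """Map each detected tool to the sorted list of users seen using it."""
    users_by_tool = defaultdict(set)
    for event in events:
        tool = matching_tool(event)
        if tool:
            users_by_tool[tool].add(event["actor"]["alternateId"])
    return {tool: sorted(users) for tool, users in users_by_tool.items()}


if __name__ == "__main__":
    for tool, users in summarize_cli_usage(SAMPLE_EVENTS).items():
        print(f"{tool}: {len(users)} user(s): {', '.join(users)}")
```

Events returned by the System Log API or exported from the admin console can be fed to summarize_cli_usage in place of the sample list to build the inventory of users who must be moved to a supported option before the upgrade.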
Example System Log screen (screenshot)

How do I remediate this blocker?

Customers that require CLI access should proceed with one of the following options:

Switch to the Okta AWS CLI application post-upgrade. The "okta-aws-cli" command line interface is built on the Okta Identity Engine framework and its controls. Its command line user experience is similar to that of the community-created tools; however, it is compatible with Okta Identity Engine policies and access controls because it is associated with an additional OIDC application. Please refer to the latest information on "okta-aws-cli" on the Okta GitHub.

WARNING: The "okta-aws-cli" requires the OIE policy framework and cannot be fully tested in Classic Engine; users will continue using the current solution until the upgrade is complete. To test the workstation configuration prior to the upgrade, follow the knowledge article "Testing okta-aws-cli before upgrade".

An alternate option is to switch to web-based AWS IAM Identity Center access:

Switch to AWS IAM Identity Center (formerly "AWS Single Sign-On") before upgrading to Okta Identity Engine. This is a web interface to the AWS Management Console that provides the "Account/Role Picker" and access via the browser-embedded CLI.

More information: AWS IAM Identity Center or AWS User Guide for Configuring Okta and IAM Identity Center

Is there additional training or information I can use to help me with this remediation?

YES, each respective option has a link above.
