When multiple Amazon Web Services (AWS) environments are configured for an Okta Org, the okta-aws-cli does not return any associated AWS Identity Providers (IdPs) for users to select.
- okta-aws-cli
- Okta Identity Engine (OIE)
- AWS Account Federation App
Prior to okta-aws-cli v2.2.0, the only way to let users dynamically choose which AWS environment they wished to connect to was to add them to an Administrator Role. This Role needed to grant permission to view the Okta AWS Account Federation Applications registered in the Org.
Doing this can lead to undesirable side effects, such as the 'Admin' dashboard link appearing for these users when they log in to their Okta user dashboard.
As of okta-aws-cli v2.2.0, users no longer need to be part of an Admin Role in order to dynamically select the AWS environment they wish to connect to.
Instead, the OpenID Connect (OIDC) application that is configured for the okta-aws-cli device authorization grant flow can be granted the scope 'okta.users.read.self'. This is done under the Okta API Scopes tab of the application in the Admin Dashboard.
If users are still unable to see some/all of the AWS Account Federation Applications in the Org:
Verify that the AWS Account Federation Applications do not have 'Do not display application icon to users' selected for 'Application visibility' under the General tab.
- Having this selected will keep the CLI from displaying the AWS Account Federation App as an option for users.
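The following diagnostic script is an added example, not code from okta-aws-cli or Okta. It illustrates both points above: with an access token carrying 'okta.users.read.self', the current user's app links can be read without any Admin Role, and an AWS Account Federation app whose icon is hidden from users is reported as hidden rather than offered. It assumes the endpoint GET {org}/api/v1/users/me/appLinks, that AWS Account Federation apps carry the appName "amazon_aws", and that the visibility setting surfaces as the hidden flag on the app link; the sample response and app ids are constructed.

```python
"""Check which AWS Account Federation apps the okta-aws-cli can offer a user.

Added diagnostic example, not code from okta-aws-cli or Okta. Assumptions:
the CLI's token has the okta.users.read.self scope, the current user's apps
come from GET {org}/api/v1/users/me/appLinks, and AWS Account Federation
apps carry appName "amazon_aws".
"""
import json
import os
import sys
import urllib.error
import urllib.request

# appName Okta reports for the AWS Account Federation integration (assumed).
AWS_FEDERATION_APP_NAME = "amazon_aws"


def select_aws_federation_apps(app_links):
    """Split a user's appLinks into AWS federation apps the CLI would list and
    ones it would skip because their icon is hidden from the user.

    Selecting "Do not display application icon to users" under Application
    visibility is assumed to set hidden to true on the app link.
    """
    selectable, hidden = [], []
    for link in app_links:
        if link.get("appName") != AWS_FEDERATION_APP_NAME:
            continue  # not an AWS Account Federation app
        entry = {"id": link.get("id"), "label": link.get("label")}
        (hidden if link.get("hidden") else selectable).append(entry)
    return selectable, hidden


def explain_http_error(status):
    """Map the failure codes a support engineer is likely to see to a next step."""
    if status in (401, 403):
        return (f"HTTP {status}: the access token cannot read the user's own apps; "
                "grant okta.users.read.self under Okta API Scopes on the OIDC app "
                "and re-run the device authorization flow")
    return f"HTTP {status} from the appLinks endpoint"


def fetch_app_links(org_url, access_token):
    """GET the current user's app links with a device-authorization access token."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/users/me/appLinks",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(explain_http_error(err.code)) from err


# Constructed sample appLinks response: two AWS apps (one hidden) and one unrelated app.
SAMPLE_APP_LINKS = [
    {"id": "0oa000000000000001", "label": "AWS Production", "appName": "amazon_aws", "hidden": False},
    {"id": "0oa000000000000002", "label": "AWS Sandbox", "appName": "amazon_aws", "hidden": True},
    {"id": "0oa000000000000003", "label": "Example Wiki", "appName": "example_wiki", "hidden": False},
]


def main():
    # Use a live Org when OKTA_ORG_URL and OKTA_ACCESS_TOKEN are set; otherwise the sample.
    org_url, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_ACCESS_TOKEN")
    links = fetch_app_links(org_url, token) if org_url and token else SAMPLE_APP_LINKS
    selectable, hidden = select_aws_federation_apps(links)
    for app in selectable:
        print(f"selectable: {app['label']} ({app['id']})")
    for app in hidden:
        print(f"hidden from user, will not be offered: {app['label']} ({app['id']})")
    return 0 if selectable else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with OKTA_ORG_URL and OKTA_ACCESS_TOKEN set to the Org URL and a token obtained through the same device authorization flow the CLI uses; an app reported as hidden points at the 'Application visibility' setting, and a 401/403 points at the missing scope grant.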
