Integrating your Okta identity provider
Running substrate create-admin-account -quality <quality> will ask for several inputs, which this page will help you provide from your Okta identity provider.
Create a custom profile attribute
Visit your Okta admin panel in a browser
Click the hamburger menu
Click Profile Editor in the Directory section
Click User (default) (with type “Okta”)
Click + Add Attribute
Enter “AWS_RoleName” for both Display name and Variable name
Click Save
Create and configure an OAuth OIDC client
Visit your Okta admin panel in a browser
Click the hamburger menu
Click Applications in the Applications section
Click Create App Integration
Select “OAuth - OpenID Connect”
Select “Web Application”
Click Next
Customize App integration name
Change the first/only item in Sign-in redirect URIs to “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)
Remove all Sign-out redirect URIs
Select “Limit access to selected groups” and select the groups that are authorized to use AWS (or choose another option; this can always be reconfigured)
Click Save
Paste the Client ID, Client secret, and Okta domain in response to substrate create-admin-account's prompts
Click Okta API Scopes
Click Grant at the end of the “okta.users.read.self” line
Authorize users to use AWS
Visit your Okta admin panel in a browser
Click the hamburger menu
Click People in the Directory section
For every user authorized to use AWS:
Click the user's name
Click Profile
Click Edit
In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your admin account (“Administrator” for yourself as you're getting started; if for others it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first)
Click Save
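A small offline check of the two things above that are easy to get subtly wrong: the OIDC client's redirect URIs and each user's AWS_RoleName. This is an added example, not part of Substrate or Okta; the sample records are constructed and shaped like Okta's /api/v1/apps and /api/v1/users responses, so the field names (settings.oauthClient.redirect_uris, post_logout_redirect_uris, profile) are an assumption to verify against your own tenant.

```python
import re

# Constructed sample shaped like an Okta /api/v1/apps/{id} response (assumed field names).
APP = {
    "label": "Substrate",
    "settings": {"oauthClient": {
        "redirect_uris": ["https://intranet.example.com/login"],
        "post_logout_redirect_uris": [],
    }},
}

# Constructed sample shaped like Okta /api/v1/users records; custom attributes live in "profile".
USERS = [
    {"profile": {"login": "alice@example.com", "AWS_RoleName": "Administrator"}},
    {"profile": {"login": "bob@example.com",
                 "AWS_RoleName": "arn:aws:iam::123456789012:role/Auditor"}},
    {"profile": {"login": "carol@example.com"}},
]

# IAM role names: 1-64 chars from [A-Za-z0-9+=,.@_-]
ROLE_NAME = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")


def check_app(app, intranet_domain):
    """Return findings for the OIDC client: exactly one sign-in URI, no sign-out URIs."""
    findings = []
    oc = app["settings"]["oauthClient"]
    expected = f"https://{intranet_domain}/login"
    if oc.get("redirect_uris") != [expected]:
        findings.append(f"sign-in redirect URIs must be exactly [{expected}], "
                        f"got {oc.get('redirect_uris')}")
    if oc.get("post_logout_redirect_uris"):
        findings.append("sign-out redirect URIs are set; the page says to remove them all")
    return findings


def check_users(users, known_roles=("Administrator", "Auditor")):
    """Return findings for AWS_RoleName: must be set, a role name (not an ARN), well-formed."""
    findings = []
    for user in users:
        profile = user["profile"]
        login, role = profile["login"], profile.get("AWS_RoleName")
        if not role:
            findings.append(f"{login}: AWS_RoleName is not set; this user cannot log in to AWS")
        elif role.startswith("arn:"):
            findings.append(f"{login}: AWS_RoleName is an ARN; enter the role name only")
        elif not ROLE_NAME.match(role):
            findings.append(f"{login}: {role!r} is not a valid IAM role name")
        elif role not in known_roles:
            findings.append(f"{login}: {role!r} is neither Administrator nor Auditor; "
                            "make sure that role was added for humans first")
    return findings
```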
With your identity provider integrated, jump to deleting unnecessary root access keys.