Deploying the web service requires a few things:

- An AWS Organizations-based role with permission to run List Accounts in the AWS Organization
- A reader role in each account with permission to run List Roles in that account
- An Okta Identity Provider with a private key, client ID, and issuer URL
This deployment relies on a working identity provider, which issues the ID Token used to identify any client that tries to interact with the server. The aws-oidc docker image includes chamber, which we use to load sensitive environment variables.
Using the latest version of aws-oidc, run `aws-oidc serve-config --web-server-port=8080`.

Ping `localhost:8080/health` to make sure your service is up and running.
- `OKTA_PRIVATE_KEY`: the private key from Okta
- `OKTA_SERVICE_CLIENT_ID`: the client ID of the Okta client that manages Okta apps for your clients
- `OKTA_CLIENT_ID`: the client ID of the Okta Identity Provider that verifies your clients
- `OKTA_ISSUER_URL`: the URL of the identity provider

You can create those values using this tutorial.

- `AWS_READER_ROLE_NAME`: the name of a role that can run AWS List Roles within each account in your AWS Organization
- `AWS_ORG_ROLE_ARNS`: a list of role ARNs that can list accounts in your AWS Organization
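The deployment above depends on every one of those variables being present before `serve-config` starts, and on the health endpoint answering once it is up. The following pre-flight script is an added example, not part of aws-oidc itself: it checks that each variable named on this page is set and non-empty, rejects a non-HTTPS issuer URL (the ID Tokens the server relies on are validated against that issuer), then launches the server through chamber and polls `/health`. The chamber service name `aws-oidc` and the script file name are assumptions; the variable names and the port come from this page.

```shell
#!/bin/sh
# Added example (not aws-oidc's own code): pre-flight checks before starting
# `aws-oidc serve-config`. Variable names and port 8080 come from the deployment
# notes; the chamber service name "aws-oidc" is an assumption.

REQUIRED_VARS="OKTA_PRIVATE_KEY OKTA_SERVICE_CLIENT_ID OKTA_CLIENT_ID OKTA_ISSUER_URL AWS_READER_ROLE_NAME AWS_ORG_ROLE_ARNS"

# Returns 0 when every required variable is set and non-empty; otherwise
# prints the missing names to stderr and returns 1.
check_required_env() {
  missing=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing required environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Returns 0 only when OKTA_ISSUER_URL is an https:// URL. The server trusts
# ID Tokens from this issuer, so a plaintext issuer URL is a misconfiguration.
check_issuer_url() {
  case "${OKTA_ISSUER_URL:-}" in
    https://*) return 0 ;;
    *) echo "OKTA_ISSUER_URL must be an https:// URL" >&2; return 1 ;;
  esac
}

# Polls http://localhost:<port>/health up to <attempts> times, one second apart.
wait_for_health() {
  port="${1:-8080}"
  attempts="${2:-30}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if curl -fsS "http://localhost:${port}/health" >/dev/null 2>&1; then
      echo "service healthy on port $port"
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "service did not become healthy on port $port" >&2
  return 1
}

main() {
  check_required_env || exit 1
  check_issuer_url || exit 1
  # chamber exec loads the secrets stored under the named service into the
  # environment of the command it runs (service name is an assumption).
  chamber exec aws-oidc -- aws-oidc serve-config --web-server-port=8080 &
  wait_for_health 8080 30
}

# Run the checks and start the server only when invoked as `sh preflight.sh run`,
# so the functions can also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Sourcing the file instead of running it lets a CI job call `check_required_env` on its own before an image is ever started, which catches a missing secret without spinning up the service.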
You can tag AWS roles with `aws-oidc/skip-role` if you want serve-config to skip that role.