# Install okta-aws-cli with Homebrew, Nix

Okta federated identity for AWS CLI. Version 2.6.0 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:okta-aws-cli
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install okta-aws-cli
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#okta-aws-cli
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ok/okta-aws-cli/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:okta-aws-cli
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/okta-aws-cli>
- **Version:** 2.6.0
- **Source summary:** Okta federated identity for AWS CLI
- **Homepage:** <https://github.com/okta/okta-aws-cli>
- **Repository:** <https://github.com/okta/okta-aws-cli>
- **Upstream docs:** <https://github.com/okta/okta-aws-cli#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/okta/okta-aws-cli/archive/refs/tags/v2.6.0.tar.gz>
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- okta-aws-cli (cli)
- okta-aws-cli (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.6.0
- Local data: ok
- Upstream repository: https://github.com/okta/okta-aws-cli
- Upstream latest detected: v2.6.0 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

okta-aws-cli is Okta's command-line bridge between Okta identity and AWS CLI credentials. It authenticates through Okta, exchanges identity assertions with AWS STS, and emits temporary IAM credentials for AWS CLI, SDK, process-credential, or credentials-file workflows.

### Project history

The repository was created on 2022-07-07 as a Go CLI for using Okta as the identity provider for AWS CLI operations. The README describes three primary commands: `web` for human/device authorization, `m2m` for headless machine-to-machine authorization, and `direct` for direct authorization with out-of-band MFA.

The 2.0.0 GA release on 2024-01-25 reorganized the CLI around subcommands, renamed environment variables under the `OKTA_AWSCLI_` prefix, added JSON process-credential output, added an `--exec` mode for running a follow-on command with credentials in the environment, and added support for collecting roles across AWS federation apps.

Subsequent 2.x releases improved multi-profile and multi-app support, non-admin user flows, role and IdP selection, credential formatting, cached-token handling, Chocolatey publishing, and security details such as moving a web SSO token out of the URL query parameter and into a POST body.

### Adoption history

The tool addresses a long-standing enterprise operations problem: developers need AWS CLI access through federated identity without long-lived AWS access keys. Okta's own admin documentation tells administrators to get `okta-aws-cli` from GitHub or package managers such as Homebrew or Chocolatey when configuring Okta as the IdP for AWS CLI.

Homebrew usage is comparatively strong in this batch. The formula API generated on 2026-07-01 reported 5,821 installs over 365 days and 5,730 installs-on-request over the same period, reflecting the tool's practical role in developer workstation setup.

### How it is used

In the human `web` flow, a user runs `okta-aws-cli web`, completes browser/device authorization through Okta, and receives AWS `Access Key ID`, `Secret Access Key`, and `Session Token` output. The tool can emit shell environment exports, write or overwrite AWS credentials-file profiles, or return JSON process credentials.

The README explains the SAML-backed path: an Okta OIDC Native Application is paired with an Okta AWS Federation integration app, the AWS federation app is paired with an AWS IAM identity provider, and the CLI presents a SAML assertion to AWS STS with `AssumeRoleWithSAML`. AWS STS returns temporary credentials; AWS documentation says those credentials consist of an access key ID, secret access key, and security token.

For automation, the `m2m` command uses an Okta API service application and private key, then presents an access token to AWS STS using `AssumeRoleWithWebIdentity`. The README warns that private-key handling needs state-of-the-art secrets management and that `m2m` is not intended for human use.

### Why package nerds care

okta-aws-cli is a packaging marker for enterprise identity workflows moving into developer package managers. A Homebrew formula for this tool is not just a convenience CLI; it becomes part of how companies standardize short-lived cloud credentials on laptops.

The package is also a useful metadata case because it wraps several standards and services in one executable: OIDC, SAML, Okta Identity Engine, AWS IAM identity providers, AWS STS, credentials files, environment variables, and process credentials.

### Timeline

- 2022-07-07: the `okta/okta-aws-cli` repository was created.
- 2024-01-25: version 2.0.0 reached GA with subcommands, process credentials, environment variable renames, and role/profile collection features.
- 2024-07-03: version 2.2.0 improved non-admin user support with the `okta.users.read.self` grant.
- 2025-01-31: version 2.4.0 reduced the scope needed for multiple apps and improved m2m/session handling.
- 2025-05-20: version 2.5.0 added the `direct` command for out-of-band MFA password grant authorization.
- 2026-07-01: Homebrew's formula API reported stable version 2.6.0.

### Related projects

- The package is closely related to Okta AWS Account Federation, Okta OIDC Native Applications, AWS IAM identity providers, AWS STS `AssumeRoleWithSAML`, AWS STS `AssumeRoleWithWebIdentity`, and AWS SDK/CLI process credentials.

### Sources

- <https://api.github.com/repos/okta/okta-aws-cli>
- <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>
- <https://formulae.brew.sh/api/formula/okta-aws-cli.json>
- <https://github.com/okta/okta-aws-cli>
- <https://help.okta.com/oie/en-us/content/topics/deploymentguides/aws/aws-configure-cli.htm>
- <https://raw.githubusercontent.com/okta/okta-aws-cli/master/CHANGELOG.md>
- <https://raw.githubusercontent.com/okta/okta-aws-cli/master/README.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.okta/okta.yaml

## Credential files

- Unix: ~/.aws/credentials
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** okta-aws-cli
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - okta-aws-cli: normalized package name match | nixpkgs package indexes: pkgs/by-name/ok/okta-aws-cli/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [okta-awscli](https://www.automicvault.com/pkg/brew/okta-awscli/) - Shares av.db curated category or tags: aws, cli, identity, okta, security.
- [opensaml](https://www.automicvault.com/pkg/brew/opensaml/) - Shares av.db curated category or tags: cli, identity, security.
- [spiffe-helper](https://www.automicvault.com/pkg/brew/spiffe-helper/) - Shares av.db curated category or tags: cli, identity, security.
- [dexidp](https://www.automicvault.com/pkg/brew/dexidp/) - Shares av.db curated category or tags: cli, identity, security.
- [granted](https://www.automicvault.com/pkg/brew/granted/) - Shares av.db curated category or tags: aws, cli, identity, security.
- [saml2aws](https://www.automicvault.com/pkg/brew/saml2aws/) - Shares av.db curated category or tags: aws, cli, security, sts.
- [cfripper](https://www.automicvault.com/pkg/brew/cfripper/) - Shares av.db curated category or tags: aws, cli, security.
- [chamber](https://www.automicvault.com/pkg/brew/chamber/) - Shares av.db curated category or tags: aws, cli, security.
- [saml-idp](https://www.automicvault.com/pkg/npm/saml-idp/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, identity, okta, security.

## Combined YAML source

View the package source record on GitHub. [combined/okta-aws-cli.yml](https://github.com/automic-vault/db/blob/main/combined/okta-aws-cli.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
