
Enable and integrate Okta Authentication

Enable Okta authentication for your AWS account

To enable Okta authentication for your AWS account, submit a pull request to this repository. In your PR, add your AWS account to the following list.

Required environment variables on your function

If you don't want to use the preconfigured configuration, you need to set the following variables in your function's environment:

AUTHENTICATION_URL = "https://r4kmv6ybca4vqpdf3kzn3ce7ui0upgid.lambda-url.eu-central-1.on.aws/"
JWK_URL = "https://apps.statista.com/oauth2/v1/keys"
ENCRYPTION_KEY_NAME = "arn:aws:secretsmanager:eu-central-1:461042034242:secret:dev-env-authorizer/client_encryption_key"
TOKEN_KEY_NAME = "arn:aws:secretsmanager:eu-central-1:461042034242:secret:dev-env-authorizer/token_secret"

Make sure you grant your function access to the ENCRYPTION_KEY_NAME and TOKEN_KEY_NAME secrets, and to the KMS key used to decrypt them:

import * as iam from 'aws-cdk-lib/aws-iam'

// read access to both secrets; the trailing '*' matches the random suffix Secrets Manager appends to secret ARNs
myFunction.grantPrincipal.addToPrincipalPolicy(
  new iam.PolicyStatement({
    actions: ['secretsmanager:GetSecret*'],
    resources: [`${ENCRYPTION_KEY_NAME}*`, `${TOKEN_KEY_NAME}*`],
  }),
)
// the secrets are encrypted with KMS; if you know the key's ARN, list it here instead of '*'
myFunction.grantPrincipal.addToPrincipalPolicy(
  new iam.PolicyStatement({
    actions: ['kms:Decrypt', 'kms:DescribeKey'],
    resources: ['*'],
  }),
)

with Hono (Remix-App)

Add this snippet as a Hono middleware to your app:

// using the preconfigured configuration
import { buildHandler, webRequestMiddleware } from '@pit-shared/dev-env-authenticator-client'

const statistaAuthHandler = buildHandler()

app.use('/*', webRequestMiddleware(statistaAuthHandler))

// or using your own configuration
import { buildHandler, webRequestMiddleware } from '@pit-shared/dev-env-authenticator-client'

const statistaAuthHandler = buildHandler(
  process.env.AUTHENTICATOR_URL,
  process.env.JWK_URL,
  process.env.ENCRYPTION_KEY_NAME,
  process.env.TOKEN_KEY_NAME,
)

app.use('/*', webRequestMiddleware(statistaAuthHandler))

with AWS Lambda Function URLs

In your Lambda function, add this snippet at the top of your handler module:

import { buildHandler } from '@pit-shared/dev-env-authenticator-client'
import type { LambdaFunctionURLEvent, LambdaFunctionURLHandler, LambdaFunctionURLResult } from 'aws-lambda'

const statistaAuthHandler = buildHandler()

export const handler: LambdaFunctionURLHandler = async (event: LambdaFunctionURLEvent): Promise<LambdaFunctionURLResult> => {
  // you need to convert the LambdaFunctionURLEvent to a standard Web Request yourself,
  // and convert the standard Web Response back to a LambdaFunctionURLResult
  // see https://developer.mozilla.org/en-US/docs/Web/API/Request

  const request = convertRequest(event)
  const result = await statistaAuthHandler(request)
  if (result !== undefined) {
    // the authenticator produced a response (e.g. a redirect or a denial); return it as-is
    return convertResponse(result)
  }
  // ... your normal code
}

with Lambda@Edge

Here we create a simple Hono app and use the buildHandler function to create a Lambda@Edge handler that can be used in a viewer-request trigger.

import { buildHandler, lambdaEdgeMiddleware } from '@pit-shared/dev-env-authenticator'
import { Hono } from 'hono'
import { handle } from 'hono/lambda-edge'
import type { Callback, CloudFrontRequest } from 'hono/lambda-edge'

type Bindings = {
  callback: Callback
  request: CloudFrontRequest
}

const app = new Hono<{ Bindings: Bindings }>()
const statistaAuthHandler = buildHandler()

app.use('/*', lambdaEdgeMiddleware(statistaAuthHandler))

export const handler = handle(app)

This only works as a viewer-request trigger. Since Lambda@Edge does not support environment variables, you need to find a way to pass the configuration into the function code (e.g. by inlining it).

Usage with automated tools

For all of the following approaches you first need to obtain AWS credentials for your account. The preferred way is to use the aws-actions/configure-aws-credentials action in your GitHub Actions workflow:

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
  with:
    role-to-assume: ${{ secrets.AWS_ROLE_FOR_GITHUB_ACCESS }}
    aws-region: eu-central-1
    role-duration-seconds: 3600

Node

If you want to use the authenticator in your automated tools, you can obtain a token to send in the X-Stage-Authorization header by using the authToken function:

import { authToken } from '@pit-shared/dev-env-authenticator-client/token'
const token = await authToken()

await fetch('https://stage.statista.com/version/', {
  headers: {
    'X-Stage-Authorization': token,
  },
})

Playwright

// playwright.config.ts
import { defineConfig } from '@playwright/test'
import { authToken } from '@pit-shared/dev-env-authenticator-client/token'

const token = await authToken()

export default defineConfig({
  use: {
    baseURL: 'https://stage.statista.com',
    extraHTTPHeaders: {
      'X-Stage-Authorization': token,
    },
  },
})

Remember that for top-level await to work you need to use "type": "module" and Node 22 in your package.json. This approach allows you to use Playwright locally as well.

within GHA

Simply use the custom action @pit-shared/dev-env-authenticator to obtain the token:

# you need to obtain AWS Credentials for your Account first!

# Get the Token
# (consider pinning to a commit SHA, as done for configure-aws-credentials above, instead of @main)
- name: Get Auth Token
  uses: pit-shared/dev-env-authenticator@main
  id: auth

# The token is obtainable as output from the previous step
- name: Test Stage Programmatic Access
  run: |
    curl -f -H "X-Stage-Authorization: ${{ steps.auth.outputs.token }}" https://stage.statista.com/version/