feat: configurable totp time

README.md

@@ -33,6 +33,10 @@ It also masks the actual values in the logs for added security.
 - `okta_app_url` can be obtained by right clicking the Okta tile for you AWS account. This setup allows for federated login to different AWS accounts.
 - `okta_password` & `okta_mfa_seed` can be set via environment variables `${{ env.OKTA_MFA_SEED }}` although it is not recommended to do so as it can leak secrets. Github repo secrets are the easiest way but if you manage secrets via some other mechanism, you can also use them - these are just normal inputs, you can pass them anything.
 
+## Options
+
+For a list of options and their descriptions, check out `action.yml`.
+
 ## Can I use this
 
 You can use this if you're doing **all** of this:

action.yml

@@ -20,9 +20,13 @@ inputs:
     description: "Okta MFA Method (https://developer.okta.com/docs/reference/api/factors/)"
     required: false
     default: "token:software:totp"
+  totp_time_slot:
+    description: "Time slot (in seconds) for which OTP is valid"
+    required: false
+    default: 5
 runs:
   using: "docker"
   image: "Dockerfile"
 branding:
-  icon: 'unlock'  
-  color: 'orange'
+  icon: "unlock"
+  color: "orange"

entrypoint.sh

@@ -12,7 +12,7 @@ echo -e "[profile default]\noutput = json" >> "$config"
 
 # Attempt to get aws credentials via tokendito
 max_attempts=10
-totp_time=30
+totp_time=${INPUT_TOTP_TIME_SLOT:=10}
 for ((attempts = 1; attempts <= $max_attempts ; attempts++)); do
     tokendito --aws-profile default -ou $INPUT_OKTA_APP_URL -R $INPUT_AWS_ROLE_ARN \
         --username $INPUT_OKTA_USERNAME --password $INPUT_OKTA_PASSWORD \
@@ -63,4 +63,4 @@ while read -r line; do
             echo "::add-mask::${aws_session_token}"
         fi
     fi
-done < "$credentials"
+done <"$credentials"