Skip to main content
Join the official 2019 Python Developers SurveyStart the survey!

Python Yubikey AWS signature library

Project description

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

On Linux, install libpcsclite-dev (apt install libpcsclite-dev, yum install pcsc-lite-devel).

Exile requires Python 3.6+. Python 2.7 is not supported.

Synopsis

import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)

write_active_aws_key_to_yubikey()
botocore_signers.install()

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))

TOTP

Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))

Authors

  • Andrey Kislyuk

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://img.shields.io/travis/com/pyauth/exile.svg https://codecov.io/github/pyauth/exile/coverage.svg?branch=master https://img.shields.io/pypi/v/exile.svg https://img.shields.io/pypi/l/exile.svg https://readthedocs.org/projects/exile/badge/?version=latest

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for exile, version 0.1.0
Filename, size File type Python version Upload date Hashes
Filename, size exile-0.1.0-py2.py3-none-any.whl (16.4 kB) File type Wheel Python version py2.py3 Upload date Hashes View hashes
Filename, size exile-0.1.0.tar.gz (12.4 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page