Skip to main content

Python Yubikey AWS signature library

Project description

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.


pip install exile

On Linux, install libpcsclite-dev (apt install libpcsclite-dev, yum install pcsc-lite-devel).

Exile requires Python 3.6+. Python 2.7 is not supported.


import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)


print("Using YubiKey credential to perform AWS call")

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))


Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))


  • Andrey Kislyuk


Please report bugs, issues, feature requests, etc. on GitHub.


Licensed under the terms of the Apache License, Version 2.0.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for exile, version 0.1.0
Filename, size File type Python version Upload date Hashes
Filename, size exile-0.1.0-py2.py3-none-any.whl (16.4 kB) File type Wheel Python version py2.py3 Upload date Hashes View
Filename, size exile-0.1.0.tar.gz (12.4 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page