exile

Python Yubikey AWS signature library

These details have not been verified by PyPI

Project links

Homepage

Project description

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

Synopsis

import base64, logging
import boto3, botocore.auth
from exile import YKOATH, SCardManager

logging.basicConfig(level=logging.INFO)

ykoath = YKOATH(SCardManager())

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()
    secret_name = "exile-" + credentials.access_key[len("AKIA"):]
    # This is for SigV4 only. Other formats will require a separate secret
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH credential", secret_name, "for", credentials.access_key)
    ykoath.put(secret_name, secret, algorithm=YKOATH.Algorithm.SHA256)

write_active_aws_key_to_yubikey()

class YKSigV4Auth(botocore.auth.SigV4Auth):
    def signature(self, string_to_sign, request):
        key_name = "exile-" + self.credentials.access_key[len("AKIA"):]
        k_date = ykoath.calculate(key_name, request.context['timestamp'][0:8].encode(), want_truncated_response=False)
        k_region = self._sign(k_date, self._region_name)
        k_service = self._sign(k_region, self._service_name)
        k_signing = self._sign(k_service, "aws4_request")
        return self._sign(k_signing, string_to_sign, hex=True)

botocore.auth.SigV4Auth.signature = YKSigV4Auth.signature

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

Authors

Andrey Kislyuk

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://img.shields.io/travis/com/pyauth/exile.svg

https://codecov.io/github/pyauth/exile/coverage.svg?branch=master

https://readthedocs.org/projects/exile/badge/?version=latest

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

0.1.1

Sep 24, 2021

0.1.0

Mar 4, 2019

This version

0.0.3

Feb 26, 2019

0.0.2

Feb 26, 2019

0.0.1

Jan 16, 2019

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

exile-0.0.3.tar.gz (10.9 kB view details)

Uploaded Feb 26, 2019 Source

Built Distribution

exile-0.0.3-py3-none-any.whl (14.5 kB view details)

Uploaded Feb 26, 2019 Python 3

File details

Details for the file exile-0.0.3.tar.gz.

File metadata

Download URL: exile-0.0.3.tar.gz
Upload date: Feb 26, 2019
Size: 10.9 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.3 requests-toolbelt/0.8.0 tqdm/4.29.1 CPython/3.6.5

File hashes

Hashes for exile-0.0.3.tar.gz
Algorithm	Hash digest
SHA256	`03a5af0c442baac05ee09a13e8123cdc5cea8b8af7ac326b97caaac9b6f58120`
MD5	`6694914322760dd0f8dc0328717f9df1`
BLAKE2b-256	`a0008d160d196e5355ced7782365b27dd73e77262f1d00014d8072e0b74f0a7b`

See more details on using hashes here.

File details

Details for the file exile-0.0.3-py3-none-any.whl.

File metadata

Download URL: exile-0.0.3-py3-none-any.whl
Upload date: Feb 26, 2019
Size: 14.5 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.3 requests-toolbelt/0.8.0 tqdm/4.29.1 CPython/3.6.5

File hashes

Hashes for exile-0.0.3-py3-none-any.whl
Algorithm	Hash digest
SHA256	`24576513bf7ece2b0d2b8c219a4bc9bfb916baae48c0cc4b4dc14382841657ef`
MD5	`730fb6191cf7d8e9f8acc0bc5bc37d02`
BLAKE2b-256	`d9173000e5728d2200f59cbeb12ea237de7504bd4eba1f60636db7801f30bd0b`