Python YubiKey AWS signature library
Project description
Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.
Installation
pip install exile
On Linux, install pcsc-lite (apt install pcscd, yum install pcsc-lite).
Exile requires Python 3.6+.
Synopsis
import boto3, botocore.auth
from exile import YKOATH, botocore_signers
def write_active_aws_key_to_yubikey():
credentials = boto3.Session().get_credentials()
key_name = "exile-{}-SigV4".format(credentials.access_key)
secret = b"AWS4" + credentials.secret_key.encode()
print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)
key_name = "exile-{}-HmacV1".format(credentials.access_key)
secret = credentials.secret_key.encode()
print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)
write_active_aws_key_to_yubikey()
botocore_signers.install()
print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())
print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))Storing the secret key on a YubiKey instead of in the home directory (~/.aws/credentials) protects it in case the host computer or its filesystem is compromised. The YubiKey acts as an HSM, and can optionally be further configured to require user interaction (pressing a button on the key) to sign the request:
YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256, require_touch=True)
TOTP
Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:
from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP") # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google") # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))
Links
Bugs
Please report bugs, issues, feature requests, etc. on GitHub.
License
Licensed under the terms of the Apache License, Version 2.0.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file exile-0.1.1.tar.gz.
File metadata
- Download URL: exile-0.1.1.tar.gz
- Upload date:
- Size: 17.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a3171b8bfd97c389acb561337582d91d44d4d7846f0f4bea63a8179b890b1b14 |
|
| MD5 | 4f8206c1f7bda6534f14c1c249d37cf2 |
|
| BLAKE2b-256 | 96ebdce3160acf6982650d1ff5892f84fdf60b14eaba5cb88215a9843dc31712 |
File details
Details for the file exile-0.1.1-py2.py3-none-any.whl.
File metadata
- Download URL: exile-0.1.1-py2.py3-none-any.whl
- Upload date:
- Size: 17.7 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2f1789ada8e6af0c59a5337647576d0277a285bea08c98ac6fec58861510d18d |
|
| MD5 | 590ecaa907f4d2ce992f8d017b021ba6 |
|
| BLAKE2b-256 | 3bf33d881e8283b3ffd9192840c9a2e610b975f0e99e8add4bb3431173070eff |
