Skip to main content

Renew AWS Simple Token Service Credentials

Project description

Based on the ADSF-CLI script [originally posted by Quint Van Deman] (

## Overview
This script provides a seamless mechanism for federating the AWS CLI. When
properly configured this script allows a user to get a short lived (1 hour) set of
credentials for each authorized role.

The script leverages Kerberos and ADFS to avoid any need for the user to enter
a AD domain password or provide AWS credentials. However, users can also
authenticate using NTLM with their username and password or with a Kerberos keytab.

## Configuration
Kerb-STS looks for configuration in the ~/.kerb-sts/config.json file. This file contains
the URL of the ADFS AWS login page and the default region. Users can generate this file with Kerb-STS:
kerb-sts --configure
This will prompt the user for those values and then serialize the configuration. Users
can also manually create the configuration file which should look like the following:
"region": "us-east-1",
"adfs_url": ""
Users can override either of the configured values on the command line.

## Building a Wheel
The easiest way to install and distribute kerb-sts is using a wheel.
A distribution can be built by running:
python bdist_wheel
That should output a .whl file in the dist directory.

## Installation
* *Note: Python 2.7.10 is the minimal version supported*
* *Note: All platforms have been tested with both Python 2.7 and 3.4*

### OSX
* *Note: If you are using El Capitan, refer to the subsequent OSX section*

0. Install [Python] (
1. sudo easy_install pip
2. sudo pip install dist/

### OSX - El Capitan
* *Note: El Capitan forces the version of some modules which directly interfere with kerb-sts. In order to
get it to work users need to either use a version of Python that was not included with the OS or need
to follow these instructions which leverage virtual environments.*

0. Install [Python] (
1. sudo easy_install pip virtualenv
2. sudo pip install --upgrade pip
3. virtualenv ~/kerb-sts
4. source ~/kerb-sts/bin/activate
5. sudo pip install dist/ --ignore-installed six
6. deactivate
7. sudo ln -s ~/kerb-sts/bin/kerb-sts /usr/local/bin/kerb-sts

### Windows
0. Install [Python] (
1. Ensure python and python/scripts are on the PATH
2. pip install --upgrade pip
3. Install pywin32 from [SourceForge] ( Follow the instructions to ensure you get the correct version.
4. pip install dist/

### Ubuntu
0. sudo apt-get update
1. sudo apt-get install -y krb5-kdc libkrb5-dev python-setuptools python3-pip
2. sudo pip3 install --upgrade pip
3. sudo pip install dist/

## Usage
If the install went smoothly `kerb-sts` should be on your path. There are a lot of configuration options.
The best way to discover them is to check out the help statement.
kerb-sts --help

#### Default Role
The script allows users to specify an AWS IAM role that will be set as the default IAM role in
the credentials file.
kerb-sts -r [iam-role-to-assume]
All subsequent AWS CLI commands will use this role by default.

Additionally, all available roles will be added as named profiles to the credentials file.
Users can then leverage the default role or use the AWS_DEFAULT_PROFILE environment variable to
select a specific role/profile. You can find more information about the credentials file
in the [AWS Documentation](

#### Daemon
By passing in a `--daemon` flag, the script will continue running and update the credentials file every
half hour. The refresh time can be set with the `--refresh` argument, but remember
the tokens only last for one hour.
kerb-sts -r [iam-role-to-assume] --daemon

#### NTLM Auth
The script allows users to authenticate using NTLM (username, domain, password).
kerb-sts -u username -p 'password' -d DOMAIN

#### Keytab
This script allows users to generate Kerberos tokens with Kerberos keytabs. Keytabs
are private key files that are signed with the user's name, domain, and password.
You can generate a keytab by running:
ktutil -k username.keytab add -p username@DOMAIN.COM -e arcfour-hmac-md5 -V 1
Users can use the keytab to authenticate with Kerberos by running:
kinit -kt username.keytab username@DOMAIN.COM
Keytabs allow users to authenticate without their password. The keytab is signed with the password however, so
when a password is updated the keytab must likewise be updated.
They can then be used with kerb-sts to generate temporary tokens:
kerb-sts --key username.keytab -u username -d DOMAIN.COM

#### Credential File
The default location for the AWS credentials file is ~/.aws/credentials. Users are also able to specify
a different location for the credentials generated.
kerb-sts -c ./aws-credentials

## Troubleshooting
#### Kerberos
If you are having issues authenticating with Kerberos, make sure you can run `kinit`. This should prompt you for
your password and then login successfully. You can view your current Kerberos tickets with `klist`. If you want to
ensure Kerberos is working properly you can delete all of your tickets with `kdestroy -A` and then try to get another
ticket issued by running `kinit`.

## Development
The recommended way to install locally from source is to use a virtual environment. From the root
of the kerb-sts source code directory run:

0. pip install virtualenv
1. virtualenv venv
2. source venv/bin/activate
3. python install
4. python kerb_sts/

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release. See tutorial on generating distribution archives.

Built Distribution

kerb_sts-0.1.0-py2.py3-none-any.whl (16.4 kB view hashes)

Uploaded py2 py3

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page