Nextdoor Okta Auther
Project description
# Nextdoor Okta Auth-er
This is a simple command-line tools for logging into Okta and generating temporary Amazon AWS Credentials. This tool makes it easy and secure for your developers to generate short-lived, [logged and user-attributed][tracking] credentials that can be used for any of the Amazon SDK libraries or CLI tools.
# Features
We have support for logging into Okta, optionally handling MFA Authentication, and then generating new SAML authenticated AWS sessions. In particular, this tool has a few core features.
## Optional MFA Authentication
If your organization requires MFA for the _[initial login into Okta][okta_mfa]_, we will automatically detect that requirement on a per-user basis and prompt the user to complete the Multi Factor Authentication. The following factors are supported by _nd_okta_auth_:
[FIDO U2F][okta_u2f] (eg yubikey)
[Okta Verify with Push][okta_verify]
TOTP (Okta Verify, Duo, and Google Authenticator)
If a user has multiple factors they will be prompted in the above order. A user can hit Control-C to skip a factor.
## Re-Up Mode .. Automatic Credential Re-Generation
Amazon IAM only supports Federated Login sessions that last up to 1 hour. For developers, it can be painful to re-authenticate every hour during your work day. This is made much worse if your organization requires MFA on each login.
You may run the Okta Auth-er tool in “reup” mode to get around this. The tool will stay running in a daemon-like mode, and it will reach out regularly to Okta, generate a new SAML Assertion, and then generate updated Amazon AWS credentials. This can run for as long as your Okta administrator has allowed your Login Session to be - often a full work day.
See the –reup commandline option for help here!
# Usage
For detailed usage instructions, see the –help commandline argument. Basic instructions though:
$ nd_okta_auth -a <application id> -o <your org name> -u <your username> 08:27:44 (INFO) Nextdoor Okta Auther v0.0.1 Password: 08:27:48 (WARNING) Okta Verify Push being sent… 08:27:48 (INFO) Waiting for Okta Verification… … 08:28:09 (INFO) Waiting for Okta Verification… 08:28:10 (INFO) Successfully authed Matt Wise 08:28:10 (INFO) Getting SAML Assertion from foobar 08:28:11 (INFO) Found credentials in shared credentials file: ~/.aws/credentials 08:28:11 (INFO) Wrote profile “default” to /Users/diranged/.aws/credentials 08:28:11 (INFO) Session expires at 2017-07-24 16:28:13+00:00 $
## Okta Setup Before you can use this tool, your Okta administrator needs to set up [Amazon/Okta integration][okta_aws_guide] using SAML roles.
## Inspiration This code is heavily based on the previous work done by [ThoughtWorksInc][thoughtworksinc] on their [OktaAuth][oktaauth] and [AWS Role Credentials][aws_role_credentials] tools. We took their general purpose code and re-wrote them into a singularly focused tool that added some new features.
In particular, we found it clumsy to use two CLI tools together to do a single task. Additionally, the tools did not have support for [Okta Verify with Push][okta_verify].
# Developer Setup
If you are interested in working on the codebase, setting up your development environment is quick and easy.
$ virtualenv .venv $ source .venv/bin/activate $ pip install -r requirements.txt
## Python Versions
Python 2.7.1+ and Python 3.5.0+ are supported
## Running Tests
$ nosetests -vv –with-coverage –cover-erase –cover-package=nd_okta_auth
[oktaauth]: https://github.com/ThoughtWorksInc/oktaauth [aws_role_credentials]: https://github.com/ThoughtWorksInc/aws_role_credentials [thoughtworksinc]: https://github.com/ThoughtWorksInc [tracking]: https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/ [okta_aws_guide]: https://support.okta.com/help/servlet/fileField?retURL=%2Fhelp%2Farticles%2FKnowledge_Article%2FAmazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s [okta_mfa]: https://www.okta.com/products/adaptive-multi-factor-authentication/ [okta_verify]: https://www.okta.com/blog/tag/okta-verify-with-push/ [okta_u2f]: https://support.okta.com/help/s/article/Using-YubiKey-Authentication-in-Okta [aws_saml]: http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for nd_okta_auth-1.0.6-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8e3ea285ccd422c7c739dc93c39e6cc74613adf1ff817686aa429303ea061cba |
|
MD5 | 383679c66ab066e0088f2f612d91e22f |
|
BLAKE2b-256 | 52285ecc0bb285480a14c62285c1b7b8dbe0b512245456968f11533ea05af4f3 |