Nextdoor Okta Auther
# Nextdoor Okta Auth-er
This is a simple command-line tools for logging into Okta and generating temporary Amazon AWS Credentials. This tool makes it easy and secure for your developers to generate short-lived, [logged and user-attributed][tracking] credentials that can be used for any of the Amazon SDK libraries or CLI tools.
We have support for logging into Okta, optionally handling MFA Authentication, and then generating new SAML authenticated AWS sessions. In particular, this tool has a few core features.
## Optional MFA Authentication
If your organization requires MFA for the _[initial login into Okta][okta_mfa]_, we will automatically detect that requirement on a per-user basis and prompt the user to complete the Multi Factor Authentication. The following factors are supported by _nd_okta_auth_:
- [FIDO U2F][okta_u2f] (eg yubikey)
- [Okta Verify with Push][okta_verify]
- TOTP (Okta Verify, Duo, and Google Authenticator)
If a user has multiple factors they will be prompted in the above order. A user can hit Control-C to skip a factor.
## Re-Up Mode .. Automatic Credential Re-Generation
Amazon IAM only supports Federated Login sessions that last up to 1 hour. For developers, it can be painful to re-authenticate every hour during your work day. This is made much worse if your organization requires MFA on each login.
You may run the Okta Auth-er tool in “reup” mode to get around this. The tool will stay running in a daemon-like mode, and it will reach out regularly to Okta, generate a new SAML Assertion, and then generate updated Amazon AWS credentials. This can run for as long as your Okta administrator has allowed your Login Session to be - often a full work day.
See the –reup commandline option for help here!
For detailed usage instructions, see the –help commandline argument. Basic instructions though:
$ nd_okta_auth -a <application id> -o <your org name> -u <your username> 08:27:44 (INFO) Nextdoor Okta Auther v0.0.1 Password: 08:27:48 (WARNING) Okta Verify Push being sent… 08:27:48 (INFO) Waiting for Okta Verification… … 08:28:09 (INFO) Waiting for Okta Verification… 08:28:10 (INFO) Successfully authed Matt Wise 08:28:10 (INFO) Getting SAML Assertion from foobar 08:28:11 (INFO) Found credentials in shared credentials file: ~/.aws/credentials 08:28:11 (INFO) Wrote profile “default” to /Users/diranged/.aws/credentials 08:28:11 (INFO) Session expires at 2017-07-24 16:28:13+00:00 $
## Okta Setup Before you can use this tool, your Okta administrator needs to set up [Amazon/Okta integration][okta_aws_guide] using SAML roles.
## Inspiration This code is heavily based on the previous work done by [ThoughtWorksInc][thoughtworksinc] on their [OktaAuth][oktaauth] and [AWS Role Credentials][aws_role_credentials] tools. We took their general purpose code and re-wrote them into a singularly focused tool that added some new features.
In particular, we found it clumsy to use two CLI tools together to do a single task. Additionally, the tools did not have support for [Okta Verify with Push][okta_verify].
# Developer Setup
If you are interested in working on the codebase, setting up your development environment is quick and easy.
$ virtualenv .venv $ source .venv/bin/activate $ pip install -r requirements.txt
## Python Versions
Python 2.7.1+ and Python 3.5.0+ are supported
## Running Tests
$ nosetests -vv –with-coverage –cover-erase –cover-package=nd_okta_auth
[oktaauth]: https://github.com/ThoughtWorksInc/oktaauth [aws_role_credentials]: https://github.com/ThoughtWorksInc/aws_role_credentials [thoughtworksinc]: https://github.com/ThoughtWorksInc [tracking]: https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/ [okta_aws_guide]: https://support.okta.com/help/servlet/fileField?retURL=%2Fhelp%2Farticles%2FKnowledge_Article%2FAmazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s [okta_mfa]: https://www.okta.com/products/adaptive-multi-factor-authentication/ [okta_verify]: https://www.okta.com/blog/tag/okta-verify-with-push/ [okta_u2f]: https://support.okta.com/help/s/article/Using-YubiKey-Authentication-in-Okta [aws_saml]: http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.