
Okta AWS SAML credential helper

Project description

okta_aws_cred_helper

OKTA AWS credential helper.

You only need the following steps to set up your AWS credentials file, derived from Okta, automatically. The procedure is:

okta-aws-cred-helper init
okta-aws-cred-helper refresh

# then you are ready to go.
AWS_PROFILE=okta-role aws s3 ls
# To see which profiles are available to you, check your AWS credentials file, i.e. ~/.aws/credentials

# When your DevSecOps team changes your permissions, refresh your local AWS credentials file to pick up the change.
okta-aws-cred-helper refresh

Install

pip install okta-aws-credential-helper

Initialize

Preparation:

  1. You need to know the Okta AWS application SSO URL. It should look like https://domain.okta.com/app/amazon_aws/`app-id`/sso/saml.
  2. You already have your email/password/Google 2FA set up.
  3. During the process, we will reset the Okta Google 2FA enrolment. You will need a QR code scanner application (other than the Google Authenticator app) so that you can read the TOTP secret out of the QR code. A useful application can be: https://play.google.com/store/apps/details?id=com.tohsoft.qrcode.pro

Read your TOTP code

Log in to your Okta account and reset your 2FA enrolment. While resetting, and while the QR code is still displayed, use the QR code scanner to decode it. The decoded content will look like

otpauth://totp/xxx.okta.com:<your-email>?secret=<totp-code>&issuer=xxx.okta.com

Note the TOTP secret (the secret= value) down; you will use it later.

Initialize okta credentials

Execute

okta-aws-cred-helper init

Follow the questions and input your answers. You will be asked for the sso_url, your Okta username (email), your Okta password and the TOTP secret you previously noted down. Note that whatever you type is echoed back to the screen, so make sure nobody is looking over your shoulder.

Review your Okta credentials settings

NOTE: your Okta credential settings are stored in the file ~/.aws/okta-aws/settings.json. Keep it secret. You can also edit this file directly later instead of re-running the okta-aws-cred-helper init command.

Once initialized, the file should look like

{
  "sso_url": "https://domain.okta.com/app/amazon_aws/aaaaabbbbbcccccDDDDD/sso/saml",
  "region": "ap-southeast-2",
  "user_name": "name@email.com.au",
  "password": "<password>",
  "google_2fa_totp": "<totp code>"
}
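Because this file holds a password and a TOTP seed, it deserves the same care as an SSH private key: owner-only permissions and a sanity check before use. The block below is an added example (not the project's own loader) that validates the structure shown above, refuses to use the file if it is readable by other users, and writes it back with mode 0600. The sample settings are constructed placeholders; the field names and the sso_url shape are those from the page.

```python
import json
import os
import stat

SETTINGS_PATH = os.path.expanduser("~/.aws/okta-aws/settings.json")
REQUIRED_KEYS = ("sso_url", "region", "user_name", "password", "google_2fa_totp")

# Constructed sample with the fields the tool writes; values are placeholders.
SAMPLE_SETTINGS = {
    "sso_url": "https://domain.okta.com/app/amazon_aws/aaaaabbbbbcccccDDDDD/sso/saml",
    "region": "ap-southeast-2",
    "user_name": "name@email.com.au",
    "password": "<password>",
    "google_2fa_totp": "<totp code>",
}


def is_private_mode(st_mode: int) -> bool:
    """True when no group or other permission bits are set (0600 or stricter)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def missing_keys(settings: dict) -> list:
    """Names of required fields that are absent or empty."""
    return [k for k in REQUIRED_KEYS if not settings.get(k)]


def sso_url_looks_valid(url: str) -> bool:
    """Matches the https://<tenant>.okta.com/app/amazon_aws/<app-id>/sso/saml shape."""
    return (url.startswith("https://")
            and "/app/amazon_aws/" in url
            and url.endswith("/sso/saml"))


def load_settings(path: str = SETTINGS_PATH) -> dict:
    """Load and validate settings.json, refusing a file other users can read."""
    st = os.stat(path)
    if not is_private_mode(st.st_mode):
        raise PermissionError(
            f"{path} has mode {stat.filemode(st.st_mode)}; run: chmod 600 {path}")
    with open(path, encoding="utf-8") as f:
        settings = json.load(f)
    missing = missing_keys(settings)
    if missing:
        raise ValueError(f"settings.json is missing: {', '.join(missing)}")
    if not sso_url_looks_valid(settings["sso_url"]):
        raise ValueError("sso_url does not look like an Okta AWS app SAML URL")
    return settings


def write_settings(settings: dict, path: str = SETTINGS_PATH) -> None:
    """Create the file owner-only from the start, so no window exists where it is world-readable."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(settings, f, indent=2)
    os.chmod(path, 0o600)  # in case the file pre-existed with looser bits
```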

Automatically set your ~/.aws/credentials file

Execute

okta-aws-cred-helper refresh

This command will modify your ~/.aws/credentials to hold the new credentials derived from Okta. The credentials from Okta will be defined as profiles whose names start with okta-.

Note that existing credentials in ~/.aws/credentials with profile names not starting with okta- will be left intact.

After executing this command, simply check the content of ~/.aws/credentials to get familiar with which roles Okta allows you to assume. You can also configure other personal profiles to source from these okta- profiles.
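The merge rule just described (replace every okta- profile, leave everything else untouched) is the part of a refresh most likely to clobber someone's long-lived keys if done carelessly. Here is an added example of how to do it safely, not the project's own implementation: it parses the existing file, drops stale okta- profiles so a role you have lost does not linger, writes the new ones, and replaces the file atomically with owner-only permissions. Sample contents and credentials are constructed placeholders.

```python
import configparser
import io
import os
import tempfile

OKTA_PREFIX = "okta-"

# Constructed sample of an existing ~/.aws/credentials: one personal profile
# that must survive and one stale okta- profile left by an earlier refresh.
SAMPLE_EXISTING = """\
[default]
aws_access_key_id = PLACEHOLDER_PERSONAL_KEY_ID
aws_secret_access_key = PLACEHOLDER_PERSONAL_SECRET

[okta-old-role]
aws_access_key_id = PLACEHOLDER_STALE_KEY_ID
aws_secret_access_key = PLACEHOLDER_STALE_SECRET
aws_session_token = PLACEHOLDER_STALE_TOKEN
"""

# Constructed sample of what one refresh might produce for a single role.
SAMPLE_OKTA = {
    "okta-role": {
        "aws_access_key_id": "PLACEHOLDER_STS_KEY_ID",
        "aws_secret_access_key": "PLACEHOLDER_STS_SECRET",
        "aws_session_token": "PLACEHOLDER_STS_TOKEN",
    }
}


def profiles_in(text: str) -> dict:
    """Parse credentials-file text into {profile: {key: value}}."""
    # interpolation=None: secrets may legitimately contain '%' characters
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s: dict(parser.items(s, raw=True)) for s in parser.sections()}


def merge_okta_profiles(existing_text: str, okta_profiles: dict) -> str:
    """Keep non-okta- profiles verbatim, drop stale okta- profiles, add the new ones."""
    merged = configparser.ConfigParser(interpolation=None)
    for name, values in profiles_in(existing_text).items():
        if name.startswith(OKTA_PREFIX):
            continue  # regenerated below; a role you no longer hold disappears
        merged[name] = values
    for name, values in okta_profiles.items():
        section = name if name.startswith(OKTA_PREFIX) else OKTA_PREFIX + name
        merged[section] = values
    out = io.StringIO()
    merged.write(out)
    return out.getvalue()


def write_credentials(path: str, text: str) -> None:
    """Write via a temp file and rename, so a crash never leaves a half-written file."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(text)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def refresh(path: str, okta_profiles: dict) -> dict:
    """Merge new okta- profiles into the credentials file at `path`; return the result parsed."""
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read()
    merged = merge_okta_profiles(existing, okta_profiles)
    write_credentials(path, merged)
    return profiles_in(merged)
```

Because the file is rewritten from a parsed representation, comments in the original are not preserved; a tool that must keep them would have to edit the file line by line instead.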

Caching

This process uses the directory ~/.aws/okta-aws as a temporary credential cache.

Refreshing

This tool automatically refreshes the credentials behind the scenes for you.

Speed

While refreshing credentials, you may notice your AWS tools (boto scripts or the AWS CLI) freeze for several seconds. This usually happens at the edge of a 30-second TOTP window. When the tool senses it is close to the end of a 30-second window, it waits until that window has passed, to avoid Google 2FA authentication failures caused by network delay or clock skew.

Improve

The following items are planned:

  • Use a more secure store.
  • Test on Windows.
  • Test on Linux (Ubuntu).
  • Add easy role-assumption support.
  • Allow signing login URLs (working with awslogin).
  • Package properly and add tests.

Contributions welcome.


Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

okta-aws-credential-helper-0.3.2.tar.gz (10.1 kB)

Uploaded Source

Built Distribution

okta_aws_credential_helper-0.3.2-py3-none-any.whl (10.7 kB)

Uploaded Python 3

File details

Details for the file okta-aws-credential-helper-0.3.2.tar.gz.

File metadata

  • Download URL: okta-aws-credential-helper-0.3.2.tar.gz
  • Upload date:
  • Size: 10.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.6.7

File hashes

Hashes for okta-aws-credential-helper-0.3.2.tar.gz
Algorithm Hash digest
SHA256 67d5f40c84ad0d3f5edf5b168fc9f9530ff378a36bd9bb5b26419bbc8225e500
MD5 5f683f80201127705abc197f430c5518
BLAKE2b-256 e7603f60bc0a2ad175e5d1c5b677d168cb960d2104335bf8614ddb12710d743d


File details

Details for the file okta_aws_credential_helper-0.3.2-py3-none-any.whl.

File metadata

  • Download URL: okta_aws_credential_helper-0.3.2-py3-none-any.whl
  • Upload date:
  • Size: 10.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.6.7

File hashes

Hashes for okta_aws_credential_helper-0.3.2-py3-none-any.whl
Algorithm Hash digest
SHA256 37debbce2712f0be4e1f6708d2980fa90c1a0d1a1c2fb96f483e91ed2982e554
MD5 a18a82faef5b008e7faf72245cde0612
BLAKE2b-256 5bfaef80f0393c5a34d2489aed9729ee20737c52aea87fc905296a461ad67650

