Skip to main content

1Password aws-vault like utility

Project description

op-aws-vault

A aws-vault like utility built completely on 1Password.

What is it?

Irritated by no aws-vault 1Password integration and finding 1Password AWS plugin a bit buggy, this was an itch I wanted to scratch.

It's a small python script/utility that emulates the behaviour of aws-vault but completely integrated in 1Password. It wraps around the 1Password CLI.

It requires a 1Password account and 1Password CLI. It's tested on MacOS and Linux. Probably doesnt work on Windows.

It uses your AWS credentials and OTP key as a means to accomplish the following:

  • Exec into a shell with a (MFA'd) session of any role you can assume
  • Login to the AWS console via Federation

It requires no on-disk configuration, all configuration is set up in 1Password, including roles to assume, AWS creds and One-Time-Password.

This means if you interact with AWS on different computers, you only need to set this up once in 1Password, no config setup, no key imports.

How to install

Create Python Virtual Environment and pip install op-aws-vault

You need to have the 1Password CLI and GUI open and unlocked for it to work.

You may want to disable the 1Password aws plugin (unalias aws) as I find it interferes.

Setup

You need to set up a 1Password item with the following attribute names (exactly):

  • access key id(AWS Key ID)
  • secret access key (AWS Secret Key)
  • mfa serial (MFA Serial ARN - Optional with MFA - Recommended!)
  • one-time password (TOTP Required for MFA)
  • default-region (Default Region(default-region))

To assume roles you need to add text attributes with the ARNs of roles to assume with a role-{role name} pattern.

For example if you have a dev role, you would add a text attribute to 1Password item called role-dev and make the value the ARN of the role.

You can add as many roles as you wish.

Finally, you need to tag the item as aws-credential this allows op-aws-vault to find it.

Usage

Each command requires a role as the first positional argument.

It can be any of the role-{name} roles in your 1Password or default for the top-level role.

Expect for 1Password to verify your identity at least once per session.

All commands accept the following optional arguments

--region AWS region to operate against

--duration Duration for session to be valid for. (1hr, 120mins etc.)

op-aws-vault exec

This opens an authenticated shell with the role you choose

op-aws-vault exec <role name>

op-aws-vault exec dev would open a shell with

op-aws-vault exec dev -- /bin/bash would open a bash shell explicitly

Unlike aws-vault, op-aws-vault can be safely nested.

op-aws-vault login

op-aws-vault login dev to open a web browser with a federated console Login for the dev role.

If you'd prefer to not open a browser, just get the URL, use the --stdout option to print to console.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

op_aws_vault-0.0.1-py3-none-any.whl (5.6 kB view details)

Uploaded Python 3

File details

Details for the file op_aws_vault-0.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for op_aws_vault-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5d95ca28e49ab0b42eea1dc936b215429e828db2129d0ada2bb31b753fd34ff8
MD5 8cb5ef9adedac6d2129676388e5148b0
BLAKE2b-256 4d1931c0dda0b16d4f37a5e108efb77f2c944564b266aa48b5f41d93d084424d

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page