1Password aws-vault like utility
Project description
op-aws-vault
A aws-vault like utility built completely on 1Password.
What is it?
Irritated by no aws-vault 1Password integration and finding 1Password AWS plugin a bit buggy, this was an itch I wanted to scratch.
It's a small python script/utility that emulates the behaviour of aws-vault but completely integrated in 1Password. It wraps around the 1Password CLI.
It requires a 1Password account and 1Password CLI. It's tested on MacOS, Linux, Windows and WSL2
It uses your AWS credentials and OTP key as a means to accomplish the following:
- Exec into a shell with a (MFA'd) session of any role you can assume
- Login to the AWS console via Federation
It requires no on-disk configuration, all configuration is set up in 1Password, including roles to assume, AWS creds and One-Time-Password.
This means if you interact with AWS on different computers, you only need to set this up once in 1Password, no config setup, no key imports.
How to install
Create Python Virtual Environment and pip install op-aws-vault
You need to have the 1Password CLI and GUI open and unlocked for it to work.
You may want to disable the 1Password aws plugin (unalias aws) as I find it interferes.
Setup
You need to set up a 1Password item with the following attribute names (exactly):
access key id(AWS Key ID)secret access key(AWS Secret Key)mfa serial(MFA Serial ARN - Optional with MFA - Recommended!)one-time password(TOTP Required for MFA)default-region(Default Region)
To assume roles you need to add text attributes with the ARNs of roles to assume with a role-{role name} pattern.
For example if you have a dev role, you would add a text attribute to 1Password item called role-dev and make the value the ARN of the role.
You can add as many roles as you wish.
Finally, you need to tag the item as aws-credentials - this allows op-aws-vault to find it.
It should look similar to:
Usage
Each command requires a role as the first positional argument.
It can be any of the role-{name} roles in your 1Password or default for the top-level role.
Expect for 1Password to verify your identity at least once per session.
All commands accept the following optional arguments
--region AWS region to operate against
--duration Duration for session to be valid for. (1hr, 120mins etc.)
op-aws-vault exec
This opens an authenticated shell with the role you choose
op-aws-vault exec <role name>
op-aws-vault exec dev would open a shell with
op-aws-vault exec dev -- /bin/bash would open a bash shell explicitly
Unlike aws-vault, op-aws-vault can be safely nested.
op-aws-vault login
op-aws-vault login dev to open a web browser with a federated console Login for the dev role.
If you'd prefer to not open a browser, just get the URL, use the --stdout option to print to console.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file op_aws_vault-0.0.7.tar.gz.
File metadata
- Download URL: op_aws_vault-0.0.7.tar.gz
- Upload date:
- Size: 90.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ced4e862b263d4768bed9bfc122bf433ff3146def3f26d1742024ff893e2b6fa |
|
| MD5 | 3a783f12ec061071e811b8f50a145e02 |
|
| BLAKE2b-256 | 206467609f68d7f005f281611819a79a0971b8afc6702297129130faba823cf8 |
File details
Details for the file op_aws_vault-0.0.7-py3-none-any.whl.
File metadata
- Download URL: op_aws_vault-0.0.7-py3-none-any.whl
- Upload date:
- Size: 5.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 73889f6bd526af6b090d70a988b64dc7899a7c61dc8a1825d92ddced401fc1d8 |
|
| MD5 | 6eaffdd834be23c3cbc35e51bb40acce |
|
| BLAKE2b-256 | 5bb927a5481a5a5f4be0bbff91a9253d48ccfe8692c0cd56c1248e0fa5b2ccfc |
