AWS cli assume role and Okta authentication.
Project description
pyokta-aws-cli-assume-role
Okta-AWS auth tool for humans
If you login to AWS via Okta SAML federation and assume an IAM role, this tool will help you easily achieve pragmatic access to AWS via the aws cli and SDKs. Also helpful for running terraform/terragrunt, packer, and credstash with iam roles.
Replaces okta-aws-cli-assume-role
Table of Contents
NOTICE: Though this project works in a limited capacity, keep in mind that this project is still in rapid development phase. No security audits have been performed.
Why a new tool?
Benefits over existing tool
- No PATH changes or overriding aws executables - you're still using native awscli.
- Supports multiple tenants.
- One consistent config file for all tenants.
- Env var changes are 100% optional.
- Cleaner https error output.
- Easy to install.
- JVM not required.
Existing tool features missing in this tool
These features are planned to be supported in the near future. See roadmap.
- Interactively select from multiple mfa options.
- Set desired mfa option via cli args, env vars, or config file.
- Support Okta Verify app mfa (currently only sms is verified to work).
- Cross-OS compatibility testing (current focus is Linux systems).
- Okta token caching/refresh.
Getting Started
Requirements
- python 3.5+
- pip
- awscli:
pip install awscli-- Though it's not required to run the tool, the tool exists to support friendly awscli auth via Okta.
Install
pip install pyokta-aws-cli-assume-role
Configure
Configuration can be input via cli args, env vars, or the pyokta-aws config file described above. Configuration takes presidence as follows: cli args > env vars > config file. For all supported args and env vars, run pyokta-aws --help and pyokta-aws [COMMAND] --help.
Interactive
Run pyokta-aws configure for interactive configuration (WIP).
Config file
Default configuration file location is ~/.pyokta_aws/config.
Example config file:
[my-aws-profile]
region = us-east-1
okta_org = example.okta.com
okta_aws_app_url = https://example.okta.com/home/amazon_aws/123456789
aws_role_to_assume = arn:aws:iam::987654321:role/AWSAdmin
aws_idp = arn:aws:iam::987654321:saml-provider/Okta
username = johnsmith
password = <it is recommended to keep this blank>
sts_duration = 14400
- region: Target AWS region. (Will override default region in target aws cli profile)
- okta_org: Base domain for okta org.
- okta_aws_app_url: Okta app url (can be found by hovering over aws app chiclet).
- aws_role_to_assume: Found in AWS console under
IAM > Roles > <role_id>. Look forARN. - aws_idp: Found in AWS console under
IAM > Identity Providers > <provider_id>. Look forARN. - username: Okta username.
- password: it is recommended to keep this blank and enter it interactively.
- sts_duration: Duration (in seconds) to keep token alive. Max duration found in
IAM > Identity Providers > <provider_id>.
Usage
The main command is pyokta-aws auth.
Basic usage: pyokta-aws auth --profile <aws_profile>.
For supported args, run pyokta-aws auth --help.
How it works
The main pyokta-aws auth command authenticates with Okta and aquires a temporary set of credentials from AWS STS. These credentials get written to you local aws credentials file. This allows the awscli and other tools like terraform/terragrunt, packer, and credstash to run as expected without needing to override the awscli executable or export environment variables.
Before auth happens, your local aws cli config profile is updated via the profile and region set in the pyokta-aws config. Treat you pyokta-aws config file as the single source of truth for aws cli config when authenticating with Okta.
Roadmap
- pypi package
- cli and settings loaders
- support multi-tenant settings
- ci (testing) :construction_worker:
- okta auth
- okta 2fa (sms)
- get saml from okta app
- aws auth via okta auth
- aws config if not previously setup
- basic documentation :pencil:
- support multiple 2fa methods
- interactive initial config :children_crossing:
- readthedocs :pencil:
- tests :white_check_mark:
- windows support :checkered_flag:
- ci/cd (deploy to pypi)?
- aws role list selection in interactive mode :children_crossing:
- okta 2fa (others)
- use context managers to auto-cancel okta verifications on cancel
- okta token cache/refresh to speedup multiple logins :children_crossing:
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pyokta-aws-cli-assume-role-0.0.8rc3.tar.gz.
File metadata
- Download URL: pyokta-aws-cli-assume-role-0.0.8rc3.tar.gz
- Upload date:
- Size: 25.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 20a81ee5a19da5348f7737f607f0c379e67971637decb69404f7443d351b1819 |
|
| MD5 | c28d1d91d7807c807cc8b42c596851af |
|
| BLAKE2b-256 | 2d47a12958d7cb27535b94e6b0e1d6ac9b8df6a0b3129c27dcb99d4eb37978a7 |
File details
Details for the file pyokta_aws_cli_assume_role-0.0.8rc3-py2.py3-none-any.whl.
File metadata
- Download URL: pyokta_aws_cli_assume_role-0.0.8rc3-py2.py3-none-any.whl
- Upload date:
- Size: 28.1 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f2ea375332c554dda16b2ac31147c38fddd3631ddc6ae35d0f46f19907bdd6f2 |
|
| MD5 | f23390449f8bc4e5ecab99058134b79a |
|
| BLAKE2b-256 | 8747e5be9fedb9bcaa01a589f381a198159e7597fd9cdf8159f406b765570e63 |
