Skip to main content

MFA for AWS CLI using SafeNet Trusted Access (STA)

Project description

sta-awscli

MFA for AWS CLI using SafeNet Trusted Access (STA)

This script allows using SafeNet Trusted Access (STA) IDP based authentication when working with AWSCLI. At the moment, the supported configuration is using Keycloak (https://www.keycloak.org) as an "agent" between STA and AWS, allowing us to support AWS with multiple accounts and roles. The script assumes STA and Keycloak are configured and working for SAML based access to AWS.

The script supports all STA authentication methods, including manual OTP, Push based OTP and GriDsure. GriDsure support is experimental and requires "tesseract" v4.0 and above to be installed on the host (https://tesseract-ocr.github.io/tessdoc/Installation.html).

Configuration

On first execution, the script will collect the required information to create a configuration file (sta-awscli.config) that is stored in ~\.aws folder. It's possible to run the script with -c switch to specify an alternative location for the config file or --update-config to overwrite existing configurations.

The configuration file includes:

  • AWS Region
  • Keycloak URL
  • Keycloak version
  • Keycloak Realm Name
  • AWS application name in Keycloak

For example:

[config]
aws_region =  
cloud_idp =  
is_new_kc =  
tenant_reference_id =  
aws_app_name =  

Usage

Once the configuration is created, a connection is established to STA through Keycloak and the user will be asked to provide a username, based on STA authentication policy, AD Password and OTP. If the user only has single token (MobilePASS+ or GriDsure) assigned, the authentication will be triggered automatically (Push for MobilePASS+ or the pattern grid presented for GriDsure). For auto triggered Push - the user can cancel the Push using CTRL+C to manually enter OTP. If the user has multiple tokens assigned, the user is aksed to provide an OTP, but still has the abbility to trigger Push ("p" or blank OTP) and GriDsure ("g").

After successful authentication, if a user has a single role assigned, an Access Token is generated and stored in .aws\credentials file. If the user has multiple roles assigned, the user is presented with the list of available roles to select the desired role and an Access Token is generated and stored.

Switches

 $ sta-awscli -h                                   
sta-awscli (version) MFA for AWS CLI using SafeNet Trusted Access (STA)

usage: sta-awscli [-h] [-v] [-c CLI_CONFIG_PATH] [--update-config] [-u USERNAME] 
                  [-r [REGION] | --region [{eu-north-1,ap-south-1,eu-west-3,eu-west-2,eu-west-1,
                                            eu-central-1,ap-northeast-3,ap-northeast-2,ap-northeast-1,
                                            ap-east-1,ap-southeast-1,ap-southeast-2,sa-east-1,
                                            ca-central-1,us-east-1,us-east-2,us-west-1,us-west-2}]]
options:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -c CLI_CONFIG_PATH, --config CLI_CONFIG_PATH
                        Specify script configuration file path
  --update-config       Force update sta-awscli configuration file
  -u USERNAME, --username USERNAME
                        Specify your SafeNet Trusted Access Username
  -r [REGION]           Specify any AWS region (without input checking)
  --region [REGION]     Specify AWS region (e.g. us-east-1)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sta-awscli-2.0.13.tar.gz (15.3 kB view details)

Uploaded Source

Built Distribution

sta_awscli-2.0.13-py3-none-any.whl (14.6 kB view details)

Uploaded Python 3

File details

Details for the file sta-awscli-2.0.13.tar.gz.

File metadata

  • Download URL: sta-awscli-2.0.13.tar.gz
  • Upload date:
  • Size: 15.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.15 CPython/3.10.6 Linux/5.15.0-1017-azure

File hashes

Hashes for sta-awscli-2.0.13.tar.gz
Algorithm Hash digest
SHA256 8dbd01473f0053b4adc6fcc44f5727618691cfd007482d5139993d7a1b1001fb
MD5 eb12d05e364e5a94a64426e224cf3172
BLAKE2b-256 026dd5a56476377191bbce6704cad82bad09b8618c921a0cf994cae12bb06ccc

See more details on using hashes here.

File details

Details for the file sta_awscli-2.0.13-py3-none-any.whl.

File metadata

  • Download URL: sta_awscli-2.0.13-py3-none-any.whl
  • Upload date:
  • Size: 14.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.15 CPython/3.10.6 Linux/5.15.0-1017-azure

File hashes

Hashes for sta_awscli-2.0.13-py3-none-any.whl
Algorithm Hash digest
SHA256 1da1482c3b66231e8d85138b555489b0d92eef27691db5c8911622cc2490866b
MD5 5c8a04316ff507c8182e6c8599c1d5e2
BLAKE2b-256 286261a755efde9fd27a95af0881b707cca666b27c8fb66871848977e8d2052e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page