MFA for AWS CLI using SafeNet Trusted Access (STA)
Project description
sta-awscli
MFA for AWS CLI using SafeNet Trusted Access (STA)
This script allows using SafeNet Trusted Access (STA) IDP based authentication when working with AWSCLI. At the moment, the supported configuration is using Keycloak (https://www.keycloak.org) as an "agent" between STA and AWS, allowing us to support AWS with multiple accounts and roles. The script assumes STA and Keycloak are configured and working for SAML based access to AWS.
The script supports all STA authentication methods, including manual OTP, Push based OTP and GriDsure. GriDsure support is experimental and requires "tesseract" v4.0 and above to be installed on the host (https://tesseract-ocr.github.io/tessdoc/Installation.html).
Configuration
On first execution, the script will collect the required information to create a configuration file (sta-awscli.config) that is stored in ~.aws folder. It's possible to run the script with -c switch to specify an alternative location for the config file.
The configuration file includes:
- AWS Region
- Keycloak URL
- Keycloak version
- Keycloak Realm Name
- AWS application name in Keycloak
For example:
[config]
aws_region =
cloud_idp =
is_new_kc =
tenant_reference_id =
aws_app_name =
Usage
Once the configuration is created, a connection is established to STA through Keycloak and the user will be asked to provide a username, based on STA authentication policy, AD Password and OTP. If the user only has single token (MobilePASS+ or GriDsure) assigned, the authentication will be triggered automatically (Push for MobilePASS+ or the pattern grid presented for GriDsure). For auto triggered Push - the user can cancel the Push using CTRL+C to manually enter OTP. If the user has multiple tokens assigned, the user is aksed to provide an OTP, but still has the abbility to trigger Push ("p" or blank OTP) and GriDsure ("g").
After successful authentication, if a user has a single role assigned, an Access Token is generated and stored in .aws\credentials file. If the user has multiple roles assigned, the user is presented with the list of available roles to select the desired role and an Access Token is generated and stored.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file sta-awscli-2.0.4.tar.gz.
File metadata
- Download URL: sta-awscli-2.0.4.tar.gz
- Upload date:
- Size: 11.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.15 CPython/3.10.6 Linux/5.15.0-1017-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | cdcae05dc999b8322a667b2927f20bac410eb259396f9afac02444143f21a503 |
|
| MD5 | 52ac80699890975dedb4871a0ed3c306 |
|
| BLAKE2b-256 | 7b8a75a9ba2dfcab8b43dc91d797dcc0892f94a10f5faa91f7dd48db7a5c658c |
File details
Details for the file sta_awscli-2.0.4-py3-none-any.whl.
File metadata
- Download URL: sta_awscli-2.0.4-py3-none-any.whl
- Upload date:
- Size: 10.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.1.15 CPython/3.10.6 Linux/5.15.0-1017-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f58f070ee973ceb2ad59d5cd36160f0963cdc7edb805bfbf3f116d3e8dc0281d |
|
| MD5 | eb3a459c53e336f6a70da9bb4d601c80 |
|
| BLAKE2b-256 | aec0f1b742d2bffe43a9ceca536038a535fdcd8cc93f650b46830c47f7a90415 |
