Merge pull request #23 from WarnerMedia/sync/update-to-2.7.0
Sync/update to 2.7.0
mjreed-wbd authored Aug 17, 2023
2 parents ad9a8d2 + 13a10b9 commit 1041e3b
Showing 24 changed files with 2,096 additions and 280 deletions.
31 changes: 28 additions & 3 deletions .github/workflows/build_nix.yml
Expand Up @@ -8,9 +8,34 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v17

- uses: cachix/install-nix-action@v20
with:
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
github_access_token: ${{ secrets.GITHUB_TOKEN }}

- name: Building package
run: nix build .

- name: Write a gimme-aws-creds config file for testing
run: |
cat > ~/.okta_aws_login_config <<EOF
[default]
okta_org_url = https://foobar.okta.com
okta_auth_server =
client_id =
gimme_creds_server = appurl
aws_appname =
aws_rolename =
write_aws_creds = False
cred_profile = role
okta_username = [email protected]
app_url = https://foobar.okta.com/home/amazon_aws/00000000000000000000/111
resolve_aws_alias = False
preferred_mfa_type =
aws_default_duration = 36000
device_token =
output_format = json
EOF
- name: Check gimme-aws-creds version
run: ./result/bin/gimme-aws-creds --version
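Review bot: `cachix/install-nix-action@v20` is referenced by a movable tag and is now handed `secrets.GITHUB_TOKEN` twice, once through `github_access_token` and once through the `access-tokens = github.com=...` line in `extra_nix_config`. The action's `github_access_token` input already appears to configure the Nix access token, so the `extra_nix_config` entry looks redundant and can be dropped, which leaves a single place where the token is written into Nix configuration. Because a third-party action receives the token, pin it to a full commit SHA, e.g. `uses: cachix/install-nix-action@<full-commit-sha> # v20`, and give the job a `permissions:` block with `contents: read` if the workflow does not already set one; the top of the file is outside this hunk, so that is unverified here.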
22 changes: 10 additions & 12 deletions .github/workflows/cicd.yml
Expand Up @@ -11,17 +11,15 @@ on:
jobs:
test:
name: Unit Tests
# Python 3.6 is currently only available in Ubuntu 20.
# https://github.com/actions/setup-python/issues/544
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [ "3.6", "3.7", "3.8", "3.9" ]
python-version: [ "3.7", "3.8", "3.9", "3.10" ]

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
Expand All @@ -45,11 +43,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v3

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -60,7 +58,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
uses: github/codeql-action/autobuild@v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -74,7 +72,7 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2

deploy:
name: Deploy to PyPi
Expand All @@ -84,9 +82,9 @@ jobs:
- code-scan
if: github.event_name == 'release'
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v3
with:
python-version: '3.x'
- name: Install dependencies
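Review bot: The deploy job sets up Python with `actions/setup-python@v3` while the test job in the same file was moved to `actions/setup-python@v4`; unless v3 is deliberate, use `uses: actions/setup-python@v4` in both. The deploy job is the one that publishes to PyPI on a release, so it is also where referencing actions by full commit SHA rather than a tag matters most. The job's remaining steps are outside the visible hunk, so how the PyPI credential is passed could not be checked.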
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -4,6 +4,7 @@
__pycache__/
*.py[cod]
*$py.class
.DS_Store

# nix flake init -t template#python
.direnv
Expand Down Expand Up @@ -52,6 +53,7 @@ nosetests.xml
coverage.xml
*,cover
.hypothesis/
htmlcov/

# Translations
*.mo
2 changes: 1 addition & 1 deletion LONG_DESCRIPTION.md
Expand Up @@ -10,7 +10,7 @@ With gimme-aws-creds all you need to know is your username, password, Okta url a

[Okta SAML integration to AWS using the AWS App](https://help.okta.com/en/prod/Content/Topics/Miscellaneous/References/OktaAWSMulti-AccountConfigurationGuide.pdf)

Python 3.6+
Python 3.7+

## Installation

1 change: 1 addition & 0 deletions MANIFEST.in
@@ -1,3 +1,4 @@
include README.md
include LICENSE.txt
include requirements.txt
include LONG_DESCRIPTION.md
8 changes: 6 additions & 2 deletions Makefile
Expand Up @@ -2,26 +2,30 @@ ifdef OS
BIN := Scripts
PYTHON := python
SEP := ;
SFX := .cmd
else
BIN := bin
PYTHON := python3
SEP := :
SFX :=
endif

docker-build:
docker build -t gimme-aws-creds .

test: docker-build
nosetests -vv tests
pytest -vv tests

venv:
$(PYTHON) -mvenv ./venv

init: venv
./venv/$(BIN)/$(PYTHON) -mpip install -r requirements_dev.txt


exe: init
./venv/$(BIN)/$(PYTHON) -mpip install .
$(eval FIDODIR := $(shell ./venv/$(BIN)/$(PYTHON) -c "import fido2;from os import path as op;print(op.dirname(fido2.__file__))"))
./venv/$(BIN)/$(PYTHON) -mPyInstaller -F --hidden-import=gimme_aws_creds --add-data "$(FIDODIR)/public_suffix_list.dat$(SEP)fido2" bin/gimme-aws-creds

clean:
rm -rf build dist venv
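Review bot: In the `exe` recipe, `$(eval FIDODIR := $(shell ...))` is expanded by make together with the rest of the recipe before the first line runs, so the fido2 lookup happens before `pip install .` and only works if `init` already installed fido2 into the venv. If the import fails, `FIDODIR` is empty and PyInstaller is given `--add-data "/public_suffix_list.dat$(SEP)fido2"`, a path at the filesystem root, instead of the build stopping. Add a guard directly after the eval line, `$(if $(strip $(FIDODIR)),,$(error fido2 not found in ./venv))`, so the data file bundled into the executable can only come from the venv. `SFX` is assigned in both branches but is not used anywhere in this hunk.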
75 changes: 67 additions & 8 deletions README.md
@@ -1,19 +1,22 @@
# Gimme AWS Creds

[![][license img]][license]
[![Build Status](https://travis-ci.org/Nike-Inc/gimme-aws-creds.svg?branch=master)](https://travis-ci.org/Nike-Inc/gimme-aws-creds)
[![][cicd img]][cicd]

gimme-aws-creds is a CLI that utilizes an [Okta](https://www.okta.com/) IdP via SAML to acquire temporary AWS credentials via AWS STS.

Okta is a SAML identity provider (IdP), that can be easily set-up to do SSO to your AWS console. Okta does offer an [OSS java CLI]((https://github.com/oktadeveloper/okta-aws-cli-assume-role)) tool to obtain temporary AWS credentials, but I found it needs more information than the average Okta user would have and doesn't scale well if have more than one Okta App.

With gimme-aws-creds all you need to know is your username, password, Okta url and MFA token, if MFA is enabled. gimme-aws-creds gives you the option to select which Okta AWS application and role you want credentials for. Alternatively, you can pre-configure the app and role name by passing -c or editing the config file. This is all covered in the usage section.

## Disclaimer
Okta is a registered trademark of Okta, Inc. and this tool has no affiliation with or sponsorship by Okta, Inc.

## Prerequisites

[Okta SAML integration to AWS using the AWS App](https://help.okta.com/en/prod/Content/Topics/Miscellaneous/References/OktaAWSMulti-AccountConfigurationGuide.pdf)

Python 3.6+
Python 3.7+

### Optional

Expand Down Expand Up @@ -134,6 +137,50 @@ alias gimme-aws-creds="docker run -it --rm \

With this config, you will be able to run further commands seamlessly!

## Command Auto Completion

If you are using Bash or Zsh, you can add autocompletion for the gimme-aws-creds commandline options and profile names. To add the autocomplete config, add the following to the end of your .bashrc or .zshrc:

.bashrc
```bash
INSTALL_DIR=$(dirname $(which gimme-aws-creds))
source ${INSTALL_DIR}/gimme-aws-creds-autocomplete.sh"
```
.zshrc
```bash
INSTALL_DIR=$(dirname $(which gimme-aws-creds))
autoload bashcompinit
bashcompinit
source ${INSTALL_DIR}/gimme-aws-creds-autocomplete.sh
```
## Using gimme-aws-creds with Okta Identity Engine
There are two options for using gimme-aws-creds with an OIE domain:
* Device Authorization Flow
* Forcing the use of the Okta Classic login flow
### Okta Identity Engine and Device Authorization Flow
This is the recommended method for authentication with OIE. It matches the flow used by Okta's [AWS client](https://github.com/okta/okta-aws-cli). When using gimme-aws-creds with the Device Authorization flow, you will authenticate using your browser. Storing credentials in keychain or passing MFA codes through the command-line is NOT POSSIBLE.
To use gimme-aws-creds with an Okta Identity Engine (OIE) domain, you must create a new OIDC Native Application and connect it to your AWS integration app(s).
The OIDC Native Application requires Grant Types `Authorization Code`, `Device Authorization` , and `Token Exchange`. These settings are in the Okta Admin UI at `Applications > [the OIDC app] > General Settings > Grant type`.
The pairing with the AWS Federation Application is achieved in the Fed app's Sign On Settings. These settings are in the Okta Admin UI at `Applications > [the AWS Fed app] > Sign On`. Make sure to set the `Allowed Web SSO Client` value to the Client ID of the OIDC Native Application. Repeat that setting for each AWS application you want to access with gimme-aws-creds.
Finally, set the Client ID in gimme-aws-creds (`gimme-aws-creds --action-configure` or update the `client_id` parameter in your config file)
Make sure to use the same authentication policy for both the AWS Federation Application and the OIDC application ( or at least use equivalent policy rules for both). If not, you'll receive a `400 Bad Request` response when requesting the Web SSO token.
### Forcing the use of the Okta Classic login flow ###
The login flow used in Okta Classic currently still works with Okta Identity Engine domains, BUT there are a couple caveats:
* The Okta classic flow passes the `stateToken` parameter when requesting "step-up" authentication. This capability was removed in OIE, so if the authentication policy on your AWS app(s) requires MFA but the Global Session Policy does not (or if a higher level of MFA factor is required to access AWS), you cannot authenticate using the classic login flow.
* MFA using Okta Verify is only supported on mobile devices. Okta Verify on macOS/Windows is not supported.
* Passwordless authentication and endpoint security checks are not supported.
## Configuration
To set-up the configuration run:
Expand All @@ -142,7 +189,7 @@ To set-up the configuration run:
gimme-aws-creds --action-configure
```
You can also set up different Okta configuration profiles, this useful if you have multiple Okta accounts or environments you need credentials for. You can use the configuration wizard or run:
You can also set up different Okta configuration profiles, this is useful if you have multiple Okta accounts or environments you need credentials for. You can use the configuration wizard or run:
```bash
gimme-aws-creds --action-configure --profile profileName
Expand All @@ -153,7 +200,7 @@ A configuration wizard will prompt you to enter the necessary configuration para
- conf_profile - This sets the Okta configuration profile name, the default is DEFAULT.
- okta_org_url - This is your Okta organization url, which is typically something like `https://companyname.okta.com`.
- okta_auth_server - [Okta API Authorization Server](https://help.okta.com/en/prev/Content/Topics/Security/API_Access.htm) used for OpenID Connect authentication for gimme-creds-lambda
- client_id - OAuth client ID for gimme-creds-lambda
- client_id - OAuth client ID for user authentication in Okta Identity Engine and gimme-creds-lambda in Okta "classic"
- gimme_creds_server
- URL for gimme-creds-lambda
- 'internal' for direct interaction with the Okta APIs (`OKTA_API_KEY` environment variable required)
Expand All @@ -175,13 +222,16 @@ A configuration wizard will prompt you to enter the necessary configuration para
- token:hardware - OTP using hardware like Yubikey
- call - OTP via Voice call
- sms - OTP via SMS message
- email - OTP via email
- web - DUO uses localhost webbrowser to support push|call|passcode
- passcode - DUO uses `OKTA_MFA_CODE` or `--mfa-code` if set, or prompts user for passcode(OTP).
- resolve_aws_alias - y or n. If yes, gimme-aws-creds will try to resolve AWS account ids with respective alias names (default: n). This option can also be set interactively in the command line using `-r` or `--resolve` parameter
- include_path - (optional) Includes full role path to the role name in AWS credential profile name. (default: n). If `y`: `<acct>-/some/path/administrator`. If `n`: `<acct>-administrator`
- remember_device - y or n. If yes, the MFA device will be remembered by Okta service for a limited time. This option can also be set interactively in the command line using `-m` or `--remember-device`
- output_format - `json` , `export` or `windows`, determines default credential output format, can be also specified by `--output-format FORMAT` and `-o FORMAT`.
- open-browser - Open the device authentication link in the default web browser automatically (Okta Identity Engine domains only)
- force-classic - Force the use of the Okta Classic login process (Okta Identity Engine domains only)
## Configuration File
Expand Down Expand Up @@ -263,6 +313,7 @@ A list of values of to change with environment variables are:
- `OKTA_MFA_CODE` - corresponds to `--mfa-code` CLI option
- `OKTA_PASSWORD` - provides password during authentication, can be used in CI
- `OKTA_USERNAME` - corresponds to `okta_username` configuration and `--username` CLI option
- `AWS_STS_REGION` - force the use of the STS in a specific region (`us-east-1`, `eu-north-1`, etc.)
Example: `GIMME_AWS_CREDS_CLIENT_ID='foobar' AWS_DEFAULT_DURATION=12345 gimme-aws-creds`
Expand All @@ -276,6 +327,10 @@ For changing variables outside of this, you'd need to create a separate profile
`gimme-aws-creds --action-list-roles` will print all available roles to STDOUT without retrieving their credentials.
### Credential expiration time
Writing to the AWS credentials file will include the `x_security_token_expires` value in RFC3339 format. This allows tools to validate if the credentials are expiring or are expiring soon and warn the user or trigger a refresh.
### Generate credentials as json
`gimme-aws-creds -o json` will print out credentials in JSON format - 1 entry per line
Expand Down Expand Up @@ -346,23 +401,25 @@ Then, you can choose the newly registered authenticator from the factors list.
## Running Tests
You can run all the unit tests using nosetests. Most of the tests are mocked.
You can run all the unit tests using pytest. Most of the tests are mocked.
```bash
nosetests --verbosity=2 tests/
pytest -vv tests
```
## Maintenance
This project is maintained by [Ann Wallace](https://github.com/anners), [Eric Pierce](https://github.com/epierce), and [Justin Wiley](https://github.com/sector95).
This project is maintained by [Eric Pierce](https://github.com/epierce)
## Thanks and Credit
I came across [okta_aws_login](https://github.com/nimbusscale/okta_aws_login) written by Joe Keegan, when I was searching for a CLI tool that generates AWS tokens via Okta. Unfortunately it hasn't been updated since 2015 and didn't seem to work with the current Okta version. But there was still some great code I was able to reuse under the MIT license for gimme-aws-creds. I have noted in the comments where I used his code, to make sure he receives proper credit.
## Etc
[Okta's Java tool](https://github.com/oktadeveloper/okta-aws-cli-assume-role)
[okta-aws-cli](https://github.com/okta/okta-aws-cli)
[okta-aws-cli-assume-role](https://github.com/oktadev/okta-aws-cli-assume-role)
[AWS - How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS](https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/)
Expand All @@ -374,3 +431,5 @@ Gimme AWS Creds is released under the [Apache License, Version 2.0](http://www.a
[license]:LICENSE
[license img]:https://img.shields.io/badge/License-Apache%202-blue.svg
[cicd]:https://github.com/Nike-Inc/gimme-aws-creds/actions/workflows/cicd.yml
[cicd img]:https://github.com/Nike-Inc/gimme-aws-creds/actions/workflows/cicd.yml/badge.svg
44 changes: 44 additions & 0 deletions bin/gimme-aws-creds-autocomplete.sh
@@ -0,0 +1,44 @@
#/usr/bin/env bash
#
# Auto-complete script for gimme-aws-creds.
#
# Links:
# https://www.gnu.org/software/bash/manual/html_node/Programmable-Completion-Builtins.html#Programmable-Completion-Builtins
#
# To use in your current shell:
# /> source gimme-aws-creds-completion.sh
#
# To auto-load in new shells, copy to the system wide bash completion directory:
# on Mac: /usr/local/etc/bash_completion.d/
# on Linux: /etc/bash_completion.d/
# on Windows: who cares???
#

gimme-aws-creds_autocomplete()
{
local _cmd_line="${COMP_LINE}"
local _cur="${COMP_WORDS[COMP_CWORD]}"
local _prev="${COMP_WORDS[COMP_CWORD-1]}"
local _opts="--help --action-configure --configure --output-format --profile --resolve --insecure -keep --version --action-list-profiles --list-profiles --action-list-roles --open-browser"
local _suggestions=""
if [[ "${_prev}" == "gimme-aws-creds" && "${_cur}" == "" ]] ; then
_suggestions=($(compgen -W "${_opts}" "${_cur}"))
elif [[ "${_cur}" == "-" ]] ; then
_suggestions=($(compgen -W "${_opts}" "${_cur}"))
elif [[ "${_cur}" =~ "--" ]] ; then
_suggestions=($(compgen -W "${_opts}" -- "${_cur}"))
elif [ "${_prev}" == "--profile" ] || [ "${_prev}" == "-p" ] ; then
# Get a list of profiles from the okta config-file (if we have some):
local IFS=$'\n'
local _creds_cfg_file=${HOME}/.okta_aws_login_config
if [ -f ${_creds_cfg_file} ] ; then
local _profiles=$(grep "^\[" ${_creds_cfg_file} | sed -e 's/\[//' -e 's/\]//')
[ ! -z "${_profiles}" ] && _suggestions=($(compgen -W "${_profiles}" "${_cur}"))
fi
elif [ "${_prev}" == "--output-format" ] || [ "${_prev}" == "-o" ] ; then
_suggestions=($(compgen -W "export json" "${_cur}"))
fi
COMPREPLY=("${_suggestions[@]}")
}

complete -F gimme-aws-creds_autocomplete gimme-aws-creds
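Review bot: The profile branch passes section names read from `~/.okta_aws_login_config` to `compgen -W`, and bash performs shell expansion on that word list, so a section header containing expansion syntax would be evaluated when the user presses Tab after `--profile`. Restrict what is extracted to plain name characters, `local _profiles=$(sed -n 's/^\[\([A-Za-z0-9_.-]*\)\]$/\1/p' "${_creds_cfg_file}")`, and quote the path in the test, `[ -f "${_creds_cfg_file}" ]`; profile names outside that character set would then no longer complete. The first line `#/usr/bin/env bash` is missing the `!` of a shebang, and the usage comment names `gimme-aws-creds-completion.sh` although the file is `gimme-aws-creds-autocomplete.sh`. `-keep` in `_opts` has a single dash, which looks like a typo, and the `--output-format` list offers `export json` while the README in this commit also lists `windows`.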