aws-assume

Release 0.2.3

AWS session token refreshing daemon

Homepage PyPI Python

Keywords
AWS, MFA, keyring, keychain, yubikey
License
GPL-3.0
Install
pip install aws-assume==0.2.3

Documentation

AWS Session daemon

This script automatically gets an MFA authenticated session using a Yubikey as MFA (multi factor authentication) and updates ~/.aws/credentials.

As long as you've got your yubikey connected to your computer you'll never have to enter a second factor authentication code for the aws cli. As other tools / libraries (boto3) use ~/.aws/credentials as well you don't have to enter a token for these either.

Usage

You can install aws-session-daemon using pip (pip install aws-session-daemon), I recommend to install aws-session-daemon using poetry (poetry install aws-session-daemon) or in a virtualenv.

Your ~/.aws/credentials should contain your credentials and a profile with the the keys aws_access_key_id, aws_secret_access_key and aws_session_token.

For example:

~/.aws/credentials

[default]
aws_access_key_id = ...(your key id)...
aws_secret_access_key = ...(your access key)...

[profile]
aws_access_key_id = ...(placeholder, can be anything)...
aws_secret_access_key = ...(placeholder, can be anything)...
aws_session_token = ...(placeholder, can be anything)...

Your ~/.aws/credentials will be updated in place, only the specified profile section should be touched (your comments will be safe).

Older versions are rotated up to 5 items.

Next aws-session-daemon should be started with the following arguments:

aws-session-daemon --rolearn ... --oath_slot=... --serialnumber=... --profile_name=... --access-key-id=... --secret-access-key=... --mfa-session-duration=...
Argument Description
--rolearn arn of the role you'd like to assume
--oath_slot oath slot on your yubikey
--serialnumber serial number of your MFA
--profile_name profile used in ~/.aws/credentials
--access-key-id access key (as obtained from IAM console)
--secret-access-key secret access key (as obtained from IAM console)
--mfa-session-duration duration (in seconds) for MFA session
--credentials-section you can specify a different section than default in ~/.aws/credentials
--config-section TEXT config section in configuration file ~/config/aws-session-daemon/config.toml

You should only run one aws-session-daemon process per profile, I use systemd for starting aws-session-daemon, by using the following unit file:

~/.config/systemd/user/aws-session-daemon@.service

[Unit]
Description=Amazon Web Services token daemon

[Service]
Type=simple
ExecStart=%h/bin/aws-session-daemon --config-section='%i'
Restart=on-failure

[Install]
WantedBy=default.target

And reload systemd using systemctl --user daemon-reload, start aws-session-daemon using systemctl --user start aws-session-daemon@...

If you're not so fortunate to have systemd you can also use something like supervisord to start aws-session-daemon.

~/supervisord.conf

[supervisord]

[supervisorctl]
serverurl=unix:///home/user/supervisord.sock

[unix_http_server]
file=/home/user/supervisord.sock

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[program:session-daemon-...]
command=/home/user/bin/aws-session-daemon --config-section=...
autorestart=true

Start supervisord using supervisord -c supervisor.conf and start session-daemon using supervisorctl -c supervisor.conf start session-daemon-....

Configuration

aws-session-daemon can also use a configuration file, the default location of this file is ~/.config/aws-session-daemon/config.toml. This file contains defaults so you don't have to supply all of the arguments.

You can define multiple config-sections:

[123457890123]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::123457890123:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[098765432101]
mfa_oath_slot="Amazon Web Services:user@098765432101"
credentials_section="098765432101"
mfa_serial_number="arn:aws:iam::098765432101:mfa/user"

If you need to assume roles from a certain AWS account you'll end up with a lot of simular entries. To make this simple the configuration can be defined hierarchical.

[[org]]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::{section}:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[[org.098765432101]]
[[org.567890123456]]

This would be the same as the following configuration:

[098765432101]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::098765432101:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[567890123456]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::567890123456:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

Stats

Dependencies
2
Dependent packages
0
Dependent repositories
0
Total releases
9
Latest release
First release
Stars
0
Forks
0
Watchers
2
Contributors
1
Repository size
145 KB
SourceRank
6

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.2.3
0.2.2
0.2.1
0.2.0
0.1.4
0.1.3
0.1.2
0.1.1
0.1.0

Contributors

Dick Marinus


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-12 12:33:18 UTC

Login to resync this project