aws2fa

Release 0.0.3

aws2fa is a simple command line tool to handle 2fa authentication respecting aws-cli standard patterns

Homepage PyPI Python

Keywords
aws, 2fa, auth, authentication, awscli
License
BSD-3-Clause
Install
pip install aws2fa==0.0.3

Documentation

aws2fa

aws2fa is a simple command to handle 2fa authentication respecting aws-cli standard configuration.

Usage:

$ aws2fa [profile]
2FA device serial number for profile 'default': arn:aws:iam::123456789:mfa/username
2FA code: 123456
Sucesss! Your token will expire on: 2017-06-04 09:08:27+00:00

Now you can use aws-cli or any aws library which uses ~/.aws/credentials standard configuration.

Features

  • aws2fa respects aws-cli configuration. No magic, no duplicated credentials.
  • Full integration with aws-cli profiles
  • Smooth device handling
  • Super minimal implementation

Installation

Simply run:

$ pip install aws2fa

We assume you have previously installed and configured aws-cli:

$ pip install awscli
$ awscli configure

Configuration conventions

aws2fa handles this automatically for you. You don't need to worry about this.

  • $profile::source-profile: A profile with this name will be created to store your original credentials.
  • $profile: This profile will contain the temporal credentials for the duration of your session.

AWS configuration

  • Create a user in the IAM console

  • Create and attach a policy which defines a explicit deny to all actions and resources if a multi-factor device is not present (Documentation about explicit-deny.):

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": false
                }
            }
        }
    ]
}

  • Attach any other custom or aws-provided policy to the user that you want allow access to.

Alternatives

Another option would be to use what Andreas Wittig describes in his article Improve AWS security: protect your keys with ease. The idea behind, is to instead of doing a explicit-deny on all resources or actions (if a 2fa token has not been used), you just allow the user to assume a role if a 2fa device is present.

Then, after creating different roles, you can configure aws-cli to assume certain roles when you use certain profiles.

I can see why this approach is interesting for many cases, but I believe following the explicit deny approach is more straight forward for many others.

Helpful Links

Contribute

  • Fork the repository on GitHub.
  • Write a test which shows that the bug was fixed or that the feature works as expected.
    • Use tox command to run all the tests in all locally available python version.
  • Send a pull request and bug the maintainer until it gets merged and published. :).

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
0
Total releases
3
Latest release
First release
Stars
6
Forks
0
Watchers
2
Contributors
1
Repository size
31.3 KB
SourceRank
8

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.0.3
0.0.2
0.0.1

Contributors

Jorge Bastida


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-12 12:33:11 UTC

Login to resync this project