awsprocesscreds

AWS Process Credential Providers.


Keywords
aws, credentials, adfs, aws-cli, cloud, credential-provider, iam, iam-credentials, okta, saml2, sts
License
Apache-2.0
Install
pip install awsprocesscreds==0.0.1

Documentation

AWS Process Credential Providers

https://travis-ci.org/awslabs/awsprocesscreds.svg?branch=master

A collection of process-based credential providers to be used with the AWS CLI and related tools.

This is an experimental package, breaking changes may occur on any minor version bump.

Installation

The easiest way to install is to use pip:

pip install awsprocesscreds

Requirements

This package requires a version of python to be installed. Currently supported python versions are:

  • 2.7.9+
  • 3.3.x
  • 3.4.x
  • 3.5.x
  • 3.6.x

SAML Forms-Based Authentication

If you have a SAML identity provider, you can use awsprocesscreds-saml to configure programmatic access to your AWS resources. It has four required arguments:

  • -e / --endpoint - Your SAML idp endpoint.
  • -u / --username - Your SAML username.
  • -p / --provider - The name of your SAML provider. Currently okta and adfs are supported.
  • -a / --role-arn- The role arn you wish to assume. Your SAML provider must be configured to give you access to this arn.

This will cache your credentials by default, which will allow you to run multiple commands without having to enter your password each time. You can disable the cache by specifying --no-cache.

Additionally, you can show logs by specifying -v or --verbose.

To configure this provider, you need create a profile using the credential_process config variable. See the AWS CLI Config docs for more details on this config option.

Example okta configuration:

[profile okta]
region = us-west-2
credential_process = awsprocesscreds-saml -e https://example.okta.com/home/amazon_aws/blob/123 -u 'monty@example.com' -p okta -a arn:aws:iam::123456789012:role/okta-dev

Example adfs configuration:

[profile adfs]
region = us-west-2
credential_process = awsprocesscreds-saml -e 'https://corp.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices' -u Monty -p adfs -a arn:aws:iam::123456789012:role/ADFS-Dev

Custom Providers

The mechanism this package uses to provide credentials is generally available, and not specific to this package. It can be used to implement any custom credential provider that will work with the AWS CLI, boto3, and other SDKs as they implement support.

A detailed breakdown of this mechanism along with a live demo of implementing a credential provider that hooks into the macOS keychain can be seen on this recorded talk from re:Invent 2017: AWS CLI: 2107 and Beyond

The CLI will call the process provided as the value for credential_process. This process must return credentials on stdout in the following JSON form:

{
   "Version": 1,
   "AccessKeyId": "string",
   "SecretAccessKey": "string",
   "SessionToken": "string",
   "Expiration": "2019-01-31T21:45:41+00:00"
}

Where Expiration is an RFC 3339 compatible timestamp. As the expiration time nears, the process will be called again to get a new set of credentials. The Version denotes the version of this format, whose only current valid value is 1. The remaining keys are the AWS credentials you wish to use.