exile

Release 0.1.1

Python YubiKey AWS signature library

Homepage PyPI Python

License
Apache-2.0
Install
pip install exile==0.1.1

Documentation

Exile: Python YubiKey AWS signature library

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

On Linux, install pcsc-lite (apt install pcscd, yum install pcsc-lite).

Exile requires Python 3.6+.

Synopsis

import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)

write_active_aws_key_to_yubikey()
botocore_signers.install()

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))

Storing the secret key on a YubiKey instead of in the home directory (~/.aws/credentials) protects it in case the host computer or its filesystem is compromised. The YubiKey acts as an HSM, and can optionally be further configured to require user interaction (pressing a button on the key) to sign the request:

YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256, require_touch=True)

TOTP

Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))

Authors

  • Andrey Kislyuk

Links

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://codecov.io/github/pyauth/exile/coverage.svg?branch=master https://readthedocs.org/projects/exile/badge/?version=latest

Stats

Dependencies
3
Dependent packages
0
Dependent repositories
0
Total releases
5
Latest release
First release
Stars
41
Forks
0
Watchers
3
Contributors
1
Repository size
37.1 KB
SourceRank
9

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.1.1
0.1.0
0.0.3
0.0.2
0.0.1

Contributors

Andrey Kislyuk


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-09-24 16:15:00 UTC

Login to resync this project