MCPcopy Index your code
hub / github.com/Nike-Inc/gimme-aws-creds

github.com/Nike-Inc/gimme-aws-creds @v2.8.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.8.2 ↗ · + Follow
404 symbols 1,369 edges 27 files 196 documented · 49% updated 37d agov2.8.2 · 2024-05-13★ 97091 open issues

Browse by type

Functions 345 Types & classes 38 Endpoints 21
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Gimme AWS Creds

[![][license img]][license] [![][cicd img]][cicd]

gimme-aws-creds is a CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS.

Okta is a SAML identity provider (IdP), that can be easily set-up to do SSO to your AWS console. Okta does offer an OSS java CLI tool to obtain temporary AWS credentials, but I found it needs more information than the average Okta user would have and doesn't scale well if have more than one Okta App.

With gimme-aws-creds all you need to know is your username, password, Okta url and MFA token, if MFA is enabled. gimme-aws-creds gives you the option to select which Okta AWS application and role you want credentials for. Alternatively, you can pre-configure the app and role name by passing -c or editing the config file. This is all covered in the usage section.

Disclaimer

Okta is a registered trademark of Okta, Inc. and this tool has no affiliation with or sponsorship by Okta, Inc.

Prerequisites

Okta SAML integration to AWS using the AWS App

Python 3.7+

A Note on Python 3.10+ Compatibility on Windows

gimme-aws-creds depends on the ctap-keyring-device library for WebAuthn support. All of the released versions of ctap-keyring-device require winRT on Windows, which only works on Python 3.9 and lower and is no longer maintained. Until a version of ctap-keyring-device that supports winSDK (the replacement for winRT) is released to PyPi, or some other solution is found, WebAuthn support will not be available for people running Python 3.10+ on Windows.

Optional

Gimme-creds-lambda can be used as a proxy to the Okta APIs needed by gimme-aws-creds. This removes the requirement of an Okta API key. Gimme-aws-creds authenticates to gimme-creds-lambda using OpenID Connect and the lambda handles all interactions with the Okta APIs. Alternately, you can set the OKTA_API_KEY environment variable and the gimme_creds_server configuration value to 'internal' to call the Okta APIs directly from gimme-aws-creds.

Installation

This is a Python 3 project.

Install/Upgrade from PyPi:

pip3 install --upgrade gimme-aws-creds

OR

Install/Upgrade the latest gimme-aws-creds package direct from GitHub:

pip3 install --upgrade git+git://github.com/Nike-Inc/gimme-aws-creds.git

OR

Install the gimme-aws-creds package if you have already cloned the source:

python -m pip install .

OR

Use homebrew

brew install gimme-aws-creds

OR

Use with nix flakes

# flake.nix
# Use by running `nix develop`
{
  description = "Shell example";

  inputs.flake-utils.url = "github:numtide/flake-utils";
  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  inputs.gimme-aws-creds.url = "github:Nike-Inc/gimme-aws-creds";

  outputs = {
    self,
    nixpkgs,
    flake-utils,
    gimme-aws-creds,
    ...
  } @ inputs:
    flake-utils.lib.eachDefaultSystem
    (
      system: let
        pkgs = nixpkgs.legacyPackages.${system};
      in {
        devShells.default = pkgs.mkShell {
          packages = [pkgs.bash gimme-aws-creds.defaultPackage.${system}];
        };
      }
    );
}

OR

Use with original nix

# shell.nix
# Use by running `nix-shell`
{pkgs ? import <nixpkgs> {}, ...}:
with pkgs; let
  gimme-src = fetchgit {
    name = "gimme-aws-creds";
    url = "https://github.com/Nike-Inc/gimme-aws-creds";
    branchName = "master";
    sha256 = "<replace>"; #nix-prefetch-url --unpack https://github.com/Nike-Inc/gimme-aws-creds/archive/master.tar.gz
  };

  gimme-aws-creds = import gimme-src;
in
  mkShell rec {
    name = "gimme-aws-creds";

    buildInputs = [
      bash
      (gimme-aws-creds.default)
    ];
  }

OR

Build the docker image locally:

docker build -t gimme-aws-creds .

To make it easier you can also create an alias for the gimme-aws-creds command with docker:

# make sure you have the "~/.okta_aws_login_config" locally first!
touch ~/.okta_aws_login_config && \
alias gimme-aws-creds="docker run -it --rm \
  -v ~/.aws/credentials:/root/.aws/credentials \
  -v ~/.okta_aws_login_config:/root/.okta_aws_login_config \
  gimme-aws-creds"

With this config, you will be able to run further commands seamlessly!

Command Auto Completion

If you are using Bash or Zsh, you can add autocompletion for the gimme-aws-creds commandline options and profile names. To add the autocomplete config, add the following to the end of your .bashrc or .zshrc:

.bashrc

INSTALL_DIR=$(dirname $(which gimme-aws-creds))
source ${INSTALL_DIR}/gimme-aws-creds-autocomplete.sh"

.zshrc

INSTALL_DIR=$(dirname $(which gimme-aws-creds))
autoload bashcompinit
bashcompinit
source ${INSTALL_DIR}/gimme-aws-creds-autocomplete.sh

Using gimme-aws-creds with Okta Identity Engine

There are two options for using gimme-aws-creds with an OIE domain: * Device Authorization Flow * Forcing the use of the Okta Classic login flow

Okta Identity Engine and Device Authorization Flow

This is the recommended method for authentication with OIE. It matches the flow used by Okta's AWS client. When using gimme-aws-creds with the Device Authorization flow, you will authenticate using your browser. Storing credentials in keychain or passing MFA codes through the command-line is NOT POSSIBLE.

To use gimme-aws-creds with an Okta Identity Engine (OIE) domain, you must create a new OIDC Native Application and connect it to your AWS integration app(s).

The OIDC Native Application requires Grant Types Authorization Code, Device Authorization , and Token Exchange. These settings are in the Okta Admin UI at Applications > [the OIDC app] > General Settings > Grant type.

The pairing with the AWS Federation Application is achieved in the Fed app's Sign On Settings. These settings are in the Okta Admin UI at Applications > [the AWS Fed app] > Sign On. Make sure to set the Allowed Web SSO Client value to the Client ID of the OIDC Native Application. Repeat that setting for each AWS application you want to access with gimme-aws-creds.

Finally, set the Client ID in gimme-aws-creds (gimme-aws-creds --action-configure or update the client_id parameter in your config file)

Make sure to use the same authentication policy for both the AWS Federation Application and the OIDC application ( or at least use equivalent policy rules for both). If not, you'll receive a 400 Bad Request response when requesting the Web SSO token.

Forcing the use of the Okta Classic login flow

The login flow used in Okta Classic currently still works with Okta Identity Engine domains, BUT there are a couple caveats: * The Okta classic flow passes the stateToken parameter when requesting "step-up" authentication. This capability was removed in OIE, so if the authentication policy on your AWS app(s) requires MFA but the Global Session Policy does not (or if a higher level of MFA factor is required to access AWS), you cannot authenticate using the classic login flow. * MFA using Okta Verify is only supported on mobile devices. Okta Verify on macOS/Windows is not supported. * Passwordless authentication and endpoint security checks are not supported.

Configuration

To set-up the configuration run:

gimme-aws-creds --action-configure

You can also set up different Okta configuration profiles, this is useful if you have multiple Okta accounts or environments you need credentials for. You can use the configuration wizard or run:

gimme-aws-creds --action-configure --profile profileName

A configuration wizard will prompt you to enter the necessary configuration parameters for the tool to run, the only one that is required is the okta_org_url. The configuration file is written to ~/.okta_aws_login_config, but you can change the location with the environment variable OKTA_CONFIG.

  • conf_profile - This sets the Okta configuration profile name, the default is DEFAULT.
  • okta_org_url - This is your Okta organization url, which is typically something like https://companyname.okta.com.
  • okta_auth_server - Okta API Authorization Server used for OpenID Connect authentication for gimme-creds-lambda
  • client_id - OAuth client ID for user authentication in Okta Identity Engine and gimme-creds-lambda in Okta "classic"
  • gimme_creds_server
  • URL for gimme-creds-lambda
  • 'internal' for direct interaction with the Okta APIs (OKTA_API_KEY environment variable required)
  • 'appurl' to set an aws application link url. This setting removes the need of an OKTA API key.
  • write_aws_creds - True or False - If True, the AWS credentials will be written to ~/.aws/credentials otherwise it will be written to stdout.
  • cred_profile - If writing to the AWS cred file, this sets the name of the AWS credential profile.
  • The reserved word role will use the name component of the role arn as the profile name. i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [okta-1234-role] in the aws credentials file
  • The reserved word acc will use the account number (or alias if resolve_aws_alias is set to y) as the profile name. i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [arn:aws:iam::123456789012] or if resolve_aws_alias [okta-1234-role] in the aws credentials file.
  • The reserved word acc-role will use the name component of the role arn prepended with account number (or alias if resolve_aws_alias is set to y) to avoid collisions, i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [123456789012-okta-1234-role], or if resolve_aws_alias [okta-1234-role] in the aws credentials file
  • If set to default then the temp creds will be stored in the default profile
  • Note: if there are multiple roles, and default is selected it will be overwritten multiple times and last role wins. The same happens when role is selected and you have many accounts with the same role names. Consider using acc-role if this happens.
  • aws_appname - This is optional. The Okta AWS App name, which has the role you want to assume.
  • aws_rolename - This is optional. The ARN of the role you want temporary AWS credentials for. The reserved word 'all' can be used to get and store credentials for every role the user is permissioned for.
  • aws_default_duration = This is optional. Lifetime for temporary credentials, in seconds. Defaults to 1 hour (3600)
  • app_url - If using 'appurl' setting for gimme_creds_server, this sets the url to the aws application configured in Okta. It is typically something like https://something.okta[preview].com/home/amazon_aws/app_instance_id/something
  • okta_username - use this username to authenticate
  • enable_keychain - enable the use of the system keychain to store the user's password
  • preferred_mfa_type - automatically select a particular device when prompted for MFA:
  • push - Okta Verify App push or DUO push (depends on okta supplied provider type)
  • token:software:totp - OTP using the Okta Verify App
  • token:hardware - OTP using hardware like Yubikey
  • call - OTP via Voice call
  • sms - OTP via SMS message
  • email - OTP via email
  • web - DUO uses localhost webbrowser to support push|call|passcode
  • passcode - DUO uses OKTA_MFA_CODE or --mfa-code if set, or prompts user for passcode(OTP).
  • claims_provider - DUO Universal Prompt
  • preferred_mfa_provider - (optional) automatically select a particular provider when prompted for MFA:
  • GOOGLE
  • OKTA
  • DUO
  • duo_universal_factor - (optional) Configure which type of factor to use with Duo Universal Prompt. Must be one of (case-sensitive):
  • Duo Push (default)
  • Passcode
  • Phone Call
  • resolve_aws_alias - y or n. If yes, gimme-aws-creds will try to resolve AWS account ids with respective alias names (default: n). This option can also be set interactively in the command line using -r or --resolve parameter
  • include_path - (optional) Includes full role path to the role name in AWS credential profile name. (default: n). If y: <acct>-/some/path/administrator. If n: <acct>-administrator
  • remember_device - y or n. If yes, the MFA device will be remembered by Okta service for a limited time. This option can also be set interactively in the command line using -m or --remember-device
  • output_format - json , export or windows, determines default credential output format, can be also specified by --output-format FORMAT and -o FORMAT.
  • open-browser - Open the device authentication link in the default web browser automatically (Okta Identity Engine domains only)
  • force-classic - Force the use of the Okta Classic login process (Okta Identity Engine domains only)

Configuration File

The config file follows a configfile format. By default, it is located in $HOME/.okta_aws_login_config

Example file:

[myprofile]
client_id = myclient_id

Configurations can inherit from other configurations to share common configuration parameters.

[my-base-profile]
client_id = myclient_id
[myprofile]
inherits = my-base-profile
aws_rolename = my-role

Usage

If you are not using gimme-creds-lambda nor using appurl settings, make sure you set the OKTA_API_KEY environment variable.

After running --action-configure, just run gimme-aws-creds. You will be prompted for the necessary information.

```bash $ ./gimme-aws-creds Username: user@domain.com Password for

Core symbols most depended-on inside this repo

Shape

Method 342
Class 38
Route 21
Function 3

Languages

Python100%

Modules by API surface

gimme_aws_creds/okta_classic.py53 symbols
gimme_aws_creds/main.py51 symbols
tests/test_okta_classic_client.py46 symbols
tests/test_main.py41 symbols
gimme_aws_creds/config.py31 symbols
gimme_aws_creds/ui.py19 symbols
gimme_aws_creds/duo.py18 symbols
gimme_aws_creds/errors.py17 symbols
gimme_aws_creds/okta_identity_engine.py15 symbols
gimme_aws_creds/webauthn.py13 symbols
gimme_aws_creds/duo_universal.py13 symbols
gimme_aws_creds/dummy_webauthn.py13 symbols

For agents

$ claude mcp add gimme-aws-creds \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page