
KeyConjurer is a project designed to get rid of permanent AWS credentials.
KeyConjurer is made of three parts:
KeyConjurer is designed to work with Okta as an IdP, supports AWS applications, and is inspired in part by okta-aws-cli. The main difference from okta-aws-cli is that KeyConjurer does not require all users to have access to the Okta administration API - Instead, we use a Lambda function to access the protected resources required.
We use KeyConjurer a lot at Riot, but we can't guarantee any external support for this project. It's use at your own risk. If you encounter a bug or have a feature request, please feel free to raise a pull request or an issue against this repository. You're also welcome to fork the code and modify it as you see fit.
In order to use KeyConjurer, an Okta administrator must configure their tenant appropriately:
profile openid okta.apps.readOkta configuration should be configured out of band and is not provided in this repository.
A single lambda function is used to filter applications within the organization to just the ones the user has access to. This function is required because enumerating applications within Okta's API is currently considered an administrative action, and as such, using a users access token to perform this action requires the user to be an administrator on the Okta tenant.
The Lambda function is deployed as a Docker container. It's up to you to decide how to launch the Docker container, but you'll need to specify two values:
| Flag | Purpose |
|---|---|
--okta-host |
The hostname of your Okta instance. This may also be set via KEYCONJURER_OKTA_HOST. |
--okta-token or --okta-token-file |
An API token for your Okta instance. This must have the okta.apps.read scope. You may set --okta-token-file instead of --okta-token if you're supplying secrets to the container via a volume. This may also be set via KEYCONJURER_OKTA_TOKEN and KEYCONJURER_OKTA_TOKEN_FILE respectively. |
$ claude mcp add key-conjurer \
-- python -m otcore.mcp_server <graph>