MCPcopy Index your code
hub / github.com/RiotGames/key-conjurer

github.com/RiotGames/key-conjurer @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
212 symbols 601 edges 46 files 19 documented · 9%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

KeyConjurer

Key Conjurer Champion

KeyConjurer is a project designed to get rid of permanent AWS credentials.

KeyConjurer is made of three parts:

  • webserver - Lambda functions used by the CLI to gather data on protected resources.
  • cli - The CLI interface.
  • frontend - A static webpage which informs users on how to download and use KeyConjurer.

KeyConjurer is designed to work with Okta as an IdP, supports AWS applications, and is inspired in part by okta-aws-cli. The main difference from okta-aws-cli is that KeyConjurer does not require all users to have access to the Okta administration API - Instead, we use a Lambda function to access the protected resources required.

We use KeyConjurer a lot at Riot, but we can't guarantee any external support for this project. It's use at your own risk. If you encounter a bug or have a feature request, please feel free to raise a pull request or an issue against this repository. You're also welcome to fork the code and modify it as you see fit.

Dependencies

  • go 1.20+
  • node 16.17.0+

Administration

Okta setup

In order to use KeyConjurer, an Okta administrator must configure their tenant appropriately:

  • A new native OIDC application must be created within your Okta tenant, and the following settings must be configured:
  • Scopes: profile openid okta.apps.read
  • Authorization Types: Hybrid Flow, Authorization Code, Token Exchange
  • Redirection URI: http://localhost:57468
  • We recommend you enable Federated Mode on this native application so that users don't need to be explicitly assigned to it.
  • All AWS applications must have their Allowed Web SSO Client set to the Client ID of the native OIDC application that was created. This can be configured by going to the Sign On tab for each individual Okta application or managing the application configuration in an IAC provider, like Terraform.

Okta configuration should be configured out of band and is not provided in this repository.

Lambda functions settings

A single lambda function is used to filter applications within the organization to just the ones the user has access to. This function is required because enumerating applications within Okta's API is currently considered an administrative action, and as such, using a users access token to perform this action requires the user to be an administrator on the Okta tenant.

The Lambda function is deployed as a Docker container. It's up to you to decide how to launch the Docker container, but you'll need to specify two values:

Flag Purpose
--okta-host The hostname of your Okta instance. This may also be set via KEYCONJURER_OKTA_HOST.
--okta-token or --okta-token-file An API token for your Okta instance. This must have the okta.apps.read scope. You may set --okta-token-file instead of --okta-token if you're supplying secrets to the container via a volume. This may also be set via KEYCONJURER_OKTA_TOKEN and KEYCONJURER_OKTA_TOKEN_FILE respectively.

Extension points exported contracts — how you extend this code

OktaService (Interface)
(no doc) [1 implementers]
internal/api/serverless_functions.go
ImportMetaEnv (Interface)
(no doc)
frontend/src/vite-env.d.ts
ImportMeta (Interface)
(no doc)
frontend/src/vite-env.d.ts

Core symbols most depended-on inside this repo

Error
called by 13
command/error.go
FindAccount
called by 13
command/config.go
ValidUntil
called by 11
command/credentials.go
ExportEnvironmentVariable
called by 9
command/credentials.go
ConfigFromCommand
called by 9
command/context.go
Parse
called by 9
command/get.go
Add
called by 8
command/config.go
Resolve
called by 7
command/config.go

Shape

Function 104
Method 67
Struct 34
Interface 6
TypeAlias 1

Languages

Go97%
TypeScript3%

Modules by API surface

command/error.go27 symbols
command/config.go27 symbols
command/credentials.go13 symbols
pkg/oauth2cli/handler.go11 symbols
command/login.go9 symbols
command/get.go9 symbols
internal/oktawebsso/html.go8 symbols
command/config_test.go8 symbols
internal/api/serverless_functions.go7 symbols
command/awsconfig.go7 symbols
pkg/oauth2cli/authorizationcode.go6 symbols
command/switch.go6 symbols

For agents

$ claude mcp add key-conjurer \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact