-
Notifications
You must be signed in to change notification settings - Fork 39
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #25 from nathan-v/Feature_App_Level_MFA
Application-level MFA support, improved menus, v0.7.0
- Loading branch information
Showing
15 changed files
with
707 additions
and
250 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| [](https://github.com/nathan-v/aws_okta_keyman/blob/master/LICENSE.txt) [](https://pypi.python.org/pypi/aws-okta-keyman/0.2.0) [](https://badge.fury.io/py/aws-okta-keyman)  [](http://pepy.tech/count/aws-okta-keyman) | ||
| [](https://github.com/nathan-v/aws_okta_keyman/blob/master/LICENSE.txt) [](https://pypi.python.org/pypi/aws-okta-keyman/) [](https://badge.fury.io/py/aws-okta-keyman)  [](http://pepy.tech/count/aws-okta-keyman) | ||
|
|
||
| [](https://codeclimate.com/github/nathan-v/aws_okta_keyman) [](https://codeclimate.com/github/nathan-v/aws_okta_keyman) [](https://codecov.io/gh/nathan-v/aws_okta_keyman)  | ||
|
|
||
|
|
@@ -21,10 +21,9 @@ features that help set it apart from other similar tools that are available. | |
|
|
||
| ### Optional MFA Authentication | ||
|
|
||
| If you organization requires MFA for the _[initial login into Okta][okta_mfa]_, | ||
| we will automatically detect that requirement during authentication and prompt | ||
| the user to complete the Multi Factor Authentication. At this time | ||
| application-level MFA is not supported. | ||
| If you organization or integration requires MFA we will automatically detect that | ||
| requirement during authentication and prompt the user to complete the | ||
| Multi Factor Authentication. | ||
|
|
||
| In particular, there is support for standard passcode based auth, as well as | ||
| support for [Okta Verify with Push][okta_verify] and [Duo Auth][duo_auth]. If both | ||
|
|
@@ -42,7 +41,8 @@ be able to use a browser. | |
| #### Supported MFA Solutions | ||
|
|
||
| * Okta Verify | ||
| * Duo Auth (push, call, or OTP) | ||
| * Duo Auth (push, call, or OTP via CLI) | ||
| * Duo Auth (push, call, or OTP via web browser) | ||
| * Okta OTP | ||
| * Google Auth OTP | ||
| * SMS OTP | ||
|
|
@@ -58,17 +58,21 @@ AWS Okta Keyman supports multiple AWS roles when configured. The user is prompte | |
| select the role they wish to use before the temporary keys are generated. An example | ||
| of this is shown here: | ||
|
|
||
| 17:10:21 (WARNING) Multiple AWS roles found; please select one | ||
| [0] Role: arn:aws:iam::012345678910:role/admin_noiam | ||
| [1] Role: arn:aws:iam::012345678910:role/readonly | ||
| [2] Role: arn:aws:iam::012345678910:role/admin_full | ||
| Select a role from above: 2 | ||
| 17:10:22 (INFO) Assuming role: arn:aws:iam::012345678910:role/admin_full | ||
| ```text | ||
| 16:48:48 (WARNING) Multiple AWS roles found; please select one | ||
| Account Role | ||
| [0] example-prod Admin | ||
| [1] example-prod Dev | ||
| Selection: 0 | ||
| 16:48:51 (INFO) Getting SAML Assertion from example | ||
| 16:48:51 (INFO) Assuming role: arn:aws:iam::1234567890:role/Admin | ||
| ``` | ||
|
|
||
| ### Re-Up Mode .. Automatic Credential Re-Generation | ||
|
|
||
| Amazon IAM only supports Federated Login sessions that last up to *1 hour*. For | ||
| Amazon IAM defaults to Federated Login sessions that last up to *1 hour*. For | ||
| developers, it can be painful to re-authenticate every hour during your work | ||
| day. This is made much worse if your organization requires MFA on each login. | ||
|
|
||
|
|
@@ -78,19 +82,23 @@ generating a new SAML Assertion, and then generating updated Amazon AWS | |
| credentials. This can run for as long as your Okta administrator has allowed | ||
| your Login Session to be - often a full work day. | ||
|
|
||
| In the case of application-level MFA you will be prompted every 50 minutes or | ||
| so to complete the MFA again. | ||
|
|
||
| See the `--reup` commandline option for help here! | ||
|
|
||
|
|
||
| ### AWS Accounts from Okta | ||
|
|
||
| As of v0.5.1 AWS Okta Keyman can pull the AWS Accounts that have been assigned | ||
| from Okta itself which means the app ID value no longer needs to be provided in | ||
| the command line or in the config file. A config file can still optionally be used | ||
| to ensure account names or order if preferred. | ||
| AWS Okta Keyman can pull the AWS Accounts that have been assigned from Okta | ||
| itself which means the app ID value no longer needs to be provided in the | ||
| command line or in the config file. A config file can still optionally be used | ||
| to ensure account names or order if preferred. This means with no configuration | ||
| saved you only need to provide your organization. | ||
|
|
||
| ### Automatic Username | ||
|
|
||
| As of v0.5.1 AWS Okta Keyman will use the current user as the username for Okta | ||
| AWS Okta Keyman will use the current user as the username for Okta | ||
| authentication if no username has been provided. | ||
|
|
||
|
|
||
|
|
@@ -107,31 +115,73 @@ as needed on each run of the tool. | |
|
|
||
| Example config file: | ||
|
|
||
| username: [email protected] | ||
| org: example | ||
| accounts: | ||
| - name: Test | ||
| appid: exampleAppIDFromOkta/123 | ||
| - name: Dev | ||
| appid: exampleAppIDFromOkta/234 | ||
| - name: Prod | ||
| appid: exampleAppIDFromOkta/345 | ||
| ```yaml | ||
| username: [email protected] | ||
| org: example | ||
| accounts: | ||
| - name: Test | ||
| appid: exampleAppIDFromOkta/123 | ||
| - name: Dev | ||
| appid: exampleAppIDFromOkta/234 | ||
| - name: Prod | ||
| appid: exampleAppIDFromOkta/345 | ||
| ``` | ||
| When used you'll get a similar interface to AWS Role selection but for your AWS | ||
| accounts: | ||
| $ aws_okta_keyman | ||
| 16:56:47 (INFO) AWS Okta Keyman v0.3.0 | ||
| 16:56:47 (WARNING) No app ID provided; please select from available AWS accounts | ||
| [0] Account: Test | ||
| [1] Account: Dev | ||
| [2] Account: Prod | ||
| Select an account from above: 0 | ||
| 16:56:49 (INFO) Using account: Test / exampleAppIDFromOkta/123 | ||
| ```text | ||
| 16:48:41 (WARNING) No app ID provided; select from available AWS accounts | ||
|
|
||
| Account | ||
| [0] Test | ||
| [1] Dev | ||
| [2] Prod | ||
| Selection: 2 | ||
|
|
||
| 16:48:47 (INFO) Using account: Prod / exampleAppIDFromOkta/123 | ||
| ``` | ||
| ### Interactive Configuration | ||
| For interactive configuration and creation of the config file you can start the tool with just config as a parameter and you will be propted to provide the basic information needed to get started. | ||
| For interactive configuration and creation of the config file you can start the tool with just config as a parameter and you will be propted to provide the basic information needed to get started. An example of this is shown here: | ||
| ```text | ||
| $ aws_okta_keyman config | ||
| 14:21:41 (INFO) AWS Okta Keyman 🔐 v0.7.0 | ||
| 14:21:41 (INFO) Interactive setup requested | ||
|
|
||
| What is your Okta Organization subdomain? | ||
| Example; for https://co.okta.com enter 'co' | ||
|
|
||
| Okta org: example | ||
|
|
||
| What is your Okta user name? | ||
| If it is nathan you can leave this blank. | ||
|
|
||
| Username: nathan.v | ||
|
|
||
| Next we can optionally configure your AWS integrations. This is not | ||
| required as the AWS integrations can be picked up automatically from | ||
| Okta. If you would prefer to list only specific integrations or prefer | ||
| to specify the friendly names yourself you can provide the following | ||
| information. You will be prompted to continue providing integration | ||
| details until you provide a blank response to the app ID. If you are | ||
| unsure how to answer these questions just leave the app ID blank. | ||
|
|
||
| What is your AWS integration app ID? | ||
| Example; 0oaciCSo1d8/123 | ||
| App ID: 0oaciCSo1d8/123 | ||
|
|
||
| Please provide a friendly name for this app. | ||
| App ID: AWS Prod | ||
|
|
||
| What is your AWS integration app ID? | ||
| Example; 0oaciCSo1d8/123 | ||
| App ID: | ||
|
|
||
| 14:21:58 (INFO) Config file written. Please rerun Keyman | ||
| ``` | ||
|
|
||
| `aws_okta_keyman config` | ||
|
|
||
|
|
@@ -143,8 +193,14 @@ Python 2.7.4+ and Python 3.5.0+ are supported | |
|
|
||
| ### Client Setup | ||
|
|
||
| #### Mac OS Installation with Homebrew | ||
|
|
||
| ... | ||
|
|
||
| #### Typical Linux or Windows Installation | ||
|
|
||
| Before you can install this tool you need to have a working Python installation with pip. | ||
| If you're not sure if you have this a good place to start would be the [Python Beginner's Guide](https://wiki.python.org/moin/BeginnersGuide/Download) . | ||
| If you're not sure if you have this a good place to start would be the [Python Beginner's Guide](pythonbeginner) . | ||
|
|
||
| Once your Python environment is configured simply run `pip install aws-okta-keyman` to install the tool. | ||
|
|
||
|
|
@@ -154,19 +210,49 @@ For detailed usage instructions, see the `--help` commandline argument. | |
|
|
||
| Typical usage: | ||
|
|
||
| $ aws_okta_keyman -a <application id> -o <your org name> -u <your username> | ||
| 08:27:44 (INFO) AWS Okta Keyman v0.2.0 | ||
| Password: | ||
| 08:27:48 (WARNING) Okta Verify Push being sent... | ||
| 08:27:48 (INFO) Waiting for Okta Verification... | ||
| ... | ||
| 08:28:09 (INFO) Waiting for Okta Verification... | ||
| 08:28:10 (INFO) Successfully authed Nathan V | ||
| 08:28:10 (INFO) Getting SAML Assertion from foobar | ||
| 08:28:11 (INFO) Found credentials in shared credentials file: ~/.aws/credentials | ||
| 08:28:11 (INFO) Wrote profile "default" to /Users/nathan-v/.aws/credentials | ||
| 08:28:11 (INFO) Session expires at 2017-07-24 16:28:13+00:00 | ||
| $ | ||
| ```text | ||
| $ aws_okta_keyman | ||
| 16:48:22 (INFO) AWS Okta Keyman 🔐 v0.7.0 | ||
| Password: | ||
| 16:48:28 (WARNING) No Duo Auth factor specified; please select one: | ||
| Duo Factor | ||
| [0] 📲 Duo Push | ||
| [1] 📟 OTP Passcode | ||
| [2] 📞 Phone call | ||
| Selection: 0 | ||
| 16:48:31 (INFO) Using factor: 📲 Duo Push | ||
| 16:48:33 (WARNING) Duo required; check your phone... 📱 | ||
| 16:48:40 (INFO) Waiting for MFA success... | ||
| 16:48:41 (INFO) Successfully authed Nathan V | ||
| 16:48:41 (WARNING) No app ID provided; select from available AWS accounts | ||
| Account | ||
| [0] AWS - Sandbox | ||
| [1] AWS - Development | ||
| [2] AWS - Staging | ||
| [3] AWS - Integration | ||
| [4] AWS - Production | ||
| Selection: 4 | ||
| 16:48:47 (INFO) Using account: AWS - Production / exampleAppIDFromOkta/123 | ||
| 16:48:47 (INFO) Getting SAML Assertion from example | ||
| 16:48:48 (WARNING) Multiple AWS roles found; please select one | ||
| Account Role | ||
| [0] example-prod Admin | ||
| [1] example-prod Dev | ||
| Selection: 0 | ||
| 16:48:51 (INFO) Getting SAML Assertion from example | ||
| 16:48:51 (INFO) Assuming role: arn:aws:iam::1234567890:role/Admin | ||
| 16:48:52 (INFO) Wrote profile "default" to /home/nathan/.aws/credentials 💾 | ||
| 16:48:52 (INFO) Current time is 2019-11-08 00:48:52.265393 | ||
| 16:48:52 (INFO) Session expires at 2019-11-08 01:48:52+00:00 ⏳ | ||
| 16:48:52 (INFO) All done! 👍 | ||
| ``` | ||
|
|
||
|
|
||
| ### Okta Setup | ||
| Before you can use this tool, your Okta administrator needs to set up | ||
|
|
@@ -185,17 +271,17 @@ Credentials][aws_role_credentials] tools. | |
| ## Developer Info | ||
|
|
||
| See CONTRIBUTING.md for more information on contributing to this project. | ||
|
|
||
| ## License | ||
|
|
||
| Copyright 2018 Nathan V | ||
| Copyright 2019 Nathan V | ||
|
|
||
| Copyright 2018 Nextdoor.com, Inc | ||
|
|
||
| Licensed under the Apache License, Version 2.0. See LICENSE.txt file for details. | ||
|
|
||
| Some code in `aws_okta_keyman/okta.py`, `aws_okta_keyman/aws.py`, | ||
| `aws_okta_keyman/aws_saml.py`, and `aws_okta_keyman/test/aws_saml_test.py` is | ||
| `aws_okta_keyman/aws_saml.py`, and `aws_okta_keyman/test/aws_saml_test.py` is | ||
| distributed under MIT license. See the source files for details. A copy of the | ||
| license is in the LICENSE_MIT.txt file. | ||
|
|
||
|
|
@@ -205,6 +291,7 @@ license is in the LICENSE_MIT.txt file. | |
| [aws_role_credentials]: https://github.com/ThoughtWorksInc/aws_role_credentials | ||
| [thoughtworksinc]: https://github.com/ThoughtWorksInc | ||
| [tracking]: https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/ | ||
| [pythonbeginner]: https://wiki.python.org/moin/BeginnersGuide/Download | ||
| [okta_aws_guide]: https://support.okta.com/help/servlet/fileField?retURL=%2Fhelp%2Farticles%2FKnowledge_Article%2FAmazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s | ||
| [okta_mfa]: https://www.okta.com/products/adaptive-multi-factor-authentication/ | ||
| [okta_verify]: https://www.okta.com/blog/tag/okta-verify-with-push/ | ||
|
|
||
Oops, something went wrong.