AWS Process Credential Providers.
Project description
A collection of process-based credential providers to be used with the AWS CLI and related tools.
This is an experimental package, breaking changes may occur on any minor version bump.
Installation
The easiest way to install is to use pip:
pip install awsprocesscreds
Requirements
This package requires a version of python to be installed. Currently supported python versions are:
2.7.9+
3.3.x
3.4.x
3.5.x
3.6.x
SAML Forms-Based Authentication
If you have a SAML identity provider, you can use awsprocesscreds-saml to configure programmatic access to your AWS resources. It has four required arguments:
-e / --endpoint - Your SAML idp endpoint.
-u / --username - Your SAML username.
-p / --provider - The name of your SAML provider. Currently okta and adfs are supported.
-a / --role-arn- The role arn you wish to assume. Your SAML provider must be configured to give you access to this arn.
This will cache your credentials by default, which will allow you to run multiple commands without having to enter your password each time. You can disable the cache by specifying --no-cache.
Additionally, you can show logs by specifying -v or --verbose.
To configure this provider, you need create a profile using the credential_process config variable. See the AWS CLI Config docs for more details on this config option.
Example okta configuration:
[profile okta] region = us-west-2 credential_process = awsprocesscreds-saml -e https://example.okta.com/home/amazon_aws/blob/123 -u 'monty@example.com' -p okta -a arn:aws:iam::123456789012:role/okta-dev
Example adfs configuration:
[profile adfs] region = us-west-2 credential_process = awsprocesscreds-saml -e 'https://corp.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices' -u Monty -p adfs -a arn:aws:iam::123456789012:role/ADFS-Dev
Custom Providers
The mechanism this package uses to provide credentials is generally available, and not specific to this package. It can be used to implement any custom credential provider that will work with the AWS CLI, boto3, and other SDKs as they implement support.
A detailed breakdown of this mechanism along with a live demo of implementing a credential provider that hooks into the macOS keychain can be seen on this recorded talk from re:Invent 2017: AWS CLI: 2107 and Beyond
The CLI will call the process provided as the value for credential_process. This process must return credentials on stdout in the following JSON form:
{ "Version": 1, "AccessKeyId": "string", "SecretAccessKey": "string", "SessionToken": "string", "Expiration": "2019-01-31T21:45:41+00:00" }
Where Expiration is an RFC 3339 compatible timestamp. As the expiration time nears, the process will be called again to get a new set of credentials. The Version denotes the version of this format, whose only current valid value is 1. The remaining keys are the AWS credentials you wish to use.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for awsprocesscreds-0.0.2-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 22c116ab81343b4de01de52b099367b9cbe11b52c3f4963c89fc6d3c46bacbe4 |
|
MD5 | 28cb6b9ae54c44c514c7882afce2a182 |
|
BLAKE2b-256 | d68f9113a5db30594fb7a6027fde320fa1157c2c7264c8a9d85b0c888c72691b |