Single Sign on within AWS removes the ability to generate long-lived access tokens for AWS. Instead, the Amazon Security Token Service is used to generate short-lived tokens.
This command line utility can be used to authenticate with an SSO provider (ex: Okta) and generate access token credentials. It supports assuming an AWS role and will automatically update your AWS CLI credentials file with the new credentials.
For ease of use, the token generator is packaged as a docker container. Your team will not need to clone this repository
or install anything. Token can be generated via a single docker run
command. A helper script is also included to encapsulate
the arguments of the docker command.
The token generator runs as a docker container which can bind-mount to your AWS credentials file to save temporary credentials.
Installation is as simple as downloading the aws-token
script and saving it to your prefered PATH location e.g. /usr/local/bin/aws-token
. Then execute that file every time
you need a new token.
$> aws-token
export AWS_PROFILE=<the generated profile here>
export AWS_ACCESS_KEY_ID=$(aws configure get $AWS_PROFILE.aws_access_key_id)
export AWS_SECRET_ACCESS_KEY=$(aws configure get $AWS_PROFILE.aws_secret_access_key)
export AWS_SESSION_TOKEN=$(aws configure get $AWS_PROFILE.aws_session_token)
export AWS_DEFAULT_REGION=us-east-1
$> aws-token --help
usage: index.js [-h] [-v] [--username USERNAME] [--password PASSWORD]
[--role ROLE]
[--account {staging,development}]
[--profile PROFILE]
AWS STS Token Generator
Optional arguments:
-h, --help Show this help message and exit.
-v, --version Show program's version number and exit.
--username USERNAME Okta username (ex. [email protected])
--password PASSWORD Okta password
--role ROLE Name of SAML role to assume
--account {staging,development}
Name of account to switch to. Defaults to "staging".
--profile PROFILE Profile name that the AWS credentials should be saved
as. Defaults to the name of the account specified.
The process of authenticating with Okta (and many SAML SSO providers) is only possible via form-based authentication. We're using headless browser automation to emulate a form-based sign-on. This is similar to the solution proposed by Amazon.
- Prompt user for SSO-provider username and password
- Use a headless browser to navigate to the login page and submit the credentials
- Prompt for a TOTP token
- Use the headless browser to submit the TOTP token
- Parse the response from Amazon to extract the SAML assertion
- Present accessible roles to the user (if more than one) and allow them to select the role to assume
- Use the STS API to assume the role
- Save the token information to the AWS credentials file
We recommend the following steps for use in your organization, see example
:
-
Create a fresh git repository/dir
-
Copy
config.example.json
to the root of your repository/dir asconfig.json
and edit it for your organization -
Create a Dockerfile for your token generator. The following should suffice:
FROM $ORG/aws-sts:config
-
Build and publish the docker image for use in your organization
-
Copy the
aws-token
script to your prefered PATH location e.g./usr/local/bin/aws-token
-
in your terminal do a
$ aws-token
to generate a temporal AWS token
Configuration is done by creating a config.json file in the root of your repository. An example template is provided.
awsConfigPath: Path to the user AWS CLI credential file. The recommended path is the path to the
Docker container's credential path.
outputFormat: Output format of AWS access token credentials
region: Region used for AWS API calls
provider: Name of the SAML provider to use for authentication
idPEntryUrl: URL to access the form-based authentication login for the provider
defaultAccount: Default AWS account to use when one is not specified via the command line
accounts: Map of accountName/account-objects for accounts which can be switched to
once initially authenticated
account:
accountNumber: AWS account number
idpEntryUrl: URL to access the form-based authentication login for the provider. If not defined will
fallback to the global idPEntryUrl
Once configured, build a docker container so that folks on your team can easily generate tokens without setup or configuration.
docker-compose build
docker-compose push
File it HERE
Sometimes, you might run into a timeout when you think all the required params are entered correctly. When that happens, it's useful to turn of headless browsing to see what's going on.
$ npm run start-debug
- All functionality is executed inside a Docker container. Docker must be available in order for the application to work.
- At the moment, only Okta authentication is supported. We welcome Pull Requests for additional providers.