# stsauth

A CLI tool for obtaining temporary AWS tokens.

Creates a temporary `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` pair that can be used with CLI tools such as `awscli`, `ansible`, `terraform` and others.
This authentication method is preferred because it removes the need for long-lived access keys and forces each user to use their own credentials when connecting to AWS services.
## Prerequisites

- Python and `pip` must be installed.
- If required, make sure `pip` is configured to work behind your organization's proxy server. See PIP Configuration for configuration details.
- You must already have access to the AWS account console.
## Installation

```shell
# Uninstall if a version of `stsauth` already exists
$ pip uninstall stsauth
# Install the current release
$ pip install stsauth
# Install a specific version
$ pip install stsauth==0.1.0
```
## Upgrade

```shell
$ pip install stsauth --upgrade
```
## Configuration

- A valid AWS CLI configuration is required. See AWS CLI for more information.
- Example `~/.aws/credentials` file:

```ini
[default]
output = json
region = us-east-1
idpentryurl = https://<fqdn>/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=urn:amazon:webservices
domain = MYADDOMAIN
okta_org = my-organization
okta_shared_secret = 16CHARLONGSTRING
aws_access_key_id = awsaccesskeyidstringexample
aws_secret_access_key = awssecretaccesskeystringexample
```

Keeping `okta_shared_secret` in this file is the risky path described under Warning below; prefer Okta push notifications and leave that key out where you can.
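The `profiles` command reads this file back and reports which temporary profiles have expired. As an added illustration (not stsauth's own code), the following Python models that round trip with the standard library `configparser`: writing a temporary profile section named `<account>-<role>`, classifying each section as Active or Expired against a given clock, and purging expired sections. It assumes the expiry is stored under a key named `expiration` in ISO 8601 form; the key name stsauth actually writes is not shown on this page, and all key material in the constructed sample file is a placeholder.

```python
"""Read, write and age out stsauth-style profiles in an AWS credentials file.

Added example, not stsauth's own code. Assumption: a temporary profile keeps its
expiry under the key named in EXPIRY_KEY as an ISO 8601 timestamp with offset.
"""
import configparser
import io
from datetime import datetime, timezone

EXPIRY_KEY = "expiration"  # assumed key name; stsauth's real one is not on this page

# Constructed sample credentials file: one static profile without expiry, one
# expired temporary profile and one still-active one. Placeholder secrets only.
SAMPLE_CREDENTIALS = """\
[default]
output = json
region = us-east-1
idpentryurl = https://<fqdn>/adfs/ls/idpinitiatedsignon.aspx?LoginToRP=urn:amazon:webservices
domain = MYADDOMAIN
aws_access_key_id = awsaccesskeyidstringexample
aws_secret_access_key = awssecretaccesskeystringexample

[000000000000-ADFS-Role-One]
aws_access_key_id = ASIAEXAMPLEEXPIRED
aws_secret_access_key = expiredsecretexample
aws_session_token = expiredtokenexample
expiration = 2018-06-25T16:36:27+00:00

[000000000001-ADFS-Role-One]
aws_access_key_id = ASIAEXAMPLEACTIVE
aws_secret_access_key = activesecretexample
aws_session_token = activetokenexample
expiration = 2018-06-27T10:04:46+00:00
"""


def _parse(text):
    # interpolation=None so '%' in a value (e.g. a URL) is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def load_profiles(text, now):
    """Return one row per profile section: name, account id, expiry, status.

    A section without an expiry key is a static key pair, reported as Active
    with no expiry, exactly like the `default` row in `stsauth profiles`.
    """
    rows = []
    for name in _parse(text).sections():
        section = _parse(text)[name]
        raw = section.get(EXPIRY_KEY)
        expiry = datetime.fromisoformat(raw) if raw else None
        status = "Expired" if expiry is not None and expiry <= now else "Active"
        # stsauth names temporary profiles <account-id>-<role-name>
        account = name.split("-", 1)[0] if name[:12].isdigit() else None
        rows.append({"profile": name, "account": account,
                     "expiration": expiry, "status": status})
    return rows


def write_profile(text, profile, creds, expiration):
    """Add or replace a temporary profile section and return the new file text.

    `creds` uses the field names STS returns (AccessKeyId, SecretAccessKey,
    SessionToken); expiry is normalised to UTC before writing.
    """
    cp = _parse(text)
    cp[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        EXPIRY_KEY: expiration.astimezone(timezone.utc).isoformat(),
    }
    return _dump(cp)


def purge_expired(text, now):
    """Drop every section whose expiry has passed; static sections are kept."""
    cp = _parse(text)
    for row in load_profiles(text, now):
        if row["status"] == "Expired":
            cp.remove_section(row["profile"])
    return _dump(cp)


if __name__ == "__main__":
    now = datetime(2018, 6, 27, 0, 0, tzinfo=timezone.utc)
    for row in load_profiles(SAMPLE_CREDENTIALS, now):
        print(f'{row["profile"]:30} {row["status"]}')
```

Running the module prints a status column like the `stsauth profiles` table; `purge_expired` is the hygiene step a wrapper script can run before each `stsauth authenticate` so stale session tokens do not linger on disk.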
## Usage

```console
$ stsauth
Usage: stsauth [OPTIONS] COMMAND [ARGS]...

Options:
  -v, --verbosity LVL  Either CRITICAL, ERROR, WARNING, INFO or DEBUG
  --version            Show the version and exit.
  --help               Show this message and exit.

Commands:
  authenticate
  profiles

$ stsauth authenticate --help
Usage: stsauth authenticate [OPTIONS]

Options:
  -u, --username TEXT             IdP endpoint username.
  -p, --password TEXT             Program will prompt for input if not provided.
  -i, --idpentryurl TEXT          The initial url that starts the authentication process.
  -d, --domain TEXT               The active directory domain.
  -c, --credentialsfile TEXT      Path to AWS credentials file.
  -l, --profile TEXT              Name of config profile.
  -r, --region TEXT               The AWS region to use. ex: us-east-1
  -k, --okta-org TEXT             The Okta organization to use. ex: my-organization
  -s, --okta-shared-secret TEXT   Okta Shared Secret for TOTP Authentication.
                                  WARNING! Please use push notifications if at all
                                  possible. Unless you are aware of what you are
                                  doing, this method could potentially expose your
                                  Shared Secret. Proceed with caution and use a tool
                                  like `pass` to securely store your secrets.
  -o, --output [json|text|table]
  -f, --force                     Auto-accept confirmation prompts.
  --help                          Show this message and exit.
```

```console
$ stsauth authenticate
Username: username
Password:
Please choose the role you would like to assume:
Account 000000000000:
  [0]: ADFS-Role-One
  [1]: ADFS-Role-Two
Account 000000000001:
  [2]: ADFS-Role-One
Account 000000000002:
  [3]: ADFS-Role-One
  [4]: ADFS-Role-Two
Selection: 2
Requesting credentials for role: arn:aws:iam::000000000001:role/ADFS-Role-One
------------------------------------------------------------
Your new access key pair has been generated with the following details:
------------------------------------------------------------
File Path: /Users/username/.aws/credentials
Profile: 000000000001-ADFS-Role-One
Expiration Date: 2018-06-27 16:29:01+00:00
------------------------------------------------------------
To use this credential, call the AWS CLI with the --profile option:
(e.g. aws --profile 000000000001-ADFS-Role-One ec2 describe-instances).
export AWS_PROFILE=000000000001-ADFS-Role-One
--------------------------------------------------------------
```

```console
$ stsauth profiles --help
Usage: stsauth profiles [OPTIONS] [PROFILE]

  Lists the profile details from the credentialsfile or a specified profile.

  Args:
    credentialsfile: the file containing the profile details.
    profile: (Optional) a specific profile to print details for.

Options:
  -c, --credentialsfile TEXT  Path to AWS credentials file.
  --help                      Show this message and exit.

$ stsauth profiles
Account      Profile                     Expire Date          Status
-----------  --------------------------  -------------------  -------
None         default                     No Expiry Set        Active
None         saml                        2018-06-25 16:32:20  Expired
Account-One  000000000000-ADFS-Role-One  2018-06-25 16:36:27  Expired
Account-Two  000000000000-ADFS-Role-Two  2018-06-25 16:47:51  Expired
Account-One  000000000001-ADFS-Role-One  2018-06-27 10:04:46  Active
Account-One  000000000002-ADFS-Role-One  2018-06-27 11:23:23  Active
Account-Two  000000000002-ADFS-Role-Two  2018-06-27 11:28:22  Active
```
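The role menu shown above is built from the `https://aws.amazon.com/SAML/Attributes/Role` attribute of the SAML assertion the IdP returns: each value is a `role ARN,provider ARN` pair, and the pair you pick is what gets handed to STS `AssumeRoleWithSAML`. The following is an added Python example (not stsauth's code) that parses a constructed assertion, accepts the pair in either order as AWS does, groups roles by account the way the menu does, derives the `<account>-<role>` profile name, and assembles the keyword arguments for `boto3.client("sts").assume_role_with_saml`. The ADFS login and the STS call itself are left out so the example runs offline; the sample assertion and the provider name `ADFS` are assumptions.

```python
"""Turn the SAML Role attribute into the stsauth-style role menu and an
AssumeRoleWithSAML request. Added example, not stsauth's own code.
"""
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (unsigned, minimal). A real one arrives
# base64-encoded in the SAMLResponse form field of the IdP's POST to AWS.
# The third value deliberately lists the provider ARN first: AWS allows
# either order, so the parser must not assume one.
SAMPLE_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::000000000000:role/ADFS-Role-One,arn:aws:iam::000000000000:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::000000000000:role/ADFS-Role-Two,arn:aws:iam::000000000000:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::000000000001:saml-provider/ADFS,arn:aws:iam::000000000001:role/ADFS-Role-One</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>username</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()


def parse_roles(saml_b64):
    """Return (role_arn, principal_arn) pairs from a base64 SAML assertion."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            first, second = (part.strip() for part in value.text.split(","))
            # the provider ARN is the one containing ':saml-provider/'
            if ":saml-provider/" in first:
                pairs.append((second, first))
            else:
                pairs.append((first, second))
    return pairs


def account_id(arn):
    return arn.split(":")[4]


def role_name(role_arn):
    return role_arn.rsplit("/", 1)[1]


def profile_name(role_arn):
    """stsauth-style profile name: <account-id>-<role-name>."""
    return f"{account_id(role_arn)}-{role_name(role_arn)}"


def build_menu(pairs):
    """Return (menu text, pairs ordered as numbered in the menu)."""
    ordered = sorted(pairs, key=lambda p: (account_id(p[0]), p[0]))
    by_account = defaultdict(list)
    for idx, (role_arn, _) in enumerate(ordered):
        by_account[account_id(role_arn)].append((idx, role_name(role_arn)))
    lines = ["Please choose the role you would like to assume:"]
    for account in sorted(by_account):
        lines.append(f"Account {account}:")
        lines.extend(f"  [{idx}]: {name}" for idx, name in by_account[account])
    return "\n".join(lines), ordered


def assume_role_kwargs(pair, saml_b64, duration_seconds=3600):
    """Keyword arguments for boto3 STS assume_role_with_saml (network call
    left to the caller). STS validates the assertion's signature and the
    role's trust policy; a mismatch surfaces as AccessDenied."""
    role_arn, principal_arn = pair
    return {"RoleArn": role_arn, "PrincipalArn": principal_arn,
            "SAMLAssertion": saml_b64, "DurationSeconds": duration_seconds}


if __name__ == "__main__":
    menu, ordered = build_menu(parse_roles(SAMPLE_ASSERTION_B64))
    print(menu)
    print(assume_role_kwargs(ordered[2], SAMPLE_ASSERTION_B64)["RoleArn"])
```

Sorting by account before numbering is what keeps the indices contiguous per account as in the menu above; the selected index then maps straight back into `ordered`.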
## Warning

Use Okta push notifications for MFA whenever possible. Storing your shared secret, or passing it on the command line, risks exposing it to others (shell history, process listings and backups of `~/.aws/credentials` all carry it). If the shared secret is compromised, the MFA factor provides no protection, because anyone holding it can generate valid codes. Proceed with caution and understand the risks. If you believe your shared secret has been exposed, revoke it immediately.
## Troubleshooting

Error when authenticating:

```
An error occurred (AccessDenied) when calling the AssumeRoleWithSAML operation: Access denied
```

You may have lost permission to the role: STS returns AccessDenied when the role's trust policy no longer allows the SAML provider, or when the assertion no longer maps you to that role. Try logging in to the same role through the AWS console to confirm.
## Credits

This project is based largely on the AWS Security Blog post Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0.