nd-okta-auth


- Name: nd-okta-auth
- Version: 1.0.6
- Home page: https://github.com/Nextdoor/nd_okta_auth
- Summary: Nextdoor Okta Auther
- Upload time: 2023-01-25 01:41:45
- Author: Nextdoor Engineering
- License: Apache License, Version 2.0
- Keywords: apache
- Requirements: bs4, rainbow-logging-handler, requests, boto3, future, configparser, fido2

# Nextdoor Okta Auth-er

This is a simple command-line tool for logging into Okta and generating
temporary Amazon AWS credentials. This tool makes it easy and secure for your
developers to generate short-lived, [logged and user-attributed][tracking]
credentials that can be used for any of the Amazon SDK libraries or CLI tools.

# Features

We have support for logging into Okta, optionally handling MFA Authentication,
and then generating new SAML authenticated AWS sessions. In particular, this
tool has a few core features.

## Optional MFA Authentication

If your organization requires MFA for the _[initial login into Okta][okta_mfa]_,
we will automatically detect that requirement on a per-user basis and prompt
the user to complete the Multi Factor Authentication. The following factors
are supported by _nd\_okta\_auth_:

- [FIDO U2F][okta_u2f] (e.g. YubiKey)
- [Okta Verify with Push][okta_verify]
- TOTP (Okta Verify, Duo, and Google Authenticator)

If a user has multiple factors, they will be prompted in the above order. A
user can hit Control-C to skip a factor.

## Re-Up Mode: Automatic Credential Re-Generation

Amazon IAM only supports Federated Login sessions that last up to *1 hour*. For
developers, it can be painful to re-authenticate every hour during your work
day. This is made much worse if your organization requires MFA on each login.

You may run the Okta Auth-er tool in "reup" mode to get around this. The tool
will stay running in a daemon-like mode, and it will reach out regularly to
Okta, generate a new SAML Assertion, and then generate updated Amazon AWS
credentials. This can run for as long as your Okta administrator has allowed
your Login Session to be - often a full work day.

See the `--reup` command-line option for help here!
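
Between "generate a new SAML Assertion" and "generate updated Amazon AWS credentials" sits one step: reading the AWS role attribute out of the assertion. The block below is an added example, not nd_okta_auth's own code; the sample assertion, the account ID and the `choose_role` helper are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample response: account ID, role and provider names are placeholders.
SAMPLE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion><saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::111122223333:saml-provider/Okta,arn:aws:iam::111122223333:role/Developer</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/Okta</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def roles_from_assertion(assertion_b64):
    """Return sorted (role_arn, principal_arn) pairs from a base64 SAML response."""
    # This only reads attributes; the XML signature is verified by AWS STS, not here.
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = set()
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            arns = [a.strip() for a in (value.text or "").split(",")]
            # The two ARNs may come in either order, so classify by resource type.
            role = [a for a in arns if ":role/" in a]
            idp = [a for a in arns if ":saml-provider/" in a]
            if len(arns) != 2 or len(role) != 1 or len(idp) != 1:
                raise ValueError("malformed role attribute: %r" % value.text)
            pairs.add((role[0], idp[0]))
    return sorted(pairs)


def choose_role(pairs, wanted_role_arn):
    """Return the pair for the requested role; never fall back to another role."""
    for role_arn, principal_arn in pairs:
        if role_arn == wanted_role_arn:
            return role_arn, principal_arn
    raise ValueError("role not offered in assertion: %s" % wanted_role_arn)
```

The chosen pair and the same base64 string are the `RoleArn`, `PrincipalArn` and `SAMLAssertion` parameters of STS AssumeRoleWithSAML.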

# Usage

For detailed usage instructions, see the `--help` command-line argument. Basic
usage:

    $ nd_okta_auth -a <application id> -o <your org name> -u <your username>
    08:27:44   (INFO) Nextdoor Okta Auther v0.0.1
    Password: 
    08:27:48   (WARNING) Okta Verify Push being sent...
    08:27:48   (INFO) Waiting for Okta Verification...
    ...
    08:28:09   (INFO) Waiting for Okta Verification...
    08:28:10   (INFO) Successfully authed Matt Wise
    08:28:10   (INFO) Getting SAML Assertion from foobar
    08:28:11   (INFO) Found credentials in shared credentials file: ~/.aws/credentials
    08:28:11   (INFO) Wrote profile "default" to /Users/diranged/.aws/credentials
    08:28:11   (INFO) Session expires at 2017-07-24 16:28:13+00:00
    $

## Okta Setup
Before you can use this tool, your Okta administrator needs to set up
[Amazon/Okta integration][okta_aws_guide] using SAML roles.

## Inspiration
This code is heavily based on the previous work done by
[ThoughtWorksInc][thoughtworksinc] on their [OktaAuth][oktaauth] and [AWS Role
Credentials][aws_role_credentials] tools. We took their general-purpose code
and rewrote it into a single, focused tool that added some new features.

In particular, we found it clumsy to use two CLI tools together to do a single
task. Additionally, the tools did not have support for [Okta Verify with
Push][okta_verify].

# Developer Setup

If you are interested in working on the codebase, setting up your development
environment is quick and easy.

    $ virtualenv .venv
    $ source .venv/bin/activate
    $ pip install -r requirements.txt
    
## Python Versions

Python 2.7.1+ and Python 3.5.0+ are supported.

## Running Tests

    $ nosetests -vv --with-coverage --cover-erase --cover-package=nd_okta_auth

[oktaauth]: https://github.com/ThoughtWorksInc/oktaauth
[aws_role_credentials]: https://github.com/ThoughtWorksInc/aws_role_credentials
[thoughtworksinc]: https://github.com/ThoughtWorksInc
[tracking]: https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/
[okta_aws_guide]: https://support.okta.com/help/servlet/fileField?retURL=%2Fhelp%2Farticles%2FKnowledge_Article%2FAmazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s
[okta_mfa]: https://www.okta.com/products/adaptive-multi-factor-authentication/
[okta_verify]: https://www.okta.com/blog/tag/okta-verify-with-push/
[okta_u2f]: https://support.okta.com/help/s/article/Using-YubiKey-Authentication-in-Okta
[aws_saml]: http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

            
