<p align="center">
<img src="https://raw.githubusercontent.com/dowjones/tokendito/main/docs/tokendito.png"/>
</p>
## Generate temporary AWS credentials via Okta.
[![image](https://img.shields.io/github/actions/workflow/status/dowjones/tokendito/test.yml)](https://github.com/dowjones/tokendito/actions)
[![image](https://img.shields.io/pypi/pyversions/tokendito?color=blueviolet)](https://pypi.org/project/tokendito/)
[![image](https://img.shields.io/github/actions/workflow/status/dowjones/tokendito/woke.yml?label=woke)](https://github.com/dowjones/tokendito/actions)
[![image](https://img.shields.io/badge/license-Apache%202.0-ff69b4)](https://github.com/dowjones/tokendito/blob/main/LICENSE.txt)
[![image](https://img.shields.io/badge/OS-Mac%2C%20Windows%2C%20Linux-9cf)](https://github.com/dowjones/tokendito/)
[![image](https://img.shields.io/coverallsCoverage/github/dowjones/tokendito)](https://coveralls.io/github/dowjones/tokendito) [![image](https://img.shields.io/pypi/dm/tokendito)](https://pypistats.org/packages/tokendito)
<p>
<img src="https://raw.githubusercontent.com/dowjones/tokendito/main/docs/tokendito-scaled.gif">
</p>
Use `tokendito` to generate temporary AWS credentials via Okta for
programmatic authentication to AWS. Tokendito signs you into Okta and
uses your existing AWS integration to broker a SAML assertion into
your AWS accounts, returning
[STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
tokens into your local `~/.aws/credentials` file.
## What's new
See [Releases](https://github.com/dowjones/tokendito/releases) for a detailed Changelog.
### Tokendito 2.3.0
Version 2.3.0 of Tokendito introduces the following new features:
- Basic OIE support while forcing Classic mode.
- Misc bug fixes
Note: This feature currently works with locally enabled OIE organizations, but not with organizations that use chained authentication in mixed OIE/Classic environments.
### Tokendito 2.2.0
Version 2.2.0 of Tokendito introduces the following new features:
- Shared HTTP Client to leverage keepalives and Python's connection pool (by @fsilvamaia)
- Support for Step-Up Authorization (by @ruhulio)
- Misc bug fixes
### Tokendito 2.1.0
Version 2.1.0 of Tokendito introduces the following new features:
- IdP redirection
- Docker support (by @opis-mark)
- Interactive support for AWS profile names (by @opis-mark)
- Docker container signing to ensure you are on a 'certified' Tokendito container
- Misc bug fixes
### Tokendito 2.0.0
With the release of tokendito 2.0, many changes and fixes were introduced. **It is a breaking release**: your configuration needs to be updated, the command line arguments have changed, and support for Python \< 3.7 has been removed.
The following changes are part of this release:
- Set the config file to be platform dependent, and follow the XDG standard.
- Extend configuration capabilities.
- Modernize output.
- Change the MFA method from strict match to partial match.
- Mask secrets from output logs.
- Automatically discover AWS URLs.
- Fix authentication with DUO.
- Add support for setting the logging level via both the INI file and ENV vars.
- Add support for Python 3.9, 3.10, and 3.11.
- And many fixes.
Consult [additional notes](https://github.com/dowjones/tokendito/blob/main/docs/README.md) for how to use tokendito.
## Requirements
- Python 3.7+, or a working Docker environment
- AWS account(s) federated with Okta
Tokendito is compatible with Python 3 and can be installed with either
pip or pip3.
## Getting started
1. Install (via PyPI): `pip install tokendito`
1. Run `tokendito --configure`.
1. Run `tokendito`.
**NOTE**: Advanced users may shorten the `tokendito` interaction to a [single
command](https://github.com/dowjones/tokendito/blob/main/docs/README.md#single-command-usage).
Have multiple Okta tiles to switch between? View our [multi-tile
guide](https://github.com/dowjones/tokendito/blob/main/docs/README.md#multi-tile-guide).
## Docker
Using Docker eliminates the need to install tokendito and its requirements. We provide experimental Docker image support on [Docker Hub](https://hub.docker.com/r/tokendito/tokendito).
### Running the container image
Run tokendito with the `docker run` command. Tokendito supports [DCT](https://docs.docker.com/engine/security/trust/), and we encourage you to enforce image signature validation before running any containers.
```shell
export DOCKER_CONTENT_TRUST=1
```
then
```shell
docker run --rm -it tokendito/tokendito --version
```
You must map a volume in the Docker command to allow tokendito to write AWS credentials to your local filesystem for use. This is done with the `-v` flag. See [Docker documentation](https://docs.docker.com/engine/reference/commandline/run/#-mount-volume--v---read-only) for help setting the syntax. The following directories are used by tokendito and should be considered when mapping volumes:
- `/app/.aws/` (AWS credential storage)
- `/app/.config/tokendito/` (tokendito profile storage)
These can be covered by mapping a single volume to both the host and container users' home directories (`/app` is the home directory in the container and must be explicitly defined). You may also map multiple volumes if you have custom configuration locations and require granularity.
Be sure to set the `-it` flags to enable an interactive terminal session.
On Windows, from a Command Prompt (`cmd.exe`), you can do the following:
```bat
docker run --rm -it -v "%USERPROFILE%\.aws":/app/.aws -v "%USERPROFILE%\.config":/app/.config tokendito/tokendito
```
On a macOS system, you can run:
```shell
docker run --rm -it -v "$HOME/.aws":/app/.aws -v "$HOME/.config":/app/.config tokendito/tokendito
```
On a Linux system, however, you must specify the user and group IDs for the mount mappings to work as expected.
Additionally, the mount points within the container move to a different location:
```shell
docker run --user $(id -u):$(id -g) --rm -it -v "$HOME/.aws":/.aws -v "$HOME/.config":/.config tokendito/tokendito
```
Tokendito command line arguments are supported as well.
**NOTE**: In the following examples the entire home directory is exported for simplicity. This is not recommended as it exposes too much data to the running container:
```shell
docker run --rm -it -v "$HOME":/app tokendito/tokendito \
  --okta-tile https://acme.okta.com/home/amazon_aws/000000000000000000x0/123 \
  --username username@example.com \
  --okta-mfa push \
  --aws-output json \
  --aws-region us-east-1 \
  --aws-profile my-profile-name \
  --aws-role-arn arn:aws:iam::000000000000:role/role-name
```
Tokendito profiles are supported while using containers provided the proper volume mapping exists.
```shell
docker run --rm -ti -v "$HOME":/app tokendito/tokendito \
--profile my-profile-name
```
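The note above warns against exporting the whole home directory. As an added example (not part of the tokendito project), this wrapper mounts only the two directories tokendito uses, picks the mount targets for Linux or macOS, and enforces DCT; the names `tokendito_docker` and `TOKENDITO_DRY_RUN`, and mounting `.config/tokendito` on its own, are assumptions.

```shell
#!/bin/sh
# Added example (not from the tokendito project): run the container with only
# the two directories the README lists mounted, instead of all of $HOME.
# Assumption: mounting .config/tokendito alone is enough for profile storage.

# usage: tokendito_docker OS HOME_DIR [tokendito arguments...]
#   OS is the output of `uname -s`. Set TOKENDITO_DRY_RUN=1 (hypothetical
#   variable) to print the command for review instead of running it.
tokendito_docker() {
    os="$1"; home="$2"; shift 2

    case "$os" in
        Linux)  dest="" ;;      # with --user, mount points are /.aws and /.config
        Darwin) dest="/app" ;;  # /app is the home directory in the container
        *) echo "unsupported OS: $os" >&2; return 1 ;;
    esac

    # Docker creates a missing bind-mount source as a root-owned directory,
    # so create both here, accessible to the current user only.
    mkdir -p "$home/.aws" "$home/.config/tokendito" || return 1
    chmod 700 "$home/.aws" "$home/.config/tokendito" || return 1

    # Put the docker options in front of the caller's tokendito arguments.
    set -- --rm -it \
        -v "$home/.aws:$dest/.aws" \
        -v "$home/.config/tokendito:$dest/.config/tokendito" \
        tokendito/tokendito "$@"
    # Linux needs the caller's UID and GID for the mounts to be writable.
    if [ "$os" = Linux ]; then
        set -- --user "$(id -u):$(id -g)" "$@"
    fi

    if [ -n "${TOKENDITO_DRY_RUN:-}" ]; then
        printf 'docker run %s\n' "$*"
    else
        # Refuse unsigned images, as recommended above.
        DOCKER_CONTENT_TRUST=1 docker run "$@"
    fi
}

# Example: tokendito_docker "$(uname -s)" "$HOME" --profile my-profile-name
```
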
## Tips, tricks, troubleshooting, examples, and more docs are [here](https://github.com/dowjones/tokendito/blob/main/docs/README.md)
[Contributions are welcome](https://github.com/dowjones/tokendito/blob/main/docs/CONTRIBUTING.md)!
Raw data
{
"_id": null,
"home_page": "https://github.com/dowjones/tokendito",
"name": "tokendito",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "",
"keywords": "okta,aws,sts",
"author": "tokendito",
"author_email": "tokendito@dowjones.com",
"download_url": "https://files.pythonhosted.org/packages/ca/de/babfca624521ab3141bd054d629805d4ab49fea544716a20a1d761a8171e/tokendito-2.3.1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "Apache 2.0",
"summary": "Get AWS STS tokens from Okta SSO",
"version": "2.3.1",
"project_urls": {
"Homepage": "https://github.com/dowjones/tokendito"
},
"split_keywords": [
"okta",
"aws",
"sts"
],
"upload_time": "2023-11-17 20:15:59",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "dowjones",
"github_project": "tokendito",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"tox": true,
"lcname": "tokendito"
}