def main(okta_profile, profile, verbose, version, debug, force, cache,
awscli_args, token):
""" Authenticate to awscli using Okta """
if version:
print(__version__)
exit(0)
logging.basicConfig(format='%(levelname)s - %(message)s',
level=(debug and logging.DEBUG
or verbose and logging.INFO or logging.WARN))
if not okta_profile:
okta_profile = "default"
aws_auth = AwsAuth(profile, okta_profile, verbose, logger)
if not aws_auth.check_sts_token(profile) or force:
if force and profile:
logger.info("Force option selected, \
getting new credentials anyway.")
elif force:
logger.info("Force option selected, but no profile provided. \
Option has no effect.")
get_credentials(aws_auth, okta_profile, profile, verbose, logger,
token, cache)
if awscli_args:
cmdline = ['aws', '--profile', profile] + list(awscli_args)
logger.info('Invoking: %s', ' '.join(cmdline))
call(cmdline)
def main(okta_profile, profile, verbose, version, debug, force, cache,
awscli_args, token, alias):
""" Authenticate to awscli using Okta """
if version:
print(__version__)
exit(0)
# Set up logging
logger = logging.getLogger('okta-awscli')
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
handler.setLevel(logging.WARN)
formatter = logging.Formatter('%(levelname)s - %(message)s')
handler.setFormatter(formatter)
if verbose and not debug:
handler.setLevel(logging.INFO)
if debug:
handler.setLevel(logging.DEBUG)
logger.addHandler(handler)
if not okta_profile:
okta_profile = "default"
if alias:
okta_profile = "temporary-cli-aws-profile"
profile = None
force = True
aws_auth = AwsAuth(profile, okta_profile, verbose, logger)
okta_auth_config = OktaAuthConfig(logger)
if not aws_auth.check_sts_token(profile) or force:
if force and profile:
logger.info(
"Force option selected, getting new credentials anyway.")
elif force:
logger.info(
"Force option selected, but no profile provided. Option has no effect."
)
profile = get_credentials(aws_auth, okta_profile, profile, verbose,
logger, token, cache, alias,
okta_auth_config)
if awscli_args:
cmdline = ['aws', '--profile', profile] + list(awscli_args)
logger.info('Invoking: %s', ' '.join(cmdline))
call(cmdline)
def setUp(cls) -> None:
cls.logger = logging.getLogger('okta-awscli')
cls.handle = io.StringIO()
cls.okta_auth_config = OktaAuthConfig(cls.logger, cls.handle)
cls.aws_auth = AwsAuth('profile', 'profile', True, cls.logger)
option_tuple = namedtuple("OptionTuple", ["option_text", "alias_name", "role_name"])
cls.options = []
cls.options.append(option_tuple("Hi I'm text", "role-name", "role-name2"))
cls.options.append(option_tuple("Hi I'm text2", "role-name2", "role-name3"))
cls.options.append(option_tuple("Hi I'm text3", "role-name3", "role-name4"))
def main(okta_profile, profile, verbose, force, awscli_args):
""" Authenticate to awscli using Okta """
if not okta_profile:
okta_profile = "default"
aws_auth = AwsAuth(profile, verbose)
if not aws_auth.check_sts_token(profile) or force:
if verbose and force and profile:
click.echo(
"Force option selected, getting new credentials anyway.")
elif verbose and force:
click.echo(
"Force option selected, but no profile provided. Option has no effect."
)
get_credentials(aws_auth, okta_profile, profile, verbose)
if awscli_args:
cmdline = ['aws', '--profile', profile] + list(awscli_args)
if verbose:
click.echo('Invoking: %s' % ' '.join(cmdline))
call(cmdline)
def main(okta_profile, profile, verbose, version, debug, force, cache, lookup,
awscli_args, refresh_role, token, okta_username, okta_password,
config, switch):
""" Authenticate to awscli using Okta """
if version:
print(__version__)
sys.exit(0)
# Set up logging
logger = logging.getLogger('okta-awscli')
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
handler.setLevel(logging.WARN)
formatter = logging.Formatter('%(levelname)s - %(message)s')
handler.setFormatter(formatter)
if verbose:
handler.setLevel(logging.INFO)
if debug:
handler.setLevel(logging.DEBUG)
logger.addHandler(handler)
if config:
OktaAuthConfig.configure(logger)
if not okta_profile:
okta_profile = "default"
if switch:
okta_profile = okta_switch(logger)
aws_auth = AwsAuth(profile, okta_profile, lookup, verbose, logger)
if force or not aws_auth.check_sts_token():
if force and profile:
logger.info("Force option selected, \
getting new credentials anyway.")
get_credentials(aws_auth, okta_profile, profile, verbose, logger,
token, cache, refresh_role, okta_username,
okta_password)
if awscli_args:
aws_auth.execute_aws_args(awscli_args, logger)
def main(okta_profile, profile, verbose, version, debug, force, cache,
awscli_args, token, assertion, assertion_from_file, full, prefix,
postfix):
""" Authenticate to awscli using Okta """
if version:
print(__version__)
exit(0)
# Set up logging
logger = logging.getLogger('okta-awscli')
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
handler.setLevel(logging.WARN)
formatter = logging.Formatter('%(levelname)s - %(message)s')
handler.setFormatter(formatter)
if verbose:
handler.setLevel(logging.INFO)
if debug:
handler.setLevel(logging.DEBUG)
logger.addHandler(handler)
if not okta_profile:
okta_profile = "default"
aws_auth = AwsAuth(profile, okta_profile, verbose, logger)
if not aws_auth.check_sts_token(profile) or force:
if force and profile:
logger.info("Force option selected, \
getting new credentials anyway.")
elif force:
logger.info("Force option selected, but no profile provided. \
Option has no effect.")
get_credentials(aws_auth, okta_profile, profile, verbose, logger,
token, cache, assertion, assertion_from_file, full,
prefix, postfix)
if awscli_args:
cmdline = ['aws', '--profile', profile] + list(awscli_args)
logger.info('Invoking: %s', ' '.join(cmdline))
call(cmdline)
def main(okta_profile, profile, verbose, version, debug, force, cache, lookup,
awscli_args, token, okta_username, okta_password):
""" Authenticate to awscli using Okta """
if version:
print(__version__)
sys.exit(0)
# Set up logging
logger = logging.getLogger('okta-awscli')
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
handler.setLevel(logging.WARN)
formatter = logging.Formatter('%(levelname)s - %(message)s')
handler.setFormatter(formatter)
if verbose:
handler.setLevel(logging.INFO)
if debug:
handler.setLevel(logging.DEBUG)
logger.addHandler(handler)
if not okta_profile:
okta_profile = "default"
aws_auth = AwsAuth(profile, okta_profile, lookup, verbose, logger)
if not aws_auth.check_sts_token(profile) or force:
if force and profile:
logger.info("Force option selected, \
getting new credentials anyway.")
refresh_role = True if force else False
get_credentials(aws_auth, okta_profile, profile, verbose, logger,
token, cache, refresh_role, okta_username,
okta_password)
if awscli_args:
cmdline = ['aws', '--profile', profile] + list(awscli_args)
logger.info('Invoking: %s', ' '.join(cmdline))
call(cmdline)
def get_credentials(okta_profile,
profile,
account,
write_default,
verbose,
logger,
totp_token,
cache,
export,
reset,
force,
region,
debug=False):
""" Gets credentials from Okta """
okta_auth_config = OktaAuthConfig(logger, reset)
aws_auth = AwsAuth(
profile=profile,
okta_profile=okta_profile,
account=account,
verbose=verbose,
logger=logger,
region=region or okta_auth_config.region_for(okta_profile),
reset=reset,
debug=debug,
)
check_creds = okta_auth_config.get_check_valid_creds(okta_profile)
if not force and not export and check_creds and aws_auth.check_sts_token(
profile):
if write_default:
aws_auth.copy_to_default(profile)
print("Copying AWS profile creds to default")
exit(0)
okta = OktaAuth(okta_profile,
verbose,
logger,
totp_token,
okta_auth_config,
debug=debug)
_, assertion = okta.get_assertion()
role = aws_auth.choose_aws_role(assertion)
role_arn, principal_arn, alias = role
auto_write = okta_auth_config.get_auto_write_profile(okta_profile)
if auto_write == "True" and profile is None:
profile_name = "default" if alias == "unknown" else alias
else:
profile_name = profile
store_role = okta_auth_config.get_store_role(okta_profile)
if store_role == "True":
okta_auth_config.save_chosen_role_for_profile(okta_profile, role_arn)
duration = okta_auth_config.get_session_duration(okta_profile)
sts_token = aws_auth.get_sts_token(role_arn, principal_arn, assertion,
duration)
access_key_id = sts_token['AccessKeyId']
secret_access_key = sts_token['SecretAccessKey']
session_token = sts_token['SessionToken']
print("Credentials valid for %s hours" % round(duration / 3600, 1))
if (profile_name is None or export) and not write_default:
logger.info(
"Either profile name not given or export flag set, will output to console."
)
exports = console_output(access_key_id, secret_access_key,
session_token, verbose)
if cache:
cache = open(
"%s/.okta-credentials.cache" % (os.path.expanduser('~'), ),
'w')
cache.write(exports)
cache.close()
exit(0)
else:
# Check okta config again for region, but now with manually chosen account alias
default_region = okta_auth_config.region_for('default')
okta_region = okta_auth_config.region_for(okta_profile, default=None)
account_region = okta_auth_config.region_for(profile_name,
default=None)
if region:
logger.debug("Keeping CLI region: %s", region)
elif okta_region is not None and okta_region != default_region:
region = okta_region
logger.debug("Setting region=%s via okta-profile=%s", region,
okta_profile)
elif account_region is not None and account_region != default_region:
region = account_region
logger.debug("Setting region=%s via account profile=%s", region,
profile_name)
else:
region = default_region
logger.debug("Setting region=%s via defaults", region)
logger.info(
"Export flag not set, will write credentials to ~/.aws/credentials."
)
aws_auth.write_sts_token(
profile=profile_name,
access_key_id=access_key_id,
secret_access_key=secret_access_key,
session_token=session_token,
region=region,
)
if write_default:
print("Writing to default AWS profile")
aws_auth.write_sts_token(
profile='default',
access_key_id=access_key_id,
secret_access_key=secret_access_key,
session_token=session_token,
region=region,
)
# Only print usage message if account argument wasn't specified
elif account is None:
usage_msg = "".join([
"\nTo start using these temporary credentials, run:\n",
"\n export AWS_PROFILE=%s\n" % profile_name
])
print(usage_msg)
exit(0)