nd_okta_auth's Introduction

Nextdoor Okta Auth-er

This is a simple command-line tools for logging into Okta and generating temporary Amazon AWS Credentials. This tool makes it easy and secure for your developers to generate short-lived, logged and user-attributed credentials that can be used for any of the Amazon SDK libraries or CLI tools.

Features

We have support for logging into Okta, optionally handling MFA Authentication, and then generating new SAML authenticated AWS sessions. In particular, this tool has a few core features.

Optional MFA Authentication

If your organization requires MFA for the initial login into Okta, we will automatically detect that requirement on a per-user basis and prompt the user to complete the Multi Factor Authentication. The following factors are supported by nd_okta_auth:

FIDO U2F (eg yubikey)
Okta Verify with Push
TOTP (Okta Verify, Duo, and Google Authenticator)

If a user has multiple factors they will be prompted in the above order. A user can hit Control-C to skip a factor.

Re-Up Mode .. Automatic Credential Re-Generation

Amazon IAM only supports Federated Login sessions that last up to 1 hour. For developers, it can be painful to re-authenticate every hour during your work day. This is made much worse if your organization requires MFA on each login.

You may run the Okta Auth-er tool in "reup" mode to get around this. The tool will stay running in a daemon-like mode, and it will reach out regularly to Okta, generate a new SAML Assertion, and then generate updated Amazon AWS credentials. This can run for as long as your Okta administrator has allowed your Login Session to be - often a full work day.

See the --reup commandline option for help here!

Usage

For detailed usage instructions, see the --help commandline argument. Basic instructions though:

$ nd_okta_auth -a <application id> -o <your org name> -u <your username>
08:27:44   (INFO) Nextdoor Okta Auther v0.0.1
Password: 
08:27:48   (WARNING) Okta Verify Push being sent...
08:27:48   (INFO) Waiting for Okta Verification...
...
08:28:09   (INFO) Waiting for Okta Verification...
08:28:10   (INFO) Successfully authed Matt Wise
08:28:10   (INFO) Getting SAML Assertion from foobar
08:28:11   (INFO) Found credentials in shared credentials file: ~/.aws/credentials
08:28:11   (INFO) Wrote profile "default" to /Users/diranged/.aws/credentials
08:28:11   (INFO) Session expires at 2017-07-24 16:28:13+00:00
$

Okta Setup

Before you can use this tool, your Okta administrator needs to set up Amazon/Okta integration using SAML roles.

Inspiration

This code is heavily based on the previous work done by ThoughtWorksInc on their OktaAuth and AWS Role Credentials tools. We took their general purpose code and re-wrote them into a singularly focused tool that added some new features.

In particular, we found it clumsy to use two CLI tools together to do a single task. Additionally, the tools did not have support for Okta Verify with Push.

Developer Setup

If you are interested in working on the codebase, setting up your development environment is quick and easy.

$ virtualenv .venv
$ source .venv/bin/activate
$ pip install -r requirements.txt

Python Versions

Python 2.7.1+ and Python 3.5.0+ are supported

Running Tests

$ nosetests -vv --with-coverage --cover-erase --cover-package=nd_okta_auth

nd_okta_auth's People

Contributors

Stargazers

Watchers

nd_okta_auth's Issues

Permissions on aws credentials file is too wide

File is created with 744 permissions. Should probably be 600

handle connection issues more gracefully

If there is a network issue on the first attempt the script fails and does not retry.

Traceback (most recent call last):
  File "/Users/slava/src/dotfiles/.venv/bin/nd_okta_auth", line 11, in <module>
    load_entry_point('nd-okta-auth==0.0.1', 'console_scripts', 'nd_okta_auth')()
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/nd_okta_auth/main.py", line 182, in entry_point
    raise SystemExit(main(sys.argv))
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/nd_okta_auth/main.py", line 141, in main
    okta_client.auth()
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/nd_okta_auth/okta.py", line 214, in auth
    ret = self._request(path, data)
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/nd_okta_auth/okta.py", line 97, in _request
    allow_redirects=False)
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/requests/sessions.py", line 549, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/Users/slava/src/dotfiles/.venv/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='xxxxx.okta.com', port=443): Max retries exceeded with url: /api/v1/authn (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x105b024d0>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known',))

nextdoor / nd_okta_auth Goto Github PK