Skip to content

Coderrs/kerb-sts

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS CLI Kerberos Adapter

Based on the ADSF-CLI script [originally posted by Quint Van Deman] (https://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI-Access-Using-SAML-2-0-and-AD-FS)

Overview

This script provides a seamless mechanism for federating the AWS CLI. When properly configured this script allows a user to get a short lived set of credentials for each authorized role.

The script leverages Kerberos and ADFS to avoid any need for the user to enter a AD domain password or provide AWS credentials. The script gracefully degrades as follows

  • If kerberos auth fails, we fallback to NTLM username/password prompt
  • The user may opt to Ctrl-C the script and initialized a kerberos session instead

This script does not work if the user is not on a corporate network or VPN when such conditions cause ADFS to not work or to prompt for 2FA. It would be highly desirable to support off network access via a SecurID or other 2FA solutions when encountered.

Installation

  • Note: This script has not been tested on Linux
  • Note: Python 2.7.10 is the minimal version supported
  • Note: This script has only been tested on Windows 7 and OSX Yosemite

OSX

  1. Install python - The script has been tested with the default instal of 2.7 on OSX
  2. Install pip - $ sudo easy_install pip
  3. Install required packages - $ sudo -H pip install -U boto beautifulsoup4 requests-ntlm requests-kerberos
  4. Install aws cli - $ sudo -H pip install -U awscli
  5. Update ~/.bash_profile - $ echo 'export PYTHONPATH="/Library/Python/2.7/site-packages:$PYTHONPATH"' >> ~/.bash_profile && source ~/.bash_profile
  6. Add to your search $PATH - $ ln -s ./sts-init.py /usr/local/bin/sts-init

Windows

The currently released version (0.7) of requests-kerberos does not correctly support Win32. This repo includes a recently merged changeset which includes the [necessary fix] (https://github.com/requests/requests-kerberos/commit/27e5d006d9e8182b05e9e366301a7fc890529113).

  1. Install python - Tested with 2.7.x. Not tested with 3.x but feel free to try it.
  2. Ensure python and python/scripts are on the PATH
  3. Install required packages - pip install -U boto beautifulsoup4 requests-ntlm requests-ntlm
  4. Install requests-kerberos from this repo - cd to requests-kerberos and type 'pip install --replace'
  5. Install the aws cli - You need the MSI directly from amazon

Usage

OSX

  $ sts-init

Windows

  C\:> python \location\of\script\sts-init.py

Configuration

The script creates default configurations if none are found.

Credential File

The AWS default location for the credential file is ~/.aws. For this script to work there must be a minimal file in place. The script attempts to create this file at start up. If an existing file is malformed, please remove it.

Localsite file

This script creates an additional configuration file, ~/.aws/localsite. This file contains any custom configurations such as the location of the ADFS server. At startup you will be asked for the domain of the ADFS server. There is no validation of the input value and you will not be prompted again to provide a value. Remove this file if you need to be prompted again for a new value.

The localsite file is used to store the ARN to nickname mapping used to determine what section to add the credentials to in the credential file.

Releases

No releases published

Packages

No packages published

Languages