{ "info": { "author": "Doug Coker", "author_email": "dcoker@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Topic :: Security" ], "description": "======\nawsmfa\n======\n\n.. image:: https://img.shields.io/pypi/v/awsmfa.svg?maxAge=600 :target:\n\nawsmfa helps AWS users use two factor authentication (MFA) with their\n``~/.aws/credentials`` file. awsmfa also makes it easy to rotate your\naccess keys and to use role assumption. MFA, key rotation, and role\nassumption are three best practices to use when securing your AWS\nenvironment from attacks.\n\nawsmfa is ideal for engineering teams that have long-lived AWS access\nkeys sitting on developer machines. If you are looking for an easy way\nto improve your team's security, this might be a good starting\npoint for you.\n\n--------------------------\nWhen do I want to use MFA?\n--------------------------\n\nMost teams give their engineers an AWS Access Key pair and they are\nwritten to an ``~/.aws/credentials`` file, or stuffed in a ``.bashrc``,\nand forgotten about. This is a security problem because those\ncredentials are stored in plaintext and can be exfiltrated by malware,\ncopied off of stolen laptops, etc.\n\nOne simple solution to this is to configure your AWS account so that\nthose credentials are not useful unless the user has also asserted\ntheir identity by way of two-factor authentication.\n\nIAM, S3, and other types of AWS Policies allow you to require that the user has\nrecently verified their identity using two-factor authentication (MFA).\nThis criteria is specified in the policy documents using a ``Condition``\nblock, like this::\n\n \"Condition\": {\n \"Bool\": {\n \"aws:MultiFactorAuthPresent\": \"true\"\n }\n }\n\nTypical deployments involve attaching policies to your users that create two\nlevels of access.\n\n1. The first level allows very few privileges, such as\nonly those necessary to identify themselves (iam:GetUser), enable an MFA\ndevice (iam:EnableMFADevice), list or resync their MFA devices (iam:ListMFADevices,\niam:ResyncMFADevice), and to acquire temporary credentials (sts:GetSessionToken).\nThese are available to the user just by merely proving they have the AWS Access Key ID\nand the AWS Secret Access Key.\n\n2. The second level grants more privileges, but requires that the user has recently\nauthenticated themselves using two-factor authentication. In small teams, the privileges\nmay be as generous as full administrative access of the AWS account. In more secure\nenvironments, the policies can be arbitrarily fine.\n\nYou can read more about using MFA with AWS Policies in the\n`AWS documentation `_.\n\n--------\nPolicies\n--------\n\nIf you have pre-existing IAM policies, the easiest way to get started is to just attach the\n``sts:MultiFactorAuthPresent`` condition to any of your existing policies that you want to secure.\n\nIf you don't have any IAM policies yet, consider using the `starter kit of basic IAM policies\n`_ included\nwith awsmfa. Most teams -- even teams of one -- will be able to use that template as-is\nand as a starting point for more customized policies. You can install these\npolicies using the CloudFormation Console or using the command line examples from\nthe template.\n\n---------------\nGetting Started\n---------------\n\nTo use awsmfa, you'll need:\n\n#. an IAM account (or a root account)\n#. an MFA device attached to that account\n#. to be allowed to call iam:GetUser, iam:ListMfaDevices, and iam:GetSessionToken.\n#. your ``~/.aws/credentials`` file configured with your long-lived AWS Access Key pair. If you don't have this, create one with::\n\n $ pip install --user awscli\n $ aws configure --profile identity\n\nInstalling awsmfa is as easy as installing a pip package::\n\n $ pip install --user awsmfa\n ...\n\nOnce installed, running ``awsmfa`` will verify your MFA devices and then prompt you for the MFA code. Once AWS\nverifies your MFA code, awsmfa will write out your new temporary credentials to the ``[default]`` section of your\n``~/.aws/credentials`` file. The default section is read by most AWS SDKs automatically. Here's an example::\n\n $ awsmfa\n MFA Token Code: 123456\n Temporary credentials will expire in 5:59:59.746453.\n\nBy default, the long-lived credentials (access key and secret key) are read from a profile called ``[identity]`` and\nthe temporary credentials (access key, secret key, session token) are written to ``[default]``. These are\nconfigurable with the ``--identity-profile`` and ``--target-profile`` flags,\nor ``AWS_MFA_IDENTITY_PROFILE`` and ``AWS_MFA_TARGET_PROFILE`` environment variables,\nrespectively.\n\nYou can also provide the code from the command line::\n\n $ awsmfa --token-code 123456\n Temporary credentials will expire in 5:59:59.746453.\n\nMost awsmfa behaviors are controlled by command line flags or environment variables. Run with ``--help`` for more\ndetails.\n\n::\n\n $ awsmfa --help\n usage: awsmfa [-h] [--version] [--aws-credentials AWS_CREDENTIALS]\n [-d DURATION] [-i IDENTITY_PROFILE]\n [--serial-number SERIAL_NUMBER] [-t TARGET_PROFILE]\n [--role-session-name ROLE_SESSION_NAME] [-c TOKEN_CODE]\n [--rotate-identity-keys]\n [role-to-assume]\n ...\n\n------------\nSkipping MFA\n------------\n\nBy default, awsmfa sends your MFA token code to AWS when acquiring temporary credentials. This is optional behavior.\nIf you don't want to use MFA, pass ``-c skip`` or set the ``AWS_MFA_TOKEN_CODE`` environment variable to ``skip``.\nExample::\n\n $ awsmfa -c skip\n\nNote that the temporary credentials obtained in this way will not satisfy the ``sts::MultiFactorAuthPresent`` condition\nvariable.\n\n---------------\nRole Assumption\n---------------\n\nawsmfa can also help you with `role assumption `_.\nIf you'd like to assume a role, pass the full ARN of the role as the\nfirst parameter to awsmfa. Example::\n\n $ awsmfa arn:aws:iam::123456789012:role/s3access\n\nYou can also customize the role session name::\n\n $ awsmfa --role-session-name ingest arn:aws:iam::123456789012:role/s3access\n\n------------\nKey Rotation\n------------\n\nRotating your access keys regularly is a good security practice. If your IAM user is allowed to call\niam:ListAccessKeys, iam:DeleteAccessKeys, and iam:CreateAccessKey, awsmfa can also\nautomatically rotate your access keys automatically when you acquire temporary credentials. Example::\n\n $ awsmfa --rotate-identity-keys\n MFA Token Code:\n Temporary credentials will expire in 5:59:59.677774.\n Rotating from AKIAIM55UP4UAQDYGNHA to AKIAJCB6F3RJ3GJFIUGQ.\n work-eng profile updated.\n\nIf you want to rotate your identity keys every time you acquire temporary credentials, you can set the\nAWS_MFA_ROTATE_IDENTITY_KEYS environment variable. Example::\n\n $ echo AWS_MFA_ROTATE_IDENTITY_KEYS=True >> ~/.bashrc\n\n-----------------------------\nSetting Environment Variables\n-----------------------------\n\nSome AWS tools can only read credentials from environment variables (``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``,\nand ``AWS_SESSION_TOKEN``). ``awsmfa --env`` will print shell commands to define those variables. Example::\n\n $ awsmfa --env\n Enter MFA Code: 123456\n Temporary credentials will expire in 5:59:59.945582.\n AWS_ACCESS_KEY_ID=ASIAIYM...; export AWS_ACCESS_KEY_ID;\n AWS_SECRET_ACCESS_KEY=uyug...; export AWS_SECRET_ACCESS_KEY;\n AWS_SESSION_TOKEN=FQoDY...; export AWS_SESSION_TOKEN;\n AWS_SECURITY_TOKEN=FQoDY...; export AWS_SECURITY_TOKEN;\n\nThe prompt and expiration notice are written to stderr, and the environment variables are written to stdout, so\nyou can also `eval` the output::\n\n $ eval $(awsmfa --env)\n Enter MFA Code: 123456\n Temporary credentials will expire in 5:59:59.945582.\n $ echo ${AWS_ACCESS_KEY_ID}\n ASIA...\n\nNote: both ``AWS_SESSION_TOKEN`` (the new standard name for the session token used in multiple SDKs) and\n``AWS_SECURITY_TOKEN`` (used by older versions of boto) are emitted for backwards compatibility.\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/dcoker/awsmfa/", "keywords": "", "license": "https://www.apache.org/licenses/LICENSE-2.0", "maintainer": "", "maintainer_email": "", "name": "awsmfa", "package_url": "https://pypi.org/project/awsmfa/", "platform": "", "project_url": "https://pypi.org/project/awsmfa/", "project_urls": { "Homepage": "https://github.com/dcoker/awsmfa/" }, "release_url": "https://pypi.org/project/awsmfa/0.2.9/", "requires_dist": null, "requires_python": "", "summary": "Manage temporary MFA AWS credentials.", "version": "0.2.9" }, "last_serial": 4186899, "releases": { "0.2": [ { "comment_text": "", "digests": { "md5": "836b264c1997b94e347eea775e861e04", "sha256": "238b608f9c4912dc2c605d32e9288c78938b92a4914960f413226ccef9a65b75" }, "downloads": -1, "filename": "awsmfa-0.2.tar.gz", "has_sig": false, "md5_digest": "836b264c1997b94e347eea775e861e04", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5029, "upload_time": "2016-01-04T00:58:17", "url": "https://files.pythonhosted.org/packages/cb/70/db9967267b4ccbefdc90d0b79104132a511a330e61d55a20e27c489fe818/awsmfa-0.2.tar.gz" } ], "0.2.1": [ { "comment_text": "", "digests": { "md5": "370380880438cd69d4edcf6a840da928", "sha256": "fdd41080e11b7a758382bd2134ca5daaabd853bd03cf4c25c2ea95c492a09b22" }, "downloads": -1, "filename": "awsmfa-0.2.1.tar.gz", "has_sig": false, "md5_digest": "370380880438cd69d4edcf6a840da928", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5402, "upload_time": "2016-01-07T02:37:12", "url": "https://files.pythonhosted.org/packages/46/7c/526e458381b7bb776a38cae3ad711bf9c239866c7b9c97b3f00ea2ed5e63/awsmfa-0.2.1.tar.gz" } ], "0.2.2": [ { "comment_text": "", "digests": { "md5": "c968582918202c1c48a42ff46e6609e8", "sha256": "69da0365f3b4e505dcf34b05dfe50ea42b0fb46f29a4dd07299c295259df4af8" }, "downloads": -1, "filename": "awsmfa-0.2.2.tar.gz", "has_sig": false, "md5_digest": "c968582918202c1c48a42ff46e6609e8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6123, "upload_time": "2016-04-08T21:42:28", "url": "https://files.pythonhosted.org/packages/a3/8f/83c7d9432bee969b81d883307c265e922828f4ea1d0fad4590d2ef5972fa/awsmfa-0.2.2.tar.gz" } ], "0.2.3": [ { "comment_text": "", "digests": { "md5": "ee36c8334ce123ec53dac6b6efdc07ae", "sha256": "2dac4c9f9702b53d9a2978db2293244915ebcf57383b443833494357497f2061" }, "downloads": -1, "filename": "awsmfa-0.2.3.tar.gz", "has_sig": false, "md5_digest": "ee36c8334ce123ec53dac6b6efdc07ae", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6717, "upload_time": "2016-04-21T02:18:28", "url": "https://files.pythonhosted.org/packages/7f/cc/d813f9cc5195ee704e52541e8df8667c9af53eb12438d4db44a517623827/awsmfa-0.2.3.tar.gz" } ], "0.2.4": [ { "comment_text": "", "digests": { "md5": "0e7f037116bf4889e614f82eee414c74", "sha256": "c6566b6436f2cfdc3a4543dafd9976d73868f2956bed5f3d0a79a7f75c557dcf" }, "downloads": -1, "filename": "awsmfa-0.2.4.tar.gz", "has_sig": false, "md5_digest": "0e7f037116bf4889e614f82eee414c74", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 9288, "upload_time": "2016-05-07T23:42:25", "url": "https://files.pythonhosted.org/packages/34/f4/17fc2f069302b7c70b5c59b60bd70f5eddd4a145b15ff8b8077b30b39e7f/awsmfa-0.2.4.tar.gz" } ], "0.2.5": [ { "comment_text": "", "digests": { "md5": "9323c423098e793331d6f93d4ec80673", "sha256": "ccc47538ea8c6ce5a4b761a3516bacf805ec18820ecd6a865b729ab879433a36" }, "downloads": -1, "filename": "awsmfa-0.2.5.tar.gz", "has_sig": false, "md5_digest": "9323c423098e793331d6f93d4ec80673", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10184, "upload_time": "2016-05-11T18:53:21", "url": "https://files.pythonhosted.org/packages/2c/cc/bf5a0c4b6e111a18f3d40c066dcede1e364546c919081da0ae51b343331e/awsmfa-0.2.5.tar.gz" } ], "0.2.6": [ { "comment_text": "", "digests": { "md5": "069de1613ebab88008d184095d69a4cb", "sha256": "a9e58cc89948cd56151f45b08890c4fb5fdbf431eada1b5841c12e98aaad4c5b" }, "downloads": -1, "filename": "awsmfa-0.2.6.tar.gz", "has_sig": false, "md5_digest": "069de1613ebab88008d184095d69a4cb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10189, "upload_time": "2016-05-11T19:01:48", "url": "https://files.pythonhosted.org/packages/08/19/bbd3e3f345bbef135c12e5b04be3d6d4e873bef3c7709ce2af80c8a4199e/awsmfa-0.2.6.tar.gz" } ], "0.2.7": [ { "comment_text": "", "digests": { "md5": "462a667ee23e7b0d291be8156dd89aa5", "sha256": "22da73a94373568fa4ae8a9c7377b6d9f08776ab6c9baec15984936e049e0eb7" }, "downloads": -1, "filename": "awsmfa-0.2.7.tar.gz", "has_sig": false, "md5_digest": "462a667ee23e7b0d291be8156dd89aa5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10310, "upload_time": "2016-06-22T18:28:34", "url": "https://files.pythonhosted.org/packages/3d/2b/ae6d2963638a3744f9e21d47fd1c195b36362da4a6dd5daf691db2af7c41/awsmfa-0.2.7.tar.gz" } ], "0.2.8": [ { "comment_text": "", "digests": { "md5": "aca61fbbeb2715925721a60b15579a36", "sha256": "29f049101e830289f8eaa28f250ba011ef8fb889238217569d1dd51fe6daa765" }, "downloads": -1, "filename": "awsmfa-0.2.8.tar.gz", "has_sig": false, "md5_digest": "aca61fbbeb2715925721a60b15579a36", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10479, "upload_time": "2017-05-02T03:40:42", "url": "https://files.pythonhosted.org/packages/9d/84/a9c017d8c99488f2d9e94fc5cb21a2bbd97744426c4f3e7cf165a1dd93da/awsmfa-0.2.8.tar.gz" } ], "0.2.9": [ { "comment_text": "", "digests": { "md5": "aee1a241e3f97c8d6c8d44dc6497b2b6", "sha256": "f9f9ace0bc065f083c8a3b2c997724b4252fcd9e7a3645e6a3aa595e9fe0f3a8" }, "downloads": -1, "filename": "awsmfa-0.2.9.tar.gz", "has_sig": false, "md5_digest": "aee1a241e3f97c8d6c8d44dc6497b2b6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10458, "upload_time": "2018-08-20T03:18:30", "url": "https://files.pythonhosted.org/packages/e0/5a/6fc938137f9eb6c46b5e6ff04ffa7d29b6b3ae02c493f2285e8b989f4abf/awsmfa-0.2.9.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "aee1a241e3f97c8d6c8d44dc6497b2b6", "sha256": "f9f9ace0bc065f083c8a3b2c997724b4252fcd9e7a3645e6a3aa595e9fe0f3a8" }, "downloads": -1, "filename": "awsmfa-0.2.9.tar.gz", "has_sig": false, "md5_digest": "aee1a241e3f97c8d6c8d44dc6497b2b6", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10458, "upload_time": "2018-08-20T03:18:30", "url": "https://files.pythonhosted.org/packages/e0/5a/6fc938137f9eb6c46b5e6ff04ffa7d29b6b3ae02c493f2285e8b989f4abf/awsmfa-0.2.9.tar.gz" } ] }