Metadata-Version: 2.1
Name: awscli-login
Version: 0.1.0a6
Summary: Plugin for the AWS CLI that retrieves and rotates credentials using SAML ECP and STS.
Home-page: https://github.com/techservicesillinois/awscli-login
Author: David D. Riddle
Author-email: ddriddle@illinois.edu
License: UNKNOWN
Project-URL: Bug Reports, https://github.com/techservicesillinois/awscli-login/issues
Project-URL: Source, https://github.com/techservicesillinois/awscli-login
Keywords: Amazon AWS SAML login access keys
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Natural Language :: English
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Requires-Python: >=3.5
Requires-Dist: awscli
Requires-Dist: boto3
Requires-Dist: botocore
Requires-Dist: daemoniker
Requires-Dist: keyring
Requires-Dist: lxml
Requires-Dist: psutil
Requires-Dist: requests
Provides-Extra: test
Requires-Dist: Sphinx ; extra == 'test'
Requires-Dist: coverage ; extra == 'test'
Requires-Dist: sphinx-autodoc-typehints ; extra == 'test'
Requires-Dist: sphinx-rtd-theme ; extra == 'test'
Requires-Dist: tblib ; extra == 'test'
Requires-Dist: tox ; extra == 'test'
Requires-Dist: tox-pyenv ; extra == 'test'
Requires-Dist: wurlitzer ; extra == 'test'

The awscli-login plugin allows retrieving temporary Amazon credentials by
authenticating against a SAML Identity Provider (IdP).
This application is supported under Linux, MacOS, and the `Windows Subsystem for Linux
<https://docs.microsoft.com/en-us/windows/wsl/about>`_.
Currently, Windows PowerShell, Command Prompt, and Git Shell
for Windows are not supported.

.. |--| unicode:: U+2013   .. en dash

Installation
------------

The simplest way to install the awscli-login plugin is to use pip::

    $ pip install awscli-login

After awscli-login has been installed, run the following command
to enable the plugin::

    $ aws configure set plugins.login awscli_login

Getting Started
-------------------

Before using awscli-login to retrieve temporary credentials, configure
one or more profiles for use with the plugin. To configure this
plugin, you must know the URL of the ECP Endpoint for your IdP.  If
you do not have this information, contact your IdP administrator.

Here is an example configuring the default profile for use with the University
of Illinois at Urbana-Champaign's IdP::

    $ aws login configure
    ECP Endpoint URL [None]: https://shibboleth.illinois.edu/idp/profile/SAML2/SOAP/ECP
    Username [None]: 
    Enable Keyring [False]: 
    Duo Factor [None]: 
    Role ARN [None]:

To log in, type the following command::

    $ aws login
    Username [username]: netid
    Password: ********
    Factor: passcode
    Code: 123456789

The ``username`` and ``password`` are the values needed to authenticate
against the IdP configured for the selected profile.  The ``factor``
is only required if your IdP requires Duo for authentication.  If
it does not, leave ``factor`` blank. If your IdP does require Duo
then ``Factor`` may be one of ``auto``, ``push``, ``passcode``,
``sms``, or ``phone``.  If ``factor`` is left blank, ``auto`` is
the default. The ``code`` is a Duo code useful for use with a
YubiKey, SMS codes, or other one-time codes.

If you have access to more than one role, you will be prompted to choose
one. For example::

    $ aws login
    Username [username]: netid
    Password: ********
    Factor: 
    Please choose the role you would like to assume:
        Account: 978517677611
            [ 0 ]: Admin
        Account: 520135271718
            [ 1 ]: ReadOnlyUser
            [ 2 ]: S3Admin
    Selection: 2

To switch roles, first log out, then log in again selecting a different
role. Note that if you log in to the same IdP using the same username,
you will not be prompted for your password or Duo factor until
the IdP session expires::

    $ aws logout
    $ aws login
    Username [netid]: 
    Please choose the role you would like to assume:
        Account: 520135271718
            [ 0 ]: TestUser
            [ 1 ]: IAMUser
    Selection: 0

Advanced Example
-------------------

It is possible to be logged in to more than one role at the same
time using multiple profiles. For example, consider the following
configuration involving two profiles |--| one called ``prod``, and the other
``test``::

    $ aws --profile prod login configure
    ECP Endpoint URL [None]: https://shibboleth.illinois.edu/idp/profile/SAML2/SOAP/ECP
    Username [None]: netid
    Enable Keyring [False]: True
    Duo Factor [None]: auto
    Role ARN [None]: arn:aws:iam::999999999999:role/Admin

    $ aws --profile test login configure
    ECP Endpoint URL [None]: https://shibboleth.illinois.edu/idp/profile/SAML2/SOAP/ECP
    Username [None]: netid
    Enable Keyring [False]: True
    Duo Factor [None]: passcode
    Role ARN [None]: arn:aws:iam::111111111111:role/Admin

This example involves several advanced features. First, we are
setting the username, factor, and role. This means we will not be
prompted for this information when logging in to these two profiles.
In addition, we are using a keyring. On the first login using one
of the profiles, the user will be prompted for his password.  On
subsequent logins the user will not be prompted for his password
because it has been stored in a secure keyring.

For example, when we initially log in to prod::

    $ export AWS_PROFILE=test
    $ aws login
    Password: ********
    Code: 123456789

We are only prompted for the password and code. We're prompted for
the password because this is the initial login, and the code because
this profile is configured for use with a passcode device such as
a YubiKey. We are now no longer prompted when we log in to test::

    $ aws --profile prod login

Even if the IdP session has expired in this case, we will not be
prompted for a password because it is stored in the keyring. The
user will receive either a phone call or a push to the default
Duo device.

Known Issues
------------

**Unable to authenticate after changing password**

After the user changes his IdP password, subsequent logins fail.
To remedy the situation, change the data stored in the keyring as follows:

    $ keyring set awscli_login username@hostname_of_your_IdP

You may be prompted for your user login password by your operating
system, depending on how your key store is configured.

**Windows issues**

Windows PowerShell, Command Prompt, and Git Shell for Windows are not
currently supported because of problems with auto-renewal of AWS credentials,
and other known issues.


