Ellosoft AWS Credentials Manager CLI Ellosoft Limited
winget install --id=Ellosoft.AWSCredentialsManager -e A friendly tool for managing AWS credentials when OKTA authentication is used
Ellosoft AWS Credentials Manager CLI is a command-line interface tool designed to simplify managing local AWS credentials, particularly for users employing Okta authentication. It streamlines the process of configuring Okta authentication, creating and managing AWS credential profiles, and handling RDS tokens.
Key Features:
- Okta Authentication Setup: Easily configure Okta authentication with interactive mode or specific domain and username.
- Credential Management: Create, list, and manage AWS credential profiles efficiently.
- RDS Token Management: Securely obtain RDS passwords for databases using straightforward commands.
- Secure Credential Storage: On Windows, credentials are encrypted using DPAPI; on macOS, they're stored with the Keychain API.
- Flexible Configuration: Utilize YAML files to specify variables, templates, and configurations, enhancing customization.
Audience & Benefits: Ideal for developers and DevOps professionals who use AWS and Okta. This tool offers:
- Simplified management of AWS credentials and RDS tokens.
- Secure storage of sensitive information on supported platforms.
- Reduced setup time with interactive configuration options.
- Compliance support through flexible configurations, aiding in meeting organizational security standards.
Installation is straightforward via winget for Windows users, ensuring easy access to enhance your workflow efficiency.
README
AWS Credential Manager (aws-cred-mgr)
AWS Credential Manager (aws-cred-mgr) is a command-line interface (CLI) tool designed to simplify the management of local AWS credentials (including AWS RDS), especially for users authenticating with Okta. This utility offers a seamless experience for configuring Okta authentication, creating and managing AWS credential profiles, and handling RDS tokens effectively.
Features
- Okta Authentication: Easily setup Okta authentication for you user
- Credential Management: Create and list AWS credentials, manage profiles with ease.
- RDS Token Management: Obtain RDS passwords for your databases securely.
Request new features here
Demo
Installation
MacOS
curl https://raw.githubusercontent.com/ellosoft/aws-cred-mgr/main/scripts/install-aws-cred-mgr.sh | bash
Windows
winget install ellosoft-aws-cred-mgr
PowerShell (in case winget is blocked by your organization)
iwr -useb https://raw.githubusercontent.com/ellosoft/aws-cred-mgr/main/scripts/install-aws-cred-mgr.ps1 | iex
Manual
You can manually install aws-cred-mgr by downloading the latest version from the GitHub Release page.
> [!Note]
> On Linux or MacOs systems you need to make the binary executable before you can use it. You can do this by running chmod +x aws-cred-mgr in the terminal.
Usage
Okta Configuration
aws-cred-mgr okta setup
Examples
- Simply run
aws-cred-mgr okta setupto use interactive mode. - Set up with domain and username:
aws-cred-mgr okta setup -d https://xyz.okta.com -u john --mfa push
Credential Management
aws-cred-mgr cred [COMMAND]
Subcommands
new: Create a new credential profile.get: Get AWS credentials for an existing credential profilelist(aliasls): List all saved credential profiles.
Examples
- Create a new credential profile named
prod:aws-cred-mgr cred new prod - List credentials:
aws-cred-mgr cred ls - Get the AWS credentials for
prodand stores it in ~/.aws/credentials:aws-cred-mgr cred get prod
RDS Token Management
aws-cred-mgr rds [COMMAND]
Examples
- Get RDS password :
aws-cred-mgr rds pwd - Get RDS password for
prod_db:aws-cred-mgr rds pwd prod_db - Get RDS password with all options:
aws-cred-mgr rds pwd -h localhost -p 5432 -u john
Config Files
aws-cred-mgr config
Examples
- Open user config:
aws-cred-mgr config - Open AWS credentials file:
aws-cred-mgr config aws
Configuration
The config section in the YAML file allows you to set global tool configurations:
copy_to_clipboard: When set totrue, the tool will automatically copy generated passwords to the clipboard. Default istrue.aws_ignore_configured_endpoints: When set totrue, the tool will ignore any pre-configured AWS endpoints. This can be useful in certain network environments. Default istrue.
Security Note for Windows and macOS Users
On Windows systems, aws-cred-mgr securely stores your Okta credentials using the Data Protection API (DPAPI).
This ensures that your sensitive information is encrypted and can only be accessed by your user account on your computer.
On macOs systems, aws-cred-mgr securely stores your Okta credentials using the native Keychain API.
Linux support is still under development
Full Configuration Example
You can specify additional variables, templates, credentials, and RDS configurations in the YAML file aws_cred_mgr.yml located in your home folder
variables:
rds_username: my.user
default_pwd_lifetime: 15
# any variable can be specified here
---
authentication:
okta:
default: # default Okta profile name, additional profiles can also be created
okta_domain: https://xyz.okta.com/
preferred_mfa_type: push
auth_type: classic
credentials:
my_aws_dev_account: # credentials can be interactively created with `aws-cred-mgr cred new`
role_arn: arn:aws:iam::123:role:/my_aws_role_arn
aws_profile: default
okta_app_url: https://xyz.okta.com/home/amazon_aws/abc/272
okta_profile: default
...
templates:
rds:
orders_db: # templates can be created to simply configurations
hostname: rds-hostname.aws.endpoint
port: 5432
username: ${rds_username} # variable usage
region: us-east-2
...
environments:
dev:
credential: my_aws_dev_account
rds:
orders_db:
hostname: dev.endpoint # overrides the template value
template: orders_db
products_db:
hostname: rds-hostname.aws.endpoint
port: 5432
username: ${rds_username}
ttl: ${default_pwd_lifetime}
region: us-east-2
credential: products_db # override env credential
test:
credential: my_aws_dev_account
rds:
orders_db:
hostname: test.endpoint
template: orders_db
...
# config:
# copy_to_clipboard: true
# aws_ignore_configured_endpoints: true
Support
If you encounter any issues or require assistance, please open an issue on the project's GitHub page.
Contribution
Contributions are welcome! Please fork the repository and submit a pull request with your changes or improvements.
> Note: I know I don't have unit tests, I'm working on it...
Code of Conduct
This project has adopted the code of conduct defined by the Contributor Covenant to clarify expected behavior in our community. For more information see the Code of Conduct.
Credits and Acknowledgements
aws-cred-mgr makes use of several open-source libraries. We extend our gratitude to the developers and contributors of these libraries:
- AngleSharp: A .NET library for parsing, manipulating, and rendering HTML and CSS documents.
- AWSSDK: The official AWS SDK for the .NET Framework.
- Serilog.Extensions.Logging: An extension to
Microsoft.Extensions.Loggingthat integrates Serilog. - Serilog.Sinks.File: A Serilog sink that writes log events to text files.
- Spectre.Console: A library for building command line interfaces.
- YamlDotNet: A .NET library for YAML serialization and deserialization.
Each of these libraries may be licensed differently, so we recommend you to review their licenses if you plan to use aws-cred-mgr in your own projects.
Trademarks
This repository makes use of libraries and technologies related to AWS (Amazon Web Services) and Okta. Please note that “AWS” and “Amazon Web Services” are trademarks or registered trademarks of Amazon.com, Inc. or its affiliates. Similarly, “Okta” is a trademark or registered trademark of Okta, Inc. All other trademarks and registered trademarks are the property of their respective owners.
This repository is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc., Okta, Inc., or any of their subsidiaries or affiliates. The use of these names is solely for descriptive purposes to identify the relevant technologies.
License
This project is licensed under the terms of the MIT license.