Use tokendito
to generate temporary AWS credentials via Okta for
programmatic authentication to AWS. Tokendito signs you into Okta and
uses your existing AWS integration to broker a SAML assertion into
your AWS accounts, returning
STS
tokens into your local ~/.aws/credentials
file.
With the release of tokendito 2.0, many changes and fixes were introduced. It is a breaking release: your configuration needs to be updated, the command line arguments have changed, and support for Python < 3.7 has been removed. The following changes are part of this release:
- Set the config file to be platform dependent, and follow the XDG standard.
- Extend configuration capabilities.
- Modernize output.
- Change the MFA method from strict match to partial match.
- Mask secrets from output logs.
- Automatically discover AWS URLs.
- Fix authentication with DUO.
- Add support for setting the logging level via both the INI file and ENV vars.
- Add support for Python 3.9, 3.10, and 3.11.
- And many fixes.
Consult additional notes for how to use tokendito.
- Python 3.7+, or a working Docker environment
- AWS account(s) federated with Okta
Tokendito is compatible with Python 3 and can be installed with either pip or pip3.
- Install (via PyPi):
pip install tokendito
- Run
tokendito --configure
. - Run
tokendito
.
NOTE: Advanced users may shorten the tokendito
interaction to a single
command.
Have multiple Okta tiles to switch between? View our multi-tile guide.
Using Docker eliminates the need to install tokendito and its requirements. We are providing experimental Docker image support in Dockerhub
Run tokendito with the docker run
command. Tokendito supports DCT, and we encourage you to enforce image signature validation before running any containers.
export DOCKER_CONTENT_TRUST=1
then
docker run --rm -it tokendito/tokendito --version
You must map a volume in the Docker command to allow tokendito to write AWS credentials to your local filesystem for use. This is done with the -v
flag. See Docker documentation for help setting the syntax. The following directories are used by tokendito and should be considered when mapping volumes:
/app/.aws/
(AWS credential storage)/app/.config/tokendito/
(tokendito profile storage)
These can be covered by mapping a single volume to both the host and container users' home directories (/app
is the home directory in the container and must be explicitly defined). You may also map multiple volumes if you have custom configuration locations and require granularity.
Be sure to set the -it
flags to enable an interactive terminal session.
On Windows, you can do the following:
docker run --rm -it -v "%USERPROFILE%\.aws":/app/.aws -v "%USERPROFILE%\.config":/app/.config tokendito/tokendito
In a Mac OS system, you can run:
docker run --rm -it -v "$HOME/.aws":/app/.aws -v "$HOME/.config":/app/.config tokendito/tokendito
On a Linux system, however, you must specify the user and group IDs for the mount mappings to work as expected. Additionally the mount points within the container move to a different location:
docker run --user $(id -u):$(id -g) --rm -it -v "$HOME/.aws":/.aws -v "$HOME/.config":/.config tokendito/tokendito
Tokendito command line arguments are supported as well.
NOTE: In the following examples the entire home directory is exported for simplicity. This is not recommended as it exposes too much data to the running container:
docker run --rm -it -v "$HOME":/ tokendito/tokendito \
--okta-tile https://acme.okta.com/home/amazon_aws/000000000000000000x0/123 \
--username [email protected] \
--okta-mfa push \
--aws-output json \
--aws-region us-east-1 \
--aws-profile my-profile-name \
--aws-role-arn arn:aws:iam::000000000000:role/role-name \
Tokendito profiles are supported while using containers provided the proper volume mapping exists.
docker run --rm -ti -v "$HOME":/app tokendito/tokendito \
--profile my-profile-name