Name: lp-aws-saml
Owner: Kik Interactive
Description: Tools for using AWS CLI with LastPass SAML
Forked from: lastpass/lp-aws-saml
Created: 2017-02-07 14:43:24.0
Updated: 2017-02-07 14:43:26.0
Pushed: 2017-06-25 15:00:10.0
Homepage: null
Size: 22
Language: Python
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
This repository contains the LastPass AWS SAML login tool.
If you are using LastPass Enterprise SAML with AWS, then this script eases the
process of using the AWS CLI utility. It retrieves a SAML assertion from
LastPass and then converts it into credentials for use with aws.
You will need python with the Amazon boto3 module and the AWS CLI tool. The latter may be installed with pip:
# pip install boto3 awscli
On recent Mac platforms, you may need to pass –ignore-installed:
# pip install boto3 awscli --ignore-installed
You will also need to have integrated AWS with LastPass SAML through the AWS and LastPass management consoles. See the SAML setup instructions on the LastPass AWS configuration page for more information.
First you will need to look up the LastPass SAML configuration ID for the AWS
instance you wish to control. This can be obtained from the generated
Launch URL (which is shown in the last-pass extension if you try to edit the details to that entry): if the launch URL is https://lastpass.com/saml/launch/cfg/25
then the configuration ID is 25.
Then launch the tool to login to lastpass. You will be prompted for password and optionally the AWS role to assume:
lp-aws-saml.py --username user@example.com --saml-config-id 25
word:
w AWS CLI profile 'user@example.com' has been added.
may now invoke the aws CLI tool as follows:
aws --profile user@example.com [...]
token expires in one hour.
Once completed, the aws tool may be used to execute commands as that
user by specifying the appropriate profile.
You can put a config file in your home dir instead of passing parameters to the script.
Name the file ~/.lp_config with the following content:
]
name = username@example.com
_config_id = 12345
ile_name = username@example.com
If profile_name is not specified, [default] section in ~/.aws/credentials will be used.
A file named ~/.lp_session stores the lastpass session so a second execution of this script which cookie timeout doesn't require password entry.
In order for the created aws credentials to be available as environment variables put the following in your .bashrc (just replace the generic email with yours and call this AFTER you call the lp-aws-saml.py script:
rt AWS_ACCESS_KEY_ID=$(sed -nr "/^\[username@example.com\]/ { :l /^aws_access_key_id[ ]*=/ { s/aws_access_key_id = [ ]*//; p; q;}; n; b l;}" ~/.aws/credentials)
rt AWS_SESSION_TOKEN=$(sed -nr "/^\[username@example.com\]/ { :l /^aws_session_token[ ]*=/ { s/aws_session_token = [ ]*//; p; q;}; n; b l;}" ~/.aws/credentials)
rt AWS_SECRET_ACCESS_KEY=$(sed -nr "/^\[username@example.com\]/ { :l /^aws_secret_access_key[ ]*=/ { s/aws_secret_access_key = [ ]*//; p; q;}; n; b l;}" ~/.aws/credentials)
rt AWS_SECURITY_TOKEN=$AWS_SESSION_TOKEN