New Feature to Store Okta Credentials in macOS or OS-Native Keystore #43

Open
farvour opened this issue Jun 23, 2021 · 4 comments

farvour commented Jun 23, 2021

Hello! I have been using this tool for a few weeks now. It's pretty solid and is a nice replacement for aws-okta (an older/deprecated tool). One of the features it had was that the Okta credentials could be retrieved from the macOS keychain (for macOS) or on Linux the keychain there or whatever OS was being used I guess.

This is more of a feature request, but it would be nice to have this option in this tool. Whenever the SAML session expires, one has to enter their password for the credential_process to move forward. This is great security and in most cases, fine. However, sometimes automated tooling may not be so smart and understand that credential_process is prompting for input, and can sometimes hang. I know this is that app's implementation fault; nevertheless, it might be useful and convenient to allow users to store the Okta credentials securely in their keystore and only be bothered when Okta 2FA requires a re-validation.

farvour changed the title from "Okta Credentials in mac or OS native Keystore" to "New Feature to Store Okta Credentials in macOS or OS-Native Keystore" on Jun 23, 2021

@lorengordon (Contributor)

Ooh, good idea! A bit like the git credential helpers... (Not a maintainer, just another happy user!)

@jfalkenstein

So it'd be nice if aws-okta-processor supported this. In the meantime, I just whipped up this little script to execute instead of aws-okta-processor directly:

```bash
#!/bin/bash
# Pull the Okta password out of the macOS keychain entry, then hand it to aws-okta-processor
password=$(security find-generic-password -w -a aws-okta-processor -s aws-okta-processor)
# "$password" and "$@" are quoted so a password with spaces and the extra args pass through intact
credentials=$(aws-okta-processor authenticate --pass "$password" "$@")
echo "$credentials"
```

@neelakansha85

I like the idea of integrating with the OS-native keychain as well (another happy user of this project). For now, you can use @jfalkenstein's solution by plugging that bash script in as the credential_process in your AWS config file. This works seamlessly with the AWS CLI, subject to your keychain permissions.

Sample bash file:

```bash
#!/bin/bash
# Read the Okta password from the macOS keychain entry and pass it straight to aws-okta-processor
aws-okta-processor authenticate --pass "$(security find-generic-password -w -a aws-okta-processor -s aws-okta-processor)"
```

AWS config file:

```ini
[profile aws-test]
credential_process = "/Users/abc/.aws/aws-okta-processor.sh"
```

@jfalkenstein

Improvement upon my script:

```bash
#!/bin/bash

####################################################################################################
# This script can be used with aws-okta-processor to store and access the user's okta password
# in a special MacOS keychain entry where this script can pull it out whenever it needs to after
# that.
#
# In order to use this script, first execute it directly from your terminal. This will prompt
# you a few times to create a keychain password and then to enter your okta password.
# After this is done once, you can set this script as your credential_process and pass it the args
# you would otherwise pass directly to aws-okta-processor.
####################################################################################################

KEYCHAIN="aws-okta-processor"
SERVICE="okta-login"
CREDENTIAL="okta password"

# Create the keychain if it doesn't exist (-P prompts for a new keychain password the first time)
security create-keychain -P "$KEYCHAIN" > /dev/null 2>&1

# Unlock the keychain so that successive calls to this script don't result in lots of password prompts
# Unlocking the keychain the first time will prompt the user to unlock; Successive attempts will have
# no effect as long as it's unlocked.
security unlock-keychain -u "$KEYCHAIN" > /dev/null 2>&1
# Check if there is already an "okta password" entry in the keychain
if ! security find-generic-password -a "$CREDENTIAL" -s "$SERVICE" "$KEYCHAIN" > /dev/null 2>&1; then
    # If not, create it by prompting the user for the password and then add it to the new keychain
    echo "You must enter your okta password so it can be stored into the keychain"
    read -rs password
    security add-generic-password -a "$CREDENTIAL" -s "$SERVICE" -w "$password" "$KEYCHAIN"
else
    # If we already have an "okta password" entry, get it
    password=$(security -q find-generic-password -w -a "$CREDENTIAL" -s "$SERVICE" "$KEYCHAIN")
fi
# This is an env used by aws-okta-processor for the password
export AWS_OKTA_PASS="$password"
# "$@" keeps every argument intact (a bare $@ would re-split them on whitespace)
credentials=$(aws-okta-processor authenticate -s "$@")
# $? is the exit status of the command substitution above, so capture it right away
success=$?

# Determine whether the attempt to get credentials was successful
if [ "$success" -ne 0 ]; then
    # Errors go to stderr so they never land in the stdout the AWS CLI parses as credentials
    echo "Attempting to get credentials failed! To diagnose this error, run the following command:" >&2
    echo "aws-okta-processor authenticate $*" >&2
    exit 1
fi
# if there were no args passed to this script, we assume we're running it directly
if [[ $# -eq 0 ]] ; then
    echo "Congratulations! Authentication was successful!"
else
    # Echo the credentials as the credential_process
    echo "$credentials"
fi
```
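As an added example (not from this thread or from aws-okta-processor itself), the same credential_process wrapper in Python, extended to the Linux keystore the first comment asks about via libsecret's secret-tool, refusing to fall back to a prompt so automated tooling fails fast instead of hanging, and checking that what it prints for the AWS CLI really is a credential_process JSON document. The AWS_OKTA_PASS variable and the -s flag follow the script above; the keystore service/account names and the secret-tool attribute names are assumptions.

```python
import json, os, platform, subprocess, sys

SERVICE = "aws-okta-processor"  # keystore service / secret-tool attribute (assumed name)
ACCOUNT = "okta-login"          # keystore account / secret-tool attribute (assumed name)
REQUIRED_KEYS = {"Version", "AccessKeyId", "SecretAccessKey", "SessionToken"}

def keystore_command(system: str) -> list:
    """Command that prints the stored Okta password on this platform."""
    if system == "Darwin":  # macOS keychain, as in the thread's scripts
        return ["security", "find-generic-password", "-w", "-a", ACCOUNT, "-s", SERVICE]
    if system == "Linux":   # libsecret (GNOME Keyring, KWallet) via secret-tool
        return ["secret-tool", "lookup", "service", SERVICE, "account", ACCOUNT]
    raise RuntimeError(f"no keystore backend for {system}")

def lookup_password() -> str:
    cmd = keystore_command(platform.system())
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.rstrip("\n")

def validate_credentials(doc: str) -> dict:
    """Accept only a Version 1 credential_process object with the keys the AWS CLI needs."""
    creds = json.loads(doc)  # a stray prompt or log line on stdout fails right here
    if not isinstance(creds, dict) or creds.get("Version") != 1:
        raise ValueError("expected a JSON object with Version 1")
    if missing := REQUIRED_KEYS - creds.keys():
        raise ValueError(f"missing {sorted(missing)}")
    return creds

def main(argv: list) -> int:
    try:
        password = lookup_password()
    except (OSError, subprocess.CalledProcessError, RuntimeError) as exc:
        # No interactive fallback: a credential_process waiting for input is what hangs tooling.
        print(f"no Okta password in the keystore ({exc}); store it first", file=sys.stderr)
        return 1
    # AWS_OKTA_PASS in the environment (as the thread's later script does), not argv where ps shows it.
    env = dict(os.environ, AWS_OKTA_PASS=password)
    proc = subprocess.run(["aws-okta-processor", "authenticate", "-s", *argv],
                          env=env, stdout=subprocess.PIPE, text=True)  # stderr passes through
    if proc.returncode != 0:
        return proc.returncode
    try:
        creds = validate_credentials(proc.stdout)
    except ValueError as exc:
        print(f"unexpected aws-okta-processor output: {exc}", file=sys.stderr)
        return 1
    print(json.dumps(creds))  # the only thing on stdout: what the AWS CLI parses
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Point credential_process at this file the same way as the shell scripts above; storing the password is done once with security add-generic-password or secret-tool store, outside the wrapper.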
