Skip to content

pyauth/exile

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
exile
exile
 
 
test
test
 
 
.gitignore
.gitignore
 
 
Changes.rst
Changes.rst
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.rst
README.rst
 
 
common.mk
common.mk
 
 
setup.cfg
setup.cfg
 
 
setup.py
setup.py
 
 

Repository files navigation

Exile: Python YubiKey AWS signature library

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

On Linux, install pcsc-lite (apt install pcscd, yum install pcsc-lite).

Exile requires Python 3.6+.

Synopsis

import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)

write_active_aws_key_to_yubikey()
botocore_signers.install()

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))

Storing the secret key on a YubiKey instead of in the home directory (~/.aws/credentials) protects it in case the host computer or its filesystem is compromised. The YubiKey acts as an HSM, and can optionally be further configured to require user interaction (pressing a button on the key) to sign the request:

YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256, require_touch=True)

TOTP

Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))

Authors

  • Andrey Kislyuk

Links

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://codecov.io/github/pyauth/exile/coverage.svg?branch=master https://readthedocs.org/projects/exile/badge/?version=latest

About

Python YubiKey AWS signature library

en.wikipedia.org/wiki/Keymaker

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

42 stars

Watchers

5 watching

Forks

2 forks
Report repository

Releases 4

v0.1.1 Latest
Sep 24, 2021
+ 3 releases

Packages

No packages published

Languages