Python YubiKey AWS signature library

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for kislyuk from gravatar.com kislyuk

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache Software License)
  • Author: Andrey Kislyuk
Classifiers
Report project as malware

Project description

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

On Linux, install pcsc-lite (apt install pcscd, yum install pcsc-lite).

Exile requires Python 3.6+.

Synopsis

import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)

write_active_aws_key_to_yubikey()
botocore_signers.install()

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))

Storing the secret key on a YubiKey instead of in the home directory (~/.aws/credentials) protects it in case the host computer or its filesystem is compromised. The YubiKey acts as an HSM, and can optionally be further configured to require user interaction (pressing a button on the key) to sign the request:

YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256, require_touch=True)

TOTP

Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))

Authors

  • Andrey Kislyuk

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://img.shields.io/travis/com/pyauth/exile.svg https://codecov.io/github/pyauth/exile/coverage.svg?branch=master https://img.shields.io/pypi/v/exile.svg https://img.shields.io/pypi/l/exile.svg https://readthedocs.org/projects/exile/badge/?version=latest

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page