Skip to content

Latest commit

 

History

History
95 lines (71 loc) · 3.75 KB

README.rst

File metadata and controls

95 lines (71 loc) · 3.75 KB

Exile: Python YubiKey AWS signature library

Exile stores your AWS access key on your YubiKey device and uses it to sign your AWS API requests, protecting you against credential theft.

Installation

pip install exile

On Linux, install pcsc-lite (apt install pcscd, yum install pcsc-lite).

Exile requires Python 3.6+.

Synopsis

import boto3, botocore.auth
from exile import YKOATH, botocore_signers

def write_active_aws_key_to_yubikey():
    credentials = boto3.Session().get_credentials()

    key_name = "exile-{}-SigV4".format(credentials.access_key)
    secret = b"AWS4" + credentials.secret_key.encode()
    print("Writing YubiKey OATH SigV4 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256)

    key_name = "exile-{}-HmacV1".format(credentials.access_key)
    secret = credentials.secret_key.encode()
    print("Writing YubiKey OATH HmacV1 credential", key_name, "for", credentials.access_key)
    YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA1)

write_active_aws_key_to_yubikey()
botocore_signers.install()

print("Using YubiKey credential to perform AWS call")
print(boto3.client("sts").get_caller_identity())

print("Using YubiKey credential to presign an S3 URL")
print(boto3.client("s3").generate_presigned_url(ClientMethod="get_object", Params={"Bucket": "foo", "Key": "bar"}))

Storing the secret key on a YubiKey instead of in the home directory (~/.aws/credentials) protects it in case the host computer or its filesystem is compromised. The YubiKey acts as an HSM, and can optionally be further configured to require user interaction (pressing a button on the key) to sign the request:

YKOATH().put(key_name, secret, algorithm=YKOATH.Algorithm.SHA256, require_touch=True)

TOTP

Because exile uses the YubiKey OATH protocol, you can also use it to store TOTP 2FA tokens, generate and verify codes:

from exile import TOTP
TOTP().save("google", "JBSWY3DPEHPK3PXP")  # Or TOTP.save_otpauth_uri("otpauth://...")
TOTP().get("google")  # Returns a standard 6-digit TOTP code as a string
TOTP().verify("260153", label="google", at=datetime.datetime.fromtimestamp(1297553958))

Authors

  • Andrey Kislyuk

Links

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Licensed under the terms of the Apache License, Version 2.0.

https://codecov.io/github/pyauth/exile/coverage.svg?branch=master https://readthedocs.org/projects/exile/badge/?version=latest