Command line tool for AWS CLI authentication

trewq34/auther

auther

Auther is a CLI tool which authenticates your AWS CLI using various identity providers - all in one tool!

Currently supported Identity Providers

  • Azure Active Directory - azuread

Installation

Pip

$ pip install auther

Further info on PyPI.

Docker

$ docker run -it --rm -v ~/.aws:/root/.aws trewq34/auther

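When reading the usage information below, the above command is a direct replacement for auther, although you may wish to create a command alias in your chosen shell for ease. Note that the -v ~/.aws:/root/.aws bind mount gives the container read and write access to your host's AWS CLI config and credentials files.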

Further info on Docker Hub.

Usage

Configure

Before using auther to authenticate your AWS CLI, you need to configure it. This can be done quite easily using auther configure

# Uses the default options, most importantly: AWS config file path, AWS region, AWS profile and Auther provider
$ auther configure
Your Azure AD Tenant ID: 30e04ef1-fb0d-4844-87a5-8720745de01b
Your Azure AD Application ID: 94ab3a5d-1b99-416a-bcaf-669f7b6bcaba
The username you use to sign in: [email protected]

If you need to use a different AWS CLI profile or AWS region, you can override these by passing in options to the configure command

$ auther configure --profile saml --region us-east-1

This will create/update a CLI profile called saml for use in the us-east-1 region.

For all available configuration options and their defaults, you can use the following command

$ auther configure --help

Login

Once you have configured your AWS CLI profile for use with auther, you can log in using the following command

# Uses the default options, most importantly: AWS config file path, AWS credential file path, AWS profile and Auther provider
$ auther login

If you wish to override any of the defaults, you can do so by passing in options to the login command. A list of available options and their defaults is available using the following command

$ auther login --help

Troubleshooting

Chromium failed to download

A common cause for this is a corporate proxy/firewall blocking such downloads. To work around this, you can set the AUTHER_CHROME_BIN environment variable to point to your preinstalled Google Chrome, Chromium or Microsoft Edge installation (this will probably work with other Chromium-based browsers too, although this hasn't been tested).

Some examples per OS can be seen below

macOS

# Google Chrome
$ export AUTHER_CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

# Microsoft Edge
$ export AUTHER_CHROME_BIN="/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge"

# Chromium
$ export AUTHER_CHROME_BIN="/Applications/Chromium.app/Contents/MacOS/Chromium"

Windows

# Google Chrome
PS C:\Users\username> $env:AUTHER_CHROME_BIN="C:\Program Files\Google\Chrome\Application\chrome.exe"

# Microsoft Edge
PS C:\Users\username> $env:AUTHER_CHROME_BIN="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Chromium - this depends on how you installed it. Assuming you installed it the same way I did, the path will be
PS C:\Users\username> $env:AUTHER_CHROME_BIN="C:\Users\username\AppData\Local\Chromium\Application\chrome.exe"

Linux

This will vary vastly depending on which distro you use. I've tested on RHEL 7.9, so this may not be the same as your distro. In any case, you can verify the path using the which command.

# Google Chrome
$ export AUTHER_CHROME_BIN="/usr/bin/google-chrome"

# Microsoft Edge
$ export AUTHER_CHROME_BIN="/usr/bin/microsoft-edge"

# Chromium
$ export AUTHER_CHROME_BIN="/usr/bin/chromium-browser"
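
As an added example (not part of the auther project), the function below performs the which-style lookup described above for the three Linux binary names listed in this README, and skips any binary that group or other users can modify, since that browser will carry out your identity provider sign-in. The name find_auther_browser is hypothetical, and GNU find is assumed for -perm /022.

```shell
#!/bin/sh
# Added example, not part of auther. Assumes GNU find (for -perm /022).
# Prints the first usable browser path, for use as AUTHER_CHROME_BIN.
# Usage: find_auther_browser [name-or-absolute-path ...]
find_auther_browser() {
    # Default candidates: the Linux binary names listed in this README.
    [ "$#" -gt 0 ] || set -- google-chrome microsoft-edge chromium-browser
    for _cand in "$@"; do
        # command -v does the same PATH lookup as which.
        _bin=$(command -v "$_cand" 2>/dev/null) || continue
        case "$_bin" in
            /*) ;;          # absolute path to a file on disk
            *) continue ;;  # alias, function, builtin or relative path
        esac
        [ -f "$_bin" ] && [ -x "$_bin" ] || continue
        # -L follows symlinks, so the permission bits checked are those of
        # the real binary. Skip it if group or others may modify it.
        if [ -n "$(find -L "$_bin" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
            echo "skipping $_bin: writable by group or others" >&2
            continue
        fi
        printf '%s\n' "$_bin"
        return 0
    done
    echo "no suitable Chromium-based browser found" >&2
    return 1
}

# Typical use before logging in:
#   AUTHER_CHROME_BIN=$(find_auther_browser) && export AUTHER_CHROME_BIN
#   auther login
```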

Can I run Auther in a way that lets me see what it's doing?

Yep! Simply set the environment variable AUTHER_HEADLESS to "1" and run auther login. Your chosen browser or Chromium will appear and perform its actions. NOTE: clicking on other elements on the loaded page could interfere with Auther and result in failed authentication attempts that would otherwise have succeeded, so please be careful in this mode.