# vim: set filetype=python ts=4 sw=4
# -*- coding: utf-8 -*-
"""This module retrieves AWS credentials after authenticating with Okta."""
import logging
import sys
from tokendito import aws
from tokendito import config
from tokendito import okta
from tokendito import user
# Module-level logger; configured later by user.setup_early_logging / user.setup_logging.
logger: logging.Logger = logging.getLogger(__name__)
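def cli(args):
    """Tokendito retrieves AWS credentials after authenticating with Okta.

    Args:
        args: Raw command-line arguments, handed to ``user.parse_cli_args``.

    Side effects:
        Configures logging, authenticates against Okta, assumes the selected
        AWS role and writes the resulting credentials to the local AWS
        profile via ``user.set_local_credentials``. Calls ``sys.exit(1)``
        when the configuration does not validate or when the obtained
        credentials cannot be verified.
    """
    args = user.parse_cli_args(args)

    # Early logging, in case the user requests debugging via env/CLI
    user.setup_early_logging(args)

    # Set some required initial values
    user.process_options(args)

    # Late logging (default)
    user.setup_logging(config.user)

    # Validate configuration
    message = user.validate_configuration(config)
    if message:
        logger.error(f"Could not validate configuration: {' '.join(message)}")
        sys.exit(1)

    # Authenticate okta and AWS also use assumerole to assign the role
    session_token = okta.authenticate_user(config)

    session_cookies = None
    if config.okta["app_url"]:
        # An explicit app URL skips discovery; no label is known for it here.
        app_label = ""
        config.okta["app_url"] = (config.okta["app_url"], app_label)
    else:
        # No app URL configured: use the Okta session to discover it.
        session_cookies = user.request_cookies(config.okta["org"], session_token)
        config.okta["app_url"] = user.discover_app_url(config.okta["org"], session_cookies)

    auth_apps = aws.authenticate_to_roles(
        session_token, config.okta["app_url"], cookies=session_cookies
    )

    (role_response, role_name) = aws.select_assumeable_role(auth_apps)

    identity = aws.assert_credentials(role_response=role_response)
    if "Arn" not in identity and "UserId" not in identity:
        # role_response is the same payload that set_local_credentials() writes
        # out as AWS credentials below, so it is treated as secret material and
        # is deliberately NOT included in the error message (the previous
        # version echoed the whole response into the log stream). The selected
        # role name gives enough context to debug without exposing it.
        logger.error(
            f"There was an error retrieving and verifying AWS credentials for role {role_name}"
        )
        sys.exit(1)

    user.set_role_name(config, role_name)

    user.set_local_credentials(
        response=role_response,
        role=config.aws["profile"],
        region=config.aws["region"],
        output=config.aws["output"],
    )
    user.display_selected_role(profile_name=config.aws["profile"], role_response=role_response)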