AWS Credential Manager (aws-cred-mgr
) is a command-line interface (CLI) tool designed to simplify the management of AWS RDS credentials, specifically for users authenticating with Okta. This utility offers a seamless experience for configuring Okta authentication, creating and managing AWS credential profiles, and handling RDS tokens effectively.
- Okta Authentication: Easily setup Okta authentication for you user
- Credential Management: Create and list AWS credentials, manage profiles with ease.
- RDS Token Management: Obtain RDS passwords for your databases securely.
To install aws-cred-mgr, download the latest version from the GitHub Release page
aws-cred-mgr okta setup
- Simply run
aws-cred-mgr okta setup
to use interactive mode. - Set up with domain and username:
aws-cred-mgr okta setup -d https://xyz.okta.com -u john --mfa push
aws-cred-mgr cred [COMMAND]
new
: Create a new credential profile.get
: Get AWS credentials for an existing credential profilelist
(aliasls
): List all saved credential profiles.
- Create a new credential profile named
prod
:aws-cred-mgr cred new prod
- List credentials:
aws-cred-mgr cred ls
- Get the AWS credentials for
prod
and stores it in ~/.aws/credentials:aws-cred-mgr cred get prod
aws-cred-mgr rds [COMMAND]
- Get RDS password :
aws-cred-mgr rds pwd
- Get RDS password for
prod_db
:aws-cred-mgr rds pwd prod_db
- Get RDS password with all options:
aws-cred-mgr rds pwd -h localhost -p 5432 -u john
aws-cred-mgr config
- Open user config:
aws-cred-mgr config
- Open AWS credentials file:
aws-cred-mgr config aws
On Windows systems, aws-cred-mgr
securely stores your Okta credentials using the Data Protection API (DPAPI). This ensures that your sensitive information is encrypted and can only be accessed by your user account on your computer.
MacOS support is still under development
You can specify additional variables, templates, credentials, and RDS configurations in the YAML file aws_cred_mgr.yml
located in your home folder
variables:
rds_username: my.user
default_pwd_lifetime: 15
# any variable can be specified here
---
authentication:
okta:
default: # default Okta profile name, additional profiles can also be created
okta_domain: https://xyz.okta.com/
preferred_mfa_type: push
auth_type: classic
credentials:
my_aws_dev_account: # credentials can be interactively created with `aws-cred-mgr cred new`
role_arn: arn:aws:iam::123:role:/my_aws_role_arn
aws_profile: default
okta_app_url: https://xyz.okta.com/home/amazon_aws/abc/272
okta_profile: default
...
templates:
rds:
orders_db: # templates can be created to simply configurations
hostname: rds-hostname.aws.endpoint
port: 5432
username: ${rds_username} # variable usage
region: us-east-2
...
environments:
dev:
credential: my_aws_dev_account
rds:
orders_db:
hostname: dev.endpoint # overrides the template value
template: orders_db
products_db:
hostname: rds-hostname.aws.endpoint
port: 5432
username: ${rds_username}
ttl: ${default_pwd_lifetime}
region: us-east-2
credential: products_db # override env credential
test:
credential: my_aws_dev_account
rds:
orders_db:
hostname: test.endpoint
template: orders_db
...
If you encounter any issues or require assistance, please open an issue on the project's GitHub page.
Contributions are welcome! Please fork the repository and submit a pull request with your changes or improvements.
Note: I know I don't have unit tests, I'm working on it...
This project has adopted the code of conduct defined by the Contributor Covenant to clarify expected behavior in our community. For more information see the Code of Conduct.
aws-cred-mgr
makes use of several open-source libraries. We extend our gratitude to the developers and contributors of these libraries:
- AngleSharp: A .NET library for parsing, manipulating, and rendering HTML and CSS documents.
- AWSSDK: The official AWS SDK for the .NET Framework.
- Serilog.Extensions.Logging: An extension to
Microsoft.Extensions.Logging
that integrates Serilog. - Serilog.Sinks.File: A Serilog sink that writes log events to text files.
- Spectre.Console: A library for building command line interfaces.
- YamlDotNet: A .NET library for YAML serialization and deserialization.
Each of these libraries may be licensed differently, so we recommend you to review their licenses if you plan to use aws-cred-mgr
in your own projects.
This project is licensed under the terms of the MIT license.