A tool to generate access keys for AWS using Okta. If you want a backronym, try 'Your AWS Kredentials'.
We produce builds of `yak` for OSX and Linux. Windows is not currently supported.

The easiest option for macOS users is to install `yak` via Homebrew. This will also help keep `yak` up-to-date when you run `brew upgrade` as usual.

```sh
brew tap redbubble/yak
brew install yak
```
This will also put ZSH and Bash completions in the right spot; they should be usable next time you reload your shell config.
`yak` can be installed from our APT repo. This should get you up and running:

```sh
sudo apt install curl gnupg2
# This is the Redbubble GPG key, to verify releases:
curl https://raw.githubusercontent.com/redbubble/yak/master/static/delivery-engineers.pub.asc | sudo apt-key add -
echo "deb http://apt.redbubble.com/ stable main" | sudo tee /etc/apt/sources.list.d/yak.list
sudo apt update
sudo apt install yak
```
We generate Deb and RPM packages as part of our release.
Download the package appropriate for your distro from the latest release page. Unfortunately, this won't give you nice automatic updates.
We've seen issues using tab-completion on older versions of ZSH. It seems that version 5.1 or newer will work correctly.
Download the latest release for your architecture. The `yak` executable is statically linked, so all you should need to do is put the executable somewhere in your `$PATH`.

This method will not give you tab-completion; if you'd like that, the completions files are available in `/static/completions`.
You can run `yak` like this:

```sh
yak <role> [<command>]
```

and it will run `command` as `role`.

More specifically, `yak` runs `command` in the same environment it was called from, with the credentials for `role` injected as environment variables.

When run without a command, `yak` prints those variables as `export` statements; this is intended to allow easy sourcing into your shell.

If run with the `--list-roles` flag like this:

```sh
yak --list-roles
```

`yak` will print a list of available roles and exit.

Note that if you want to pass -/-- flags to subcommands, you'll need to put a `--` before the role to let `yak` know you're done passing flags to it, like this:

```sh
yak [flags] -- <role> <command --with-flags>
```
```text
  -d, --aws-session-duration int      The session duration to request from AWS (in seconds)
      --cache-only                    Only use cache, do not make external requests. Mutually exclusive with --no-cache
      --clear-cache                   Delete all data from yak's cache. If no other arguments are given, exit without error
  -h, --help                          Display this help message and exit
  -l, --list-roles                    List available AWS roles and exit
      --no-cache                      Ignore cache for this request. Mutually exclusive with --cache-only
      --okta-aws-saml-endpoint string The app embed path for the AWS app within Okta
      --okta-domain string            The domain to use for requests to Okta
      --okta-mfa-provider string      The Okta MFA provider name for login
      --okta-mfa-type string          The Okta MFA type for login
  -u, --okta-username string          Your Okta username
  -o, --output-format string          Can be set to either 'json' or 'env'. The format in which to output credential data
      --version                       Print the current version and exit
  --                                  Terminator for -/-- flags. Necessary if you want to pass -/-- flags to subcommands
```
| Variable | Effect |
|---|---|
| `OKTA_PASSWORD` | The value set in this variable will be passed to Okta as the 'password' component of login |

Please note that setting the `OKTA_PASSWORD` variable in plain text, especially on the command-line, is not a good idea from a security perspective. A suggested mode of use for this variable would be something like:

```sh
OKTA_PASSWORD=$(get-password-from-password-manager) yak ...
```
Yak can be configured with a configuration file at `~/.config/yak/config.toml` (`~/.yak/config.toml` is also supported).

```toml
[okta]
# Required. The URL for your okta domain.
domain = "https://<my_okta_domain>.okta.com"
# Required. The path for fetching the SAML assertion from okta.
aws_saml_endpoint = "/home/<okta_app_name>/<generic_id>/<app_id>"
# Optional. Your okta username.
username = "<my_okta_username>"
# Optional. Your okta MFA device type and provider so that you don't have to choose.
# Yak supports the following values for mfa_type: token:software:totp, token:hardware or push
# For a full list of Okta-supported factors and providers see [this page](https://developer.okta.com/docs/api/resources/factors#supported-factors-for-providers)
mfa_type = "<mfa_type>"
mfa_provider = "<mfa_provider>"
```
`domain`: This is the same domain where you log in to Okta.

`aws_saml_endpoint`: To get this value, you'll need to:

- Log in to Okta
- Find the AWS application
- Copy the URL for the AWS application, e.g. by right-clicking and selecting "Copy Link Address" or similar
- Remove everything up to `okta.com/` (inclusive)
- Remove everything from the `?` onwards

OR ask your organisation's Okta administrator.

If you're an Okta administrator, you can also:

- Log in to Okta
- Click the "Admin" button
- Navigate to Applications
- Open the "Amazon Web Services" application
- On the General tab, copy the App Embed Link
- Remove everything up to `okta.com/` (inclusive)
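The two URL-trimming procedures above, written as a small POSIX shell function; this is an added example and not part of the yak project. The `example.okta.com` link and app path in the comments are constructed, and the function assumes yak accepts the leading-slash form shown in the sample config.

```shell
# Added example (not yak's own code): derive the aws_saml_endpoint value
# from a copied Okta AWS app link or App Embed Link, following the manual
# steps in the README. Works in dash and bash (no bashisms).
#
# Usage: okta_saml_endpoint_from_url 'https://<domain>.okta.com/home/<app>/<id>/<app_id>?fromHome=true'
okta_saml_endpoint_from_url() {
  _url=$1
  # Refuse input that does not contain the "okta.com/" marker the steps rely on.
  case "$_url" in
    *okta.com/*) ;;
    *) printf 'not an okta.com URL: %s\n' "$_url" >&2; return 1 ;;
  esac
  # Step 1: remove everything up to and including the first "okta.com/".
  _path=${_url#*okta.com/}
  # Step 2: remove everything from the first "?" onwards (the query string).
  _path=${_path%%\?*}
  # A bare domain (nothing after okta.com/) is not a usable app path.
  [ -n "$_path" ] || { printf 'no app path in URL: %s\n' "$_url" >&2; return 1; }
  # Assumption: yak accepts the leading-slash form shown in the sample config
  # ("/home/..."), so normalise the result to that form.
  printf '/%s\n' "$_path"
}

# Constructed sample link (not a real Okta app):
#   okta_saml_endpoint_from_url 'https://example.okta.com/home/amazon_aws/0oaEXAMPLE/272?fromHome=true'
# prints /home/amazon_aws/0oaEXAMPLE/272
```

Paste the printed value into `aws_saml_endpoint` in your config file, or pass it with `--okta-aws-saml-endpoint`.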
`username`: The username you use when logging in to Okta. If in doubt, consult your organisation's Okta administrator.
```toml
[aws]
# Optional. Duration in seconds for the AWS credentials to last. Default 1 hour, maximum 12 hours.
session_duration = 3600

[login]
# Optional. Duration in seconds from the start of the login process until it times out.
timeout = 180
```

You can configure role aliases in the `[alias]` section of your config file; these can be used instead of having to remember the whole ARN:

```toml
[alias]
prod = "arn:aws:some:long:role:path"
```

This configuration would allow you to log in with:

```sh
yak prod [<command>]
```
To hack on `yak`, you'll want to get a copy of the source. To do that:

```sh
go get -u github.com/redbubble/yak
```

You'll need the dep tool (if you're on macOS, `brew install dep`. Linux is a bit trickier; see the dep README for details).

Then run (inside your `$GOPATH/src/github.com/redbubble/yak` directory):

```sh
make vendor
```

This will install all your dependencies into the `vendor` directory.

If you want to do releases, you'll also want the `deb-s3` package. You'll also want `gnupg2` to be able to sign releases, but I'll leave installation of that up to you.

```sh
gem install deb-s3
```

The `make install` target will compile the application and 'install' it into your `$GOPATH`. You can then run `$GOPATH/bin/yak`.

To run all the tests in the project through go-passe, run:

```sh
make test
```

To run them without go-passe, or to run the tests for any individual package, you can run:

```sh
go test <package-directory>
```

`yak` is provided under an MIT license. See the LICENSE file for details.