
MASL

Pronounced [mɑzəl], from the Dutch word 'mazzel', meaning luck. 'masl' is also an anagram of the word 'SAML'. This tool allows you to use OneLogin to assume an AWS role through SAML authentication.

Getting Started

Installation

Just download the latest release under https://github.com/glnds/masl/releases. Don't forget to make it executable and link it from somewhere in your $PATH on UNIX-like platforms.

OS X

  • Open Masl.dmg
  • Move the file masl-vx.x.x-darwin-amd64 to /usr/local/bin and rename it to masl.
  • done :)

Windows

  • Rename masl-vx.x.x-windows-amd64 to masl.exe and execute it to install.

Configuration

All configuration is done using a .masl/config.toml file in your user's home directory. An example toml config file is included: masl-example.toml. Copy masl-example.toml and rename it to .masl/config.toml. Adjust the values to reflect your environment.

The minimal configuration should look like this:

BaseURL = 'https://api.eu.onelogin.com/'
ClientID = 'onelogin client id'
ClientSecret = 'onelogin client secret'
AppID = 'onelogin app id'
Subdomain = 'subdomain of the onelogin user'
Username = 'onelogin username or email'

Optional settings:

Duration = 'Assume role maximum session duration' (default 3600)
LegacyToken = true/false (configures legacy aws_security_token (for Boto support))
Debug = true/false (Set to true for debug logging, default off)
Profile = 'Value for environment variable AWS_PROFILE' (default = 'masl')
DefaulMFADevice = 'name of your default MFA device (for example 'Yubico YubiKey')'

If you specify a custom duration, make sure that duration is also allowed on the AWS role itself (its maximum session duration). See: Enable Federated API Access to your AWS Resources for up to 12 hours Using IAM Roles

Multi-Account management

One of the main drivers to develop another Onelogin CLI authenticator was to ease the management of multiple AWS accounts. Most of the tools currently lack those features and that makes switching AWS accounts bothersome. For this purpose .masl/config.toml supports the following features:

Account naming

You can provide account names (aliases) for all accounts you have access to:

...
[[Accounts]]
ID = '1234567890'
Name = 'account-x'

[[Accounts]]
ID = '1122334455'
Name = 'account-y'

[[Accounts]]
ID = '0987654321'
Name = 'account-z'
...

Environments containing account subsets

If your account list grows too big it is often handy to limit the list to your current work context. This can be achieved by defining environments:

...
[[Environments]]
Name = 'governance'
Accounts = ['1234567890', '1122334455']
...

Furthermore, accounts can be marked as 'Environment Independent'; in that case they will show up in all your environments.

...
[[Accounts]]
ID = '1234567890'
Name = 'base-account'
EnvironmentIndependent = true
...

usage: masl -env [environment_name]
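The account-selection rules above (an environment shows only its listed account IDs, plus every account marked EnvironmentIndependent; the -account flag accepts either an ID or a name) are small enough to show as working code. The following is an added example and not masl's own code: the struct and function names (Config, AccountsForEnvironment, ResolveAccount) are assumptions, the config is the README's example hand-decoded into Go literals (a real run would decode config.toml with a TOML library), and base-account is given a constructed ID so it does not collide with account-x.

```go
package main

import (
	"fmt"
	"strings"
)

// Account mirrors one [[Accounts]] table in .masl/config.toml.
type Account struct {
	ID                     string
	Name                   string
	EnvironmentIndependent bool
}

// Environment mirrors one [[Environments]] table; Accounts holds account IDs.
type Environment struct {
	Name     string
	Accounts []string
}

// Config is the decoded subset of config.toml that account selection needs.
type Config struct {
	Accounts     []Account
	Environments []Environment
}

// AccountsForEnvironment returns the accounts to offer for an environment,
// in config order: the IDs listed on the environment plus every
// EnvironmentIndependent account. An empty name means no -env was given,
// so every account is returned. Unknown environment names and listed-but-
// undefined IDs are errors so a typo in config.toml surfaces instead of
// silently hiding an account.
func AccountsForEnvironment(cfg Config, envName string) ([]Account, error) {
	byID := make(map[string]Account, len(cfg.Accounts))
	for _, a := range cfg.Accounts {
		if _, dup := byID[a.ID]; dup {
			return nil, fmt.Errorf("duplicate account ID %q in config", a.ID)
		}
		byID[a.ID] = a
	}
	if envName == "" {
		return append([]Account(nil), cfg.Accounts...), nil
	}
	var env *Environment
	for i := range cfg.Environments {
		if cfg.Environments[i].Name == envName {
			env = &cfg.Environments[i]
			break
		}
	}
	if env == nil {
		return nil, fmt.Errorf("unknown environment %q", envName)
	}
	inEnv := make(map[string]bool, len(env.Accounts))
	for _, id := range env.Accounts {
		if _, ok := byID[id]; !ok {
			return nil, fmt.Errorf("environment %q lists undefined account ID %q", envName, id)
		}
		inEnv[id] = true
	}
	var out []Account
	for _, a := range cfg.Accounts {
		if inEnv[a.ID] || a.EnvironmentIndependent {
			out = append(out, a)
		}
	}
	return out, nil
}

// ResolveAccount matches the -account value, which may be an ID or a name,
// against the accounts visible in the current environment. IDs match exactly,
// names case-insensitively; an account outside the environment is rejected.
func ResolveAccount(visible []Account, query string) (Account, error) {
	for _, a := range visible {
		if a.ID == query || strings.EqualFold(a.Name, query) {
			return a, nil
		}
	}
	return Account{}, fmt.Errorf("account %q not found in the current environment", query)
}

// exampleConfig is the README's example config, hand-decoded. Constructed
// sample data: base-account gets its own ID here (the README reuses 1234567890).
var exampleConfig = Config{
	Accounts: []Account{
		{ID: "1234567890", Name: "account-x"},
		{ID: "1122334455", Name: "account-y"},
		{ID: "0987654321", Name: "account-z"},
		{ID: "5555555555", Name: "base-account", EnvironmentIndependent: true},
	},
	Environments: []Environment{
		{Name: "governance", Accounts: []string{"1234567890", "1122334455"}},
	},
}

func main() {
	visible, err := AccountsForEnvironment(exampleConfig, "governance")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, a := range visible {
		fmt.Printf("[%2d] %s (%s)\n", i+1, a.Name, a.ID)
	}
	if a, err := ResolveAccount(visible, "account-y"); err == nil {
		fmt.Println("selected:", a.ID)
	}
}
```

Running it lists account-x, account-y and base-account for the governance environment; account-z is hidden, and asking for it by name is an error rather than a silent fallback to an account outside the chosen context.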

Usage

Just run masl on your command line.

Optional command line arguments:

  -account string
        AWS Account ID or name
  -env string
        Work environment
  -legacy-token
        configures legacy aws_security_token (for Boto support)
  -profile string
        AWS profile name (default "masl")
  -role string
        AWS role name
  -version
        prints MASL version

Make sure the environment variable AWS_PROFILE is set to masl (or to the overridden value specified in .masl/config.toml or via the -profile command line option).

Non-interactive usage

If you use command line tools to manage your passwords and generate OTP tokens, you can pass the password and OTP token through environment variables. For example, if you use pass to manage your passwords and totp-cli to generate tokens, you can write a script like this:

#!/usr/bin/env bash
PASSWORD=$(pass <the-service>) OTP=$(totp <the-service>) masl

Development

Makefile

This project includes a Makefile to make your life easy.

  • make clean: clean up your workspace
  • make build: build this project
  • make lint: run golangci-lint

Running the tests

TODO: Explain how to run the automated tests for this system

Built With

Logging

A log file masl.log is created in your user's home directory and appended to on each run. The default log level is 'INFO'. For debug logging set Debug = true in .masl/config.toml.

Contributing

  1. Fork it!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request :D

Versioning

SemVer is used for versioning. For the versions available, see the tags on this repository.

FAQ

My login is successful but I'm unable to access my AWS account?

The AWS CLI uses default as the default value of the variable AWS_PROFILE. MASL uses masl as its default AWS profile name when storing the AWS credentials (as a safety net, so your default settings are not overwritten).

To fix this do one of the following:

  • set the value of AWS_PROFILE to masl
  • in your .masl/config.toml add the line Profile = 'default'
  • start masl with the -profile default option

I have multiple MFA devices defined, is it possible to set one of them as default?

Yes, in your .masl/config.toml set a value for the variable DefaulMFADevice.

License

This project is licensed under the MIT License - see the LICENSE.md file for details


masl's Issues

masl log somewhere else

If everything we run would log to our home directories it would quickly become a mess.

Can we put it in a default log location? /var/log/masl?

name of mfa

hi!

I'm using multiple MFA options, which I gave names in our onelogin security settings. But when I masl the program seems to prompt with the type, not the name, which is ambiguous if you have multiple options of the same type:

[ 1] > Google Authenticator       
[ 2] > Yubico YubiKey             
[ 3] > OneLogin Protect           
[ 4] > Google Authenticator       

Is it possible to list the name that is shown in onelogin?

Use same file permissions as 'aws configure'

If no files exist, I think it would be appropriate to chmod them the same as when you generate the files using 'aws configure':

archlinux% ls -la ~ | grep .aws
drwxr-xr-x 1 siwyd siwyd    34 Feb 11 16:14 .aws
archlinux% ls -la ~/.aws
total 8
drwxr-xr-x 1 siwyd siwyd  34 Feb 11 16:14 .
drwx------ 1 siwyd siwyd 344 Feb 11 16:14 ..
-rw------- 1 siwyd siwyd  46 Feb 11 16:14 config
-rw------- 1 siwyd siwyd  90 Feb 11 16:14 credentials

I think only credentials is written, correct? 0600 for the file would be suitable.

MASL config rework?

Right now, MASL looks for a config file called masl.toml in the user's home dir. It's conceivable people want to use MASL for multiple companies. Storing the config(s) in ~/.masl might be a good start. Having multiple masl profiles similar to AWS boto profiles in .aws perhaps?

MASL version 2.0.7 can't install on windows

Trying to install v2.0.7 on a windows machine doesn't work. Double clicking the .exe file results in the cmd popping up and then it closes itself.

v2.0.6 does work as an .exe. But only the OneLogin password: field appears and it closes itself after filling it in, without doing anything it seems.

Request: Auto-create .aws folder if not existent

After a setup & execution on Windows no error was thrown if the 'credentials' file could not be placed in the ~/.aws folder (because it did not exist yet).
Would it be possible to check its existence / create the .aws folder?

#GreatestFan #MaslFTW

Aligning the '=' in the credentials file leads to the aws-go-sdk failing

After some debugging I found that the aws-go-sdk can't read the .aws/credentials file if there is more than 1 space between the variable name and the equation sign.
Haven't seen a place in the code to easily fix this:

Before (not working):

aws_access_key_id     = ***
aws_secret_access_key = ***
aws_session_token     = ***

After (working):

aws_access_key_id = ***
aws_secret_access_key = ***
aws_session_token = ***
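Three of the issues above concern the same write path: the credentials file should be created with the 0600 mode that aws configure uses, the .aws directory should be created when missing instead of failing silently, and the profile must be written as plain key = value lines because the aws-go-sdk rejects padded '=' alignment. The following is an added example of such a writer, not masl's code: the names Credentials, WriteCredentials, replaceProfile and CheckPermissions are assumptions, the path is passed in explicitly instead of resolved from the home directory, and the sample credential values are constructed placeholders.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Credentials holds one set of STS credentials for a profile.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	LegacyToken     bool // also emit aws_security_token for older Boto
}

// renderProfile produces the profile section in the canonical "key = value"
// form with exactly one space on each side of '=', which the aws-go-sdk parses.
func renderProfile(profile string, c Credentials) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", profile)
	fmt.Fprintf(&b, "aws_access_key_id = %s\n", c.AccessKeyID)
	fmt.Fprintf(&b, "aws_secret_access_key = %s\n", c.SecretAccessKey)
	fmt.Fprintf(&b, "aws_session_token = %s\n", c.SessionToken)
	if c.LegacyToken {
		fmt.Fprintf(&b, "aws_security_token = %s\n", c.SessionToken)
	}
	return b.String()
}

// replaceProfile returns the file content with the named profile's section
// replaced, or appended if it was absent. Other profiles are kept verbatim,
// so a user's hand-written [default] section is never touched.
func replaceProfile(existing, profile string, c Credentials) string {
	header := "[" + profile + "]"
	var out strings.Builder
	skipping, replaced := false, false
	sc := bufio.NewScanner(strings.NewReader(existing))
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "[") {
			if trimmed == header {
				skipping, replaced = true, true
				out.WriteString(renderProfile(profile, c))
				continue
			}
			skipping = false
		}
		if skipping {
			continue // drop the stale body of our own section
		}
		out.WriteString(line + "\n")
	}
	if !replaced {
		if out.Len() > 0 {
			out.WriteString("\n")
		}
		out.WriteString(renderProfile(profile, c))
	}
	return out.String()
}

// WriteCredentials stores the profile at path (normally ~/.aws/credentials).
// The parent directory is created with 0700 if missing and the file ends up
// 0600, matching aws configure. Content goes to a temporary file that is
// renamed into place, so an interrupted run never leaves a truncated file.
func WriteCredentials(path, profile string, c Credentials) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	existing, err := os.ReadFile(path)
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	content := replaceProfile(string(existing), profile, c)
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, []byte(content), 0o600); err != nil {
		return err
	}
	// WriteFile keeps the mode of a pre-existing tmp file; force 0600 regardless.
	if err := os.Chmod(tmp, 0o600); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, path)
}

// CheckPermissions reports a credentials file readable or writable by group
// or others, the condition the permissions issue asks masl to avoid.
func CheckPermissions(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; expected 0600", path, perm)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "masl-example")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".aws", "credentials")
	creds := Credentials{AccessKeyID: "AKIAEXAMPLE", SecretAccessKey: "secret", SessionToken: "token"}
	if err := WriteCredentials(path, "masl", creds); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("permissions check:", CheckPermissions(path))
}
```

Because the rename replaces the old file with the 0600 temporary file, a credentials file that was previously created with a looser mode is tightened on the next write rather than left as it was.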
