{"id":23169440,"url":"https://github.com/dowjones/tokendito","last_synced_at":"2025-10-25T08:37:25.354Z","repository":{"id":35042360,"uuid":"197783469","full_name":"dowjones/tokendito","owner":"dowjones","description":"Generate temporary AWS credentials via Okta.","archived":false,"fork":false,"pushed_at":"2025-03-22T02:03:49.000Z","size":543,"stargazers_count":69,"open_issues_count":4,"forks_count":29,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-09T20:12:36.367Z","etag":null,"topics":["aws","okta","python","sso","sts"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dowjones.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"docs/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-19T14:07:52.000Z","updated_at":"2025-04-07T09:32:36.000Z","dependencies_parsed_at":"2023-12-19T04:29:54.407Z","dependency_job_id":"edd02b8b-2c89-4b27-b149-be1c2bc6410b","html_url":"https://github.com/dowjones/tokendito","commit_stats":{"total_commits":78,"total_committers":10,"mean_commits":7.8,"dds":0.4487179487179487,"last_synced_commit":"2f45f192ba9a98666e07f8d5dbb1b362896741e6"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dowjones%2Ftokendito","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dowjones%2Ftokendito/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dowjones%
2Ftokendito/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dowjones%2Ftokendito/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dowjones","download_url":"https://codeload.github.com/dowjones/tokendito/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103872,"owners_count":21048245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","okta","python","sso","sts"],"created_at":"2024-12-18T03:17:25.072Z","updated_at":"2025-10-25T08:37:20.309Z","avatar_url":"https://github.com/dowjones.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tokendito\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/dowjones/tokendito/main/docs/tokendito.png\"/\u003e\n\u003c/p\u003e\n\n## Generate temporary AWS credentials via 
Okta.\n\n[![image](https://img.shields.io/github/actions/workflow/status/dowjones/tokendito/test.yml)](https://github.com/dowjones/tokendito/actions)\n[![image](https://img.shields.io/pypi/pyversions/tokendito?color=blueviolet)](https://pypi.org/project/tokendito/)\n[![image](https://img.shields.io/github/actions/workflow/status/dowjones/tokendito/woke.yml?label=woke)](https://github.com/dowjones/tokendito/actions)\n[![image](https://img.shields.io/badge/license-Apache%202.0-ff69b4)](https://github.com/dowjones/tokendito/blob/main/LICENSE.txt)\n[![image](https://img.shields.io/badge/OS-Mac%2C%20Windows%2C%20Linux-9cf)](https://github.com/dowjones/tokendito/)\n[![image](https://img.shields.io/coverallsCoverage/github/dowjones/tokendito)](https://coveralls.io/github/dowjones/tokendito) [![image](https://img.shields.io/pypi/dm/tokendito)](https://pypistats.org/packages/tokendito)\n\n\u003cp\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/dowjones/tokendito/main/docs/tokendito-scaled.gif\"\u003e\n\u003c/p\u003e\n\nUse `tokendito` to generate temporary AWS credentials via Okta for\nprogrammatic authentication to AWS. 
Tokendito signs you into Okta and\nuses your existing AWS integration to broker a SAML assertion into\nyour AWS accounts, returning\n[STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)\ntokens into your local `~/.aws/credentials` file.\n\n## What's new\n\nSee [Releases](https://github.com/dowjones/tokendito/releases) for a detailed Changelog.\n\n### Tokendito 2.4.0\n\nVersion 2.4.0 of Tokendito introduces the following new features:\n\n- Add support for Okta question MFA.\n- Many bug fixes and contributions.\n\n### Tokendito 2.3.0\n\nVersion 2.3.0 of Tokendito introduces the following new features:\n\n- Basic OIE support while forcing Classic mode.\n- Support for saving the Device Token ID for later reuse.\n- Misc bug fixes\n\nNote: This feature currently works with locally enabled OIE organizations, but it does not for Organizations with chained Authentication in mixed OIE/Classic environments.\n\n### Tokendito 2.2.0\n\nVersion 2.2.0 of Tokendito introduces the following new features:\n\n- Shared HTTP Client to leverage keepalives and Python's connection pool (by @fsilvamaia)\n- Support for Step-Up Authorization (by @ruhulio)\n- Misc bug fixes\n\n### Tokendito 2.1.0\n\nVersion 2.1.0 of Tokendito introduces the following new features:\n\n- IdP redirection\n- Docker support (by @opis-mark)\n- Interactive support for AWS profile names (by @opis-mark)\n- Docker container signing to ensure you are on a 'certified' Tokendito container\n- Misc bug fixes\n\n### Tokendito 2.0.0\n\nWith the release of tokendito 2.0, many changes and fixes were introduced. 
**It is a breaking release**: your configuration needs to be updated, the command line arguments have changed, and support for Python \\\u003c 3.7 has been removed.\nThe following changes are part of this release:\n\n- Set the config file to be platform dependent, and follow the XDG standard.\n- Extend configuration capabilities.\n- Modernize output.\n- Change the MFA method from strict match to partial match.\n- Mask secrets from output logs.\n- Automatically discover AWS URLs.\n- Fix authentication with DUO.\n- Add support for setting the logging level via both the INI file and ENV vars.\n- Add support for Python 3.9, 3.10, and 3.11.\n- And many fixes.\n\nConsult [additional notes](https://github.com/dowjones/tokendito/blob/main/docs/README.md) for how to use tokendito.\n\n## Requirements\n\n- Python 3.9+, or a working Docker environment\n- AWS account(s) federated with Okta\n\nTokendito is compatible with Python 3 and can be installed with either\npip or pip3.\n\n## Getting started\n\n1. Install (via PyPI): `pip install tokendito`\n1. Run `tokendito --configure`.\n1. Run `tokendito`.\n\n**NOTE**: Advanced users may shorten the `tokendito` interaction to a [single\ncommand](https://github.com/dowjones/tokendito/blob/main/docs/README.md#single-command-usage).\n\nHave multiple Okta tiles to switch between? View our [multi-tile\nguide](https://github.com/dowjones/tokendito/blob/main/docs/README.md#multi-tile-guide).\n\n## Docker\n\nUsing Docker eliminates the need to install tokendito and its requirements. We are providing experimental Docker image support on [Docker Hub](https://hub.docker.com/r/tokendito/tokendito).\n\n### Running the container image\n\nRun tokendito with the `docker run` command. 
Tokendito supports [DCT](https://docs.docker.com/engine/security/trust/), and we encourage you to enforce image signature validation before running any containers.\n\n```shell\nexport DOCKER_CONTENT_TRUST=1\n```\n\nthen\n\n```shell\ndocker run --rm -it tokendito/tokendito  --version\n```\n\nYou must map a volume in the Docker command to allow tokendito to write AWS credentials to your local filesystem for use.  This is done with the `-v` flag.  See [Docker documentation](https://docs.docker.com/engine/reference/commandline/run/#-mount-volume--v---read-only) for help setting the syntax.  The following directories are used by tokendito and should be considered when mapping volumes:\n\n- `/app/.aws/` (AWS credential storage)\n- `/app/.config/tokendito/` (tokendito profile storage)\n\nThese can be covered by mapping a single volume to both the host and container users' home directories (`/app` is the home directory in the container and must be explicitly defined).  You may also map multiple volumes if you have custom configuration locations and require granularity.\n\nBe sure to set the `-it` flags to enable an interactive terminal session.\n\nOn Windows, you can do the following:\n\n```bat\ndocker run --rm -it -v \"%USERPROFILE%\\.aws\":/app/.aws  -v \"%USERPROFILE%\\.config\":/app/.config tokendito/tokendito\n```\n\nOn a macOS system, you can run:\n\n```shell\ndocker run --rm -it -v \"$HOME/.aws\":/app/.aws  -v \"$HOME/.config\":/app/.config tokendito/tokendito\n```\n\nOn a Linux system, however, you must specify the user and group IDs for the mount mappings to work as expected.\nAdditionally, the mount points within the container move to a different location:\n\n```shell\ndocker run --user $(id -u):$(id -g) --rm -it -v \"$HOME/.aws\":/.aws  -v \"$HOME/.config\":/.config tokendito/tokendito\n```\n\nTokendito command line arguments are supported as well.\n\n**NOTE**: In the following examples the entire home directory is exported for simplicity. 
This is not recommended as it exposes too much data to the running container:\n\n```shell\ndocker run --rm -it -v \"$HOME\":/app tokendito/tokendito \\\n  --okta-tile https://acme.okta.com/home/amazon_aws/000000000000000000x0/123 \\\n  --username username@example.com \\\n  --okta-mfa push \\\n  --aws-output json \\\n  --aws-region us-east-1 \\\n  --aws-profile my-profile-name \\\n  --aws-role-arn arn:aws:iam::000000000000:role/role-name\n```\n\nTokendito profiles are supported while using containers, provided the proper volume mapping exists.\n\n```shell\ndocker run --rm -ti -v \"$HOME\":/app tokendito/tokendito \\\n  --profile my-profile-name\n```\n\n## Tips, tricks, troubleshooting, examples, and more docs are [here](https://github.com/dowjones/tokendito/blob/main/docs/README.md)\n\n[Contributions are welcome](https://github.com/dowjones/tokendito/blob/main/docs/CONTRIBUTING.md)!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdowjones%2Ftokendito","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdowjones%2Ftokendito","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdowjones%2Ftokendito/lists"}