{"id":22314302,"url":"https://github.com/hgschmie/ofa","last_synced_at":"2026-05-04T03:35:46.873Z","repository":{"id":48476330,"uuid":"322675119","full_name":"hgschmie/ofa","owner":"hgschmie","description":"ofa - command line AWS credential management with an IdP","archived":false,"fork":false,"pushed_at":"2023-03-07T00:19:36.000Z","size":304,"stargazers_count":3,"open_issues_count":6,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-26T02:45:51.765Z","etag":null,"topics":["aws","golang","iam","idp","saml2"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hgschmie.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-18T18:31:23.000Z","updated_at":"2022-01-14T23:54:45.000Z","dependencies_parsed_at":"2024-06-20T00:12:18.749Z","dependency_job_id":"3a0dea36-5d38-4404-8eb9-d29de6f22fef","html_url":"https://github.com/hgschmie/ofa","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/hgschmie/ofa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hgschmie%2Fofa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hgschmie%2Fofa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hgschmie%2Fofa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hgschmie%2Fofa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hgschmie","download_url":"https://codeload.github.com/hgschmie/ofa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hgschmie%2Fofa/sbom","scorecard":{"id":463633,"data":{"date":"2025-08-11","repo":{"name":"github.com/hgschmie/ofa","commit":"6fa790800127d3e9aa2c63b81483e2019b322521"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":10,"reason":"SAST tool detected: CodeQL","details":["Info: SAST configuration detected: CodeQL","Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/hgschmie/ofa/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/hgschmie/ofa/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/hgschmie/ofa/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/hgschmie/ofa/codeql-analysis.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v3.0.2 not signed: https://api.github.com/repos/hgschmie/ofa/releases/57201312","Warn: release artifact v3.0.1 not signed: https://api.github.com/repos/hgschmie/ofa/releases/57201026","Warn: release artifact v3.0.0 not signed: https://api.github.com/repos/hgschmie/ofa/releases/57193648","Warn: release artifact v2.0.1 not signed: https://api.github.com/repos/hgschmie/ofa/releases/47316850","Warn: release artifact v2.0.0 not signed: https://api.github.com/repos/hgschmie/ofa/releases/46704020","Warn: release artifact v3.0.2 does not have provenance: https://api.github.com/repos/hgschmie/ofa/releases/57201312","Warn: release artifact v3.0.1 does not have provenance: https://api.github.com/repos/hgschmie/ofa/releases/57201026","Warn: release artifact v3.0.0 does not have provenance: https://api.github.com/repos/hgschmie/ofa/releases/57193648","Warn: release artifact v2.0.1 does not have provenance: https://api.github.com/repos/hgschmie/ofa/releases/47316850","Warn: release artifact v2.0.0 does not have provenance: https://api.github.com/repos/hgschmie/ofa/releases/46704020"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":0,"reason":"20 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2022-0968 / GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8","Warn: Project is vulnerable to: GO-2022-1059 / GHSA-69ch-w2m2-3vjp"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T11:51:40.505Z","repository_id":48476330,"created_at":"2025-08-19T11:51:40.505Z","updated_at":"2025-08-19T11:51:40.505Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32593945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T22:12:39.696Z","status":"online","status_checked_at":"2026-05-04T02:00:06.625Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","golang","iam","idp","saml2"],"created_at":"2024-12-03T22:09:36.514Z","updated_at":"2026-05-04T03:35:46.857Z","avatar_url":"https://github.com/hgschmie.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ofa - Command line AWS credential management with an IdP\n\nCommand line access to IdP Authentication and AWS IAM role assignment without a browser.\n\nSee the [Changes](CHANGES.md) file for a list of changes and [Development](DEVELOPMENT.md) for information on how to\nbuild and contribute to this project.\n\nThis software is provided *as is* under MIT license. It may contain bugs and does not work in all possible corner cases.\nI have access to developer accounts on OneLogin and Auth0. There is no usable, permanent free tier on Okta.\n\n## Installation\n\nThe preferred way to install `ofa` is by downloading the latest release for your system architecture from the [package repository](https://github.com/hgschmie/ofa/releases). When running on macOS, please [see the note about code signing](https://github.com/hgschmie/ofa/blob/main/DEVELOPMENT.md#note-about-macos-code-signing) when running `ofa` for the first time.\n\nAlternatively, install `ofa` from source through the golang package system by running\n\n```bash\n$ go install github.com/hgschmie/ofa/v3@latest\n```\n\nThis also sidesteps the signing problems with macOS. If the security policy on your computer does not allow unsigned binaries, this is the best way to install `ofa`.\n\nA release version of `ofa` reports\n\n```bash\n$ ofa version\nINFO ofa 3.0.2, commit d6df9685bd926a7fe09c0959f729ee6bbfe1ab1b, built at 2022-01-15T18:27:52Z by goreleaser\n```\n\nwhile a self-built or development version reports\n\n```bash\n$ ofa version\nINFO ofa dev, commit none, built at unknown by unknown\n```\n## State of IdPs\n\n* Okta - Supported, Functional\n* OneLogin - Supported, Functional\n* Auth0 - Partially supported, Not functional\n\n### Okta\n\nThe Okta code is brittle as it uses\na [a semi-documented way that needs to parse a HTML page](https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-via-openid-connect-authorization-endpoint)\nto access the necessary SAML Assertion.\n\n### OneLogin\n\nOnly documented APIs are used. Does not support all available authentication methods (patches for WebAuthn wanted!).\n\nSupports the Multi-Account application (will prompt for matching accounts and roles).\n\nThere are some minor issues when Push notifications get denied on the mobile app,\nsee [SAML verify factor API call with authentication denied](https://stackoverflow.com/questions/68478392/onelogin-saml-assertion-verify-factor-with-authentication-denied)\n.\n\n### Auth0\n\n**Auth0 does not work**. I could not figure out how to get this to\nwork [Auth0 Forum Thread](https://community.auth0.com/t/exchange-a-bearer-token-for-a-saml-assertion/59354).\n\n## Bonus feature: Command line completion\n\n`ofa` supports command line completion for `bash`, `fish` and `zsh`, e.g. for bash:\n\n```bash\n$ eval $(ofa completion bash)\n```\n\nwill activate TAB-completion for all `ofa` commands.\n\n## Using Okta\n\n### Prerequisite: Setting up Okta and AWS\n\nThe `ofa` tool assumes that your Okta/AWS setup is using the \"AWS Account Federation\"\nOkta application [AWS Account Federation](https://www.okta.com/integrations/aws-account-federation/).\n\nThis requires a regular Okta account or at least an Okta trial account; developer accounts do not allow installation of\napplications.\n\n### Okta configuration reference\n\n| Key | Flag | Function |\n| --- | ---- | -------- |\n| `url` | `--set-url` \u003cbr\u003e `--url` | Base/Organization URL. `https://\u003csubdomain\u003e.okta.com/` |\n| `okta_app_url` | `--set-okta-app-url` \u003cbr\u003e `--okta-app-url` | Application URL. See below. |\n| `okta_auth_method` | `--set-okta-auth-method` \u003cbr\u003e `--auth-method` | Supported methods are  `push`, `sms` and `totp`. |\n\n* Use the `Okta organization URL`, usually `https://\u003ccompany name\u003e.okta.com/` as the Base/Organization URL.\n* Locate the application URL by logging into the Okta organization, then hover over the AWS application icon in the web\n  view and selecting \"Copy Link Address\" in the browser. Stripping the query section (`?fromHome=true`) from this URL\n  gives the Okta application URL.\n\n#### Supported Authentication methods\n\nWhen using MFA, the user account must be already enrolled using the MFA. `ofa` does not support the enrollment flow.\n\n* `push` - Using the Okta Mobile application. Approve/Deny directly on the mobile application.\n* `sms` - Sending a text message, then prompting for the code from the text message.\n* `totp` - Using an Authentication application (Google Authenticator, Authy etc.), prompts for the TOTP code.\n\n## Using OneLogin\n\n### Prerequisite: Setting up OneLogin and AWS\n\nThe `ofa` tool assumes that your OneLogin/AWS setup is using the \"Amazon Web Services\", \"Amazon Web Services (AWS) Multi\nAccount\" or \"Amazon Web Services (AWS) Multi Role\"\napplication. There is a [great walkthrough](https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0010344) which\ndescribes the setup in detail.\n\nMake sure that you can log into your AWS Account or Accounts using the OneLogin Application portal.\n\nThis setup works with the OneLogin free / developer tier (\"Developer Basic\") available\nat https://www.onelogin.com/developer-signup\n\nUnlike the Okta Trial Accounts, these do not expire (see the /subscription/edit tab in the developer account).\n\n### Prerequisite: Setup API Access\n\n* Using \"Developers\" -\u003e \"API Credentials\" -\u003e \"New Credential\", create a new credential.\n* Choose \"Authentication only\" for permissions.\n\nCopy the \"Client ID\" and \"Client Secret\" values.\n\nThis credential needs to be shared between all users of the ofa application within an application. It allows users to\nauthenticate with the API so it should be kept confidential. However, it does require a second (login and password) and\npotentially a third factor (MFA) to actually acccess any service. It is most useful to track all users that use\nthe `ofa` client tool to authenticate.\n\n### OneLogin configuration reference\n\n| Key | Flag | Function |\n| --- | ---- | -------- |\n| `url` | `--set-url` \u003cbr\u003e `--url` | Base/Organization URL. `https://\u003csubdomain\u003e.onelogin.com/` |\n| `onelogin_auth_method` | `--set-onelogin-auth-method` \u003cbr\u003e `--onelogin-auth-method` |  Supported methods are `push`, `sms`, `email`, `totp` |\n| `onelogin_client_id` | `--set-onelogin-client-id` \u003cbr\u003e `--onelogin-client-id` | API Credential client id |\n| `onelogin_client_secret` | `--set-onelogin-client-secret` \u003cbr\u003e `--onelogin-client-secret` | API Credential client secret |\n| `onelogin_app_id` | `--set-onelogin-app-id` \u003cbr\u003e `--onelogin-app-id` | OneLogin application id |\n| `onelogin_api_url` | `--set-onelogin-api-url` \u003cbr\u003e `--onelogin-api-url` | OneLogin API endpoint |\n\n* The tool assumes that it can determine the actual subdomain by taking the first part of the host name of the\n  Base/Organization URL.\n* Administrators can locate the application id by opening the application settings page in the Administration portal.\n  The app-id is in the URL: `/apps/\u003capp-id\u003e/edit`.\n* OneLogin has multiple API endpoints around the world. If unset, it defaults to `https://api.us.onelogin.com/`.\n\n#### Supported Authentication methods\n\nWhen using MFA, the user account must be already enrolled using the MFA. `ofa` does not support the enrollment flow.\n\n* `push` - Using the OneLogin Protect application. Approve/Deny directly on the mobile application.\n* `sms` - Sending a text message, then prompting for the code from the text message.\n* `email` - Sending an email, then prompting for the code from the mail.\n* `totp` - Using an Authentication application (Google Authenticator, Authy etc.), prompts for the TOTP code.\n\n#### OneLogin Multi Account setup\n\nOneLogin allows using a single OneLogin application to log into multiple AWS accounts. When using the Application from a\nbrower, AWS will present a selection screen where the accounts and roles are listed for user selection.\n\nThis is the preferred way to setup multiple accounts and roles. The selection screen for role selection will either\nlist the numeric AWS account id or, if an account alias is configured, the account alias.\n\n## Usage\n\n### For all IdPs\n\n`ofa` manages global settings and profiles to log into an IdP and assume an AWS role.\n\nEach profile contains\n\n* IdP Type and configuration\n* Login information and authentication method\n* AWS account and role to assume\n* AWS session time\n\n`ofa` uses four sources for each value in order of precedence:\n\n* command line arguments\n* profile settings (requires profile selection)\n* global settings\n* interactive prompt (if running in interactive mode)\n\nprofile selection happens through a default profile setting, or a command line flag.\n\n#### commands and flags\n\nThe `ofa` application supports the `--help` flag and the `help` command everywhere.\n\n* `ofa defaults set`\n* `ofa defaults show`\n* `ofa profile create`\n* `ofa profile list`\n* `ofa profile show`\n* `ofa profile update`\n* `ofa profile remove`\n* `ofa password set`\n* `ofa password remove`\n* `ofa login`\n\nThe `ofa version` command displays the version and build information.\n\n##### global flags\n\nEvery `ofa` command supports the following global flags:\n\n* `--no-config`\n\nIgnore any config file. Parameters and interactive input must provide all parameters.\n\n* `--interactive`\n\nForce interactive mode (overrides default). `ofa` will prompt for input if required. This is the default unless\nconfigured otherwise.\n\n* `--batch`\n\nNever prompt for input. `ofa` will never prompt the user for input.\n\n* `--quiet`\n\nOnly output minimal or no information.\n\n* `--verbose`\n\nOutput more information during operation. This is the default unless configured otherwise.\n\n#### ofa defaults command\n\n`ofa` manages a set of defaults to use when neither flags or profile settings are available.\n\nBy default, `ofa` will prompt for every setting interactively when executing the `set` subcommand.\n\nTo set a single flag without prompting:\n\n```\nofa --set-interactive=false --batch\n```\n\n`ofa` manages the default state of the `interactive` and `verbose` flags and provides default settings for:\n\n* profile name (which profile to use unless overridden by a command line parameter)\n* Username\n* IdP type and authentication method\n* Base/Organization URL\n* IdP specific settings\n* AWS account and role to assume\n* AWS session time\n\n### ofa profile command\n\n`ofa` can manage multiple profiles for logging into AWS using an IdP. Profiles are independent and can refer to multiple\nIdP and AWS accounts.\n\nEach profile may consist of\n\n* Username\n* IdP type and authentication method\n* Base/Organization URL\n* IdP specific settings\n* AWS account and role to assume\n* AWS session time\n\nAll parameters are optional, the tool may fall back to its defaults or prompt in interactive mode.\n\nThe `ofa profile list` command lists all available profiles.\n\nThe `ofa profile show` command shows details for one or all profiles, depending on the `--profile` flag.\n\nTo create a new profile, the `ofa profile create` command will either use command line parameters or prompt for the\nprofile settings.\n\nThe `ofa profile update` command allows editing of existing profiles.\n\nThe `ofa profile delete` command removes an existing profile.\n\n#### ofa profiles and AWS profiles\n\n`ofa` maintains a configuration file that controls the login information for a profile. However, `ofa` was designed to\nwork with arbitrary profile names and having a profile in ofa itself is not necessary. This is intentional and not a\nbug.\n\nAs `ofa` can be used fully interactive or all settings could be covered by defaults, the following command actually does\nnothing:\n\n```bash\nofa profile create --profile=new_profile --batch`\n```\n\nbecause there is no setting associated with the profile. It can still be used for logging in:\n\n```bash\nofa login --profile=some_random_name\n```\n\nwill work well (and use either defaults or interactive inputs) to log into the IdP and then write credentials for \"\nsome_random_name\" into the AWS credentials file.\n\n### ofa password command (macOS only)\n\nOn macOS , `ofa` can store passwords in the user specific keychain.\n\nIdPs are single signon systems and identified by the Base/Organization URL, so each combination of this URL and a login\nis unique, even if used in multiple profiles.\n\n`ofa password set` sets a password in the keychain, `ofa password remove` removes it. The `set` command will override an\nexisting password.\n\nNote that the keychain might prompt (with a modal dialog) when using a password. It is not recommended to always\nallow `ofa` access to a keychain entry as this removes a security factor.\n\n### ofa login command\n\nThe `ofa login` command authenticates using the selected IdP and then uses the information to log into AWS, assume an\naccount and a role and create credentials.\n\nThis command uses all available sources (command line parameters, profile settings, default settings and interactive\ninput).\n\nA successful login and role selection creates a new set of AWS credentials. These credentials are written into the AWS\ncredentials file **using the profile name**.\n\nWriting the credentials file can be avoided by using the `--eval` flag. In this case, `ofa` prints output that can be\nevaluated in the calling shell.\n\nWhen setting default values for profile, AWS account and AWS role, `ofa login` can operate without any prompting the user.\nHowever, sometimes it is useful to explicitly force profile or role selection. The `--no-default-profile` and `--no-default-role`\nflags can be used for this.\n\n## Examples\n\n### Okta\n\n* Set up defaults and a profile:\n\n```\nofa defaults set --set-user=\u003cuser name\u003e --set-okta-auth-method=push --set-url=https://\u003corganization\u003e.okta.com/ --set-session-time=14400 --batch\n```\n\nCreate defaults for using Okta as IdP. When using a single Okta instance, the username, authentication method and Okta\nURL will always be the same. Setting them as default makes profile generation simpler.\n\n```\nofa password set\n```\n\nAs URL and username exist as defaults, this command only prompts for the password and stores it in the keychain.\n\n```\nofa profile create --profile=new_profile --set-profile-type=okta --set-role=\u003caws role to assume\u003e --set-okta-app-url=\u003c... okta aws app url as described above ...\u003e --batch\n```\n\nThis command assigns the remaining, profile specific settings to the `new_profile` profile.\n\n```\nofa defaults set --set-profile=new_profile --batch\n```\n\nMake the new profile the default unless there is a profile name set with a parameter.\n\n```\nofa login\n```\n\nwill initiate a login using the default IdP (Okta configured as described above), assume the role in the `new_profile`\nprofile and write AWS credentials in the `[new_profile]` section of the AWS credentials file.\n\n```\neval $(ofa login --eval)\n```\n\nallows setting of environment variables without touching the AWS credentials file.\n\n* Set up a second profile:\n\n```\nofa profile create --profile=dev --set-profile-type=okta --set-okta-app-url=\u003c... okta aws app url as described above ...\u003e --batch\n```\n\nUnlike the previous profile, this one does not contain an AWS role. If Okta returns more than one role, `ofa` will\nprompt:\n\n```\nofa login --profile dev\nINFO **** Global Flags:\nINFO Ignore Configuration:     false (default value)\nINFO Verbose:                  true (default value)\nINFO Interactive:              true (default value)\nINFO **** Login Session:\nINFO Profile name:             dev (flag: 'profile')\nINFO Okta username:            \u003cokta user name\u003e (global config, key: 'user')\nINFO Profile type:             okta (profile [dev], key: 'profile_type')\nINFO Base/organization URL:    https://\u003corganization\u003e.okta.com/ (global config, key: 'url')\nINFO Okta password:            \u003cconfigured\u003e (Keychain for Okta URL 'https://\u003corganization\u003e.okta.com/', username '\u003cokta user name\u003e')\nINFO Okta AWS app URL:         \u003c... okta app url ...\u003e (profile [dev], key: 'okta_app_url')\nINFO Okta auth method:         push (global config, key: 'okta_auth_method')\nINFO AWS session time:         14400 (global config, key: 'aws_session_time')\nINFO **** Logging into Okta\nINFO **** Initiating MFA Challenge\nINFO **** Okta login successful\nINFO **** Fetching Okta SAML response\nINFO **** Selecting AWS role from SAML response\n? Select AWS Role:\n  ▸ role_1 account-id\n    role_2 account-id\n    role_3 account-id\n```\n\nafter selecting a role, `ofa` writes credentials in the AWS credentials file and exits.\n\n---\n\n### OneLogin\n\n#### 1. Set up defaults\n\n```bash\nofa defaults set --batch \\\n                 --set-user=\u003cuser name\u003e \\\n                 --set-session-time=14400 \\\n                 --profile-type=onelogin \\\n                 --set-url=https://\u003csubdomain\u003e.onelogin.com/ \\\n                 --set-onelogin-auth-method=push \\\n                 --set-onelogin-api-url=https://api.\u003cregion\u003e.onelogin.com/ \\\n                 --set-onelogin-app-id=\u003conelogin app id\u003e \\\n                 --set-onelogin-client-id=\u003capi access client id\u003e \\\n                 --set-onelogin-client-secret=\u003capi access client secret\u003e\n```\n\nCreates defaults for `ofa`. As this will be using OneLogin, it configures all the OneLogin defaults for a single\nOneLogin instance where the username, base url and the client parameters will all be the same.\n\nMaking them defaults simplifies profile generation. All defaults can be overridden on a per-profile basis.\n\nNotes:\n\n* subdomain name and onelogin app id should be provided by the OneLogin administrator.\n* An API access credential (see above) must be set.\n* Choose the OneLogin region accordingly (e.g. `us` for US, `eu` for Europe).\n\n#### 2. Set the user password\n\n```bash\nofa password set\n```\n\nURL and username exist as defaults, this command only prompts for the password and stores it securely in the keychain.\n\n#### 3. Create a profile\n\n**The name of the profile must match the name of the AWS profile where the credentials are stored!**\n\n```bash\nofa profile create --batch \\\n                   --profile=new_profile \\\n                   --set-account=\u003caws account for role\u003e\n                   --set-role=\u003caws role to assume\u003e\n```\n\nThis command creates the `new_profile` profile and assigns a specific AWS account and role to assume.\nThe role and account parameter are optional, if any is missing, `ofa` will present a menu selection with all matching roles.\n\n#### Optional: Make the new profile the default\n\n```\nofa defaults set --set-profile=new_profile --batch\n```\n\nMake the new profile the default unless there is a profile name set with a parameter.\n\n#### 4. Retrieve AWS credentials using OneLogin IdP\n\n```\nofa login --profile=new_profile\n```\n\nwill initiate a login using OneLogin, assume the role in the `new_profile` profile and write AWS credentials in\nthe `[new_profile]` section of the AWS credentials file.\n\n```\neval $(ofa login --profile=new_profile --eval)\n```\n\nallows setting of environment variables without writing them to the AWS credentials file.\n\n#### Bonus: Setting multiple profiles\n\n```bash\nofa profile create --batch \\\n                   --profile=dev \\\n                   --set-session-time=3600\n```\n\nUnlike the previous profile, this one does not contain an AWS role. If OneLogin returns more than one role, `ofa` will\nprompt for role selection:\n\n```\nINFO **** Global Flags:\nINFO Ignore Configuration:               false (default value)\nINFO Verbose:                            true (flag: 'verbose')\nINFO Interactive:                        true (default value)\nINFO **** Login Session:\nINFO Profile name:                       dev (flag: 'profile')\nINFO Profile type:                       onelogin (global config, key: 'idp_type')\nINFO Username:                           \u003cusername\u003e (global config, key: 'user')\nINFO Base/organization URL:              https://\u003csubdomain\u003e.onelogin.com/ (global config, key: 'url')\nINFO Password:                           \u003cconfigured\u003e (Keychain for Okta URL 'https://\u003csubdomain\u003e.onelogin.com/', username '\u003cusername\u003e')\nINFO Onelogin auth method:               push (global config, key: 'onelogin_auth_method')\nINFO Onelogin Application Client Id:     \u003capi authencation client id\u003e (global config, key: 'onelogin_client_id')\nINFO Onelogin Application Client Secret: \u003cconfigured\u003e (global config, key: 'onelogin_client_secret')\nINFO Onelogin Application Id:            \u003capp id\u003e (global config, key: 'onelogin_app_id')\nINFO Onelogin API Url:                   https://api.us.onelogin.com/ (global config, key: 'onelogin_api_url')\nINFO AWS session duration:               3600 (profile [dev], key: 'aws_session_time')\nINFO **** Logging into Onelogin\nINFO **** Initiating MFA Challenge\nINFO **** Selecting AWS role from SAML response\n? Select AWS Role:\n  ▸ role_A aws_account 1\n    role_B aws_account 1\n    role_1 aws_account 2\n    role_2 aws_account 2\n    role_A aws_account 3\n    role_B aws_account 3\n```\n\nIn this example, there are multiple AWS accounts configured (aws_account 1-3) and for some of them, the role names\nare overlapping (role_A and role_B are present in aws_account 1 and aws_account 2).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhgschmie%2Fofa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhgschmie%2Fofa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhgschmie%2Fofa/lists"}