{"id":34083393,"url":"https://github.com/physera/onelogin-aws-cli","last_synced_at":"2026-04-06T07:02:45.745Z","repository":{"id":54421503,"uuid":"85412987","full_name":"physera/onelogin-aws-cli","owner":"physera","description":"Assume an AWS Role and cache credentials using Onelogin","archived":false,"fork":false,"pushed_at":"2022-11-10T00:48:54.000Z","size":153,"stargazers_count":68,"open_issues_count":22,"forks_count":31,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-09-19T03:55:41.132Z","etag":null,"topics":["aws-cli","onelogin","saml"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/physera.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-18T15:48:33.000Z","updated_at":"2025-08-25T19:21:50.000Z","dependencies_parsed_at":"2023-01-22T03:53:09.735Z","dependency_job_id":null,"html_url":"https://github.com/physera/onelogin-aws-cli","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/physera/onelogin-aws-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/physera%2Fonelogin-aws-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/physera%2Fonelogin-aws-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/physera%2Fonelogin-aws-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/physera%2Fonelogin-aws-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/physera","download_url":"https://codeload.github.com/physera/onel
ogin-aws-cli/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/physera%2Fonelogin-aws-cli/sbom","scorecard":{"id":732829,"data":{"date":"2025-08-11","repo":{"name":"github.com/physera/onelogin-aws-cli","commit":"582d8dce34042584f165aac911ee23c37243187c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.3,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":7,"reason":"Found 21/29 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) 
artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: 
project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.17 not signed: https://api.github.com/repos/physera/onelogin-aws-cli/releases/29391707","Warn: release artifact 1.17 does not have provenance: https://api.github.com/repos/physera/onelogin-aws-cli/releases/29391707"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"17 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2022-42986 / GHSA-43fp-rhv2-5gv8","Warn: Project is vulnerable to: PYSEC-2023-135 / GHSA-xqr8-7jwr-rhp7","Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is 
vulnerable to: PYSEC-2021-108 / GHSA-q2q7-5pp4-w6pg","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: PYSEC-2019-182 / GHSA-8867-vpm3-g98g","Warn: Project is vulnerable to: PYSEC-2012-8 / GHSA-p3h7-3c45-qj4v","Warn: Project is vulnerable to: PYSEC-2019-181 / GHSA-p86x-652p-6385","Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T14:55:12.761Z","repository_id":54421503,"created_at":"2025-08-22T14:55:12.761Z","updated_at":"2025-08-22T14:55:12.761Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31463015,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T21:22:52.476Z","status":"online","status_checked_at":"2026-04-06T02:00:07.287Z","response_time":112,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-cli","onelogin","saml"],"created_at":"2025-12-14T12:42:51.233Z","updated_at":"2026-04-06T07:02:45.720Z","avatar_url":"https://github.com/physera.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# onelogin-aws-cli\n\nA CLI utility that helps with using AWS CLI\nwhen using AWS Roles and OneLogin authentication.\n\n[![Build Status](https://travis-ci.org/physera/onelogin-aws-cli.svg?branch=master)](https://travis-ci.org/physera/onelogin-aws-cli)\n[![codecov](https://codecov.io/gh/physera/onelogin-aws-cli/branch/master/graph/badge.svg)](https://codecov.io/gh/physera/onelogin-aws-cli)\n\nThis package provides a CLI utility program that:\n\n- Authenticates against OneLogin.\n- Fetches a list of available Roles in AWS for a given OneLogin AWS App.\n- Allows the user to select a Role to assume.\n- Saves credentials for the assumed role in the AWS CLI Shared Credentials File.\n\nIn order to be able to use this program, you must first\n[Configure SAML for AWS in OneLogin][onelogin-configuring-saml-for-aws].\n\nNote that while the repo and the pip package are called `onelogin-aws-cli`,\nthe installed program is called `onelogin-aws-login`.\n\n\n\n## Installation\n\nTo install, use pip:\n\n```shell\n$ pip install onelogin-aws-cli\n```\n\nNote that `onelogin-aws-cli` requires Python 3.\n\nNote that it is not recommended to install Python packages globally\non your system.\n[Pyenv][pyenv-github] is a great tool for managing your Python environments.\n\nAnother possibility is to install from source using pip:\n\n```shell\n$ cd onelogin-aws-cli\n$ pip3 install .\n```\n\nYet another is to install using pipx:\n\n```shell\n$ cd onelogin-aws-cli\n$ pipx install --verbose --spec . 
onelogin-aws-cli\n```\n\n## Usage\n\nRunning `onelogin-aws-login`  will perform the authentication against OneLogin,\nand cache the credentials in the AWS CLI Shared Credentials File.\n\nFor every required piece of information, the program will present interactive\ninputs, unless that value has already been provided through either\n[command line parameters](#command-line-parameters),\n[environment variables](#environment-variables),\nor [configuration file directives](#configuration-file).\n\n```shell\n$ onelogin-aws-login\nOnelogin Username: myuser@mycompany.com\nOnelogin Password:\nGoogle Authenticator Token: 579114\nPick a role:\n[1]: arn:aws:iam::166878887401:role/onelogin-test-ec2\n[2]: arn:aws:iam::166878887401:role/onelogin-test-s3\n[3]: arn:aws:iam::772123451421:role/onelogin-test-s3\n? 3\nCredentials cached in '/Users/myuser/.aws/credentials'\nExpires at 2018-05-24 15:15:41+00:00\nUse aws cli with --profile 772123451421:role/onelogin-test-s3/myuser@mycompany.com\n```\n\n### Interactive Configuration\n\nPassing the `-c` or `--configure` command line parameter will start an\ninteractive configuration, that presents a series of interactive inputs to\ngather the required pieces of information,\nand save them to the [configuration file](#configuration-file) automatically.\n\n```shell\n$ onelogin-aws-login -c\n```\n\nThis is a special mode of operation for this program,\nand it is typically only used once, after installing the program.\n\nHowever, note that it only supports a basic use case.\nMore advanced use cases will require manual editing of the configuration file.\n\n### Command Line Parameters\n\n- `-c`, `--configure` - Start interactive configuration.\n- `--reset-password` - Forces a prompt for the user to re-enter their password\n  even if the value is saved to the OS keychain.\n- `-C`, `--config-name` - Config section to use.\n- `--profile` - See the corresponding directive in the\n  [configuration file](#configuration-file).\n- `-u`, `--username` - 
See the corresponding directive in the\n  [configuration file](#configuration-file).\n- `-d`, `--duration-seconds` - See the corresponding directive in the\n  [configuration file](#configuration-file).\n- `-v`, `--version` - Print the currently installed version.\n\n### Environment Variables\n\n- `AWS_SHARED_CREDENTIALS_FILE` - Location of the AWS credentials file\n  to write credentials to.  \n  See [AWS CLI Environment Variables][aws-cli-environment-variables]\n  for more information.\n- `ONELOGIN_AWS_CLI_CONFIG_NAME` - Config section to use.\n- `ONELOGIN_AWS_CLI_DEBUG` - Turn on debug mode.\n- `ONELOGIN_AWS_CLI_PROFILE` - See the corresponding directive in the\n  [configuration file](#configuration-file).\n- `ONELOGIN_AWS_CLI_USERNAME` - See the corresponding directive in the\n  [configuration file](#configuration-file).\n- `ONELOGIN_AWS_CLI_DURATION_SECONDS` - See the corresponding directive in the\n  [configuration file](#configuration-file).\n\n\n\n## Configuration File\n\nThe configuration file is located at `~/.onelogin-aws.config`.  \n\nIt is an `.ini` file where each section defines a config name,\nwhich can be provided using either the command line parameter `--config-name`\nor the environment variable `ONELOGIN_AWS_CLI_CONFIG_NAME`.\n\nIf no config name is provided, the `[defaults]` section is used automatically.\n\nAll other sections automatically inherit from the `[defaults]` section,\nand can define any additional directives as desired.\n\n### Directives\n\n- `base_uri` - OneLogin API base URI.  \n  One of either `https://api.us.onelogin.com/`,\n  or `https://api.eu.onelogin.com/` depending on your OneLogin account.\n- `subdomain` - The subdomain you authenticate against in OneLogin.  \n  This will be the first part of your onelogin domain.\n  Eg, In `http://my_company.onelogin.com`, `my_company` would be the subdomain.\n- `username` - Username to be used to authenticate against OneLogin with.  
\n  Can also be set with the environment variable `ONELOGIN_AWS_CLI_USERNAME`.\n- `client_id` - Client ID for the user to use to authenticate against the\n  OneLogin API.  \n  See [Working with API Credentials][onelogin-working-with-api-credentials]\n  for more details.\n- `client_secret` - Client Secret for the user to use to authenticate against\n  the OneLogin API.  \n  See [Working with API Credentials][onelogin-working-with-api-credentials]\n  for more details.\n- `save_password` - Flag indicating whether `onelogin-aws-cli` can save the\n  OneLogin password to an OS keychain.  \n  This functionality supports all keychains supported by\n  [keyring][keyring-pypi].\n- `profile` - AWS CLI profile to store credentials in.  \n  This refers to an AWS CLI profile name defined in your `~/.aws/config` file.\n- `duration_seconds` - Length of the IAM STS session in seconds.  \n  This cannot exceed the maximum duration specified in AWS for the given role.\n- `aws_app_id` - ID of the AWS App instance in your OneLogin account.  \n  This ID can be found by logging in to your OneLogin web dashboard\n  and navigating to `Administration` -\u003e `APPS` -\u003e `\u003cYour app instance\u003e`,\n  and copying it from the URL in the address bar.\n- `role_arn` - AWS Role ARN to assume after authenticating against OneLogin.  \n  Specifying this will disable the display of available roles and the\n  interactive choice to select a role after authenticating.\n- `otp_device` - Allow the automatic selection of an OTP device.  
\n  This value is the human readable string name for the device.\n  Eg, `OneLogin Protect`, `Yubico YubiKey`, etc\n- `ip_address` - The client IP address to send to OneLogin.\n  Relevant when using OneLogin Policies with an IP whitelist.\n  If this is specified, `auto_determine_ip_address` is not used.\n- `auto_determine_ip_address` - Automatically determine the client IP address.\n  Relevant when using OneLogin Policies with an IP whitelist.\n  Can be used without specifying `ip_address`.\n\n### Example\n\n```ini\n[defaults]\nbase_uri = https://api.us.onelogin.com/\nsubdomain = mycompany\nusername = john@mycompany.com\nclient_id = f99ee51f00400649280db1028ffa3ca9b21b680f2189b238d342cc8158c401c7\nclient_secret = a85234b6db01a29a493e2422d7930dffe6f4d3a826270a18838574f6b8ef7c3e\nsave_password = yes\nprofile = mycompany-onelogin\nduration_seconds = 3600\nauto_determine_ip_address = yes\n\n[testing]\naws_app_id = 555029\n\n[staging]\naws_app_id = 555045\n\n[live]\naws_app_id = 555070\n\n[testing-admin]\naws_app_id = 555029\nrole_arn = arn:aws:iam::123456789123:role/Admin\n\n[staging-admin]\naws_app_id = 555045\nrole_arn = arn:aws:iam::123456789123:role/Admin\n\n[live-admin]\naws_app_id = 555070\nrole_arn = arn:aws:iam::123456789123:role/Admin\n```\n\nThis example will let you select from 6 config names,\nthat are variations of the same base values specified in `[defaults]`.\n\nThe first three, `testing`, `staging`, and `live`,\nall have different OneLogin application IDs.\n\nThe latter three, `testing-admin`, `staging-admin`, and `live-admin`,\nalso have `role_arn` specified,\nso they will automatically assume the role with that ARN.\n\nFor example, to use the `staging` config, you could run:\n\n```shell\n$ onelogin-aws-login -C staging\n```\n\nAnd to use the `live-admin` config, you could run:\n\n```shell\n$ onelogin-aws-login -C live-admin\n```\n\n\n\n## Developing onelogin-aws-cli\n\n#### Run tests\n\n```shell\n$ python3 -m venv env\n$ source 
env/bin/activate\n(env)$ pip install -r requirements.txt\n(env)$ python setup.py nosetests\n(env)$ deactivate\n```\n\n[onelogin-configuring-saml-for-aws]: https://support.onelogin.com/hc/en-us/articles/201174164-Configuring-SA-for-Amazon-Web-Services-AWS-Single-Role\n[onelogin-working-with-api-credentials]: https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials\n[aws-cli-environment-variables]: https://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html\n[pyenv-github]: https://github.com/pyenv/pyenv\n[keyring-pypi]: https://pypi.python.org/pypi/keyring\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphysera%2Fonelogin-aws-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphysera%2Fonelogin-aws-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphysera%2Fonelogin-aws-cli/lists"}