Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/xeger/awsume-1password-plugin

Automates awsume MFA entry via 1Password CLI.
https://github.com/xeger/awsume-1password-plugin

1password 1password-cli aws awsume mfa

Last synced: 12 minutes ago
JSON representation

Automates awsume MFA entry via 1Password CLI.

Host: GitHub
URL: https://github.com/xeger/awsume-1password-plugin
Owner: xeger
License: mit
Created: 2023-02-05T00:42:38.000Z (almost 2 years ago)
Default Branch: main
Last Pushed: 2024-07-19T09:58:51.000Z (4 months ago)
Last Synced: 2024-11-02T09:29:29.378Z (13 days ago)
Topics: 1password, 1password-cli, aws, awsume, mfa
Language: Python
Homepage:
Size: 85 KB
Stars: 9
Watchers: 1
Forks: 5
Open Issues: 2
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

README

# Awsume 1Password Plugin

_Awsume 4+ only_.

This is a plugin that automates the entry of MFA tokens using 1Password.
It replaces AWSume's `MFA Token:` prompt with a biometric unlock and delegates to 1Password for policies on how often unlock is required.
In other words: it saves you from ever having to type an MFA token, ever again!

## Support

If you experience any problems, please [file a bug report](https://github.com/xeger/awsume-1password-plugin/issues/new?assignees=xeger&template=bug_report.md).

## Installation

### Install This Plugin

```
pip3 install awsume-1password-plugin
```

If you've installed awsume with `pipx`, this will install the console plugin in awsume's virtual environment:

```
pipx inject awsume awsume-1password-plugin
```

### Set Up 1Password

1. Install the [1Password CLI](https://developer.1password.com/docs/cli)
2. Enable [biometric unlock](https://developer.1password.com/docs/cli/about-biometric-unlock) of the CLI in 1Password settings

### Configure AWSume

This plugin needs to know which 1Password vault item to use for each MFA token. You can specify this information in your AWSume configuration file.

```yaml
# ~/.awsume/config.yaml

colors: true
1password: AWS (12345, tony)
```

In this example, I have only one MFA token shared among all my accounts (which belong to the same organization).

I have a corresponding 1Password vault item that looks like this:

![Example 1Password Item](docs/screenshots/1p-item.png "Example 1Password Item")

### Multiple MFA Tokens

```yaml
# ~/.awsume/config.yaml

colors: true
fuzzy-match: false
1password:
"arn:aws:iam::12345:mfa/tony": "AWS for Tony Inc."
"arn:aws:iam::67890:mfa/xeger": "AWS for Xeger Enterprises"
```

In this example I have access to two unrelated accounts, so there are two MFA tokens and two 1Password vault items; the config subsection becomes a map of token serials to vault item names.

## Usage

This plugin works automatically in the background; just `awsume` roles as you normally would, and it will invoke the `op` command to obtain TOTP tokens whenever AWSume requires one.

## Troubleshooting

If you experience any trouble, invoke `awsume` with the `--debug` flag and look for log entries that contain `1password`.

The specific command that this plugin invokes is `op item get --otp "Profile Name Here"`; make sure it succeeds when you invoke it manually.

If you can't solve your problem, [create a GitHub issue](https://github.com/xeger/awsume-1password-plugin/issues/new) with diagnostic details and we'll try to help you.