Introducing yak

Michael Vigilante
Published in Redbubble, Jul 19, 2018

Over the last couple of months at Redbubble, we’ve been moving towards using Okta as our single sign-on provider. This has given us a bunch of improvements over our previous system, and one of the things we were most excited about was our newfound ability to get AWS credentials with SAML, on the command line, without having to keep access keys or secrets on our laptops.

Photo by Dr. Gerfried Pongratz in Wikimedia Commons

To help us with this, we built a tool called yak. We called it yak for a couple of reasons:
a) It’s easy to type.
b) We could make a backronym for it (Your AWS Kredentials) without too many mental backflips.
c) Yaks are cool, and we all seem to spend a lot of time shaving them, so it felt right to give them some extra recognition.

Yak, like other tools of this type, works by first asking the user to log in to Okta with a username, a password and an optional MFA token. Once Okta has authenticated the user, yak can fetch AWS credentials for an IAM role the user is allowed to assume. With those credentials, the user can perform any action that role has permission to perform.

We designed yak primarily to act as a shim: yak <role> <command> will execute the <command> with the credentials for the <role> injected into the environment around it. This approach isn’t always adequate, though, so if a user needs to do something else with the credentials, they can get them in one of a couple of different formats with yak <role>.

Several of us had used tools similar to yak before — companies seem to build their own in-house versions of tools like this. To that end, we decided to make yak open source and focused pretty heavily on making it a configurable tool useful not just for Redbubble but for any other organisation using both AWS and Okta (there must be a couple of others out there, right?). It was also really important to us that once the tool was configured, it wasn’t too much of a pain to use. To this end, we added convenience features to smooth over some of the major pain points we’d seen in tools like this, including:

  • Aliases for roles (so you can just type, for example, yak staging <command> rather than needing to memorise the ARN).
  • Pretty heavy caching of credentials (so you don’t have to type your password/MFA token over and over again).
  • Support for tab completion (for now, in bash and zsh) for roles, command-line switches and subcommands.
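The flow described above (pick a permitted role out of the SAML assertion, resolve an alias, reuse cached credentials until they are close to expiry, and run a command with the credentials present only in that command's environment) can be sketched in a few functions. This is an added example, not yak's own code: the SAML assertion XML, the alias table, the credential values and the `fetch_credentials` stub (which stands in for the `sts:AssumeRoleWithSAML` call yak would make) are all constructed for illustration.

```python
"""yak-style shim in miniature: SAML role selection, aliases, caching and env injection.
Added example, not yak's code. All sample data below is constructed."""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed stand-in for the (base64-decoded) assertion an IdP such as Okta returns.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Staging,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/Okta</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed alias table (alias -> role ARN), the kind of thing yak's aliases provide.
ALIASES = {"staging": "arn:aws:iam::123456789012:role/Staging"}
NOW = datetime(2018, 7, 19, tzinfo=timezone.utc)          # fixed clock for the demo
LATER = NOW + timedelta(hours=1)                          # past the constructed expiry
# Child command that succeeds only if a session token was injected into its environment.
CHECK_CMD = [sys.executable, "-c",
             "import os, sys; sys.exit(0 if os.environ.get('AWS_SESSION_TOKEN') else 1)"]


def parse_saml_roles(assertion_xml):
    """Return {role_arn: principal_arn} from the AWS Role attribute of the assertion."""
    roles = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            # AWS's format is "role-arn,principal-arn", one value per assumable role.
            role_arn, principal_arn = (s.strip() for s in value.text.split(","))
            roles[role_arn] = principal_arn
    return roles


def resolve_role(name, aliases, permitted):
    """Map an alias or ARN to a role ARN; refuse roles the assertion does not grant."""
    role_arn = aliases.get(name, name)
    if role_arn not in permitted:
        raise PermissionError(f"role {role_arn!r} not granted by the SAML assertion")
    return role_arn


def cached_credentials(cache, role_arn, now, margin=timedelta(minutes=1)):
    """Return cached credentials if they remain valid for at least `margin`."""
    entry = cache.get(role_arn)
    if entry and entry["Expiration"] - now > margin:
        return entry
    return None


def fetch_credentials(role_arn, principal_arn, now):
    """Stub for sts:AssumeRoleWithSAML. Real code sends the base64 assertion to STS,
    which verifies the IdP signature and returns temporary credentials. Values constructed."""
    return {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE", "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token", "Expiration": now + timedelta(hours=1)}


def credentials_env(creds):
    """Environment overlay for the child process; nothing is written to disk."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def run_with_credentials(creds, command):
    """The shim: run `command` with credentials injected into its environment only."""
    env = dict(os.environ)
    env.update(credentials_env(creds))
    return subprocess.run(command, env=env).returncode


def run_as(role_name, command, cache, now=NOW, assertion_xml=SAMPLE_ASSERTION):
    """`yak <role> <command>` in miniature: returns (exit code, whether STS was called)."""
    permitted = parse_saml_roles(assertion_xml)
    role_arn = resolve_role(role_name, ALIASES, permitted)
    creds = cached_credentials(cache, role_arn, now)
    fetched = creds is None
    if fetched:
        creds = fetch_credentials(role_arn, permitted[role_arn], now)
        cache[role_arn] = creds
    return run_with_credentials(creds, command), fetched


if __name__ == "__main__":
    # Usage: python shim.py staging aws sts get-caller-identity
    code, _ = run_as(sys.argv[1], sys.argv[2:], {}) if len(sys.argv) > 2 else (2, False)
    sys.exit(code)
```

Two points the sketch makes concrete: the role the user asks for is checked against the roles the assertion actually grants before any STS call is attempted, and the cache refuses an entry that is about to expire, so a long-running child command is not handed credentials that die a few seconds in.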

We’re pretty happy with the way yak turned out, and it’s now got all the features we need for it to work for us. We’d love to see issues or pull requests suggesting or implementing new features. We’re also open to supporting SAML providers other than Okta if anyone would like to help us implement it.

If you’d like to try out yak, the GitHub readme has instructions to get you started. We’re really excited to be able to release open-source tools like this, so if you notice any issues or have any feature requests, please let us know!
