TKI Client Download

AWS CLI Access via TKI Client

To access an Emory AWS Account from the command line, Emory requires the use of temporary API keys to reduce the incidence of accounts compromised by disclosure of persistent API keys. Temporary keys can be challenging to manage, so Emory has provided a command-line utility and a backend service to simplify the process of requesting and using temporary keys. These are called the Temporary Key Issuance Client (TKI Client) and the Temporary Key Issuance Service (TKI Service). Users will download and install the TKI Client on each workstation from which they would like to access the account. A link to download the TKI Client can be found below. After downloading the appropriate TKI Client package for your operating system, execute the TKI Client installer and follow the installer instructions.

Using the TKI Client

To obtain temporary keys with the TKI Client, run the TKI Client with the platform-specific instructions provided by the install process and respond to its prompts for:

  1. Emory NetID
  2. Emory Password
  3. If username and password authentication is successful, the user will be prompted to select a Duo authentication method
  4. If Duo authentication is successful and if the user is associated with more than one account or role, the user will be prompted to select an account and role to assume
  5. The user will be issued temporary keys and the TKI Client will write them to the user's AWS profile and return the profile name of the new temporary credentials

The user can then interact with the account from the command line using the profile name that contains the temporary credentials. Temporary credentials are valid for 12 hours. Once the credentials expire users must re-execute the TKI Client to obtain new temporary credentials.