TKI Client Download

General Info About Command Line Access to Emory AWS

To access an Emory AWS Account from the command line, Emory requires the use of temporary API keys to reduce the incidence of accounts compromised by disclosure of persistent API keys.

The methods for retreiving temporary keys are different depending on the Emory AWS environment you want to access.

AWS at Emory CLI Access

AWS at Emory is a self-service platform for Emory researchers. Users of AWS at Emory should follow this knowledgebsae article, AWS at Emory – How to Retrieve AWS Access Keys for Invoking API Calls with AWS IAM Identity Center to retreive temporary API keys.

Emory Cloud Services (ECS) Access via TKI Client

Emory has provided a command-line utility for ECS users and a backend service to simplify the process of requesting and using temporary keys.

These are called the Temporary Key Issuance Client (TKI Client) and the Temporary Key Issuance Service (TKI Service). Users will download and install the TKI Client on each workstation from which they would like to access the account.

The TKI client downloads can be found below:

• TKI Client for Linux
• TKI Client for MacOS
• TKI Client for Windows

Using the TKI Client

To obtain temporary keys with the TKI Client, run the TKI Client with the platform-specific instructions provided by the install process and respond to its prompts for:

1. Emory NetID
2. Emory Password
3. If username and password authentication is successful, the user will be prompted to select a Duo authentication method
4. If Duo authentication is successful and if the user is associated with more than one account or role, the user will be prompted to select an account and role to assume
5. The user will be issued temporary keys and the TKI Client will write them to the user's AWS profile and return the profile name of the new temporary credentials

The user can then interact with the account from the command line using the profile name that contains the temporary credentials. Temporary credentials are valid for 12 hours. Once the credentials expire users must re-execute the TKI Client to obtain new temporary credentials.