from-profile for second switch #53

Open
wants to merge 2 commits into
base: master
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -17,7 +17,7 @@ Installation:
-------------
Option 1
```sh
$ pip install aws-mfa
$ pip install git+https://github.com/jdnrg/aws-mfa.git#egg=aws-mfa
```

Option 2
Expand Down Expand Up @@ -167,6 +167,8 @@ Usage
--role-session-name ROLE_SESSION_NAME
Friendly session name required when using --assume-
role. By default, this is your local username.
--from-profile
The profile to use to switch from a second time, does not need mfa.
```

**Argument precedence**: Command line arguments take precedence over environment variables.
Expand Down Expand Up @@ -286,4 +288,4 @@ INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:1
$> aws s3 list-objects —bucket my-production-bucket —profile myorganization-production

$> aws s3 list-objects —bucket my-staging-bucket —profile myorganization-staging
```
```
75 changes: 50 additions & 25 deletions awsmfa/__init__.py
Expand Up @@ -48,6 +48,9 @@ def main():
help="The suffix appended to the profile name to"
"identify the long term credential section",
required=False)
parser.add_argument('--from-profile',
help="The profile to assume the role from",
required=False)
parser.add_argument('--short-term-suffix', '--short-suffix',
help="The suffix appended to the profile name to"
"identify the short term credential section",
Expand Down Expand Up @@ -126,13 +129,17 @@ def validate(args, config):
args.profile = os.environ.get('AWS_PROFILE')
else:
args.profile = 'default'

if not args.long_term_suffix:
long_term_name = '%s-long-term' % (args.profile,)
elif args.long_term_suffix.lower() == 'none':
long_term_name = args.profile
aws_security_token = None
if args.from_profile:
long_term_name = args.from_profile
aws_security_token = config.get(long_term_name, 'aws_security_token')
else:
long_term_name = '%s-%s' % (args.profile, args.long_term_suffix)
if not args.long_term_suffix:
long_term_name = '%s-long-term' % (args.profile,)
elif args.long_term_suffix.lower() == 'none':
long_term_name = args.profile
else:
long_term_name = '%s-%s' % (args.profile, args.long_term_suffix)

if not args.short_term_suffix or args.short_term_suffix.lower() == 'none':
short_term_name = args.profile
Expand All @@ -158,6 +165,7 @@ def validate(args, config):
try:
key_id = config.get(long_term_name, 'aws_access_key_id')
access_key = config.get(long_term_name, 'aws_secret_access_key')

except NoSectionError:
log_error_and_exit(logger,
"Long term credentials session '[%s]' is missing. "
Expand All @@ -174,9 +182,8 @@ def validate(args, config):
elif config.has_option(long_term_name, 'aws_mfa_device'):
args.device = config.get(long_term_name, 'aws_mfa_device')
else:
log_error_and_exit(logger,
'You must provide --device or MFA_DEVICE or set '
'"aws_mfa_device" in ".aws/credentials"')
logger.info('not using a mfa device')


# get assume_role from param or env var
if not args.assume_role:
Expand Down Expand Up @@ -273,23 +280,27 @@ def validate(args, config):
% (diff.total_seconds(), exp))

if should_refresh:
get_credentials(short_term_name, key_id, access_key, args, config)
get_credentials(short_term_name, key_id, access_key, args, config, aws_security_token)


def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config, aws_security_token):
mfa_token = None
if args.token:
logger.debug("Received token as argument")
mfa_token = '%s' % (args.token)
else:
console_input = prompter()
mfa_token = console_input('Enter AWS MFA code for device [%s] '
'(renewing for %s seconds):' %
(args.device, args.duration))
if args.device:
console_input = prompter()
mfa_token = console_input('Enter AWS MFA code for device [%s] '
'(renewing for %s seconds):' %
(args.device, args.duration))

print(lt_key_id, lt_access_key)
client = boto3.client(
'sts',
aws_access_key_id=lt_key_id,
aws_secret_access_key=lt_access_key
aws_secret_access_key=lt_access_key,
aws_session_token=aws_security_token
)

if args.assume_role:
Expand All @@ -301,13 +312,23 @@ def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
"via --role-session-name")

try:
response = client.assume_role(
if mfa_token:
response = client.assume_role(
RoleArn=args.assume_role,
RoleSessionName=args.role_session_name,
DurationSeconds=args.duration,
SerialNumber=args.device,
TokenCode=mfa_token
)
else:
print(args.assume_role,args.role_session_name,args.duration)

response = client.assume_role(
RoleArn=args.assume_role,
RoleSessionName=args.role_session_name,
DurationSeconds=args.duration,
SerialNumber=args.device,
TokenCode=mfa_token
DurationSeconds=args.duration
)

except ClientError as e:
log_error_and_exit(logger,
"An error occured while calling "
Expand All @@ -329,11 +350,15 @@ def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
logger.info("Fetching Credentials - Profile: %s, Duration: %s",
short_term_name, args.duration)
try:
response = client.get_session_token(
DurationSeconds=args.duration,
SerialNumber=args.device,
TokenCode=mfa_token
)
if mfa_token:
response = client.get_session_token(
DurationSeconds=args.duration,
SerialNumber=args.device,
TokenCode=mfa_token
)
else :
log_error_and_exit(logger, "Cannot get a session token without a device")

except ClientError as e:
log_error_and_exit(
logger,
Expand Down
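Review bot: `print(lt_key_id, lt_access_key)` just before the STS client is built writes the long-term access key id and secret access key to stdout, where they land in terminal scrollback and any shell or CI log; it looks like leftover debugging, as does `print(args.assume_role,args.role_session_name,args.duration)` in the no-MFA `assume_role` branch, and both should be removed (a `logger.debug` of the non-secret values is fine if they are still wanted). Separately, replacing the `log_error_and_exit` for a missing device with `logger.info('not using a mfa device')` fails open for every invocation, not only `--from-profile`: a profile that merely forgot `aws_mfa_device` now silently gets an `assume_role` without `SerialNumber`/`TokenCode` instead of an error. Keep the error on the normal path and permit the no-device case only when the new flag is set, e.g. `elif not args.from_profile:` followed by the original `log_error_and_exit(...)` call, then `else: logger.info('not using a mfa device')`. The `config.get(long_term_name, 'aws_security_token')` read in the from-profile branch also sits outside the `try`/`except NoSectionError` further down, so a missing section or a profile without a session token produces a traceback rather than the friendly message. `validate` and `get_credentials` both start and end outside the individual hunks, so the surrounding control flow is inferred from the visible lines.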