Command line client for AWS federation proxy api

Project Description

Overview

The AFP CLI is the command line interface to access the AWS Federation Proxy (AFP).

Its main use case is starting a new shell where your temporary AWS credentials have been exported into the environment.

Installation

The tool is hosted on PyPI and can be installed using the usual Python-specific mechanisms, e.g.:

$ pip install afp-cli

Configuration

The afp command can be configured through yaml files in the following directories:

  • /etc/afp-cli/*.yaml (global configuration)
  • $HOME/.afp-cli/*.yaml (per-user configuration)

The yaml files are read in lexical order and merged via yamlreader. The following configuration options are supported:

  • api_url: <api-url> Defaults to looking up the FQDN of a host named afp via DNS and constructing the server URL from it: https://{FQDN}/afp-api/latest. The specified URL must contain the full server URL (not just the FQDN). This option always takes precedence over server.
  • server: <server> The AFP server to use. No default value. If not overridden by api_url (see above), api_url will become http://<server>//afp-api/latest
  • user: <username> Defaults to the currently logged in user-name
  • password-provider: <provider> Viable options are: prompt (default) to prompt for the password during every interaction with the AFP server or keyring to use the Python keyring module. For more info about using the keyring module, see below.

Example:

user: myuser
api_url: https://afp-server.my.domain/afp-api/latest
password-provider: keyring

Usage

Get Help Text

$ afp [-h | --help]

List Available Account Names and Roles

For the currently logged-in user:

$ afp

The same for another user:

$ afp --user=username

Output format:

<accountname>    <role1>,<role2>,...,<roleN>

Example output:

abc_account    some_role_in_abc_account
xyz_account    some_role_in_yxz_account,another_role_in_xyz

Obtain AWS Credentials

This starts a subshell in which the credentials have been exported into the environment. Use the exit command or press CTRL+D to terminate the subshell.

Use credentials for currently logged in user and specified account and role:

$ afp accountname rolename

Use credentials for the currently logged in user for the first role:

$ afp accountname

As above, but specifying a different user:

$ afp --user=username accountname rolename

Specify the URL of the AFP server, overriding any config file:

$ afp --api-url=https://afp-server.my.domain/afp-api/latest

Show and Export

In case you don’t want to start a subshell or are using something other than bash, you can use --show or --export to display the credentials. You can use the usual UNIX tools to add/remove them from your environment. --show will just show them and --export will show them in a format suitable for an export into your environment, i.e. prefixed with export for UNIX and set for Windows.

$ afp --show <myaccount> [<myrole>]
Password for myuser:
AWS_VALID_SECONDS='600'
AWS_SESSION_TOKEN='XXX'
AWS_SECURITY_TOKEN='XXX'
AWS_SECRET_ACCESS_KEY='XXX'
AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
AWS_ACCESS_KEY_ID='XXX'
$ afp --export <myaccount> [<myrole>]
Password for myuser:
export AWS_VALID_SECONDS='600'
export AWS_SESSION_TOKEN='XXX'
export AWS_SECURITY_TOKEN='XXX'
export AWS_SECRET_ACCESS_KEY='XXX'
export AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
export AWS_ACCESS_KEY_ID='XXX'

The following examples work in zsh, to add and remove them from your environment:

Adding credentials:

$ eval $(afp --export <accountname>)

Removing them again:

$ env | grep AWS | cut -f 1 -d'=' | while read line ; do ; unset $line ; done ;
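
An added example, not part of afp-cli: `eval` runs whatever text it is handed, and `grep AWS` also matches unrelated variables such as AWS_PROFILE. The hypothetical helpers `afp_load` and `afp_clear` below accept only the six variable names shown in the `--export` output above, assign the values literally, and unset exactly those names again.

```shell
# Names taken from the --export output shown above; anything else is rejected.
AFP_VARS="AWS_VALID_SECONDS AWS_SESSION_TOKEN AWS_SECURITY_TOKEN AWS_SECRET_ACCESS_KEY AWS_EXPIRATION_DATE AWS_ACCESS_KEY_ID"

# Parse one line of the form: export NAME='value'
# Sets _afp_name/_afp_val; returns 1 unless NAME is allow-listed and the
# value is a single-quoted string without embedded quotes.
_afp_parse() {
    case "$1" in "export "*) ;; *) return 1 ;; esac
    _afp_kv=${1#export }
    _afp_name=${_afp_kv%%=*}
    _afp_val=${_afp_kv#*=}
    case "$_afp_name" in ""|*[!A-Z_]*) return 1 ;; esac
    case " $AFP_VARS " in *" $_afp_name "*) ;; *) return 1 ;; esac
    case "$_afp_val" in \'*\') ;; *) return 1 ;; esac
    _afp_val=${_afp_val#\'}
    _afp_val=${_afp_val%\'}
    case "$_afp_val" in *\'*) return 1 ;; esac
    return 0
}

# afp_load TEXT: export the credentials in TEXT, or nothing if any line is odd.
afp_load() {
    # Pass 1: validate every line before touching the environment.
    while IFS= read -r _afp_line; do
        [ -z "$_afp_line" ] && continue
        _afp_parse "$_afp_line" || { echo "afp_load: unexpected line, nothing exported" >&2; return 1; }
    done <<EOF
$1
EOF
    # Pass 2: assign values literally; without eval nothing in them is executed.
    while IFS= read -r _afp_line; do
        [ -z "$_afp_line" ] && continue
        _afp_parse "$_afp_line" && export "$_afp_name=$_afp_val"
    done <<EOF
$1
EOF
    return 0
}

# afp_clear: unset exactly the variables afp exports, leaving e.g. AWS_PROFILE alone.
afp_clear() {
    unset AWS_VALID_SECONDS AWS_SESSION_TOKEN AWS_SECURITY_TOKEN \
          AWS_SECRET_ACCESS_KEY AWS_EXPIRATION_DATE AWS_ACCESS_KEY_ID
}

# Real use: afp_load "$(afp --export <accountname>)"
```

The text is passed as an argument rather than piped in, so the exports land in the calling shell in bash as well as zsh.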

Write to AWS Credentials File

The AWS tools read credentials specified with aws configure from a local file named credentials in a folder named .aws in your home directory. The afp-cli tool can write your temporary credentials to this file.

$ afp --write <myaccount> [<myrole>]

Configuration Settings and Precedence

Please read the section on Configuration Settings and Precedence from the AWS documentation.

Interface with the System Keyring

Starting with version 1.3.0, experimental support for the Python keyring module has been implemented. This has been tested with the Gnome Keyring and Mac OS X Keychain but supposedly also works with Windows Credential Vault. You can configure this feature using the config file as shown above or with a command-line switch.

Example command-line:

$ afp --password-provider keyring
No password found in keychain, please enter it now to store it.
Password for user:

You will be prompted for your password the first time. Note that if you fail to enter the password correctly, the incorrect version will be stored. Note further that if you are using the Gnome-Keychain you can use the tool seahorse to update and delete saved passwords, in this case for the service afp.

Keyring on MacOS X

On some MacOS systems, storing the password works fine, but fetching it fails with Can’t fetch password from system. This is due to a change in the ‘keyring’ module, introduced in version 9.0. As a workaround, downgrade to the previous version with pip install keyring==8.7.

Keyring with Gnome-Keychain

There is an intricate caveat when using the keyring module with Gnome-Keychain. But before discussing this, it is important to mention that the keyring module uses another module, namely secretstorage under the hood.

In order for the keyring module to correctly use the Gnome Keychain, the Python module PyGObject aka gi is required. As stated on the project website: “PyGObject is a Python extension module that gives clean and consistent access to the entire GNOME software platform through the use of GObject Introspection.” Now, unfortunately, even though this project is available on PyPI, it cannot be installed from there using pip due to issues with the build system. It is however available as a system package for Ubuntu distributions as python-gi.

Long story short, in order to use the keyring module from afp-cli you need to have the gi module available to your Python interpreter. You can achieve this, for example, by doing a global install of afp-cli using something like sudo pip install afp-cli or install it into a virtual environment that uses the system site packages because it has been created with the --system-site-packages flag. In case the gi module is not available and you try to use the keyring module anyway, afp-cli will exit with an appropriate error message. Lastly, if in doubt, you can use the --debug switch to check at runtime which backend was selected.

License

Copyright 2015,2016 Immobilien Scout GmbH

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

See Also

See Hologram for another solution that brings temporary AWS credentials onto developer desktops.

Download Files

afp-cli-370.301.tar.gz (17.1 kB), file type: Source, uploaded Oct 17, 2017
