Command line client for AWS federation proxy api
Overview
The AFP CLI is the command line interface to access the AWS Federation Proxy (AFP).
Its main use case is starting a new shell where your temporary AWS credentials have been exported into the environment.
Installation
The tool is hosted on PyPI and can be installed using the usual Python-specific mechanisms, e.g.:
$ pip install afp-cli
Configuration
The afp command can be configured through yaml files in the following directories:
/etc/afp-cli/*.yaml (global configuration)
$HOME/.afp-cli/*.yaml (per-user configuration)
The yaml files are read in lexical order and merged via yamlreader. The following configuration options are supported:
api_url: <api-url> Defaults to looking up the FQDN of a host named afp via DNS and constructing the server URL from it: https://{FQDN}/afp-api/latest. The specified URL must be the full server URL (not just the FQDN).
user: <username> Defaults to the name of the currently logged-in user.
Example:
api_url: https://afp-server.my.domain/afp-api/latest
user: myuser
Usage
Get Help Text
$ afp [-h | --help]
List Available Account Names and Roles
For the currently logged-in user:
$ afp
The same for another user:
$ afp --user=username
Output format:
<accountname> <role1>,<role2>,...,<roleN>
Example output:
abc_account some_role_in_abc_account
xyz_account some_role_in_yxz_account,another_role_in_xyz
Obtain AWS Credentials
This starts a subshell in which the credentials have been exported into the environment. Use the exit command or press CTRL+D to terminate the subshell.
Use credentials for currently logged in user and specified account and role:
$ afp accountname rolename
Use credentials for the currently logged in user for the first role:
$ afp accountname
As above, but specifying a different user:
$ afp --user=username accountname rolename
Specify the URL of the AFP server, overriding any config file:
$ afp --api-url=https://afp-server.my.domain/afp-api/latest
Show and Export
In case you don’t want to start a subshell or are using something other than bash, you can use --show or --export to display the credentials. You can use the usual UNIX tools to add/remove them from your environment. --show will just show them and --export will show them in a format suitable for an export into your environment, i.e. prefixed with export for UNIX and set for Windows.
$ afp --show <myaccount> [<myrole>]
Password for myuser:
AWS_VALID_SECONDS='600'
AWS_SESSION_TOKEN='XXX'
AWS_SECURITY_TOKEN='XXX'
AWS_SECRET_ACCESS_KEY='XXX'
AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
AWS_ACCESS_KEY_ID='XXX'
$ afp --export <myaccount> [<myrole>]
Password for myuser:
export AWS_VALID_SECONDS='600'
export AWS_SESSION_TOKEN='XXX'
export AWS_SECURITY_TOKEN='XXX'
export AWS_SECRET_ACCESS_KEY='XXX'
export AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
export AWS_ACCESS_KEY_ID='XXX'
The following examples work in zsh to add the credentials to your environment and remove them again:
Adding credentials:
$ eval $(afp --export <accountname>)
Removing them again:
$ env | grep AWS | cut -f 1 -d'=' | while read line ; do ; unset $line ; done ;
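An alternative to the eval and pipeline-unset steps above, added here as an example and not part of afp-cli: the first function loads --export output only after checking that each line has the form shown earlier, and the second clears AWS_* variables in a way that also works in bash and sh. The function names are hypothetical.

```shell
# Added example; afp_load_exports and afp_clear_env are hypothetical names.

# Read `afp --export` output on stdin and export only lines of the exact form
#   export AWS_<NAME>='<value>'
# Nothing is passed to eval, so extra shell syntax on a line is never executed.
afp_load_exports() {
    _afp_rc=0
    while IFS= read -r _afp_line; do
        [ -n "$_afp_line" ] || continue
        _afp_ok=1
        case "$_afp_line" in
            "export AWS_"*"='"*"'") ;;          # expected overall shape
            *) _afp_ok=0 ;;
        esac
        _afp_kv=${_afp_line#export }            # NAME='value'
        _afp_name=${_afp_kv%%=*}                # text before the first '='
        _afp_val=${_afp_kv#*=\'}                # drop NAME='
        _afp_val=${_afp_val%\'}                 # drop the closing quote
        case "$_afp_name" in *[!A-Z0-9_]*) _afp_ok=0 ;; esac
        case "$_afp_val" in *\'*) _afp_ok=0 ;; esac   # quote inside the value
        if [ "$_afp_ok" -eq 1 ]; then
            export "$_afp_name=$_afp_val"
        else
            echo "afp_load_exports: rejected unexpected line" >&2
            _afp_rc=1
        fi
    done
    return "$_afp_rc"
}

# Unset every AWS_* variable in the current shell. The names come from a
# command substitution, so the unset loop is not the tail of a pipeline
# (bash runs that in a subshell, which leaves the calling shell untouched).
# This also clears AWS_* variables that afp did not set.
afp_clear_env() {
    for _afp_name in $(env | sed -n 's/^\(AWS_[A-Z0-9_]*\)=.*/\1/p'); do
        unset "$_afp_name"
    done
}

# Usage (needs a reachable AFP server); a here-document keeps the function
# in the current shell, whereas piping into it would not in bash:
#   afp_load_exports <<EOF
#   $(afp --export accountname rolename)
#   EOF
```

Lines in the Windows `set` format are rejected by this check; it covers only the UNIX `export` format.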
Write to AWS Credentials File
The AWS tools read credentials specified with aws configure from a local file named credentials in a folder named .aws in your home directory. The afp-cli tool can write your temporary credentials to this file.
$ afp --write <myaccount> [<myrole>]
Configuration Settings and Precedence
Please read the section on Configuration Settings and Precedence from the AWS documentation.
License
Copyright 2015 Immobilienscout24 GmbH
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
See Also
See Hologram for another solution that brings temporary AWS credentials onto developer desktops.