Skip to main content

Command line client for AWS federation proxy api

Project description

Travis build status image Coverage status Version

Overview

The AFP CLI is the command line interface to access the AWS Federation Proxy (AFP).

Its main use case is starting a new shell where your temporary AWS credentials have been exported into the environment.

Installation

The tool is hosted on PyPi and can be installed using the usual Python specific mechanisms, e.g.:

$ pip install afp-cli

Configuration

The afp command can be configured through yaml files in the following directories:

  • /etc/afp-cli/*.yaml (global configuration)

  • $HOME/.afp-cli/*.yaml (per-user configuration)

The yaml files are read in lexical order and merged via yamlreader. The following configuration options are supported:

  • api_url: <api-url> Defaults to lookup a FQDN of a host named afp via DNS and construct the server url from it: https://{FQDN}/afp-api/latest The specified url must contain full server url (not just the FQDN).

  • user: <username> Defaults to the currently logged in user-name

Example:

api_url: https://afp-server.my.domain/afp-api/latest
user: myuser

Usage

Get Help Text

$ afp [-h | --help]

List Available Account Aames and Roles

For the currently logged-in user:

$ afp

The same for another user:

$ afp --user=username

Output format:

<accountname>    <role1>,<role2>,...,<roleN>

Example output:

abc_account    some_role_in_abc_account
xyz_account    some_role_in_yxz_account,another_role_in_xyz

Obtain AWS Credentials

This starts a subshell in which the credentials have been exported into the environment. Use the exit command or press CTRL+D to terminate the subshell.

Use credentials for currently logged in user and specified account and role:

$ afp accountname rolename

Use credentials for the currently logged in user for the first role:

$ afp accountname

As above, but specifying a different user:

$ afp --user=username accountname rolename

Specify the URL of the AFP server, overriding any config file:

$ afp --api-url=https://afp-server.my.domain/afp-api/latest

Show and Export

In case you don’t want to start a subshell or are using something other than bash, you can use --show or --export to display the credentials. You can use the usual UNIX tools to add/remove them from your environment. --show will just show them and --export will show them in a format suitable for an export into your environment, i.e. prefixed with export for UNIX and set for Windows.

$ afp --show <myaccount> [<myrole>]
Password for myuser:
AWS_VALID_SECONDS='600'
AWS_SESSION_TOKEN='XXX'
AWS_SECURITY_TOKEN='XXX'
AWS_SECRET_ACCESS_KEY='XXX'
AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
AWS_ACCESS_KEY_ID='XXX'
$ afp --export <myaccount> [<myrole>]
Password for myuser:
export AWS_VALID_SECONDS='600'
export AWS_SESSION_TOKEN='XXX'
export AWS_SECURITY_TOKEN='XXX'
export AWS_SECRET_ACCESS_KEY='XXX'
export AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
export AWS_ACCESS_KEY_ID='XXX'

The following examples work in zsh, to add and remove them from your environment:

Adding credentials:

$ eval $(afp --export <accountname>)

Removing them again:

$ env | grep AWS | cut -f 1 -d'=' | while read line ; do ; unset $line ; done ;

Write to AWS Credentials File

The AWS tools reads credentials specified with aws configure from a local file named credentials in a folder named .aws in your home directory. The afp-cli tool can write your temporary credentials to this file.

$ afp --write <myaccount> [<myrole>]

Configuration Settings and Precedence

Please read the section on Configuration Settings and Precedence from the AWS documentation.

Interface with the System Keyring

Staring with version 1.3.0 experimental support for the Python keyring module has been implemented. This has only been testing with the Gnome Keyring but supposedly also works with other systems such as Mac OS X Keychain and Windows Credential Vault. If you have made it work with anything other than the Gnome Keyring, please submit a pull-request to modify this sentence.

You can configure to use the keychain by config-file or command-line switch. Viable options are: prompt to prompt for the password during every interaction with the AFP server. keyring to use the Python keyring module. And testing, which will simply send the hardcoded string PASSWORD every time. As the name suggests, this is only useful for testing.

Examples:

user: myuser
password-provider: keychain
$ afp --password-provider keychain
No password found in keychain, please enter it now to store it.
Password for vhaenel:

As you can see, you will be prompted for your password the first time. Note that if you fail to enter the password correctly, the incorrect version will be stored. Note further that if you are using the Gnome-Keychain you can use the tool seahorse to update and delete saved passwords, in this case for the service afp.

There are two intricate caveats when using the keyring module with Gnome-Keychain which is why this feature is considered experimental.

In order for the module to correctly use the Gnome Keychain the Python module PyGObject aka gi is required. As stated on the project website: “PyGObject is a Python extension module that gives clean and consistent access to the entire GNOME software platform through the use of GObject Introspection.” Now, unfortunately, even though this project is available on PyPi it can not be installed from there using pip due to issues with the build system. It is however available as a system package for Ubuntu distributions as package python-gi. Long story short; in order to use the keychain module from afp-cli you need to have the gi module available to your Python interpreter. You can achieve this, for example, by doing a global install of afp-cli using something like sudo pip install afp-cli or install it into a virtual environment that uses the system site packages because it has been created with the --system-site-packages flag.

A second issue arises when the gi module is not installed. In this case, the keyring library simply selects an insecure PlaintextKeyring which simply stores the base64 encoded password in it’s default location at: ~/.local/share/python_keyring/keyring_pass.cfg (!). Since we prefer a secure-by-default approach, the afp-cli will abort with an appropriate message in case this backend is detected.

Lastly, you can use the debug switch to check at runtime which backend was selected:

$ afp-cli --debug --password-provider keychain
...
Note: will use the backend: '<keyring.backends.Gnome.Keyring object at 0x7f48a13e9510>'
...

License

Copyright 2015 Immobilienscout24 GmbH

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

See Also

See Hologram for another solution that brings temporary AWS credentials onto developer desktops.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

afp-cli-1.2.1.post154.tar.gz (10.9 kB view details)

Uploaded Source

File details

Details for the file afp-cli-1.2.1.post154.tar.gz.

File metadata

File hashes

Hashes for afp-cli-1.2.1.post154.tar.gz
Algorithm Hash digest
SHA256 23190fa4ea2b6ee76beb13be5f4e51311f436c59a6cdca56448d07f068150aee
MD5 c58c0d7ee0a8a6eaf2ef31216f897130
BLAKE2b-256 c4fde89ad57d18c3c1f9dbf89d182abab714dcfee5903e272646b6ff2861608d

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page