Project description

aws-assume-role-lib

Assumed role session chaining (with credential refreshing) for boto3

The typical way to use boto3 when programmatically assuming a role is to explicitly call sts.AssumeRole and use the returned credentials to create a new boto3.Session. However, these credentials expire, and the code must explicitly handle this situation.

When using ~/.aws/config, you have the option to have profiles that assume a role based on another profile, and this automatically handles refreshing expired credentials.

With aws-assume-role-lib, you can easily create assumed role sessions from parent sessions, that automatically refresh expired credentials.

Note that in a Lambda function that needs to assume a role, this means you don't need to make an assume role call in every invocation; you can create the assumed role session during initialization and use it for the lifetime of the execution environment.

Installation

pip install --user aws-assume-role-lib

Usage

import boto3
from aws_assume_role_lib import assume_role

# Get a session
session = boto3.Session()
# or with a profile:
# session = boto3.Session(profile_name="my-profile")

# Assume the session
assumed_role_session = assume_role(session, "arn:aws:iam::123456789012:role/MyRole")

print(assumed_role_session.client("sts").get_caller_identity()["Arn"])

assume_role() takes a session and a role ARN, and optionally other keyword arguments for sts.AssumeRole. Unlike the AssumeRole API call itself, RoleArn is required, but RoleSessionName is not; it's automatically generated if one is not provided. If any new arguments are added to AssumeRole in the future, they can be passed in via the additional_kwargs argument.

By default, assume_role() checks if the parent session does not have credentials or if the parameters are invalid. Without this validation, errors for these issues are more confusingly raised when the child session is first used to make an API call (boto3 does not try to retrieve credentials until they are needed). However, this incurs a small time penalty, so it can be disabled by passing validate=False.

The parent session is available on the child session in the assume_role_parent_session property. Note this property is added by this library; ordinary boto3 sessions do not have it.

Project details

These details have not been verified by PyPI

Project links

Release history Release notifications | RSS feed

2.10.0

May 14, 2022

2.9.0

Sep 28, 2021

2.8.0

Sep 6, 2021

1.7.0

May 18, 2021

1.6.0

May 16, 2021

1.5.0

May 16, 2021

1.4.0

May 15, 2021

1.3.0

Jan 5, 2021

1.2.0

Dec 23, 2020

1.1.0

Dec 19, 2020

This version

1.0.0

Dec 12, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws-assume-role-lib-1.0.0.tar.gz (7.7 kB view hashes)

Uploaded Dec 12, 2020 Source

Built Distribution

aws_assume_role_lib-1.0.0-py3-none-any.whl (8.3 kB view hashes)

Uploaded Dec 12, 2020 Python 3

Hashes for aws-assume-role-lib-1.0.0.tar.gz

Hashes for aws-assume-role-lib-1.0.0.tar.gz
Algorithm	Hash digest
SHA256	`90ec19b3305f1ed5fde2e7960d388bcc344fe9099a3efd3e2c42191d2c3eaae2`
MD5	`9bc5acf1831a25d1a6083cb726ab859b`
BLAKE2b-256	`e326fcada6840bd090eaeb66751df8f8bfa88499be258d76e6045ae69ecb4ac0`

Hashes for aws_assume_role_lib-1.0.0-py3-none-any.whl

Hashes for aws_assume_role_lib-1.0.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`09759e8c71ac2d208b356141ee7176d57e6fd1e1fc7e75749e208a634edc81bc`
MD5	`816fa9f14dca6a8ccf2d802e064625d6`
BLAKE2b-256	`71ef83c70e32b59c9dc612c759e7d2ec23e433c49a7d23a06dddbe49a57008d1`