AWS Credential Process
Project description
README
Description
Script to use as credential_process
for the AWS CLI (including boto3), it
caches your MFA session in a keyring and can use a Yubi key to authenticate.
This is useful if you are required to use MFA authenticated sessions or need an MFA authenticated session to assume a role.
Installing
You can install aws-credential-process using pip:
pip install aws_credential_process
I recommend to install aws-credential-process in a virtualenv:
virtualenv ~/venv/aws_credential_process
~/venv/aws_credential_process/bin/pip install aws_credential_process
After the above commands you should be able to run ~/venv/aws_credential_process/bin/aws-credential-process
Usage
You can use the following arguments to start aws-credential-process:
Usage: aws-credential-process [OPTIONS]
Get output suitable for aws credential process
Options:
--access-key-id TEXT
--secret-access-key TEXT
--mfa-oath-slot TEXT
--mfa-serial-number TEXT
--mfa-session-duration INTEGER
--assume-session-duration INTEGER
--assume-role-arn TEXT
--force-renew
--credentials-section TEXT
--pin-entry TEXT
--log-file TEXT
--config-section TEXT
--config-file TEXT
--help Show this message and exit.
aws-credential-process is meant to be used as credential_process
in your
.aws/config
file. For example:
[profile yourprofile]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --mfa-oath-slot "Amazon Web Services:test@example.com" --mfa-serial-number arn:aws:iam::123456789012:mfa/john.doe --assume-role-arn arn:aws:iam::123456789012:role/YourRole
If you've supplied the secret-access-key once you can omit it with the next call, it will be cached in your keyring.
When you don't supply the access-key-id it will be loaded from ~/.aws/credentials
.
You can use another section than "default" by using the credentials-section argument.
Configuration
aws-credential-process can also use a configuration file, the default location of
this file is ~/.config/aws-credential-process/config.toml
. This file contains
defaults so you don't have to supply all of the arguments.
You can configure a default pin-entry program like:
pin_entry = /usr/local/bin/pin_entry
Or you can define multiple config-sections:
[123457890123]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::123457890123:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"
[098765432101]
mfa_oath_slot="Amazon Web Services:user@098765432101"
credentials_section="098765432101"
mfa_serial_number="arn:aws:iam::098765432101:mfa/user"
If you need to assume roles from a certain AWS account you'll end up with a lot of simular entries. To make this simple the configuration can be defined hierarchical.
[[org]]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::{section}:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"
[[org.098765432101]]
[[org.567890123456]]
This would be the same as the following configuration:
[098765432101]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::098765432101:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"
[567890123456]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::567890123456:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"
With the above configuration aws-credential-process can be used like this in
~/.aws/config
:
[profile profile1]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=098765432101
[profile profile2]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=567890123456
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-credential-process-0.10.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8e8da289cc12266476ed6d0fe6bc29ab24008e4cdf6248c41ad2e11ada043daa |
|
MD5 | 1930d399712336dba8d9c8211f2a407f |
|
BLAKE2b-256 | 821d7cba63b1ca10bc089b941f5a0b9112f92e5f3987f468cc2a996ab1aab045 |
Hashes for aws_credential_process-0.10.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 1ff5283eb211c20f9a49848ae883eb598ed7f8a2b25978b566f95d03851fa120 |
|
MD5 | 4e868c40ee91df902a4e889a37540c03 |
|
BLAKE2b-256 | 63df391d5b4d64ddf78db3b94813c4fb987c00deab20e3f2c8de5244177090d8 |