Skip to main content

AWS Credential Process

Project description

README

Description

Script to use as credential_process for the AWS CLI (including boto3), it caches your MFA session in a keyring and can use a Yubi key to authenticate.

This is useful if you are required to use MFA authenticated sessions or need an MFA authenticated session to assume a role.

Installing

You can install aws-credential-process using pip:

pip install aws_credential_process

I recommend to install aws-credential-process in a virtualenv:

virtualenv ~/venv/aws_credential_process
~/venv/aws_credential_process/bin/pip install aws_credential_process

After the above commands you should be able to run ~/venv/aws_credential_process/bin/aws-credential-process

Usage

You can use the following arguments to start aws-credential-process:

Usage: aws-credential-process [OPTIONS]

  Get output suitable for aws credential process

Options:
  --access-key-id TEXT
  --secret-access-key TEXT
  --mfa-oath-slot TEXT            how the MFA slot is named, check using ykman
                                  oath code

  --mfa-serial-number TEXT        MFA serial number, see IAM console
  --mfa-session-duration INTEGER  duration in seconds, use zero to assume role
                                  without session

  --assume-session-duration INTEGER
                                  duration in seconds
  --assume-role-arn TEXT          IAM Role to be assumed, optional
  --force-renew
  --credentials-section TEXT      Use this section from ~/.aws/credentials
  --pin-entry TEXT                pin-entry helper, should be compatible with
                                  Assuan protocol (GPG)

  --log-file TEXT
  --config-section TEXT           Use this section in config-file
  --config-file TEXT
  --help                          Show this message and exit.

aws-credential-process is meant to be used as credential_process in your .aws/config file. For example:

[profile yourprofile]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --mfa-oath-slot "Amazon Web Services:test@example.com" --mfa-serial-number arn:aws:iam::123456789012:mfa/john.doe --assume-role-arn arn:aws:iam::123456789012:role/YourRole

Configuration

aws-credential-process can also use a configuration file, the default location of this file is ~/.config/aws-credential-process/config.toml. This file contains defaults so you don't have to supply all of the arguments.

You can configure a default pin-entry program like:

pin_entry = /usr/local/bin/pin_entry

Or you can define multiple config-sections:

[123457890123]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::123457890123:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[098765432101]
mfa_oath_slot="Amazon Web Services:user@098765432101"
credentials_section="098765432101"
mfa_serial_number="arn:aws:iam::098765432101:mfa/user"

If you need to assume roles from a certain AWS account you'll end up with a lot of simular entries. To make this simple the configuration can be defined hierarchical.

[[org]]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::{section}:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[[org.098765432101]]
[[org.567890123456]]

This would be the same as the following configuration:

[098765432101]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::098765432101:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[567890123456]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::567890123456:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

With the above configuration aws-credential-process can be used like this in ~/.aws/config:

[profile profile1]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=098765432101

[profile profile2]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=567890123456

Optional arguments

If you've supplied the secret-access-key once you can omit it with the next call, it will be cached in your keyring.

When you don't supply the access-key-id it will be loaded from ~/.aws/credentials. You can use another section than "default" by using the credentials-section argument.

If you don't specify *-session-duration the default value from AWS will be used (3600 seconds). When --mfa-session-duration is set to 0 and you use --assume-role-arn a role will be assumed without using a session. Some API calls can't be made when the role is assumed using an MFA session.

You can also omit the --assume-role-arn, then you can use an MFA authenticated session using your permanent IAM credentials.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws-credential-process-0.11.0.tar.gz (19.4 kB view details)

Uploaded Source

Built Distribution

aws_credential_process-0.11.0-py3-none-any.whl (19.3 kB view details)

Uploaded Python 3

File details

Details for the file aws-credential-process-0.11.0.tar.gz.

File metadata

  • Download URL: aws-credential-process-0.11.0.tar.gz
  • Upload date:
  • Size: 19.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.4 CPython/3.9.2 Linux/5.10.23-200.fc33.x86_64

File hashes

Hashes for aws-credential-process-0.11.0.tar.gz
Algorithm Hash digest
SHA256 7ffeeef13bc9c414180e792a7f97579780847a1a60d88f072f14509a82703fbe
MD5 44473497a375576aee6a7aeae8ef5bf7
BLAKE2b-256 7121b5cf92bc094c02e9aaeb6e54ab722902c6fa8c0101e758ab4d3ff99937a8

See more details on using hashes here.

File details

Details for the file aws_credential_process-0.11.0-py3-none-any.whl.

File metadata

File hashes

Hashes for aws_credential_process-0.11.0-py3-none-any.whl
Algorithm Hash digest
SHA256 84e6fae032754538c40f3cd7432ffee75f4194c9b9bbb3d20db16066c02e1702
MD5 80930cdbb712f1b423460a51f38819e2
BLAKE2b-256 f77205d4e5c847a039639a4250534a0209cf76f4e5141aefee7a739988e59a4e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page