AWS Credential Process

Project description

README

Description

A script to use as credential_process for the AWS CLI (and for boto3, which honours the same setting). It caches your MFA session in a keyring and can use a YubiKey to authenticate.

This is useful if you are required to use MFA authenticated sessions or need an MFA authenticated session to assume a role.

Installing

Generic

You can install aws-credential-process using pip:

pip install aws_credential_process

I recommend installing aws-credential-process in a virtualenv:

virtualenv ~/venv/aws_credential_process
~/venv/aws_credential_process/bin/pip install aws_credential_process

After the above commands you should be able to run ~/venv/aws_credential_process/bin/aws-credential-process.

MacOS (Homebrew)

brew install meeuw/aws-credential-process/aws-credential-process

Usage

You can use the following arguments to start aws-credential-process:

Usage: aws-credential-process [OPTIONS]

  Get output suitable for aws credential process

Options:
  --version                       Show the version and exit.
  --access-key-id TEXT
  --secret-access-key TEXT
  --mfa-oath-slot TEXT            how the MFA slot is named, check using ykman
                                  oath code
  --mfa-serial-number TEXT        MFA serial number, see IAM console
  --mfa-session-duration INTEGER  duration in seconds, use zero to assume role
                                  without session
  --assume-session-duration INTEGER
                                  duration in seconds
  --assume-role-arn TEXT          IAM Role to be assumed, optional
  --assume-role-policy-arns TEXT  Assume role with policy ARN, can be used
                                  multiple times
  --assume-role-policy TEXT       Assume role with this policy, you can use a
                                  filename if this value starts with @
  --assume-role-source-identity TEXT
                                  The source identity specified by the
                                  principal that is calling the AssumeRole
                                  operation.
  --assume-role-role-session-name TEXT
                                  An identifier for the assumed role session.
  --force-renew-session
  --force-renew-assume-role
  --credentials-section TEXT      Use this section from ~/.aws/credentials
  --pin-entry TEXT                pin-entry helper, should be compatible with
                                  Assuan protocol (GPG)
  --log-file TEXT
  --config-section TEXT           Use this section in config-file
  --config-file TEXT
  --output-format TEXT            Output format, json (default) or shell
  --help                          Show this message and exit.

aws-credential-process is meant to be used as credential_process in your .aws/config file. For example:

[profile yourprofile]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --mfa-oath-slot "Amazon Web Services:test@example.com" --mfa-serial-number arn:aws:iam::123456789012:mfa/john.doe --assume-role-arn arn:aws:iam::123456789012:role/YourRole

You can also use aws-credential-process to generate export statements for your shell, a form that many tools support:

$ $(/home/user/venv/aws_credential_process/bin/aws-credential-process --mfa-oath-slot "Amazon Web Services:test@example.com" --mfa-serial-number arn:aws:iam::123456789012:mfa/john.doe --assume-role-arn arn:aws:iam::123456789012:role/YourRole --output-format shell)

Configuration

aws-credential-process can also read a configuration file; its default location is ~/.config/aws-credential-process/config.toml. This file holds defaults, so you don't have to supply all of the arguments on every call.

You can configure a default pin-entry program like this:

pin_entry = "/usr/local/bin/pin_entry"

Or you can define multiple config sections:

[123457890123]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::123457890123:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[098765432101]
mfa_oath_slot="Amazon Web Services:user@098765432101"
credentials_section="098765432101"
mfa_serial_number="arn:aws:iam::098765432101:mfa/user"

If you need to assume roles in several accounts of the same organisation you'll end up with a lot of similar entries. To keep this simple, the configuration can be defined hierarchically: keys in the parent section are inherited by its children, and {section} is replaced by the child section's name.

[[org]]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::{section}:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[[org.098765432101]]
[[org.567890123456]]

This would be the same as the following configuration:

[098765432101]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::098765432101:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

[567890123456]
mfa_oath_slot="Amazon Web Services:user@123457890123"
assume_role_arn="arn:aws:iam::567890123456:role/Other/Role"
credentials_section="123457890123"
mfa_serial_number="arn:aws:iam::123457890123:mfa/user"

With the above configuration aws-credential-process can be used like this in ~/.aws/config:

[profile profile1]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=098765432101

[profile profile2]
credential_process = /home/user/venv/aws_credential_process/bin/aws-credential-process --config-section=567890123456
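To make the equivalence above concrete, here is an added example (not the project's own code) that expands the hierarchical [[org]] configuration into the flat sections shown earlier. The nested dict is constructed inline to match what Python's tomllib produces for that TOML; the inheritance and {section} substitution rules, and the generalisation to deeper nesting, are my assumptions about the documented behaviour.

```python
# Constructed inline: the structure tomllib yields for the [[org]] /
# [[org.098765432101]] / [[org.567890123456]] example in the README.
HIERARCHICAL = {
    "org": [
        {
            "mfa_oath_slot": "Amazon Web Services:user@123457890123",
            "assume_role_arn": "arn:aws:iam::{section}:role/Other/Role",
            "credentials_section": "123457890123",
            "mfa_serial_number": "arn:aws:iam::123457890123:mfa/user",
            "098765432101": [{}],   # child sections are arrays of tables
            "567890123456": [{}],
        }
    ]
}


def _substitute(name, table):
    """Replace the {section} placeholder in every string value (assumption:
    the placeholder stands for the leaf section's own name)."""
    return {k: v.replace("{section}", name) if isinstance(v, str) else v
            for k, v in table.items()}


def _expand(name, table, inherited, out):
    """Walk one node: scalar keys become defaults for the subtree, nested
    arrays of tables are children, and a node without children is a leaf
    section (assumed rule; deeper nesting is handled the same way)."""
    defaults = dict(inherited)          # child keys override parent keys
    children = {}
    for key, value in table.items():
        if isinstance(value, list) and all(isinstance(v, dict) for v in value):
            children[key] = value
        else:
            defaults[key] = value
    if not children:
        out[name] = _substitute(name, defaults)
        return
    for child_name, tables in children.items():
        for child_table in tables:
            _expand(child_name, child_table, defaults, out)


def expand_config(config):
    """Flatten a parsed config.toml into {section_name: settings}."""
    out = {}
    for name, value in config.items():
        if isinstance(value, list):      # hierarchical [[group]] node
            for table in value:
                _expand(name, table, {}, out)
        elif isinstance(value, dict):    # plain [section]
            out[name] = _substitute(name, value)
        else:                            # top-level default, e.g. pin_entry
            out[name] = value
    return out
```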

Optional arguments

Once you have supplied the secret-access-key it is cached in your keyring, so you can omit it on subsequent calls.

When you don't supply the access-key-id it is loaded from ~/.aws/credentials. You can use a section other than "default" with the credentials-section argument.

If you don't specify *-session-duration, the AWS default (3600 seconds) is used. When --mfa-session-duration is set to 0 and you use --assume-role-arn, the role is assumed without first creating an MFA session. Some API calls can't be made when the role is assumed from an MFA session.

You can also omit --assume-role-arn; you then get an MFA-authenticated session based on your permanent IAM credentials.
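As an added illustration of what a cached MFA session has to turn into (example code, not taken from the project), the block below checks whether a cached session is still usable and emits either the JSON document the AWS CLI expects from a credential_process or shell export lines. The cache entry layout and the exact shell output format are my assumptions; the JSON keys (Version 1, AccessKeyId, SecretAccessKey, SessionToken, Expiration) are the documented credential_process contract.

```python
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample of a cached MFA session (hypothetical keyring layout,
# fake values). Expiration is ISO 8601 with an explicit UTC offset.
CACHED_SESSION = {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "exampleSecretKey/NotReal+0000000000000000",
    "SessionToken": "FwoGZXIvYXdzEBEXAMPLETOKEN",
    "Expiration": "2030-01-01T12:00:00+00:00",
}


def credential_process_output(session, now=None, min_remaining=timedelta(minutes=5)):
    """Return the credential_process JSON document for a cached session, or
    None when it expires within min_remaining, signalling that a fresh MFA
    code is needed. Refusing nearly-expired sessions avoids handing the CLI
    credentials that die mid-request."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(session["Expiration"])
    if expires - now <= min_remaining:
        return None
    return {
        "Version": 1,                       # required by the AWS CLI
        "AccessKeyId": session["AccessKeyId"],
        "SecretAccessKey": session["SecretAccessKey"],
        "SessionToken": session["SessionToken"],
        "Expiration": expires.isoformat(),  # lets the CLI cache until then
    }


def shell_exports(creds):
    """Render the same credentials as export lines for use with $(...)
    (assumed layout for --output-format shell); shlex.quote keeps any odd
    characters in a token from being interpreted by the shell."""
    mapping = [("AWS_ACCESS_KEY_ID", "AccessKeyId"),
               ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
               ("AWS_SESSION_TOKEN", "SessionToken")]
    return "\n".join(f"export {env}={shlex.quote(creds[key])}" for env, key in mapping)


if __name__ == "__main__":
    creds = credential_process_output(CACHED_SESSION)
    print(json.dumps(creds) if creds else "cached session expired: renew with MFA")
```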

Download files

Download the file for your platform.

Source Distribution

aws-credential-process-0.20.0.tar.gz (20.6 kB)

Built Distribution

aws_credential_process-0.20.0-py3-none-any.whl (20.4 kB)

File details

Details for the file aws-credential-process-0.20.0.tar.gz.

File metadata

  • Download URL: aws-credential-process-0.20.0.tar.gz
  • Size: 20.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.2.0 CPython/3.10.8 Linux/6.0.8-300.fc37.x86_64

File hashes

Hashes for aws-credential-process-0.20.0.tar.gz

Algorithm    Hash digest
SHA256       822d16af4bffbcf2d2db35c12ae50028f5786210c1c6a785294dfb3c45cc4e5d
MD5          78b7cab03c8582f6010bf091474afb7a
BLAKE2b-256  6e47c96cb5ad558c2bec061b1cfc869c31ae912ce8c4412ccaac1063fc6aed8b

File details

Details for the file aws_credential_process-0.20.0-py3-none-any.whl.

File hashes

Hashes for aws_credential_process-0.20.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       2ddf2b319b4c0d422ccd20e944ff17e0b9f6a875eb1bdc775d4ded806114f4db
MD5          3ea8ef7e2669ae8accc4b53b6ef153e7
BLAKE2b-256  311592031b6e36143c78451c2dd319fb3e7c1feff0c77e55f9ba78f1b1a68f94
