Skip to main content

helps you run aws commands with sso-based credentials

Project description

AWS Helper

https://pypi.org/project/awshelper/
A utility that lets you use AWS SSO credentials when running tools that talk to AWS.

Rationale

AWS CLI v2 and AWS SSO use a completely new and different way to persist aws credentials. This is likely to break compatability with a lot of existing tools that use AWS apis such as terraform, awslogs and probably thousands more.

AWS Helper reads the "new and modern" credentials stored by aws cli v2, and extracts "old-school" environment variables from them. It then executes the specified command, within this environment.

Prereqs:

  • awshelper requires python 3.x (tested on 3.8) and pip
  • aws cli v2 installed (make sure you run a recent build)
  • your org is set up with AWS SSO so that you can run aws configure sso --profile myprofile (a named profile is needed) If all this works, you're good to go.

How to use awshelper

install it:
pip install awshelper or pip3 install awshelper depending on your setup. You should use a root/sudo user to install it globally

you can either use env vars to specify your profile: AWS_PROFILE=mytest awshelper <command> or
awshelper --profile mytest <command> or
awshelper --profile=mytest <command>.
In any case, a named profile IS required (at least for now)

In some cases, you may have an SSO session, but not a valid aws cli credentials cache file, since these are generated when you run the first aws cli command after refreshing sso credentials. awshelper tries to be smart about this, and run aws cli commands if needed, to refresh the cache. It attemps to print clearly what is happening and, in case of errors, what you need to do.

If you're a fan of awslogs you can now run it using awshelper:
AWS_PROFILE=mytest awshelper awslogs groups --aws-region eu-central-1
...or eksctl:
AWS_PROFILE=mytest awshelper eksctl create cluster -f eksfargate.yml

Other environment variables

If you run scripts that need to determine whether or not they're executed with awshelper, you can use the following environment variables to determine that: AWSHELPER_ENABLED will have a value of YES. AWSHELPER_PROFILE will be set to whatever profile got configured using AWS_PROFILE or the --profile parameter as described above.

Integration with External Process-based credentials

Some AWS tools such as the aws cli, supports "Sourcing Credentials with an External Process", described here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html. awshelper can function as the external process. In this mode, instead of injecting environment variables to a wrapped process, it will instead output the necessary json structure to std when called. To use this mode, run awshelper like this: AWS_PROFILE=mytest EXTERNAL_PROCESS_MODE=true awshelper The recommended way to use this, is to add the following to your /.aws/config file:

[profile myprofile]
region = eu-central-1
credential_process = /home/trond/bin/awshelper_prochelper.sh

and then that bash file could look something like this:

╰─ cat awshelper_prochelper.sh 
#!/usr/bin/env bash

EXTERNAL_PROCESS_MODE=true AWS_PROFILE=someprofile awshelper

I'm not quite sure how aws cli deals with the potential "circular dependency" of calling aws configure sso with a profile where a credential_process statement is added, so use this at your own peril! You might also have problems using this with various tools - I tested quickly with the serverless tools which are javascript-based and it seems to NOT work there. Your mileage may vary

Integration .env files

It can be hard to use a wrapper process such as awshelper when debugging things from an IDE etc. In order to support this type of workflow, awshelper can inject credentials into a .env file, which most modern IDE's can read and use as source of environment variables when it starts your project. In order to do this, simply run awshelper like this: AWS_PROFILE=mytest DOTENV_FILE_MODE=true awshelper. You need to run awshelper in the directory where the .env file exists (or should be created). Any existing values in the .env file will be retained, only the necessary AWS credentials values will be updated.

You can wrap this functionality in a bash script and use it with IntelliJ's "run external tool" or similar, to ensure your .env file always contains a valid set of credentials.

Limitations

  • an AWS profile name IS needed - either specified using environment variables or parameters. If both are specified, the parameter "wins".
  • it will only work with profiles configured with aws configure sso. If you point to a profile with regular access key/secret, it won't work.

Test using docker:

docker run -it -v ~/.aws:/root/.aws:ro ubuntu then run

apt-get update && apt-get install python3-pip
pip3 install awshelper 
AWS_PROFILE=mytest awshelper <my command>

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

awshelper-1.6-py3-none-any.whl (7.4 kB view details)

Uploaded Python 3

File details

Details for the file awshelper-1.6-py3-none-any.whl.

File metadata

  • Download URL: awshelper-1.6-py3-none-any.whl
  • Upload date:
  • Size: 7.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.10

File hashes

Hashes for awshelper-1.6-py3-none-any.whl
Algorithm Hash digest
SHA256 e55dc1343659cbe40a395dd04f2cef4b44af7ed2b9ed1e2e4e0b13f5c9637ad5
MD5 e5c13fac3e84a9d05e743478d4d16d9a
BLAKE2b-256 c0175e6da04221487cb96409604ee538a3a942f69e588b1f9ec16b9f08f51e31

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page