helps you run aws commands with sso-based credentials
Project description
AWS Helper
https://pypi.org/project/awshelper/
A utility that lets you use AWS SSO credentials when running tools that talk to AWS.
Rationale
AWS CLI v2 and AWS SSO use a completely new and different way to persist aws credentials. This is likely to break compatability with a lot of existing tools that use AWS apis such as terraform, awslogs and probably thousands more.
AWS Helper reads the "new and modern" credentials stored by aws cli v2, and extracts "old-school" environment variables from them. It then executes the specified command, within this environment.
Prereqs:
- awshelper requires python 3.x (tested on 3.8) and pip
- aws cli v2 installed (make sure you run a recent build)
- your org is set up with AWS SSO so that you can run
aws configure sso --profile myprofile
(a named profile is needed) If all this works, you're good to go.
How to use awshelper
install it:
pip install awshelper
or pip3 install awshelper
depending on your setup.
You should use a root/sudo user to install it globally
you can either use env vars to specify your profile:
AWS_PROFILE=mytest awshelper <command>
or
awshelper --profile mytest <command>
or
awshelper --profile=mytest <command>
.
In any case, a named profile IS required (at least for now)
In some cases, you may have an SSO session, but not a valid aws cli credentials cache file, since these are generated when you run the first aws cli command after refreshing sso credentials. awshelper tries to be smart about this, and run aws cli commands if needed, to refresh the cache. It attemps to print clearly what is happening and, in case of errors, what you need to do.
If you're a fan of awslogs
you can now run it using awshelper
:
AWS_PROFILE=mytest awshelper awslogs groups --aws-region eu-central-1
...or eksctl
:
AWS_PROFILE=mytest awshelper eksctl create cluster -f eksfargate.yml
Other environment variables
If you run scripts that need to determine whether or not they're executed with awshelper, you can use the following environment variables to determine that:
AWSHELPER_ENABLED
will have a value of YES
.
AWSHELPER_PROFILE
will be set to whatever profile got configured using AWS_PROFILE
or the --profile
parameter as described above.
Integration with External Process-based credentials
Some AWS tools such as the aws cli, supports "Sourcing Credentials with an External Process",
described here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html.
awshelper can function as the external process. In this mode, instead of injecting environment variables to a wrapped process,
it will instead output the necessary json structure to std when called. To use this mode, run awshelper like this:
AWS_PROFILE=mytest EXTERNAL_PROCESS_MODE=true awshelper
The recommended way to use this, is to add the following to your /.aws/config
file:
[profile myprofile]
region = eu-central-1
credential_process = /home/trond/bin/awshelper_prochelper.sh
and then that bash file could look something like this:
╰─ cat awshelper_prochelper.sh
#!/usr/bin/env bash
EXTERNAL_PROCESS_MODE=true AWS_PROFILE=someprofile awshelper
I'm not quite sure how aws cli deals with the potential "circular dependency" of
calling aws configure sso
with a profile where a credential_process
statement is added,
so use this at your own peril! You might also have problems using this with various tools -
I tested quickly with the serverless
tools which are javascript-based and it seems to NOT work there.
Your mileage may vary
Integration .env files
It can be hard to use a wrapper process such as awshelper
when debugging things from an IDE etc.
In order to support this type of workflow, awshelper can inject credentials into a .env
file, which most modern IDE's can read and use as source of environment variables when it starts your project.
In order to do this, simply run awshelper like this:
AWS_PROFILE=mytest DOTENV_FILE_MODE=true awshelper
. You need to run awshelper in the directory where the .env file exists (or should be created). Any existing values in the .env file will be retained, only the necessary AWS credentials values will be updated.
You can wrap this functionality in a bash script and use it with IntelliJ's "run external tool" or similar, to ensure your .env
file always contains a valid set of credentials.
Limitations
- an AWS profile name IS needed - either specified using environment variables or parameters. If both are specified, the parameter "wins".
- it will only work with profiles configured with
aws configure sso
. If you point to a profile with regular access key/secret, it won't work.
Test using docker:
docker run -it -v ~/.aws:/root/.aws:ro ubuntu
then run
apt-get update && apt-get install python3-pip
pip3 install awshelper
AWS_PROFILE=mytest awshelper <my command>
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file awshelper-1.6-py3-none-any.whl
.
File metadata
- Download URL: awshelper-1.6-py3-none-any.whl
- Upload date:
- Size: 7.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.10
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e55dc1343659cbe40a395dd04f2cef4b44af7ed2b9ed1e2e4e0b13f5c9637ad5 |
|
MD5 | e5c13fac3e84a9d05e743478d4d16d9a |
|
BLAKE2b-256 | c0175e6da04221487cb96409604ee538a3a942f69e588b1f9ec16b9f08f51e31 |