A Python library for authenticating and accessing CONTACT resources in AWS.
Project description
csaccess
A Python library for authenticating and accessing CONTACT resources in AWS CodeArtifact and Elastic Container Registry (ECR) using OIDC.
Overview
csaccess simplifies access to CONTACT cloud resources by providing a streamlined authentication flow with support for both interactive user-based and automated service-based authentication methods.
Authentication Methods
Feature |
User OIDC |
Static OIDC (Client Credentials) |
|---|---|---|
Authentication |
Interactive user login via web browser |
Application authenticates itself using its secret |
Grant Type |
Authorization Code with PKCE |
Client Credentials |
User Context |
Represents a specific user |
Represents the application/service itself |
Security |
Relies on user credentials and browser |
Relies on the client secret’s security |
Use Cases |
Applications acting on behalf of a user |
Service accounts, background processes |
Token Audience |
Targeted to specific user and application |
Targeted to the application |
Security Warning: Be extremely careful when handling access tokens. Treat them like passwords:
Avoid logging them or storing them insecurely
Never paste sensitive tokens into untrusted online services
Use environment variables where possible to avoid exposing secrets
Installation
pip install csaccessSetup and Configuration
Configuration
The “relying party” local server requires port 29398 to be free and available
Set environment variables to avoid interactive prompts:
On Linux / macOS:
export CS_AWS_OIDC_CLIENT_SECRET="<OIDC-client-secret>"Windows CMD:
set CS_AWS_OIDC_CLIENT_SECRET="<OIDC-client-secret>"Windows PowerShell:
$env:CS_AWS_OIDC_CLIENT_SECRET = "<OIDC-client-secret>"Usage Examples
Important: unset AWS specific vars existing in local env as they will interfere with AWS STS functionality.
unset AWS_PROFILE
unset AWS_DEFAULT_PROFILEBasic Usage
Get PyPI URL with embedded auth token (default action):
import csaccess
ca_pypi_url = csaccess.get_ca_pypi_url_programmatic()You should amend the returned value with specific repo name and interface, for example /16.0/simple.
Get CodeArtifact or ECR tokens in Python:
ca_auth_token = csaccess.get_ca_auth_token_programmatic()
ecr_auth_token = csaccess.get_ecr_auth_token_programmatic()Command-Line Interface
Returns the CodeArtifact URL with an injected token (default):
python -m csaccessGet the CodeArtifact token:
python -m csaccess ca-auth-tokenGet the ECR token:
python -m csaccess ecr-auth-tokenIntegration Examples
Following are examples for Linux / macOS:
Using with pip
CA_PYPI_URL=$(python -m csaccess --quiet)
pip install -i "${CA_PYPI_URL}/16.0/simple" cs.platformUsing with Docker
ECR_TOKEN=$(python -m csaccess ecr-auth-token --quiet)
echo $ECR_TOKEN | docker login -u AWS --password-stdin <ECR-registry-url>
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file csaccess-0.1.0-py3-none-any.whl.
File metadata
- Download URL: csaccess-0.1.0-py3-none-any.whl
- Upload date:
- Size: 20.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.11.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6157fedf9f51d94acd352d059c3d72b599f2d1671bb7a1e183532e7444731445
|
|
| MD5 |
f9f47c70c2103d15c926d835b0e3c1d3
|
|
| BLAKE2b-256 |
38b8749f271ffe3b573cbd4fe91bc9ffaff8114a0fd3eb67661a64ed4feb4055
|
