Skip to main content

Plugin (fink.awsume) for fink

Project description

Documentation License GitHub issues

note: use with caution! this is untested code in an experimental stage!

Plugin for fink


This plugin makes it easy to manage your AWS SDK Security Credentials when Multi-Factor Authentication (MFA) is enforced on your AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service and updating your AWS Credentials file (located at ~/.aws/credentials).

Features include:

  • create temporary credentials to access an AWS account
  • switch between accounts
  • allow fink to check remaining time until expired
  • renew credentials as part of the fink lifecycle

Installing the plugin

Add the following entry to the requirements_fink.txt file:


If you have not not activate the venv, please do so:

$ source ./venv/bin/activate

And the installation step itself:

$ pip install -r -U requirements_fink.txt

Initial setup

Set ENV variable AWS_DEFAULT_PROFILE or script will use “default” profile

$ export AWS_DEFAULT_PROFILE=<your_company>

Credentials File Setup

In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of brackets: []. The [default] section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.

Long term credential sections are identified by the convention [-long-term]. Short term credentials are identified by the typical convention: []. The following illustrates how you would configure you credentials file using this script:

aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

After running the awsume command, your credentials file would read:

aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

aws_access_key_id = <POPULATED_BY_PLUGIN>
aws_secret_access_key = <POPULATED_BY_PLUGIN>
aws_security_token = <POPULATED_BY_PLUGIN>


    awsume renew
    awsume switch <account>
    awsume set <account> <arn> [--profile=<profile>] [--username=<username>]
    awsume list
    awsume clean
    awsume version

-h --help           show this

Usage example

If you don’t know the account and access what you need you can use:

$ awsume list

To create a configuration for another account:

$ awsume set infra-dev arn:aws:iam::420189626185:role/7f-managed/infra-dev-TeamisFullaccess-MZSLXQ718GX6

For first time users create a configuration for an account:

$ awsume set infra-dev arn:aws:iam::420189626185:role/7f-managed/infra-dev-TeamisFullaccess-MZSLXQ718GX6 --profile=finklabs --username=first.last

Or use switch to another account:

$ awsume switch infra-prod

Most of the time you just want to renew the last used session:

$ awsume renew

Also you can clean the cached account configurations:

$ awsume clean

Running tests

Please make sure to have good test coverage for your plugin so we can always make sure your plugin runs with the upcoming fink version.

Run tests like so:

$ python -m pytest -vv --cov-report term-missing tests/test_*


Copyright (c) 2017 finklabs and others. fink and plugins are released under the MIT License (see LICENSE).

Project details

Release history Release notifications

This version
History Node


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
fink.awsume-1.0.7.tar.gz (11.9 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page