Plugin (fink.awsume) for fink
Note: use with caution! This is untested code in an experimental stage!
Plugin for fink
This plugin makes it easy to manage your AWS SDK Security Credentials when Multi-Factor Authentication (MFA) is enforced on your AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service and updating your AWS Credentials file (located at ~/.aws/credentials).
- create temporary credentials to access an AWS account
- switch between accounts
- allow fink to check remaining time until expired
- renew credentials as part of the fink lifecycle
Installing the plugin
Add the following entry to the requirements_fink.txt file:
If you have not activated the venv, please do so:
$ source ./venv/bin/activate
And the installation step itself:
$ pip install -U -r requirements_fink.txt
Set the environment variable AWS_DEFAULT_PROFILE; otherwise the script will use the “default” profile:
$ export AWS_DEFAULT_PROFILE=<your_company>
Credentials File Setup
In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of brackets: []. The [default] section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.
Long-term credential sections are identified by the convention [<your_company>-long-term]. Short-term credentials are identified by the typical convention: [<your_company>]. The following illustrates how you would configure your credentials file using this script:
[<your_company>-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
After running the awsume command, your credentials file would read:
[<your_company>-long-term]
aws_access_key_id = YOUR_LONGTERM_KEY_ID
aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY

[<your_company>]
aws_access_key_id = <POPULATED_BY_PLUGIN>
aws_secret_access_key = <POPULATED_BY_PLUGIN>
aws_security_token = <POPULATED_BY_PLUGIN>
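The sketch below is an added example, not the plugin's own code: one way to perform the credentials-file update described above in Python, filling the short-term section while leaving the long-term section untouched and keeping the file at mode 0600. The names write_short_term and demo, the profile name acme and all key values are constructed for illustration; the sts dict is shaped like the Credentials field of an STS response.

```python
import configparser
import os
import tempfile


def write_short_term(path, profile, sts_creds):
    """Write STS temporary credentials to [profile]; [profile-long-term] is left as is."""
    cfg = configparser.RawConfigParser()  # raw: no '%' interpolation on secret values
    cfg.read(path)
    if not cfg.has_section(f"{profile}-long-term"):
        raise KeyError(f"missing [{profile}-long-term] section in {path}")
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg.set(profile, "aws_access_key_id", sts_creds["AccessKeyId"])
    cfg.set(profile, "aws_secret_access_key", sts_creds["SecretAccessKey"])
    cfg.set(profile, "aws_security_token", sts_creds["SessionToken"])
    # mkstemp creates the file with mode 0600 in the same directory; renaming it
    # over the original is atomic, so the secrets are never left half-written
    # or readable by other users.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            cfg.write(fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    # Constructed sample values, not real keys.
    sts = {"AccessKeyId": "ASIAEXAMPLEKEYID",
           "SecretAccessKey": "constructed/secret+value",
           "SessionToken": "constructed-token"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with open(path, "w") as fh:
            fh.write("[acme-long-term]\naws_access_key_id = AKIAEXAMPLE\n"
                     "aws_secret_access_key = longtermsecret\n")
        write_short_term(path, "acme", sts)
        cfg = configparser.RawConfigParser()
        cfg.read(path)
        mode = os.stat(path).st_mode & 0o777
    return cfg, mode


if __name__ == "__main__":
    parsed, file_mode = demo()
    print(parsed.sections(), oct(file_mode))
```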
Usage:
    awsume
    awsume renew
    awsume switch <account>
    awsume set <account> <arn> [--profile=<profile>] [--username=<username>]
    awsume list
    awsume clean
    awsume version

    -h --help    show this

If you don’t know which account and access you need, you can use:
$ awsume list
To create a configuration for another account:
$ awsume set infra-dev arn:aws:iam::420189626185:role/7f-managed/infra-dev-TeamisFullaccess-MZSLXQ718GX6
First-time users create a configuration for an account like this:
$ awsume set infra-dev arn:aws:iam::420189626185:role/7f-managed/infra-dev-TeamisFullaccess-MZSLXQ718GX6 --profile=finklabs --username=first.last
Or switch to another account:
$ awsume switch infra-prod
Most of the time you just want to renew the last used session:
$ awsume renew
You can also clean the cached account configurations:
$ awsume clean
Please make sure to have good test coverage for your plugin so we can always make sure your plugin runs with the upcoming fink version.
Run tests like so:
$ python -m pytest -vv --cov-report term-missing tests/test_*
Copyright (c) 2017 finklabs and others. fink and plugins are released under the MIT License (see LICENSE).