Beispiel #1
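def get_sts_credentials(project_name, project_config, mfa_token, session_name):
    """Assume the project's IAM role with an MFA code and return the STS response.

    Args:
        project_name: Name handed to config.get_base_credentials_for_project
            to look up the base access key pair used to call STS.
        project_config: Mapping that provides 'role_arn', 'mfa_device_arn'
            and 'mfa_device_session_duration'.
        mfa_token: One-time code from the MFA device.
        session_name: Value sent as RoleSessionName.

    Returns:
        The sts:AssumeRole response as returned by boto3, unmodified.

    The process exits with status 1 on ClientError or ParamValidationError.
    """
    try:
        base_creds = config.get_base_credentials_for_project(project_name)
        sts_client = boto3.client(
            'sts',
            aws_access_key_id=base_creds['key_id'],
            aws_secret_access_key=base_creds['access_key']
        )

        response = sts_client.assume_role(
            RoleArn=project_config['role_arn'],
            RoleSessionName=session_name,
            DurationSeconds=int(project_config['mfa_device_session_duration']),
            SerialNumber=project_config['mfa_device_arn'],
            TokenCode=mfa_token
        )

        # The response carries the temporary SecretAccessKey and SessionToken.
        # Log a masked copy so usable credentials never end up in debug
        # output or in log files collected from it; the caller still gets
        # the untouched response.
        loggable = dict(response)
        if 'Credentials' in loggable:
            loggable['Credentials'] = {
                field: ('<redacted>'
                        if field in ('SecretAccessKey', 'SessionToken')
                        else value)
                for field, value in loggable['Credentials'].items()
            }
        util.debug_log(f"Response from STS service: {loggable}")
        return response
    except ClientError as e:
        print(util.red_text("An error occured while calling "
                            "assume role: {}".format(e)))
        sys.exit(1)
    except ParamValidationError as e:
        print(util.red_text("ERROR: " + e.args[0]))
        sys.exit(1)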
Beispiel #2
def get_base_aws_config():
    """Load the credentials file at AWS_CREDS_PATH into a RawConfigParser.

    A parsing failure is reported on stdout but is not fatal: the parser is
    returned in whatever state read() left it, so callers must not assume
    that any particular section is present.
    """
    parser = configparser.RawConfigParser()
    try:
        parser.read(AWS_CREDS_PATH)
    except configparser.ParsingError as err:
        message = ("There was a problem reading or parsing "
                   "your credentials file: %s" % (err.args[0], ))
        print(util.red_text(message))
    return parser
Beispiel #3
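def replace_config_section(file_name, section_name, section_value):
    """Replace (or create) one section of an ini file and write the file back.

    Args:
        file_name: Path of the ini file; a missing file is treated as empty.
        section_name: Section to overwrite.
        section_value: Mapping of option names to values for that section.

    The process exits with status 1 if the existing file cannot be parsed.
    """
    import os

    cfg_parser = configparser.ConfigParser()
    try:
        cfg_parser.read(file_name)
        cfg_parser[section_name] = section_value
        # This helper may be handed files that hold credentials, so a file
        # it creates must not inherit umask-default permissions that let
        # other local users read it. The 0o600 mode applies only when the
        # file is created; an existing file keeps its current mode.
        fd = os.open(file_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as configfile:
            cfg_parser.write(configfile)
    except configparser.ParsingError as e:
        print(
            util.red_text("There was a problem reading or parsing "
                          "file: %s" % (e.args[0], )))
        sys.exit(1)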
Beispiel #4
    def assume_role(self, project_name, environment, role):
        """Obtain MFA-backed session credentials and store them as AWS profiles.

        Looks up the '<project_name>-<environment>' entry in
        self.all_projects_config, prompts for an MFA code, calls
        aws_client.get_sts_credentials and writes the resulting credentials
        to two ini sections: the session-named section of
        config.AWS_ASSUME_CONFIG_PATH and the 'default' section of
        config.AWS_CREDS_PATH. `role` is used only in the log message.

        The process exits with status 1 when the project config does not
        require MFA.
        """
        project_config = self.all_projects_config[
            f'{project_name}-{environment}']
        role_arn = project_config['role_arn']
        util.info_log(
            f"Attempting to assume role: \"{role}\" using ARN: \"{role_arn}\" "
            f"on project: {project_name}")

        # Guard clause: only MFA-protected projects are supported.
        if not project_config['mfa_required']:
            print(
                util.red_text(
                    'ALL PROJECT CONFIGS ARE EXPECTED TO HAVE MFA ENABLED, AS OF THIS VERSION. !'
                ))
            sys.exit(1)

        session_name = f"session-{project_name}-{environment}"
        prompt = f"MFA TOKEN for device {project_config['mfa_device_arn']}"
        mfa_token = config_collector.InputDialog(prompt).get_answer()
        sts_response = aws_client.get_sts_credentials(
            project_name, project_config, mfa_token, session_name)
        issued = sts_response['Credentials']

        # The session token is stored under both option names,
        # aws_session_token and aws_security_token.
        new_session = {
            'aws_access_key_id': issued['AccessKeyId'],
            'aws_secret_access_key': issued['SecretAccessKey'],
            'aws_session_token': issued['SessionToken'],
            'aws_security_token': issued['SessionToken'],
            'expiration': issued['Expiration'].strftime(
                config.EXPIRATION_TIMESTAMP_FORMAT),
        }

        # Both writes persist the secret key and session token in plaintext
        # ini sections; the second one replaces whatever the 'default'
        # profile of the AWS_CREDS file held before.
        config_parser_util.replace_config_section(
            config.AWS_ASSUME_CONFIG_PATH, session_name, new_session)
        config_parser_util.replace_config_section(
            config.AWS_CREDS_PATH, 'default', new_session)
        print(util.green_text('- SUCCESS!'))