def assume_role(session: Session,
role_arn: str,
duration: int = 3600,
session_name: str = None) -> Session:
# noinspection PyTypeChecker
fetcher = AssumeRoleCredentialFetcher(session.create_client,
session.get_credentials(),
role_arn,
extra_args={
'DurationSeconds': duration,
'RoleSessionName': session_name
})
role_session = Session()
role_session.register_component(
'credential_provider',
CredentialResolver([AssumeRoleProvider(fetcher)]))
return role_session
def setup_aws_client(config):
role_arn = "arn:aws:iam::{}:role/{}".format(
config['account_id'].replace('-', ''), config['role_name'])
session = Session()
fetcher = AssumeRoleCredentialFetcher(session.create_client,
session.get_credentials(),
role_arn,
extra_args={
'DurationSeconds': 3600,
'RoleSessionName': 'TapS3CSV',
'ExternalId':
config['external_id']
},
cache=JSONFileCache())
refreshable_session = Session()
refreshable_session.register_component(
'credential_provider',
CredentialResolver([AssumeRoleProvider(fetcher)]))
LOGGER.info("Attempting to assume_role on RoleArn: %s", role_arn)
boto3.setup_default_session(botocore_session=refreshable_session)
def _get_boto3_session(region: str,
role_arn: str = None,
assume_duration: int = 3600) -> Session:
"""Creates a boto3 session, optionally assuming a role.
Args:
region: The AWS region for the session.
role_arn: The ARN to assume for the session.
assume_duration: The duration (in seconds) to assume the role.
Returns:
object: A boto3 Session.
"""
# By default return a basic session
if not role_arn:
return Session(region_name=region)
# The following assume role example was taken from
# https://github.com/boto/botocore/issues/761#issuecomment-426037853
# Create a session used to assume role
assume_session = BotocoreSession()
fetcher = AssumeRoleCredentialFetcher(
assume_session.create_client,
assume_session.get_credentials(),
role_arn,
extra_args={
"DurationSeconds": assume_duration,
},
cache=JSONFileCache(),
)
role_session = BotocoreSession()
role_session.register_component(
"credential_provider",
CredentialResolver([Boto3Manager.AssumeRoleProvider(fetcher)]),
)
return Session(region_name=region, botocore_session=role_session)
def setup_aws_client(config):
role_arn = "arn:aws:iam::{}:role/{}".format(
config["account_id"].replace("-", ""), config["role_name"])
session = Session()
fetcher = AssumeRoleCredentialFetcher(
session.create_client,
session.get_credentials(),
role_arn,
extra_args={
"DurationSeconds": 3600,
"RoleSessionName": "TapS3CSV",
"ExternalId": config["external_id"],
},
cache=JSONFileCache(),
)
refreshable_session = Session()
refreshable_session.register_component(
"credential_provider",
CredentialResolver([AssumeRoleProvider(fetcher)]))
LOGGER.info("Attempting to assume_role on RoleArn: %s", role_arn)
boto3.setup_default_session(botocore_session=refreshable_session)
def setup_aws_client(config):
if 'role_name' in config:
role_arn = "arn:aws:iam::{}:role/{}".format(
config['account_id'].replace('-', ''), config['role_name'])
session = Session()
fetcher = AssumeRoleCredentialFetcher(session.create_client,
session.get_credentials(),
role_arn,
extra_args={
'DurationSeconds':
3600,
'RoleSessionName':
'TapDynamodDB',
'ExternalId':
config['external_id']
},
cache=JSONFileCache())
refreshable_session = Session()
refreshable_session.register_component(
'credential_provider',
CredentialResolver([AssumeRoleProvider(fetcher)]))
LOGGER.info("Attempting to assume_role on RoleArn: %s", role_arn)
boto3.setup_default_session(botocore_session=refreshable_session)
elif 'aws_access_key_id' in config and 'aws_secret_access_key' in config:
LOGGER.info(
"Attempting to pass AWS credentials from 'aws_access_key_id' and 'aws_secret_access_key' config values"
)
boto3.setup_default_session(
aws_access_key_id=config['aws_access_key_id'],
aws_secret_access_key=config['aws_secret_access_key'],
aws_session_token=config.get('aws_session_token', None))
session = Session()
