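def _write_credentials_cache(exports):
    """Persist the console export text to ``~/.okta-credentials.cache``.

    The text contains live AWS credentials (access key id, secret access key
    and session token), so the file is created with mode 0o600 instead of
    whatever the process umask happens to yield, and a pre-existing cache
    file is tightened to 0o600 *before* the new contents are written.

    Args:
        exports: the string returned by ``console_output``.

    Returns:
        The path that was written.
    """
    path = os.path.join(os.path.expanduser('~'), '.okta-credentials.cache')
    # The mode given to os.open only applies when the file is created; a
    # cache left behind by an older run with looser permissions is chmod'ed
    # explicitly before any credential material lands in it.  O_TRUNC makes
    # sure a shorter export never leaves stale bytes from an earlier run.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as handle:
        os.chmod(path, 0o600)
        handle.write(exports)
    return path


def _resolve_region(okta_auth_config, okta_profile, profile_name, region,
                    logger):
    """Pick the region to store alongside the written credentials.

    Precedence, highest first: the ``region`` given on the CLI, the region
    configured for ``okta_profile``, the region configured for the account
    profile ``profile_name``, and finally the ``default`` section's region.
    A profile/account region that merely equals the default region counts
    as unset, so equal values fall through to the default.  The lookup
    semantics of ``region_for`` are defined in ``OktaAuthConfig``.
    """
    default_region = okta_auth_config.region_for('default')
    okta_region = okta_auth_config.region_for(okta_profile, default=None)
    account_region = okta_auth_config.region_for(profile_name, default=None)

    if region:
        logger.debug("Keeping CLI region: %s", region)
        return region
    if okta_region is not None and okta_region != default_region:
        logger.debug("Setting region=%s via okta-profile=%s", okta_region,
                     okta_profile)
        return okta_region
    if account_region is not None and account_region != default_region:
        logger.debug("Setting region=%s via account profile=%s",
                     account_region, profile_name)
        return account_region
    logger.debug("Setting region=%s via defaults", default_region)
    return default_region


def get_credentials(okta_profile,
                    profile,
                    account,
                    write_default,
                    verbose,
                    logger,
                    totp_token,
                    cache,
                    export,
                    reset,
                    force,
                    region,
                    debug=False):
    """Obtain temporary AWS credentials through Okta and hand them to the user.

    Flow:
      1. If ``force``/``export`` are unset, the profile's ``check_valid_creds``
         setting is truthy and ``aws_auth.check_sts_token(profile)`` reports
         the existing STS token as still usable, nothing is fetched; the
         token is optionally copied to the ``default`` profile and the
         process exits.
      2. Otherwise a SAML assertion is obtained from Okta, a role is chosen
         from it, and STS is asked for a session of the configured duration.
      3. The resulting credentials are either printed to the console (and,
         with ``cache``, persisted to ``~/.okta-credentials.cache`` with
         mode 0o600) or written to ``~/.aws/credentials`` under
         ``profile_name`` and, with ``write_default``, under ``default`` too.

    Every successful path ends in ``exit(0)``; this function never returns
    normally.

    Args:
        okta_profile: section of the okta config to read settings from.
        profile: AWS profile name to write to.  ``None`` means "derive it
            from the account alias" when ``auto_write_profile`` is ``"True"``,
            otherwise the credentials go to the console.
        account: when given, the trailing ``export AWS_PROFILE=...`` hint is
            suppressed.
        write_default: also copy/write the credentials to the ``default``
            AWS profile.
        verbose: passed through to the Okta/AWS helpers and ``console_output``.
        logger: logger used for progress and debug output.
        totp_token: MFA code passed to ``OktaAuth``.
        cache: when printing to the console, also persist the export text
            to ``~/.okta-credentials.cache``.
        export: force console output instead of writing a credentials file.
        reset: passed through to ``OktaAuthConfig`` and ``AwsAuth``.
        force: skip the "existing token still valid" shortcut.
        region: region given on the CLI; overrides every configured region.
        debug: passed through to ``AwsAuth`` and ``OktaAuth``.

    Raises:
        SystemExit: always, with status 0, once the credentials have been
            delivered.
    """
    okta_auth_config = OktaAuthConfig(logger, reset)

    aws_auth = AwsAuth(
        profile=profile,
        okta_profile=okta_profile,
        account=account,
        verbose=verbose,
        logger=logger,
        region=region or okta_auth_config.region_for(okta_profile),
        reset=reset,
        debug=debug,
    )

    # Fast path: reuse a still-valid STS token instead of round-tripping
    # through Okta/MFA again.  --force and --export always bypass it.
    check_creds = okta_auth_config.get_check_valid_creds(okta_profile)
    if (not force and not export and check_creds
            and aws_auth.check_sts_token(profile)):
        if write_default:
            aws_auth.copy_to_default(profile)
            print("Copying AWS profile creds to default")
        exit(0)

    okta = OktaAuth(okta_profile,
                    verbose,
                    logger,
                    totp_token,
                    okta_auth_config,
                    debug=debug)

    _, assertion = okta.get_assertion()
    role_arn, principal_arn, alias = aws_auth.choose_aws_role(assertion)

    # The config layer hands boolean settings back as the literal string
    # "True"; compare accordingly (same for get_store_role below).
    auto_write = okta_auth_config.get_auto_write_profile(okta_profile)
    if auto_write == "True" and profile is None:
        profile_name = "default" if alias == "unknown" else alias
    else:
        profile_name = profile

    if okta_auth_config.get_store_role(okta_profile) == "True":
        okta_auth_config.save_chosen_role_for_profile(okta_profile, role_arn)

    duration = okta_auth_config.get_session_duration(okta_profile)
    sts_token = aws_auth.get_sts_token(role_arn, principal_arn, assertion,
                                       duration)
    access_key_id = sts_token['AccessKeyId']
    secret_access_key = sts_token['SecretAccessKey']
    session_token = sts_token['SessionToken']
    # duration is passed to STS as-is and displayed as hours here, i.e. it
    # is treated as seconds.
    print("Credentials valid for %s hours" % round(duration / 3600, 1))

    if (profile_name is None or export) and not write_default:
        logger.info(
            "Either profile name not given or export flag set, will output to console."
        )
        # NOTE(review): console_output is defined elsewhere; the secret
        # material it emits may land in terminal scrollback or CI logs.
        exports = console_output(access_key_id, secret_access_key,
                                 session_token, verbose)
        if cache:
            _write_credentials_cache(exports)
        exit(0)

    # Re-resolve the region now that the account alias is known, since the
    # AwsAuth region above was chosen before a profile_name existed.
    region = _resolve_region(okta_auth_config, okta_profile, profile_name,
                             region, logger)

    logger.info(
        "Export flag not set, will write credentials to ~/.aws/credentials."
    )
    aws_auth.write_sts_token(
        profile=profile_name,
        access_key_id=access_key_id,
        secret_access_key=secret_access_key,
        session_token=session_token,
        region=region,
    )
    if write_default:
        print("Writing to default AWS profile")
        aws_auth.write_sts_token(
            profile='default',
            access_key_id=access_key_id,
            secret_access_key=secret_access_key,
            session_token=session_token,
            region=region,
        )
    elif account is None:
        # Only print the usage hint when the account wasn't given explicitly.
        print("".join([
            "\nTo start using these temporary credentials, run:\n",
            "\n export AWS_PROFILE=%s\n" % profile_name
        ]))
    exit(0)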