Ejemplo n.º 1
def add_profile(args):
    """Create a new profile from parsed CLI arguments and save it in the keyring.

    Reads ``args.profile``, ``args.url``, ``args.role_to_assume`` and
    ``args.external_id``. Prompts for the SSO URL when ``args.url`` is not
    set. On any validation failure it prints an error and exits with
    status 1, before anything is stored.
    """
    # An external ID is only meaningful together with a role to assume.
    if args.external_id and not args.role_to_assume:
        _print_error("Error: Cannot use --external-id without --role.")
        sys.exit(1)

    store = Keyring()
    # Existing profiles are never overwritten; the user must remove them first.
    if store.get_profile(args.profile):
        _print_error(f'Error: Profile "{args.profile}" already exists. If you want to modify '
                     'the profile, remove the profile and add it again.')
        sys.exit(1)

    # The required prefix ends with "/" after the path segment, so the host
    # part is pinned: a look-alike such as "sso.jumpcloud.com.<other-domain>"
    # cannot satisfy the check. Keep that trailing slash if this is edited.
    sso_prefix = "https://sso.jumpcloud.com/saml2/"
    if args.url:
        sso_url = args.url
    else:
        sso_url = input(f'Enter the JumpCloud SSO URL for "{args.profile}": ')
    sso_url = sso_url.strip()
    if not sso_url.startswith(sso_prefix):
        _print_error("Error: That's not a valid JumpCloud SSO URL. SSO URLs must "
                     f"start with \"{sso_prefix}\".")
        sys.exit(1)

    role = args.role_to_assume
    if not role:
        role_spec = None
    elif is_arn(role):
        # A full ARN supplies both the account ID and the role name.
        parsed = parse_arn(role)
        role_spec = AssumedRole(aws_account_id=parsed.aws_account_id,
                                aws_role=parsed.aws_role,
                                external_id=args.external_id)
    else:
        # A bare role name: the account ID is left unset.
        role_spec = AssumedRole(aws_account_id=None,
                                aws_role=role,
                                external_id=args.external_id)

    # The external ID, when given, is persisted as part of the stored profile.
    store.store_profile(Profile(args.profile, sso_url, role_spec))
    print(f'Profile "{args.profile}" added.')
Ejemplo n.º 2
def _remove_single_profile(args):
    """Delete the profile named by ``args.profile`` and its stored session.

    Prints a notice and returns without changes when the profile does not
    exist. The session is deleted before the profile itself.
    """
    store = Keyring()
    name = args.profile
    if not store.get_profile(name):
        print(f'Profile "{name}" not found, nothing to do.')
        return

    # Record whether a session existed before deleting it, so the final
    # message can say that temporary credentials were removed as well.
    session_was_stored = bool(store.get_session(name))
    store.delete_session(name)
    store.delete_profile(name)

    if not session_was_stored:
        print(f'Profile "{name}" removed.')
    else:
        print(f'Profile "{name}" and temporary IAM session removed.')
Ejemplo n.º 3
def _get_aws_session(profile_name):
    """Return the stored AWS session for ``profile_name``, logging in if needed.

    Prints an error and exits with status 1 when the profile is unknown.
    When no session is stored, ``_login_to_aws`` is called and the keyring
    is read again.
    """
    # NOTE(review): only _login_to_aws() is called here; any JumpCloud sign-in
    # presumably happens inside it -- confirm against that helper.
    store = Keyring()
    profile = store.get_profile(profile_name)
    if not profile:
        _print_error(f'Error: Profile "{profile_name}" not found; you must add it first.')
        sys.exit(1)

    cached = store.get_session(profile_name)
    if cached:
        return cached

    _login_to_aws(store, profile)
    # The post-login lookup is returned as-is; it is not re-checked here, so
    # callers get a falsy value if the login stored no session.
    return store.get_session(profile_name)
Ejemplo n.º 4
def _rotate_single_session(args, profile_name=None):
    """Replace the stored temporary IAM session for one profile with a new one.

    ``profile_name`` falls back to ``args.profile`` when it is not given.
    Writes an error to stderr and exits with status 1 when the profile is
    unknown.
    """
    profile_name = profile_name or args.profile
    # NOTE: `assert` is stripped under `python -O`, so this is a developer
    # sanity check and not input validation.
    assert profile_name is not None

    store = Keyring()
    profile = store.get_profile(profile_name)
    if not profile:
        sys.stderr.write(f'Error: Profile "{profile_name}" not found.\n')
        sys.exit(1)

    # The JumpCloud login runs before the old session is deleted.
    # NOTE(review): presumably so that a failed sign-in leaves the existing
    # session in place -- confirm _login_to_jumpcloud exits or raises on failure.
    _login_to_jumpcloud(profile_name)

    store.delete_session(profile_name)
    print(f'Temporary IAM session for "{profile_name}" removed.')

    _login_to_aws(store, profile)
    # NOTE(review): the new session is used without a None check; this assumes
    # _login_to_aws always stores one -- confirm.
    new_session = store.get_session(profile_name)
    valid_until = new_session.expires_at.strftime('%c %Z')
    print(f"AWS temporary session rotated; new session valid until {valid_until}.\n")