def get_conn(self): """ Returns the boto S3Connection object. """ if self._default_to_boto: return S3Connection(profile_name=self.profile) a_key = s_key = None if self._creds_in_config_file: a_key, s_key = _parse_s3_config(self.s3_config_file, self.s3_config_format, self.profile) elif self._creds_in_conn: a_key = self._a_key s_key = self._s_key if self._sts_conn_required: sts_connection = STSConnection(aws_access_key_id=a_key, aws_secret_access_key=s_key, profile_name=self.profile) assumed_role_object = sts_connection.assume_role( role_arn=self.role_arn, role_session_name="Airflow_" + self.s3_conn_id) creds = assumed_role_object.credentials connection = S3Connection(aws_access_key_id=creds.access_key, aws_secret_access_key=creds.secret_key, security_token=creds.session_token) else: connection = S3Connection(aws_access_key_id=a_key, aws_secret_access_key=s_key, profile_name=self.profile) return connection
def get_sts_connection(self): token_url = urlparse(self.vars['TOKEN_URL']) STSConnection.DefaultRegionEndpoint = token_url.hostname port = token_url.port if token_url.port else 80 return STSConnection(is_secure=False, port=port, path=token_url.path, aws_access_key_id=self.get_env_var('AWS_ACCESS_KEY_ID'), aws_secret_access_key=self.get_env_var('AWS_SECRET_ACCESS_KEY'))
def conn_aws_arnrole_s3(aws_access_key, aws_access_secret, aws_arn_role, aws_arn_session_name, aws_arn_session_duration, aws_bucket): """ Makes connection to AWS S3 bucket with arn details. The connection details comes from extract_postgres.getawsarn(id) :return: Returns the bucket. If using boto3: sts_client = boto3.client('sts') assumedroleobject = sts_client.assume_role(RoleArn=aws_arn_role, RoleSessionName=aws_arn_session_name, DurationSeconds=aws_arn_session_duration) credentials = assumedroleobject['Credentials'] s3_resource = boto3.resource( 's3', aws_access_key_id=credentials['AccessKeyId'], aws_secret_access_key=credentials['SecretAccessKey'], aws_session_token=credentials['SessionToken']) return s3_resource.Bucket(aws_bucket) """ try: sts_connection = STSConnection(aws_access_key, aws_access_secret) tempCredentials = sts_connection.assume_role(role_arn=aws_arn_role, role_session_name=aws_arn_session_name, duration_seconds=aws_arn_session_duration) s3_connection = S3Connection(aws_access_key_id=tempCredentials.credentials.access_key, aws_secret_access_key=tempCredentials.credentials.secret_key, security_token=tempCredentials.credentials.session_token) return s3_connection.get_bucket(aws_bucket) except Exception as exn: print "The error is {} : {}".format(exn.__class__.__name__, exn)
def get_sts(duration): os.environ['AWS_ACCESS_KEY_ID'] = boto.config.get('long-term', 'aws_access_key_id') os.environ['AWS_SECRET_ACCESS_KEY'] = boto.config.get( 'long-term', 'aws_secret_access_key') boto.config.remove_option('Credentials', 'aws_security_token') try: del os.environ['AWS_SECURITY_TOKEN'] except: pass mfa_TOTP = raw_input("Enter AWS MFA code for user %s:" % mfa_device_name) try: sts_connection = STSConnection() tempCredentials = sts_connection.get_session_token( duration=duration, mfa_serial_number=mfa_serial, mfa_token=mfa_TOTP) boto.config.save_user_option('Credentials', 'aws_access_key_id', tempCredentials.access_key) boto.config.save_user_option('Credentials', 'aws_secret_access_key', tempCredentials.secret_key) boto.config.save_user_option('Credentials', 'aws_security_token', tempCredentials.session_token) boto.config.save_user_option('Credentials', 'expiration', tempCredentials.expiration) except boto.exception.BotoServerError as e: message = '%s - Please try again.' % (e.message) sys.exit(message)
def check_credentials(self): result = False if not self._role_arn: result = True else: try: if self._parameters.get('assumed_region_name', None): sts_connection = boto.sts.connect_to_region( self._parameters['assumed_region_name']) else: sts_connection = STSConnection() assumed_role_object = sts_connection.assume_role( role_arn=self._role_arn, role_session_name=self._role_session) self._parameters[ 'access_key'] = assumed_role_object.credentials.access_key self._parameters[ 'secret_key'] = assumed_role_object.credentials.secret_key self._parameters[ 'session_token'] = assumed_role_object.credentials.session_token result = True except: if self._log_file: log( "An error occured when creating connection, check the exception error message for more details", self._log_file) result = False raise return (result)
def decode_message(self, message): '''Decodes an any encrypted AWS Error message''' from boto.sts import STSConnection sts_connection = STSConnection() print("---------- Decoded message ----------") print((sts_connection.decode_authorization_message( message).decoded_message))
def main(options): sts_connection = STSConnection() # conn = dynamodb.connect_to_region(options.region) assumedRoleObject = sts_connection.assume_role() conn = dynamodb.layer2.Layer2(region=options.region, aws_access_key_id=assumedRoleObject.credentials.access_key, aws_secret_access_key=assumedRoleObject.credentials.secret_key, security_token=assumedRoleObject.credentials.session_token) def create_table(name): table_schema = conn.create_schema( hash_key_name='Key', hash_key_proto_value=str ) table = conn.create_table( name=name, schema=table_schema, read_units=2, write_units=1 ) return table try: create_table(CONFIGURATION_TABLE_NAME) time.sleep(5) except: pass table = conn.get_table(CONFIGURATION_TABLE_NAME) availability_zones = ",".join([zone.name for zone in ec2.connect_to_region(options.region).get_all_zones()]) account_id = iam.connect_to_region(options.region).get_user().arn.split(':')[4] items = { 'account_name': options.account_name, 'account_environment': options.account_environment, 'availability_zones': availability_zones, 'account_id': account_id, 'output_path': options.output_path, 'output_path': options.output_path } if options.accounts: items['accounts'] = options.accounts if options.okta_credential: okta_config = json.load(open(options.okta_credential)) items['okta_credential'] = json.dumps(okta_config) for key, value in items.iteritems(): print key attrs = {'Key': key, 'Value': value} time.sleep(1) my_item = table.new_item(attrs=attrs) print my_item.put()
def create_user(user, mfa): from boto.s3.connection import S3Connection from boto.sts import STSConnection import yaml sts_connection = STSConnection() # Use the appropriate device ID (serial number for hardware device or ARN for virtual device). # Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values. tempCredentials = sts_connection.get_session_token( duration=3600, mfa_serial_number="arn:aws:iam::231871078230:mfa/ec2-dev", mfa_token=mfa) # Use the temporary credentials to list the contents of an S3 bucket s3_connection = S3Connection( aws_access_key_id=tempCredentials.access_key, aws_secret_access_key=tempCredentials.secret_key, security_token=tempCredentials.session_token) try: f = open('users.yaml') except IOError as err: click.echo("Error: %s" % err) else: with f: config = yaml.load(f) if config[user]: policy = config[user]['policies'] access = config[user]['programmatic'] console = config[user]['console'] mfa = config[user]['mfa'] try: response = iam.create_user(UserName=user) except botocore.exceptions.ClientError as e: logging.error(e.response['Error']['Code']) click.echo("Exception Caught: %s" % e) else: print(json.dumps(response, indent=4, default=str)) attach_policy(user, policy) # dispatch dictionary dispatch_dict = { 'programmatic': programmatic_access, 'console': console_access, 'mfa': configure_mfa } for k, v in config[user].items(): if k in ('programmatic', 'console', 'mfa') and v is True: handler = dispatch_dict[k] handler(user) else: click.echo("User configuraton does not exist in %s" % f) sys.exit(1)
def _create_s3_connection_assuming_role(self): """Creates S3 connection by assuming the role necessary to read from the S3 bucket that contains the logs. """ JsonLogger.log_event('assuming_role', assumed_role_arn=self.role_arn) sts_connection = STSConnection() assumed_role = sts_connection.assume_role( role_arn=self.role_arn, role_session_name="AssumeRoleS3BucketRead") self.s3_connection = S3Connection( aws_access_key_id=assumed_role.credentials.access_key, aws_secret_access_key=assumed_role.credentials.secret_key, security_token=assumed_role.credentials.session_token)
def _add_assumed_role(self, config): c = {} c['region_name'] = config['region_name'] assumedRoleObject = STSConnection().assume_role( role_arn=config["assumed_role_arn"], role_session_name="assumeRole_" + uuid.uuid4().urn[-12:]) c["aws_access_key_id"] = assumedRoleObject.credentials.access_key c["aws_secret_access_key"] = assumedRoleObject.credentials.secret_key c["security_token"] = assumedRoleObject.credentials.session_token return c
def connect_sts(aws_access_key_id=None, aws_secret_access_key=None, **kwargs): """ :type aws_access_key_id: string :param aws_access_key_id: Your AWS Access Key ID :type aws_secret_access_key: string :param aws_secret_access_key: Your AWS Secret Access Key :rtype: :class:`boto.sts.STSConnection` :return: A connection to Amazon's STS """ from boto.sts import STSConnection return STSConnection(aws_access_key_id, aws_secret_access_key, **kwargs)
def openConsole(): """ Get STS token and open AWS console. """ # Create an ARN out of the information provided by the user. role_arn = "arn:aws:iam::" + accountId() + ":role/" + getArgs().role_name # Connect to AWS STS and then call AssumeRole. # Returns temporary security credentials. sts_connection = STSConnection() assumed_role_object = sts_connection.assume_role( role_arn=role_arn, role_session_name="AssumeRoleSession") # Format resulting credentials into a JSON block. tmp_creds = { "sessionId": assumed_role_object.credentials.access_key, "sessionKey": assumed_role_object.credentials.secret_key, "sessionToken": assumed_role_object.credentials.session_token, } json_temp_credentials = json.dumps(tmp_creds) # Make a request to the AWS federation endpoint to get a sign-in # token, passing parameters in the query string. params = { "Action": "getSigninToken", "Session": json_temp_credentials, } request_url = "https://signin.aws.amazon.com/federation" r = requests.get(request_url, params=params) # The return value from the federation endpoint, the token. sign_in_token = json.loads(r.text)["SigninToken"] # Token is good for 15 minutes. # Create the URL to the console with token. params = { "Action": "login", "Issuer": "", "Destination": "https://console.aws.amazon.com/", "SigninToken": sign_in_token, } request_url = "https://signin.aws.amazon.com/federation?" request_url += urlencode(params) # Use the default browser to sign in to the console using the # generated URL. browser = webbrowser.get() if getArgs().incognito: webbrowser.Chromium.raise_opts = ["", "--incognito"] webbrowser.Chrome.raise_opts = ["", "--incognito"] webbrowser.Mozilla.remote_args = ['--private-window', '%s'] browser.open(request_url, new=1)
def get_session_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project_name, environment_name, role_name, token_expiration, session_token_expiration): try: if not args.nomfa: mfa_token = input("Enter the MFA code: ") sts_session = sts_connection.get_session_token( duration=session_token_expiration, mfa_serial_number=mfa_serial_number, mfa_token=mfa_token ) session_sts_connection = STSConnection(aws_access_key_id=sts_session.access_key, aws_secret_access_key=sts_session.secret_key, security_token=sts_session.session_token) assumed_role_object = session_sts_connection.assume_role( role_arn=role_arn, role_session_name=role_session_name, duration_seconds=token_expiration, ) else: colormsg("When using get_session you must use MFA", "error") exit(1) except Exception as e: colormsg("There was an error assuming role", "error") verbose(e) exit(1) colormsg("Assumed the role successfully", "ok") access_key = sts_session.access_key session_key = sts_session.secret_key session_token = sts_session.session_token expiration = sts_session.expiration login_to_fedaccount(access_key, session_key, session_token, role_session_name) credential_profile = 'default' save_credentials(access_key, session_key, session_token, role_session_name, 'corp', 'session', credential_profile, region) save_cli_credentials(access_key, session_key, session_token, '-'.join(['corp', 'session', credential_profile]), region) return {'access_key': access_key, 'session_key': session_key, 'session_token': session_token, 'role_session_name': role_session_name}
def __init__(self): """ Virtually private constructor. """ if AssumeRole.__instance: raise Exception("This is a singleton class!") sts = STSConnection(settings.AWS_ACCESS_KEY_ID, settings.AWS_SECRET_ACCESS_KEY) self.credentials = sts.assume_role( role_arn=settings.ROLE_ARN, role_session_name='vem', duration_seconds=3600, mfa_serial_number=settings.MFA_SERIAL_NUMBER, mfa_token=settings.MFA_TOKEN).credentials.to_dict() AssumeRole.__instance = self
def get_conn(self): """ Returns the boto S3Connection object. """ if self._default_to_boto: return S3Connection(profile_name=self.profile, host=self.s3_host) a_key = s_key = None if self._creds_in_config_file: a_key, s_key, calling_format = _parse_s3_config(self.s3_config_file, self.s3_config_format, self.profile) elif self._creds_in_conn: a_key = self._a_key s_key = self._s_key calling_format = self.calling_format s3_host = self.s3_host if calling_format is None: calling_format = 'boto.s3.connection.SubdomainCallingFormat' if s3_host is None: s3_host = NoHostProvided if self._sts_conn_required: sts_connection = STSConnection(aws_access_key_id=a_key, aws_secret_access_key=s_key, profile_name=self.profile) assumed_role_object = sts_connection.assume_role( role_arn=self.role_arn, role_session_name="Airflow_" + self.s3_conn_id ) creds = assumed_role_object.credentials connection = S3Connection( aws_access_key_id=creds.access_key, aws_secret_access_key=creds.secret_key, calling_format=calling_format, security_token=creds.session_token ) else: connection = S3Connection(aws_access_key_id=a_key, aws_secret_access_key=s_key, calling_format=calling_format, host=s3_host, profile_name=self.profile) return connection
def get_sts_creds(profile, duration, device_id, mfa_code): """ Get STS creds from AWS. :param profile: AWS creds profile name :param duration: Token lifetime :param device_id: MFA device ARN :param mfa_code: MFA TOTP code :return: """ sts_connection = STSConnection(profile_name=profile) sts_creds = sts_connection.get_session_token( duration=duration, mfa_serial_number="{device_id}".format(device_id=device_id), mfa_token=mfa_code) return sts_creds
def connect_sts(aws_access_key_id=None, aws_secret_access_key=None, **kwargs): """ :type aws_access_key_id: string :param aws_access_key_id: Your AWS Access Key ID :type aws_secret_access_key: string :param aws_secret_access_key: Your AWS Secret Access Key :rtype: :class:`boto.sts.STSConnection` :return: A connection to Amazon's STS """ access_key, secret_key = get_govcloud_creds(aws_access_key_id, aws_secret_access_key) from boto.sts import STSConnection region = RegionInfo(name='govcloud', endpoint='ec2.us-gov-west-1.amazonaws.com') return STSConnection(access_key, secret_key, region=region, **kwargs)
def get_connection(self): ret = None if self._cross_account_number and self._cross_account_role: from boto.sts import STSConnection import boto try: role_arn = 'arn:aws:iam::%s:role/%s' % ( self._cross_account_number, self._cross_account_role) sts = STSConnection() assumed_role = sts.assume_role( role_arn=role_arn, role_session_name='AssumeRoleSession') ret = ec2.connect_to_region( self._region, aws_access_key_id=assumed_role.credentials.access_key, aws_secret_access_key=assumed_role.credentials.secret_key, security_token=assumed_role.credentials.session_token) except Exception, e: print e raise BackupMonkeyException( 'Cannot complete cross account access')
def assumed_role(debug, OTP, mfa_serial, sts_duration, roleArn, SessionName): try: sts_connection = STSConnection() # Use the appropriate device ID (serial number for hardware device or ARN for virtual device). # Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values. #OTP = input("Enter OTP: ") #debug is used if you want assume-role print credentials tempCredentials = sts_connection.get_session_token( duration=sts_duration, mfa_serial_number= mfa_serial, #"arn:aws:iam::101549811061:mfa/SecurityAuditUser", mfa_token=OTP) STSsession = boto3.client( 'sts', aws_access_key_id=tempCredentials.access_key, aws_secret_access_key=tempCredentials.secret_key, aws_session_token=tempCredentials.session_token) assumed_role_object = STSsession.assume_role( RoleArn=roleArn, #"arn:aws:iam::072979390894:role/read", RoleSessionName=SessionName #"SecurityAuditSession" ) credentials = assumed_role_object['Credentials'] except (ValueError, IOError) as e: raise ("Error Processing your information for Assuming a role") credentials = "" if (debug): print(credentials['AccessKeyId']) print(credentials['SecretAccessKey']) print(credentials['SessionToken']) return credentials
def get_session_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project_name, environment_name, role_name, token_expiration, session_token_expiration): try: if not args.nomfa: mfa_token = raw_input("Enter the MFA code: ") sts_session = sts_connection.get_session_token( duration=session_token_expiration, mfa_serial_number=mfa_serial_number, mfa_token=mfa_token) session_sts_connection = STSConnection( aws_access_key_id=sts_session.access_key, aws_secret_access_key=sts_session.secret_key, security_token=sts_session.session_token) if args.externalid: assumed_role_object = session_sts_connection.assume_role( role_arn=role_arn, role_session_name=role_session_name, duration_seconds=token_expiration, external_id=externalid) else: assumed_role_object = session_sts_connection.assume_role( role_arn=role_arn, role_session_name=role_session_name, duration_seconds=token_expiration, ) else: colormsg("When using get_session you must use MFA", "error") exit(1) except Exception, e: colormsg("There was an error assuming role", "error") verbose(e) exit(1)
def make_aws_credentials(config, role_arn=None, role_name=None): if role_arn: try: sts_connection = STSConnection() assumedRoleObject = sts_connection.assume_role( role_arn=role_arn, role_session_name=role_name) except: out("Oops! something went wrong trying to assume the specified role" ) else: # create credentials for switching roles aws = AwsCredentials( assumedRoleObject.credentials.access_key, assumedRoleObject.credentials.secret_key, assumedRoleObject.credentials.session_token, get(config, 'aws.region', os.environ.get('AWS_DEFAULT_REGION')), get(config, 'aws.bucket', os.environ.get('AWS_BEANSTALK_BUCKET_NAME')), get(config, 'aws.bucket_path', os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH'))) out("Using Role: " + role_name) else: # create credentials aws = AwsCredentials( get(config, 'aws.access_key', os.environ.get('AWS_ACCESS_KEY_ID')), get(config, 'aws.secret_key', os.environ.get('AWS_SECRET_ACCESS_KEY')), get(config, 'aws.secret_token', os.environ.get('AWS_SECRET_TOKEN')), get(config, 'aws.region', os.environ.get('AWS_DEFAULT_REGION')), get(config, 'aws.bucket', os.environ.get('AWS_BEANSTALK_BUCKET_NAME')), get(config, 'aws.bucket_path', os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH'))) return aws
def get_aws_credentials(self, account_alias, role): """Get temporary credentials from AWS""" self.check_user_permissions(account_alias, role) try: account_id = self.account_config[account_alias]['id'] except Exception: message = "No Configuration for account '{account}'." raise ConfigurationError(message.format(account=account_alias)) arn = "arn:aws:iam::{account_id}:role/{role}".format( account_id=account_id, role=role) key_id = self.application_config['aws']['access_key'] secret_key = self.application_config['aws']['secret_key'] try: sts_connection = STSConnection(aws_access_key_id=key_id, aws_secret_access_key=secret_key) assumed_role_object = sts_connection.assume_role( role_arn=arn, role_session_name=self.user) except Exception as error: if getattr(error, 'status', None) == 403: raise PermissionError(str(error)) self.logger.exception( "AWS STS failed with: {exc_vars}".format(exc_vars=vars(error))) raise AWSError(str(error)) return assumed_role_object.credentials
mfa_serial_number = mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices[ 0].serial_number else: colormsg("You don't have MFA devices associated with our user", "error") exit(1) else: mfa_serial_number = "arn:aws:iam::" + account_id + ":mfa/" + role_session_name # Create an ARN out of the information provided by the user. role_arn = "arn:aws:iam::" + account_id_from_user + ":role/" role_arn += role_name_from_user # Connect to AWS STS and then call AssumeRole. This returns temporary security credentials. if args.profile: sts_connection = STSConnection(profile_name=args.profile) else: sts_connection = STSConnection() # Assume the role if not args.nomfa: verbose("Assuming role " + role_arn + " using MFA device " + mfa_serial_number + "...") if args.project: colormsg( "Assuming role " + role + " from project " + project + " using MFA device from user " + role_session_name + "...", "normal") elif args.iam_delegated_role: colormsg( "Assuming role " + role + " using MFA device from user " +
def get_sts(duration, mfa_serial, mfa_device_name, long_term, short_term, assume_role_arn=None): if boto.config.get(long_term, 'aws_access_key_id') is None: logger.error('aws_access_key_id is missing from section %s' 'or config file is missing.' % (long_term, )) sys.exit(1) else: long_term_id = boto.config.get(long_term, 'aws_access_key_id') if boto.config.get(long_term, 'aws_secret_access_key') is None: logger.error('aws_secret_access_key is missing from section ' 'or config file is missing.' % (long_term, )) sys.exit(1) else: long_term_secret = boto.config.get(long_term, 'aws_secret_access_key') if boto.config.has_section(short_term): boto.config.remove_option(short_term, 'aws_security_token') mfa_TOTP = raw_input('Enter AWS MFA code for user %s ' '(renewing for %s seconds):' % (mfa_device_name, duration)) try: sts_connection = STSConnection(aws_access_key_id=long_term_id, aws_secret_access_key=long_term_secret) if assume_role_arn is None: tempCredentials = sts_connection.get_session_token( duration=duration, mfa_serial_number=mfa_serial, mfa_token=mfa_TOTP) assumed_role = 'False' else: role_session_name = assume_role_arn.split('/')[-1] assumedRole = sts_connection.assume_role( assume_role_arn, role_session_name, duration_seconds=duration, mfa_serial_number=mfa_serial, mfa_token=mfa_TOTP) tempCredentials = assumedRole.credentials assumed_role = 'True' default_options = [ ('aws_access_key_id', tempCredentials.access_key), ('aws_secret_access_key', tempCredentials.secret_key), ('aws_security_token', tempCredentials.session_token), ('expiration', tempCredentials.expiration), ('assumed_role', assumed_role) ] for option, value in default_options: boto.config.save_user_option(short_term, option, value) except boto.exception.BotoServerError as e: message = '%s - Please try again.' % (e.message) logger.error(message) sys.exit(1)
def token(self): global region global role global access_key global session_key global session_token # Welcome if args.verbose: print() print("Awsauth Amazon Account Access " + version) print() else: print() print("Awsauth Amazon Account Access " + version) print() # Set values from parser if args.role: role = args.role else: role = 'developer' if args.region: region = args.region else: region = 'eu-west-1' if args.project: project = args.project project = project.lower() verbose("Project: " + project) if args.env: env = args.env env = env.lower() verbose("Environment: " + env) token_expiration = 3600 iam_connection = IAMConnection() # role_session_name=iam_connection.get_user()['get_user_response']['get_user_result']['user']['user_name'] try: role_session_name = iam_connection.get_user().get_user_response.get_user_result.user.user_name except Exception as e: colormsg("There was an error retrieving your session_name. Check your credentials", "error") verbose(e) exit(1) # account_id=iam_connection.get_user()['get_user_response']['get_user_result']['user']['arn'].split(':')[4] try: account_id = iam_connection.get_user().get_user_response.get_user_result.user.arn.split(':')[4] except Exception as e: colormsg("There was an error retrieving your account id. Check your credentials", "error") verbose(e) exit(1) # Regexp for groups and policies. Set the policy name used by your organization if args.project and args.env: group_name = 'corp-' + project + '-master-' + role policy_name = 'Delegated_Roles' role_filter = env + '-' + project + '-delegated-' + role # Step 1: Prompt user for target account ID and name of role to assume # IAM groups verbose("Getting IAM group info:") delegated_policy = [] group_policy = [] delegated_arn = [] try: policy = iam_connection.get_group_policy(group_name, policy_name) except Exception as e: colormsg( "There was an error retrieving your group policy. Check your credentials, group_name and policy_name", "error") verbose(e) exit(1) policy = policy.get_group_policy_response.get_group_policy_result.policy_document policy = unquote(policy) group_policy.append(config_line_policy("iam:grouppolicy", group_name, policy_name, policy)) output_lines(group_policy) # Format policy and search by role_filter policy = re.split('"', policy) for i in policy: result_filter = re.search(role_filter, i) if result_filter: delegated_arn.append(i) if len(delegated_arn) == 0: if args.role and args.project: colormsg("Sorry, you are not authorized to use the role " + role + " for project " + project, "error") exit(1) else: colormsg("Sorry, you are not authorized to use the role " + role_filter, "error") exit(1) elif len(delegated_arn) == 1: account_id_from_user = delegated_arn[0].split(':')[4] role_name_from_user = delegated_arn[0].split('/')[1] else: colormsg("There are two or more policies matching your input", "error") exit(1) colormsg("You are authenticated as " + role_session_name, "ok") # MFA if not args.nomfa: mfa_devices_r = iam_connection.get_all_mfa_devices(role_session_name) if mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices: mfa_serial_number = mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices[ 0].serial_number else: colormsg("You don't have MFA devices associated with our user", "error") exit(1) else: mfa_serial_number = "arn:aws:iam::" + account_id + ":mfa/" + role_session_name # Create an ARN out of the information provided by the user. role_arn = "arn:aws:iam::" + account_id_from_user + ":role/" role_arn += role_name_from_user # Connect to AWS STS and then call AssumeRole. This returns temporary security credentials. sts_connection = STSConnection() # Assume the role if not args.nomfa: verbose("Assuming role " + role_arn + " using MFA device " + mfa_serial_number + "...") if args.project: colormsg( "Assuming role " + role + " from project " + project + " using MFA device from user " + role_session_name + "...", "normal") elif args.iam_delegated_role: colormsg("Assuming role " + role + " using MFA device from user " + role_session_name + "...", "normal") else: verbose("Assuming role " + role_arn + "...") if args.project: colormsg( "Assuming role " + role + " from project " + project + " from user " + role_session_name + "...", "normal") elif args.iam_delegated_role: colormsg("Assuming role " + role + " from user " + role_session_name + "...", "normal") if os.path.isfile(os.path.expanduser('~/.awsauth')): with open(os.path.expanduser('~/.awsauth')) as json_file: root_json_data = json.load(json_file) json_file.close() if project in root_json_data and env in root_json_data[project] and role in root_json_data[project][ env]: json_data = root_json_data[project][env][role] awsauth_last_timestamp = json_data["awsauth_last_timestamp"] # check if the token has expired if int(time.time()) - int(awsauth_last_timestamp) > token_expiration or args.refresh: verbose("token has expired") sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration) else: verbose("token has not expired, trying to login...") login_to_fedaccount(json_data["access_key"], json_data["session_key"], json_data["session_token"], json_data["role_session_name"]) sts_token = {'access_key': json_data["access_key"], 'session_key': json_data["session_key"], 'session_token': json_data["session_token"], 'role_session_name': json_data["role_session_name"]} else: sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration) else: verbose("role is " + role) sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration) return sts_token
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) access_policies = {} role_name = args["role_name"] print "Role Name: ", role_name assume_role_trust_policy = json.dumps(args["trust_policy"]) access_policies = args["access_policies"] envdict = {} if self.runner.environment: env = template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) sts_connection = STSConnection( aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) c = boto.connect_iam( aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) #Look for the role try: role = c.get_role(role_name) #Make sure the trust policy exists try: temp_trust_policy = urllib.unquote( role["get_role_response"]["get_role_result"]["role"] ["assume_role_policy_document"]) #Reorganize the json dict so it is in the same order of the yaml policy temp_trust_policy = json.dumps( json.loads(temp_trust_policy)) #Trust policy does not match, update it if not assume_role_trust_policy == temp_trust_policy: if not assume_role_trust_policy == "\"\"": c.update_assume_role_policy( role_name, assume_role_trust_policy) #Make sure each new policy exists for policies in access_policies: try: temp_policy = urllib.unquote( c.get_role_policy(role_name, policies["policy_name"]) ["get_role_policy_response"] ["get_role_policy_result"]["policy_document"]) #Policy has same name but does not match, update it if not temp_policy == json.dumps( policies["policy_document"]): if not policies["policy_document"] == "\"\"": c.delete_role_policy( role_name, policies["policy_name"]) c.put_role_policy( role_name, policies["policy_name"], json.dumps( policies["policy_document"])) #Can't find policy, add it except Exception, e: try: c.put_role_policy( role_name, policies["policy_name"], json.dumps(policies["policy_document"])) except Exception, e: # deal with failure gracefully result = dict(failed=True, msg=type(e).__name__ + ": " + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result) #Returns true if the policy name exists def checkIfPolicyExists(access_policies, temp_name): for policy_name in access_policies: if policy_name["policy_name"] == temp_name: return True return False #Delete any policies that are not in the yaml temp_policy_names = c.list_role_policies(role_name) for temp_name in temp_policy_names[ "list_role_policies_response"][ "list_role_policies_result"]["policy_names"]: exists = checkIfPolicyExists(access_policies, temp_name) if not exists: c.delete_role_policy(role_name, temp_name) #Can't find trust policy, add it except Exception, e: try: c.update_assume_role_policy(role_name, assume_role_trust_policy) except Exception, e: # deal with failure gracefully result = dict(failed=True, msg=type(e).__name__ + ": " + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result)
secret_access_key = raw_input("Enter your AWS Secret Access Key: ") config.set(profile, AWS_SECRET_ACCESS_KEY, secret_access_key) write_config = True if config.has_option(profile, AWS_MFA_DEVICE) == False: mfa_device = raw_input("Enter your username: "******"arn:aws:iam::973692506099:mfa/" + mfa_device # use the passed in code if any mfa_TOTP = args.code if args.code is None: mfa_TOTP = raw_input("Enter your MFA code: ") # Get temp credentials tempCredentials = sts_connection.get_session_token( duration=28800, mfa_serial_number=serial_number, mfa_token=mfa_TOTP
def main(): import logging from boto.s3.connection import S3Connection from boto.sts import STSConnection # Prompt for token code mfa = raw_input("Enter the mfa authcode for ec2-dev: ") # sts_connection = STSConnection() # Use the appropriate device ID (serial number for hardware device or ARN for virtual device). # Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values. tempCredentials = sts_connection.get_session_token( duration=3600, mfa_serial_number="arn:aws:iam::231871078230:mfa/ec2-dev", mfa_token=mfa ) # Use the temporary credentials to list the contents of an S3 bucket s3_connection = S3Connection( aws_access_key_id=tempCredentials.access_key, aws_secret_access_key=tempCredentials.secret_key, security_token=tempCredentials.session_token ) # Set up logging logging.basicConfig(filename='ec2-termination.log', format='%(asctime)s = %(levelname)s: %(message)s', level=logging.DEBUG) # List comprehension for regions ec2_regions = [region['RegionName'] for region in client.describe_regions()['Regions']] # tag values to ignore tag_value = ['openshift-node','openshift-master'] for region in ec2_regions: #sets current working region print("Currently process instances in %s" % region) region_id = boto3.resource('ec2',region_name=region) # Gets a list of EC2 instances which are running instances = region_id.instances.filter( Filters=[{'Name': 'instance-state-name', 'Values': ['running','stopped']}]) flag = True for instance in instances: for tag in instance.tags: if tag['Key'] == 'Name': name = tag['Value'] if name in tag_value: flag = False try: logging.info("Deleting instance %s "% instance.id) if flag: #disableAPIProtection(instance.id) #response = instance.terminate() print("Instance %s termination" % instance.id) else: pass #print("Instance %s termination" % name) except botocore.exceptions.ClientError as e: logging.error(e.response['Error']['Code'])
def connect_to_sts_region(aws_access_key, aws_secret_key): try: return STSConnection(aws_access_key, aws_secret_key) except: raise
import json import boto import boto3 import os import commands import boto.ec2 from boto import ec2 from boto.sts import STSConnection import sys arn=str(sys.argv[1]) print arn sts_connection = STSConnection() assumed_role_object = sts_connection.assume_role( role_arn=arn, role_session_name="run-script" ) os.environ["AWS_ACCESS_KEY_ID"] =assumed_role_object.credentials.access_key os.environ["AWS_SECRET_ACCESS_KEY"] = assumed_role_object.credentials.secret_key os.environ["AWS_SESSION_TOKEN"] = assumed_role_object.credentials.session_token ############ Get Account name & ID ############################################# accountname=commands.getoutput("aws iam list-account-aliases | awk {'print $2'}") accountid=(boto3.client('sts').get_caller_identity()['Account']) print accountname f1=open('/tmp/email_output.html', 'a') f1.write("<h2 style='color:#0066cc;'>"+accountname+" ["+accountid+"]</h2><hr>\n<h4>Security Group Ports Summary for EC2 Instances</h4>\n<table style=\'width:100%\', border=\'1\'>\n<thead><th>Instance Name</th><th>Instance Type</th><th>VPC</th><th>Security Group</th><th>Ports Opened</th></thead>\n<tbody>\n") ############# EC2 instance INFo with attached security group name/ID ########### def get_name(instance): if instance.tags: