def get_sts(duration, mfa_serial, mfa_device_name,
long_term, short_term, assume_role_arn=None):
if boto.config.get(long_term, 'aws_access_key_id') is None:
logger.error('aws_access_key_id is missing from section %s'
'or config file is missing.' % (long_term,))
sys.exit(1)
else:
long_term_id = boto.config.get(long_term, 'aws_access_key_id')
if boto.config.get(long_term, 'aws_secret_access_key') is None:
logger.error('aws_secret_access_key is missing from section '
'or config file is missing.' % (long_term,))
sys.exit(1)
else:
long_term_secret = boto.config.get(long_term, 'aws_secret_access_key')
if boto.config.has_section(short_term):
boto.config.remove_option(short_term, 'aws_security_token')
mfa_TOTP = raw_input('Enter AWS MFA code for user %s '
'(renewing for %s seconds):' %
(mfa_device_name, duration))
try:
sts_connection = STSConnection(aws_access_key_id=long_term_id,
aws_secret_access_key=long_term_secret)
if assume_role_arn is None:
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
assumed_role = 'False'
else:
role_session_name = assume_role_arn.split('/')[-1]
assumedRole = sts_connection.assume_role(
assume_role_arn, role_session_name,
duration_seconds=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
tempCredentials = assumedRole.credentials
assumed_role = 'True'
default_options = [
('aws_access_key_id', tempCredentials.access_key),
('aws_secret_access_key', tempCredentials.secret_key),
('aws_security_token', tempCredentials.session_token),
('expiration', tempCredentials.expiration),
('assumed_role', assumed_role)
]
for option, value in default_options:
boto.config.save_user_option(
short_term,
option,
value
)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
logger.error(message)
sys.exit(1)
def get_sts(duration):
os.environ['AWS_ACCESS_KEY_ID'] = boto.config.get('long-term',
'aws_access_key_id')
os.environ['AWS_SECRET_ACCESS_KEY'] = boto.config.get(
'long-term', 'aws_secret_access_key')
boto.config.remove_option('Credentials', 'aws_security_token')
try:
del os.environ['AWS_SECURITY_TOKEN']
except:
pass
mfa_TOTP = raw_input("Enter AWS MFA code for user %s:" % mfa_device_name)
try:
sts_connection = STSConnection()
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
boto.config.save_user_option('Credentials', 'aws_access_key_id',
tempCredentials.access_key)
boto.config.save_user_option('Credentials', 'aws_secret_access_key',
tempCredentials.secret_key)
boto.config.save_user_option('Credentials', 'aws_security_token',
tempCredentials.session_token)
boto.config.save_user_option('Credentials', 'expiration',
tempCredentials.expiration)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
sys.exit(message)
def create_user(user, mfa):
from boto.s3.connection import S3Connection
from boto.sts import STSConnection
import yaml
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=3600,
mfa_serial_number="arn:aws:iam::231871078230:mfa/ec2-dev",
mfa_token=mfa)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token)
try:
f = open('users.yaml')
except IOError as err:
click.echo("Error: %s" % err)
else:
with f:
config = yaml.load(f)
if config[user]:
policy = config[user]['policies']
access = config[user]['programmatic']
console = config[user]['console']
mfa = config[user]['mfa']
try:
response = iam.create_user(UserName=user)
except botocore.exceptions.ClientError as e:
logging.error(e.response['Error']['Code'])
click.echo("Exception Caught: %s" % e)
else:
print(json.dumps(response, indent=4, default=str))
attach_policy(user, policy)
# dispatch dictionary
dispatch_dict = {
'programmatic': programmatic_access,
'console': console_access,
'mfa': configure_mfa
}
for k, v in config[user].items():
if k in ('programmatic', 'console',
'mfa') and v is True:
handler = dispatch_dict[k]
handler(user)
else:
click.echo("User configuraton does not exist in %s" % f)
sys.exit(1)
def get_sts_creds(profile, duration, device_id, mfa_code):
"""
Get STS creds from AWS.
:param profile: AWS creds profile name
:param duration: Token lifetime
:param device_id: MFA device ARN
:param mfa_code: MFA TOTP code
:return:
"""
sts_connection = STSConnection(profile_name=profile)
sts_creds = sts_connection.get_session_token(
duration=duration,
mfa_serial_number="{device_id}".format(device_id=device_id),
mfa_token=mfa_code)
return sts_creds
def sync(name=None):
if not name:
name = get_default_name()
credentials = get_credentials(name)
if not credentials.mfa_serial:
# Nothing to do here.
return
# Have temporary credentials and they aren't expired yet, so no need to
# get new ones.
if (credentials.temporary_credentials and
credentials.temporary_credentials.time_until_expiration() > 0):
return
import boto
from boto.sts import STSConnection
mfa_TOTP = getpass("Enter the MFA code: ")
sts_connection = STSConnection(
aws_access_key_id=credentials.access_key_id,
aws_secret_access_key=credentials.secret_access_key
)
temporary_credentials = sts_connection.get_session_token(
duration=SESSION_DURATION,
mfa_serial_number=credentials.mfa_serial,
mfa_token=mfa_TOTP,
)
details = TemporaryCredentials(
temporary_access_key=temporary_credentials.access_key,
temporary_secret_key=temporary_credentials.secret_key,
session_token=temporary_credentials.session_token,
expiration=temporary_credentials.expiration
)
keyring.set_password('aws-keyring-temporary-credentials', name, str(details))
def assumed_role(debug, OTP, mfa_serial, sts_duration, roleArn, SessionName):
try:
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
#OTP = input("Enter OTP: ")
#debug is used if you want assume-role print credentials
tempCredentials = sts_connection.get_session_token(
duration=sts_duration,
mfa_serial_number=
mfa_serial, #"arn:aws:iam::101549811061:mfa/SecurityAuditUser",
mfa_token=OTP)
STSsession = boto3.client(
'sts',
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
aws_session_token=tempCredentials.session_token)
assumed_role_object = STSsession.assume_role(
RoleArn=roleArn, #"arn:aws:iam::072979390894:role/read",
RoleSessionName=SessionName #"SecurityAuditSession"
)
credentials = assumed_role_object['Credentials']
except (ValueError, IOError) as e:
raise ("Error Processing your information for Assuming a role")
credentials = ""
if (debug):
print(credentials['AccessKeyId'])
print(credentials['SecretAccessKey'])
print(credentials['SessionToken'])
return credentials
def get_sts(duration):
os.environ['AWS_ACCESS_KEY_ID'] = boto.config.get(
'long-term',
'aws_access_key_id')
os.environ['AWS_SECRET_ACCESS_KEY'] = boto.config.get(
'long-term',
'aws_secret_access_key')
boto.config.remove_option('Credentials', 'aws_security_token')
try:
del os.environ['AWS_SECURITY_TOKEN']
except:
pass
mfa_TOTP = raw_input("Enter AWS MFA code for user %s:" % mfa_device_name)
try:
sts_connection = STSConnection()
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
boto.config.save_user_option(
'Credentials',
'aws_access_key_id',
tempCredentials.access_key)
boto.config.save_user_option(
'Credentials',
'aws_secret_access_key',
tempCredentials.secret_key)
boto.config.save_user_option(
'Credentials',
'aws_security_token',
tempCredentials.session_token)
boto.config.save_user_option(
'Credentials',
'expiration',
tempCredentials.expiration)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
sys.exit(message)
def get_sts_keys(default_keys):
from boto.sts import STSConnection
baseline_keys = load_keys(args.profile + ".credentials")
conn = STSConnection(default_keys["aws_access_key_id"], default_keys["aws_secret_access_key"])
mfaArn = "arn:aws:iam::{0}:mfa/{1}".format(args.accountId, args.userName)
log("mfa device = %s" % mfaArn)
try:
creds = conn.get_session_token(args.duration, args.force_new, mfaArn, args.mfaToken)
log("Session will expire at %s" % creds.expiration)
return {
"aws_access_key_id": creds.access_key,
"aws_secret_access_key": creds.secret_key,
"aws_session_token": creds.session_token,
}
except boto.exception.BotoServerError, e:
if "MultiFactorAuthentication failed" in str(e):
log("Invalid MFA token, resetting default keys")
return default_keys
elif "InvalidClientTokenId" in str(e):
log("Invalid default credentials")
return None
else:
raise e
def get_sts(duration,
mfa_serial,
mfa_device_name,
long_term,
short_term,
assume_role_arn=None):
if boto.config.get(long_term, 'aws_access_key_id') is None:
logger.error('aws_access_key_id is missing from section %s'
'or config file is missing.' % (long_term, ))
sys.exit(1)
else:
long_term_id = boto.config.get(long_term, 'aws_access_key_id')
if boto.config.get(long_term, 'aws_secret_access_key') is None:
logger.error('aws_secret_access_key is missing from section '
'or config file is missing.' % (long_term, ))
sys.exit(1)
else:
long_term_secret = boto.config.get(long_term, 'aws_secret_access_key')
if boto.config.has_section(short_term):
boto.config.remove_option(short_term, 'aws_security_token')
mfa_TOTP = raw_input('Enter AWS MFA code for user %s '
'(renewing for %s seconds):' %
(mfa_device_name, duration))
try:
sts_connection = STSConnection(aws_access_key_id=long_term_id,
aws_secret_access_key=long_term_secret)
if assume_role_arn is None:
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
assumed_role = 'False'
else:
role_session_name = assume_role_arn.split('/')[-1]
assumedRole = sts_connection.assume_role(
assume_role_arn,
role_session_name,
duration_seconds=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
tempCredentials = assumedRole.credentials
assumed_role = 'True'
default_options = [
('aws_access_key_id', tempCredentials.access_key),
('aws_secret_access_key', tempCredentials.secret_key),
('aws_security_token', tempCredentials.session_token),
('expiration', tempCredentials.expiration),
('assumed_role', assumed_role)
]
for option, value in default_options:
boto.config.save_user_option(short_term, option, value)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
logger.error(message)
sys.exit(1)
def main():
import logging
from boto.s3.connection import S3Connection
from boto.sts import STSConnection
# Prompt for token code
mfa = raw_input("Enter the mfa authcode for ec2-dev: ")
#
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=3600,
mfa_serial_number="arn:aws:iam::231871078230:mfa/ec2-dev",
mfa_token=mfa
)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token
)
# Set up logging
logging.basicConfig(filename='ec2-termination.log',
format='%(asctime)s = %(levelname)s: %(message)s',
level=logging.DEBUG)
# List comprehension for regions
ec2_regions = [region['RegionName'] for region in client.describe_regions()['Regions']]
# tag values to ignore
tag_value = ['openshift-node','openshift-master']
for region in ec2_regions:
#sets current working region
print("Currently process instances in %s" % region)
region_id = boto3.resource('ec2',region_name=region)
# Gets a list of EC2 instances which are running
instances = region_id.instances.filter(
Filters=[{'Name': 'instance-state-name', 'Values': ['running','stopped']}])
flag = True
for instance in instances:
for tag in instance.tags:
if tag['Key'] == 'Name':
name = tag['Value']
if name in tag_value:
flag = False
try:
logging.info("Deleting instance %s "% instance.id)
if flag:
#disableAPIProtection(instance.id)
#response = instance.terminate()
print("Instance %s termination" % instance.id)
else:
pass
#print("Instance %s termination" % name)
except botocore.exceptions.ClientError as e:
logging.error(e.response['Error']['Code'])
with open(config_file_path, 'w') as config_file:
config.write(config_file)
# Open the connection, specifying the profile to use
sts_connection = STSConnection(profile_name=profile)
# Prompt for MFA device and time-based one-time password (TOTP)
mfa_device = config.get(profile, AWS_MFA_DEVICE)
serial_number = "arn:aws:iam::973692506099:mfa/" + mfa_device
# use the passed in code if any
mfa_TOTP = args.code
if args.code is None:
mfa_TOTP = raw_input("Enter your MFA code: ")
# Get temp credentials
tempCredentials = sts_connection.get_session_token(
duration=28800,
mfa_serial_number=serial_number,
mfa_token=mfa_TOTP
)
config.set(ConfigParser.DEFAULTSECT, AWS_ACCESS_KEY_ID, tempCredentials.access_key)
config.set(ConfigParser.DEFAULTSECT, AWS_SECRET_ACCESS_KEY, tempCredentials.secret_key)
config.set(ConfigParser.DEFAULTSECT, AWS_SESSION_TOKEN, tempCredentials.session_token)
# Write out the config
with open(config_file_path, 'w') as configfile:
config.write(configfile)
print("\nAll set! You can now use AWS CLI commands.")
mfa_TOTP = raw_input("Enter the MFA code: ")
# The calls to AWS STS GetSessionToken must be signed with the access key ID and secret
# access key of an IAM user. The credentials can be in environment variables or in
# a configuration file and will be discovered automatically
# by the STSConnection() function. For more information, see the Python SDK
# documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=3600,
mfa_serial_number="®ion-arn;iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID",
mfa_token=mfa_TOTP
)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token
)
# Replace BUCKET-NAME with an appropriate value.
bucket = s3_connection.get_bucket(bucket_name="BUCKET-NAME")
objectlist = bucket.list()
for obj in objectlist:
print(obj.name)
# The calls to AWS STS GetSessionToken must be signed with the access key ID and secret
# access key of an IAM user. The credentials can be in environment variables or in
# a configuration file and will be discovered automatically
# by the STSConnection() function. For more information, see the Python SDK
# documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection(
aws_access_key_id="AKIAJEGDPRSEOJMV46ZA",
aws_secret_access_key="RHrGRGJrpb8mWAq6zRXTwmX1TmvjfQZTOevPatg9")
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=2800,
mfa_serial_number="arn:aws:iam::186502235371:mfa/sthathamsetty",
mfa_token=mfa_TOTP)
print(tempCredentials.access_key)
print(tempCredentials.secret_key)
print("\n" + tempCredentials.session_token)
sts_connection1 = STSConnection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token)
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumedRoleObject = sts_connection1.assume_role(
role_arn=
