def mk_boto_session(
profile: Optional[str] = None,
creds: Optional[ReadOnlyCredentials] = None,
region_name: Optional[str] = None,
) -> Session:
"""Get botocore session with correct `region` configured
:param profile: profile name to lookup
:param creds: Override credentials with supplied data
:param region_name: default region_name to use if not configured for a given profile
"""
session = botocore.session.Session(profile=profile)
if creds is not None:
session.set_credentials(creds.access_key, creds.secret_key, creds.token)
_region = session.get_config_variable("region")
if _region is None:
if region_name is None or region_name == "auto":
_region = auto_find_region(session, default="us-west-2")
else:
_region = region_name
session.set_config_variable("region", _region)
return session
def _create_session_with_assume_role(
self, session_kwargs: Dict[str, Any]) -> boto3.session.Session:
if self.conn.assume_role_method == 'assume_role_with_web_identity':
# Deferred credentials have no initial credentials
credential_fetcher = self._get_web_identity_credential_fetcher()
credentials = botocore.credentials.DeferredRefreshableCredentials(
method='assume-role-with-web-identity',
refresh_using=credential_fetcher.fetch_credentials,
time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()),
)
else:
# Refreshable credentials do have initial credentials
credentials = botocore.credentials.RefreshableCredentials.create_from_metadata(
metadata=self._refresh_credentials(),
refresh_using=self._refresh_credentials,
method="sts-assume-role",
)
session = botocore.session.get_session()
session._credentials = credentials
region_name = self.basic_session.region_name
session.set_config_variable("region", region_name)
return boto3.session.Session(botocore_session=session,
**session_kwargs)
def _get_botocore_session(profile_name=None, region=None):
"""
Generates a botocore session with Managed SSH CLI set as the user agent
:param profile_name: The name of a profile to use. If not given, then the \
default profile is used.
:type profile_name: string
:param region: An AWS region name to set as the default for the Botocore session
:type region: string
:return: A Botocore session object
:rtype: botocore.session.Session
"""
session = botocore.session.get_session()
botocore_info = 'Botocore/{0}'.format(session.user_agent_version)
if session.user_agent_extra:
session.user_agent_extra += ' ' + botocore_info
else:
session.user_agent_extra = botocore_info
session.user_agent_name = 'aws-ec2-instance-connect-cli'
session.user_agent_version = CLI_VERSION
"""
# Credential precedence:
# 1. set user passed profile.
# 2. set user passed region.
# 3. let botocore handle the rest.
"""
if profile_name:
session.set_config_variable('profile', profile_name)
if region is not None:
session.set_config_variable('region', region)
return session
def _create_session_with_assume_role(
self, session_kwargs: Dict[str, Any]) -> boto3.session.Session:
assume_role_method = self.extra_config.get('assume_role_method',
'assume_role')
self.log.info("assume_role_method=%s", assume_role_method)
supported_methods = [
'assume_role', 'assume_role_with_saml',
'assume_role_with_web_identity'
]
if assume_role_method not in supported_methods:
raise NotImplementedError(
f'assume_role_method={assume_role_method} in Connection {self.conn.conn_id} Extra.'
f'Currently {supported_methods} are supported.'
'(Exclude this setting will default to "assume_role").')
if assume_role_method == 'assume_role_with_web_identity':
# Deferred credentials have no initial credentials
credential_fetcher = self._get_web_identity_credential_fetcher()
credentials = botocore.credentials.DeferredRefreshableCredentials(
method='assume-role-with-web-identity',
refresh_using=credential_fetcher.fetch_credentials,
time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()),
)
else:
# Refreshable credentials do have initial credentials
credentials = botocore.credentials.RefreshableCredentials.create_from_metadata(
metadata=self._refresh_credentials(),
refresh_using=self._refresh_credentials,
method="sts-assume-role",
)
session = botocore.session.get_session()
session._credentials = credentials # pylint: disable=protected-access
region_name = self.basic_session.region_name
session.set_config_variable("region", region_name)
return boto3.session.Session(botocore_session=session,
**session_kwargs)
def get_client(region=None, profile=None):
try:
print("get_client(): starting...")
session = botocore.session.get_session()
region = region or discover_region()
if not region:
raise ValueError('Region was not provided and could not be determined')
session.set_config_variable('region', region)
if profile:
session.set_config_variable('profile', profile)
print("create_client() will be called...")
try:
return session.create_client('kms', region_name=region)
except Exception as e:
print("\nget_client() failed calling session.create_client()")
print(" ERROR:{}\n".format(e))
sys.exit(1)
print("client created")
except Exception as e:
print("get_client() failed:{}".format(e))
sys.exit(1)
print("get_client() finished")
def __init__(self,
s3_staging_dir=None,
access_key=None,
secret_key=None,
region_name=None,
schema_name='default',
profile_name=None,
credential_file=None,
jvm_path=None,
jvm_options=None,
converter=None,
formatter=None,
driver_path=None,
**driver_kwargs):
if s3_staging_dir:
self.s3_staging_dir = s3_staging_dir
else:
self.s3_staging_dir = os.getenv(self._ENV_S3_STAGING_DIR, None)
assert self.s3_staging_dir, 'Required argument `s3_staging_dir` not found.'
assert schema_name, 'Required argument `schema_name` not found.'
self.schema_name = schema_name
if credential_file:
self.access_key = None
self.secret_key = None
self.token = None
self.credential_file = credential_file
assert self.credential_file, 'Required argument `credential_file` not found.'
self.region_name = region_name
assert self.region_name, 'Required argument `region_name` not found.'
else:
import botocore.session
session = botocore.session.get_session()
if access_key and secret_key:
session.set_credentials(access_key, secret_key)
if profile_name:
session.set_config_variable('profile', profile_name)
if region_name:
session.set_config_variable('region', region_name)
credentials = session.get_credentials()
self.access_key = credentials.access_key
assert self.access_key, 'Required argument `access_key` not found.'
self.secret_key = credentials.secret_key
assert self.secret_key, 'Required argument `secret_key` not found.'
self.token = credentials.token
self.credential_file = None
self.region_name = session.get_config_variable('region')
assert self.region_name, 'Required argument `region_name` not found.'
self._start_jvm(jvm_path, jvm_options, driver_path)
props = self._build_driver_args(**driver_kwargs)
jpype.JClass(ATHENA_DRIVER_CLASS_NAME)
self._jdbc_conn = jpype.java.sql.DriverManager.getConnection(
ATHENA_CONNECTION_STRING.format(region=self.region_name,
schema=schema_name), props)
self._converter = converter if converter else JDBCTypeConverter()
self._formatter = formatter if formatter else ParameterFormatter()
def _create_client(self):
session = botocore.session.get_session()
if aws_creds:
session.set_credentials(**aws_creds)
else:
session.set_config_variable('profile', self.profile)
return session.create_client(
self.service_name, region_name=self.region_name)
def create_session(**kwargs):
# Create a Session object. By default,
# the _LOADER object is used as the loader
# so that we reused the same models across tests.
session = botocore.session.Session(**kwargs)
session.register_component('data_loader', _LOADER)
session.set_config_variable('credentials_file', 'noexist/foo/botocore')
return session
def create_session(**kwargs):
# Create a Session object. By default,
# the _LOADER object is used as the loader
# so that we reused the same models across tests.
session = botocore.session.Session(**kwargs)
session.register_component('data_loader', _LOADER)
session.set_config_variable('credentials_file', 'noexist/foo/botocore')
return session
def get_client(region=None, profile=None):
session = botocore.session.get_session()
region = region or discover_region()
if not region:
raise ValueError('Region was not provided and could not be determined')
session.set_config_variable('region', region)
if profile:
session.set_config_variable('profile', profile)
return session.create_client('kms', region_name=region)
def test_config_loader_delegation(self):
session = create_session(profile='credfile-profile')
with temporary_file('w') as f:
f.write('[credfile-profile]\naws_access_key_id=a\n')
f.write('aws_secret_access_key=b\n')
f.flush()
session.set_config_variable('credentials_file', f.name)
# Now trying to retrieve the scoped config should pull in
# values from the shared credentials file.
self.assertEqual(session.get_scoped_config(),
{'aws_access_key_id': 'a',
'aws_secret_access_key': 'b'})
def test_config_loader_delegation(self):
session = create_session(profile='credfile-profile')
with temporary_file('w') as f:
f.write('[credfile-profile]\naws_access_key_id=a\n')
f.write('aws_secret_access_key=b\n')
f.flush()
session.set_config_variable('credentials_file', f.name)
# Now trying to retrieve the scoped config should pull in
# values from the shared credentials file.
self.assertEqual(session.get_scoped_config(),
{'aws_access_key_id': 'a',
'aws_secret_access_key': 'b'})
def _get_botocore_session():
if _get_botocore_session.botocore_session is None:
LOG.debug('Creating new Botocore Session')
LOG.debug('Botocore version: {0}'.format(botocore.__version__))
session = botocore.session.get_session({
'profile': (None, _profile_env_var, _profile, None),
})
session.set_config_variable('region', _region_name)
session.register_component('data_loader', _get_data_loader())
_set_user_agent_for_session(session)
_get_botocore_session.botocore_session = session
if _debug:
session.set_debug_logger()
return _get_botocore_session.botocore_session
def _get_botocore_session():
if _get_botocore_session.botocore_session is None:
LOG.debug('Creating new Botocore Session')
LOG.debug('Botocore version: {0}'.format(botocore.__version__))
session = botocore.session.get_session({
'profile': (None, _profile_env_var, _profile, None),
})
session.set_config_variable('region', _region_name)
session.register_component('data_loader', _get_data_loader())
_set_user_agent_for_session(session)
_get_botocore_session.botocore_session = session
if _debug:
session.set_debug_logger()
return _get_botocore_session.botocore_session
def get_session(self, region_name, role_arn):
"""
Assumes the given role and returns a session object assuming said role.
"""
session = botocore.session.get_session()
if region_name is not None:
session.set_config_variable('region', region_name)
if role_arn is not None:
sts = session.create_client(AUTH_SERVICE, region_name=region_name)
credentials_dict = sts.assume_role(
RoleArn=role_arn,
RoleSessionName='EKSGetTokenAuth')['Credentials']
session.set_credentials(credentials_dict['AccessKeyId'],
credentials_dict['SecretAccessKey'],
credentials_dict['SessionToken'])
return session
else:
return session
def get_session(self, region_name, role_arn):
"""
Assumes the given role and returns a session object assuming said role.
"""
session = botocore.session.get_session()
if region_name is not None:
session.set_config_variable('region', region_name)
if role_arn is not None:
sts = session.create_client(AUTH_SERVICE, region_name=region_name)
credentials_dict = sts.assume_role(
RoleArn=role_arn,
RoleSessionName='EKSGetTokenAuth'
)['Credentials']
session.set_credentials(credentials_dict['AccessKeyId'],
credentials_dict['SecretAccessKey'],
credentials_dict['SessionToken'])
return session
else:
return session
def boto3_session(profile_name=None,
config_file=None,
credentials_file=None,
existing_creds=None):
"""
returns a boto3 session using cached credentials
Allows for sharing credentials from cli commands with boto sessions
"""
# Construct botocore session with cache
session = botocore.session.get_session()
if profile_name is not None:
session.set_config_variable("profile", profile_name)
if config_file is not None:
session.set_config_variable("config_file", config_file)
if credentials_file is not None:
session.set_config_variable("credentials_file", credentials_file)
if existing_creds is not None:
session.set_credentials(
access_key=existing_creds["aws_access_key_id"],
secret_key=existing_creds["aws_secret_access_key"],
token=existing_creds["aws_session_token"],
)
session.get_component("credential_provider").get_provider(
"assume-role").cache = credentials.JSONFileCache(cli_cache)
return boto3.Session(botocore_session=session)
def get_boto_session(region_name=None,
profile=None,
creds=None,
cache=None):
""" Get botocore.session with correct region_name configured
"""
if cache is not None:
sessions = getattr(cache, 'sessions', None)
if sessions is None:
sessions = {}
setattr(cache, 'sessions', sessions)
session = sessions.get(region_name)
else:
sessions, session = {}, None
if session is not None:
return session
session = botocore.session.Session(profile=profile)
_region = session.get_config_variable("region")
if creds is not None:
session.set_credentials(creds.access_key,
creds.secret_key,
creds.token)
if _region is None:
if region_name is None or region_name == "auto":
_region = auto_find_region(session)
else:
_region = region_name
session.set_config_variable("region", _region)
sessions[_region] = session
return session
def login(profile, region, ssl_verification, adfs_ca_bundle, adfs_host,
output_format, provider_id, s3_signature_version, env, stdin,
authfile, stdout, printenv, role_arn, session_duration, assertfile,
sspi, u2f_trigger_default, username, password):
"""
Authenticates an user with active directory credentials
"""
config = prepare.get_prepared_config(
profile,
region,
ssl_verification,
adfs_ca_bundle,
adfs_host,
output_format,
provider_id,
s3_signature_version,
session_duration,
sspi,
u2f_trigger_default,
)
_verification_checks(config)
# Try re-authenticating using an existing ADFS session
if username != None and password != None:
#print(username)
#print(password)
#exit(0)
principal_roles, assertion, aws_session_duration = authenticator.authenticate(
config,
username=username,
password=password,
assertfile=assertfile)
else:
principal_roles, assertion, aws_session_duration = authenticator.authenticate(
config, assertfile=assertfile)
#principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, assertfile=assertfile)
# If we fail to get an assertion, prompt for credentials and try again
if assertion is None:
password = None
if stdin:
config.adfs_user, password = _stdin_user_credentials()
elif env:
config.adfs_user, password = _env_user_credentials()
elif authfile:
config.adfs_user, password = _file_user_credentials(
config.profile, authfile)
if not config.adfs_user:
config.adfs_user = click.prompt(text='Username',
type=str,
default=config.adfs_user)
if not password:
password = click.prompt('Password', type=str, hide_input=True)
principal_roles, assertion, aws_session_duration = authenticator.authenticate(
config, config.adfs_user, password)
password = '******'
del password
if (role_arn is not None):
config.role_arn = role_arn
principal_arn, config.role_arn = role_chooser.choose_role_to_assume(
config, principal_roles)
if principal_arn is None or config.role_arn is None:
click.echo('This account does not have access to any roles', err=True)
exit(-1)
# Use the assertion to get an AWS STS token using Assume Role with SAML
# according to the documentation:
# http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html
# This element contains one AttributeValue element that specifies the maximum time that the user
# can access the AWS Management Console before having to request new temporary credentials.
# The value is an integer representing the number of seconds, and can be
# a maximum of 43200 seconds (12 hours). If this attribute is not present,
# then the maximum session duration defaults to one hour
# (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API).
# To use this attribute, you must configure the SAML provider to provide single sign-on access
# to the AWS Management Console through the console sign-in web endpoint at
# https://signin.aws.amazon.com/saml.
# Note that this attribute extends sessions only to the AWS Management Console.
# It cannot extend the lifetime of other credentials.
# However, if it is present in an AssumeRoleWithSAML API call,
# it can be used to shorten the lifetime of the credentials returned by the call to less than
# the default of 60 minutes.
#
# Note, too, that if a SessionNotOnOrAfter attribute is also defined,
# then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter,
# establishes the maximum duration of the console session.
try:
session = botocore.session.get_session()
session.set_config_variable('profile', config.profile)
conn = session.create_client(
'sts', config=client.Config(signature_version=botocore.UNSIGNED))
except botocore.exceptions.ProfileNotFound:
logging.debug('Profile {} does not exist yet'.format(config.profile))
session = botocore.session.get_session()
conn = session.create_client(
'sts', config=client.Config(signature_version=botocore.UNSIGNED))
aws_session_token = conn.assume_role_with_saml(
RoleArn=config.role_arn,
PrincipalArn=principal_arn,
SAMLAssertion=assertion,
DurationSeconds=int(config.session_duration),
)
if stdout:
_emit_json(aws_session_token)
elif printenv:
_emit_summary(config, aws_session_duration)
_print_environment_variables(aws_session_token, config)
else:
_store(config, aws_session_token)
_emit_summary(config, aws_session_duration)
