Example #1
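def assume_role_worker(batch, roles, saml_xml):
    '''Obtain AWS credentials for one account/role pair of a batch job.

    ``batch`` is a dict with ``name``, ``alias`` and ``role``; ``roles`` is the
    list of ``(parn, rarn, aname)`` tuples granted in the SAML assertion
    ``saml_xml`` (judging by the names and by the ``assume_role`` call:
    provider ARN, role ARN, account name).

    Returns a single-entry dict keyed by ``"<alias>/<role>"``. The value is
    either the raw STS credentials (``aws_access_key_id`` /
    ``aws_secret_access_key`` / ``aws_session_token``) or
    ``{'profile_name': ...}`` when no SAML role matched but a local
    ``~/.aws/credentials`` profile named after the alias or the account name
    exists. Returns ``None`` when neither is available. Raw keys rather than a
    boto3 Session are returned because the result has to survive
    ``multiprocessing.Pool().map()``.
    '''
    account_name = batch['name']
    account_alias = batch['alias']
    saml_role = batch['role']
    cred_name = '{}/{}'.format(account_alias, saml_role)

    # Match on the account name from the assertion and the role ARN suffix.
    matching_roles = [(parn, rarn, aname)
                      for parn, rarn, aname in roles
                      if aname == account_alias and rarn.endswith(saml_role)]
    # endswith() is a loose suffix test: a configured role "Admin" also matches
    # ".../role/ReadOnlyAdmin". When several ARNs match, prefer the one whose
    # final path segment is exactly the configured role, so we never silently
    # assume a role other than the one that was asked for.
    if len(matching_roles) > 1:
        exact = [r for r in matching_roles if r[1].rsplit('/', 1)[-1] == saml_role]
        if exact:
            matching_roles = exact
    if len(matching_roles) > 1:
        error('[{}] Role {} is ambiguous, using the first match: {}'
              .format(account_alias, saml_role, [r[1] for r in matching_roles]))

    if not matching_roles:
        error('[{}] No matching role found for account {}/{}. Try profile from ~/.aws/credentials'
              .format(account_alias, account_alias, saml_role))
        # Fall back to a locally configured profile: alias first, then name.
        for profile_name in (account_alias, account_name):
            try:
                if get_boto3_session(None, None, profile=profile_name):
                    return {cred_name: {'profile_name': profile_name}}
            except botocore.exceptions.ProfileNotFound as e:
                error('[{}] {}'.format(account_alias, e))
        # Neither a SAML role nor a local profile: nothing to hand back.
        return None

    role = matching_roles[0]
    with ActionOnExit('[{}] Assuming role {}..'.format(account_alias, role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])
        # boto3 Sessions are not picklable, so return the raw keys and let the
        # parent process build the Session after Pool().map() returns.
        return {cred_name: {
            'aws_access_key_id': key_id,
            'aws_secret_access_key': secret,
            'aws_session_token': session_token,
        }}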
Example #2
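def configure(file, account_name_pattern, saml_user, saml_password, dry_run):
    '''Configure one or more AWS account(s) matching the provided pattern.

    ``file`` is the YAML configuration (parsed with ``yaml.safe_load``); the
    keys of its ``accounts`` mapping are filtered with ``fnmatch`` against
    ``account_name_pattern`` and processed in sorted order, with ``global``
    settings filled in for keys an account does not override.

    When ``saml_user`` and the account's ``saml_identity_provider_url`` /
    ``saml_admin_login_role`` are set, the SAML password is taken from the
    argument, then the ``sevenseconds`` keyring entry, then an interactive
    prompt; it is stored back to the keyring only after ``authenticate``
    succeeded. The assumed role's temporary credentials are written to the
    ``default`` AWS profile, overwriting whatever was there. Exceptions from
    ``configure_account`` are reported per account and do not abort the run.
    '''
    config = yaml.safe_load(file)
    accounts = config.get('accounts', {})

    account_names = sorted(fnmatch.filter(accounts.keys(), account_name_pattern))

    if not account_names:
        error('No configuration found for account {}'.format(account_name_pattern))
        return

    # Resolved lazily on first use and shared across all accounts.
    trusted_addresses = None

    global_cfg = config.get('global', {})

    for account_name in account_names:
        cfg = accounts.get(account_name) or {}
        # Account-level settings win; global settings only fill the gaps.
        for key, val in global_cfg.items():
            if key not in cfg:
                cfg[key] = val

        saml_url = cfg.get('saml_identity_provider_url')
        saml_role = cfg.get('saml_admin_login_role')

        if saml_user and saml_url and saml_role:
            if not saml_password:
                saml_password = keyring.get_password('sevenseconds', saml_user)
            if not saml_password:
                saml_password = click.prompt('Please enter your SAML password', hide_input=True)

            with Action('Authenticating against {}..'.format(saml_url)):
                saml_xml, roles = authenticate(saml_url, saml_user, saml_password)
            # Only persist a password the IdP actually accepted.
            keyring.set_password('sevenseconds', saml_user, saml_password)

            account_alias = cfg.get('alias', account_name).format(account_name=account_name)
            matching_roles = [(parn, rarn, aname)
                              for parn, rarn, aname in roles
                              if aname == account_alias and rarn.endswith(saml_role)]
            # endswith() is a loose suffix test ("Admin" also matches
            # ".../role/ReadOnlyAdmin"). If several role ARNs match, prefer an
            # exact final-segment match so the admin role we assume is the one
            # configured, and say so when it is still ambiguous.
            if len(matching_roles) > 1:
                exact = [r for r in matching_roles if r[1].rsplit('/', 1)[-1] == saml_role]
                if exact:
                    matching_roles = exact
            if len(matching_roles) > 1:
                warning('Role {} is ambiguous for account {}, using the first match: {}'
                        .format(saml_role, account_name, [r[1] for r in matching_roles]))
            if not matching_roles:
                error('No matching role found for account {}: {}'.format(account_name, roles))
                warning('Skipping account configuration of {} due to missing credentials'.format(account_name))
                continue
            role = matching_roles[0]
            with Action('Assuming role {}..'.format(role)):
                key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])
            # NOTE: this replaces the user's "default" profile with the
            # temporary admin credentials for this account.
            write_aws_credentials('default', key_id, secret, session_token)

        if not trusted_addresses:
            trusted_addresses = get_trusted_addresses(config)

        try:
            configure_account(account_name, cfg, trusted_addresses, dry_run)
        except Exception:
            # Top-level boundary: report and carry on with the next account.
            error('Error while configuring {}: {}'.format(account_name, traceback.format_exc()))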
Example #3
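def get_aws_credentials(saml_user, saml_password, saml_url, saml_role, account_alias, credential_name):
    '''Authenticate against the SAML IdP, assume ``saml_role`` and store the credentials.

    The password is taken from ``saml_password``, then the ``sevenseconds``
    keyring entry for ``saml_user``, then an interactive prompt; it is written
    back to the keyring only after ``authenticate`` succeeded. The role is
    selected from the assertion's ``(parn, rarn, aname)`` tuples (provider
    ARN, role ARN, account name, judging by the names and the ``assume_role``
    call) by account name and role-ARN suffix, and the resulting temporary
    keys are written to the AWS profile ``credential_name``.

    Returns True when credentials were written, False when no role matched.
    '''
    if not saml_password:
        saml_password = keyring.get_password('sevenseconds', saml_user)
    if not saml_password:
        saml_password = click.prompt('Please enter your SAML password', hide_input=True)
    with Action('[{}] Authenticating against {}..'.format(credential_name, saml_url)):
        saml_xml, roles = authenticate(saml_url, saml_user, saml_password)
    # Only persist a password the IdP actually accepted.
    keyring.set_password('sevenseconds', saml_user, saml_password)

    matching_roles = [(parn, rarn, aname)
                      for parn, rarn, aname in roles
                      if aname == account_alias and rarn.endswith(saml_role)]
    # endswith() is a loose suffix test ("Admin" also matches
    # ".../role/ReadOnlyAdmin"). If several role ARNs match, prefer an exact
    # final-segment match and report it when the choice is still ambiguous,
    # rather than silently assuming whichever role the IdP listed first.
    if len(matching_roles) > 1:
        exact = [r for r in matching_roles if r[1].rsplit('/', 1)[-1] == saml_role]
        if exact:
            matching_roles = exact
    if len(matching_roles) > 1:
        error('[{}] Role {} is ambiguous, using the first match: {}'
              .format(credential_name, saml_role, [r[1] for r in matching_roles]))

    if not matching_roles:
        error('[{}] No matching role found for account {}'.format(credential_name, account_alias))
        return False

    role = matching_roles[0]
    with Action('[{}] Assuming role {}..'.format(credential_name, role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])
    write_aws_credentials(credential_name, key_id, secret, session_token)
    return True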
Example #4
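def login_with_profile(obj, profile, config, awsprofile):
    '''Log in via SAML for one profile and write temporary AWS credentials.

    ``config`` is the profile's mapping with ``saml_identity_provider_url``,
    ``saml_user`` and ``saml_role``; the role is indexed as ``role[0]`` /
    ``role[1]``, the two ARNs ``assume_role`` takes. The resulting keys are
    written to the AWS profile ``awsprofile`` and the login time plus the
    profile name are recorded in ``obj['last-update-filename']``.

    Raises click.UsageError when the URL, user or role is missing from config.
    '''
    url = config.get('saml_identity_provider_url')
    user = config.get('saml_user')
    role = config.get('saml_role')

    if not url:
        raise click.UsageError('Missing identity provider URL')

    if not user:
        raise click.UsageError('Missing SAML username')

    # Without this guard a profile without a role dies on role[0] below with a
    # bare TypeError instead of a usage message.
    if not role:
        raise click.UsageError('Missing SAML role')

    saml_xml, roles = saml_login(user, url)
    # NOTE(review): `roles` (what the IdP currently grants) is not checked
    # against the configured role; a stale ARN presumably fails inside
    # assume_role instead -- confirm before relying on that.

    with Action('Assuming role {role}..', role=get_role_label(role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])

    with Action('Writing temporary AWS credentials..'):
        write_aws_credentials(awsprofile, key_id, secret, session_token)
        # Only the timestamp and profile name are recorded here, no secrets.
        with open(obj['last-update-filename'], 'w') as fd:
            yaml.safe_dump({'timestamp': time.time(), 'profile': profile}, fd)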
Example #5
File: cli.py Project: mpare-net/mai
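def login_with_profile(obj, profile, config, awsprofile):
    """Log in via SAML for one profile and write temporary AWS credentials.

    ``config`` is the profile's mapping with ``saml_identity_provider_url``,
    ``saml_user`` and ``saml_role``; the role is indexed as ``role[0]`` /
    ``role[1]``, the two ARNs ``assume_role`` takes. The resulting keys are
    written to the AWS profile ``awsprofile`` and the login time plus the
    profile name are recorded in ``obj["last-update-filename"]``.

    Raises click.UsageError when the URL, user or role is missing from config.
    """
    url = config.get("saml_identity_provider_url")
    user = config.get("saml_user")
    role = config.get("saml_role")

    if not url:
        raise click.UsageError("Missing identity provider URL")

    if not user:
        raise click.UsageError("Missing SAML username")

    # Without this guard a profile without a role dies on role[0] below with a
    # bare TypeError instead of a usage message.
    if not role:
        raise click.UsageError("Missing SAML role")

    saml_xml, roles = saml_login(user, url)
    # NOTE(review): `roles` (what the IdP currently grants) is not checked
    # against the configured role; a stale ARN presumably fails inside
    # assume_role instead -- confirm before relying on that.

    with Action("Assuming role {role}..", role=get_role_label(role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])

    with Action("Writing temporary AWS credentials.."):
        write_aws_credentials(awsprofile, key_id, secret, session_token)
        # Only the timestamp and profile name are recorded here, no secrets.
        with open(obj["last-update-filename"], "w") as fd:
            yaml.safe_dump({"timestamp": time.time(), "profile": profile}, fd)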