def get_token(aws_account, ops_idp_host):
""" Generate temporary SSO access credentials.
Requires the config file containing the IDP hostname.
Returns:
A temporary boto3 client created with a session token provided by the IDP host.
"""
ssh_args = None
# if running in a container (like the monitoring container)
# use alternate ssh key and known host file
if 'CONTAINER' in os.environ:
ssh_args =\
['-i', '/secrets/ssh-id-rsa', '-o', 'UserKnownHostsFile=/configdata/ssh_known_hosts']
try:
creds = saml_aws_creds.get_temp_credentials(
metadata_id='urn:amazon:webservices:%s' % aws_account,
idp_host=ops_idp_host,
ssh_args=ssh_args)
client = boto3.client(
'iam',
aws_access_key_id=creds['AccessKeyId'],
aws_secret_access_key=creds['SecretAccessKey'],
aws_session_token=creds['SessionToken'])
return client
except ValueError as client_exception:
if 'Error retrieving SAML token' in client_exception.message and \
'Metadata not found' in client_exception.message:
print('Metadata for %s missing or misconfigured, skipping' %
aws_account)
def get_token(aws_account):
""" Generate temporary SSO access credentials.
Requires the config file containing the IDP hostname.
Returns:
A temporary boto3 client created with a session token provided by the IDP host.
Raises:
A ValueError if the config path can not be found.
"""
sso_config_path = '/etc/openshift_tools/sso-config.yaml'
if os.path.isfile(sso_config_path):
with open(sso_config_path, 'r') as sso_config:
yaml_config = yaml.load(sso_config)
if yaml_config["idp_host"]:
ops_idp_host = yaml_config["idp_host"]
creds = saml_aws_creds.get_temp_credentials(
metadata_id='urn:amazon:webservices:%s' % aws_account,
idp_host=ops_idp_host)
client = boto3.client(
'iam',
aws_access_key_id=creds['AccessKeyId'],
aws_secret_access_key=creds['SecretAccessKey'],
aws_session_token=creds['SessionToken'])
return client
else:
raise ValueError(sso_config_path + 'does not exist.')
def get_token(aws_account):
""" Generate temporary SSO access credentials.
Requires the config file containing the IDP hostname.
Returns:
A temporary boto3 client created with a session token provided by the IDP host.
Raises:
A ValueError if the config path can not be found.
"""
sso_config_path = '/etc/openshift_tools/sso-config.yaml'
if os.path.isfile(sso_config_path):
with open(sso_config_path, 'r') as sso_config:
yaml_config = yaml.load(sso_config)
if yaml_config["idp_host"]:
ops_idp_host = yaml_config["idp_host"]
try:
creds = saml_aws_creds.get_temp_credentials(
metadata_id='urn:amazon:webservices:%s' % aws_account,
idp_host=ops_idp_host)
client = boto3.client(
'iam',
aws_access_key_id=creds['AccessKeyId'],
aws_secret_access_key=creds['SecretAccessKey'],
aws_session_token=creds['SessionToken'])
return client
except botocore.exceptions.ClientError as client_exception:
print(client_exception)
print('Skipping account %s' % aws_account)
except ValueError as client_exception:
if 'Error retrieving SAML token' in client_exception.message and \
'Metadata not found' in client_exception.message:
print(client_exception)
print(
'Metadata for %s missing or misconfigured, skipping'
% aws_account)
else:
raise
else:
raise ValueError(sso_config_path + 'does not exist.')
