def test_profile_role_arn_cached_session():
    """
    A role arn plus a still-valid cached session must reuse that session.

    No role may be (re)assumed, and the cached session's token and name are
    what get exported as environment variables.

    """
    # Values to_envvars() is expected to expose for the cached session.
    expected_envvars = (
        ("AWS_SESSION_TOKEN", CACHED_SESSION.token),
        ("AWS_SESSION_NAME", CACHED_SESSION.name),
    )

    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        profile_under_test = AWSProfile(
            profile=PROFILE,
            cached_session=CACHED_SESSION,
            session_duration=DEFAULT_SESSION_DURATION,
        )
        assert_that(profile_under_test.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(profile_under_test.cached_session, is_(equal_to(CACHED_SESSION)))

        with patch.object(profile_under_test, "assume_role") as mocked_assume_role:
            # assume_role is mocked, so any attempt to assume the role shows up
            # in call_count; with a cached session there must be none
            profile_under_test.update_credentials()
            assert_that(mocked_assume_role.call_count, is_(equal_to(0)))
            assert_that(profile_under_test.cached_session, is_(equal_to(CACHED_SESSION)))

        # session variables are set; to_envvars() is queried once per variable
        for envvar_name, expected_value in expected_envvars:
            assert_that(
                profile_under_test.to_envvars().get(envvar_name),
                is_(equal_to(expected_value)),
            )
def test_profile_no_role_arn():
    """
    Without a role arn there is nothing to assume and no session to export.

    The profile keeps a cached session of None and neither session
    environment variable is emitted.

    """
    with custom_config(profile=PROFILE):
        profile_under_test = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )
        assert_that(profile_under_test.role_arn, is_(none()))
        assert_that(profile_under_test.cached_session, is_(none()))

        with patch.object(profile_under_test, "assume_role") as mocked_assume_role:
            # assume_role is mocked so that an unexpected call would be counted
            profile_under_test.update_credentials()
            assert_that(mocked_assume_role.call_count, is_(equal_to(0)))
            assert_that(profile_under_test.cached_session, is_(none()))

        # session variables are NOT set; to_envvars() is queried once per variable
        for envvar_name in ("AWS_SESSION_TOKEN", "AWS_SESSION_NAME"):
            assert_that(profile_under_test.to_envvars().get(envvar_name), is_(none()))
def get_profile(profile=None,
                session_duration=DEFAULT_SESSION_DURATION,
                assume_role=True,
                refresh=False,
                account_id=None):
    """
    Construct an AWS Profile.

    :param profile: the name of the profile to use; resolved through
                    get_profile_name() when not given
    :param session_duration: the session duration (in seconds); defaults to
                             DEFAULT_SESSION_DURATION (described by the original
                             author as one hour, which is also the maximum)
    :param assume_role: control whether the given profile's role will be assumed;
                        if not, the default profile's credentials will be used.
                        When false, no cached session is read from the environment
                        and update_credentials() is not called.
    :param refresh: when true, the session cached in the environment is ignored,
                    so update_credentials() runs without a cached session
    :param account_id: passed through unchanged to AWSProfile
                       (NOTE(review): its meaning is not visible here - confirm)
    :returns: the constructed AWSProfile

    """
    # resolve the profile name only when the caller did not supply one
    if profile is None:
        profile = get_profile_name()

    # A session cached in the environment is only trusted when a role is going
    # to be assumed and the caller did not ask for a refresh.
    cached_session = None
    if assume_role and not refresh:
        cached_session = CachedSession.from_environment(
            session_duration=session_duration,
        )

    # load the profile; credentials are then updated from the cached session
    # and/or the assumed role
    aws_profile = AWSProfile(
        profile=profile,
        session_duration=session_duration,
        cached_session=cached_session,
        account_id=account_id,
    )
    if assume_role:
        aws_profile.update_credentials()

    return aws_profile
def test_profile_with_role_arn():
    """
    A role arn with no cached session must trigger exactly one role assumption.

    The session produced by that assumption is what ends up in the exported
    environment variables.

    """
    # Values to_envvars() is expected to expose once the role has been assumed.
    expected_envvars = (
        ("AWS_SESSION_TOKEN", CACHED_SESSION.token),
        ("AWS_SESSION_NAME", CACHED_SESSION.name),
    )

    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        profile_under_test = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )
        assert_that(profile_under_test.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(profile_under_test.cached_session, is_(none()))

        with patch.object(profile_under_test, "assume_role") as mocked_assume_role:
            # we do expect a role to be assumed
            def fake_assume_role():
                # Stand-in for the real call: record the session on the profile
                # and hand back placeholder credentials.
                profile_under_test.cached_session = CACHED_SESSION
                return "access_key", "secret_key"

            mocked_assume_role.side_effect = fake_assume_role

            profile_under_test.update_credentials()
            assert_that(mocked_assume_role.call_count, is_(equal_to(1)))

        # session variables are set; to_envvars() is queried once per variable
        for envvar_name, expected_value in expected_envvars:
            assert_that(
                profile_under_test.to_envvars().get(envvar_name),
                is_(equal_to(expected_value)),
            )
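def test_profile_region_from_envvar():
    """
    Use AWS_REGION environment variable for region if set.

    The previous value of AWS_REGION is restored when the test finishes, so the
    override cannot leak into tests that run later in the same process.

    """
    region = 'us-east-2'

    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        # Remember the prior state: a process-wide environment change that
        # outlives this test would silently alter the region other tests see.
        previous_region = environ.get('AWS_REGION')
        environ['AWS_REGION'] = region
        try:
            aws_profile = AWSProfile(
                profile=PROFILE,
                session_duration=DEFAULT_SESSION_DURATION,
                cached_session=None,
            )
            assert_that(aws_profile.region_name, is_(equal_to(region)))
        finally:
            # Put the environment back exactly as it was, including "unset".
            if previous_region is None:
                environ.pop('AWS_REGION', None)
            else:
                environ['AWS_REGION'] = previous_region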