Esempio n. 1
0
def mk_boto_session(
    profile: Optional[str] = None,
    creds: Optional[ReadOnlyCredentials] = None,
    region_name: Optional[str] = None,
) -> Session:
    """Get botocore session with correct `region` configured

    :param profile: profile name to lookup
    :param creds: Override credentials with supplied data
    :param region_name: default region_name to use if not configured for a given profile
    """
    session = botocore.session.Session(profile=profile)

    if creds is not None:
        session.set_credentials(creds.access_key, creds.secret_key, creds.token)

    _region = session.get_config_variable("region")
    if _region is None:
        if region_name is None or region_name == "auto":
            _region = auto_find_region(session, default="us-west-2")
        else:
            _region = region_name
        session.set_config_variable("region", _region)

    return session
Esempio n. 2
0
    def _create_session_with_assume_role(
            self, session_kwargs: Dict[str, Any]) -> boto3.session.Session:
        if self.conn.assume_role_method == 'assume_role_with_web_identity':
            # Deferred credentials have no initial credentials
            credential_fetcher = self._get_web_identity_credential_fetcher()
            credentials = botocore.credentials.DeferredRefreshableCredentials(
                method='assume-role-with-web-identity',
                refresh_using=credential_fetcher.fetch_credentials,
                time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()),
            )
        else:
            # Refreshable credentials do have initial credentials
            credentials = botocore.credentials.RefreshableCredentials.create_from_metadata(
                metadata=self._refresh_credentials(),
                refresh_using=self._refresh_credentials,
                method="sts-assume-role",
            )

        session = botocore.session.get_session()
        session._credentials = credentials
        region_name = self.basic_session.region_name
        session.set_config_variable("region", region_name)

        return boto3.session.Session(botocore_session=session,
                                     **session_kwargs)
    def _get_botocore_session(profile_name=None, region=None):
        """
        Generates a botocore session with Managed SSH CLI set as the user agent

        :param profile_name: The name of a profile to use.  If not given, then the \
            default profile is used.
        :type profile_name: string
        :param region: An AWS region name to set as the default for the Botocore session
        :type region: string
        :return: A Botocore session object
        :rtype: botocore.session.Session
        """
        session = botocore.session.get_session()
        botocore_info = 'Botocore/{0}'.format(session.user_agent_version)
        if session.user_agent_extra:
            session.user_agent_extra += ' ' + botocore_info
        else:
            session.user_agent_extra = botocore_info
        session.user_agent_name = 'aws-ec2-instance-connect-cli'
        session.user_agent_version = CLI_VERSION
        """
        # Credential precedence:
        # 1. set user passed profile.
        # 2. set user passed region.
        # 3. let botocore handle the rest.
        """

        if profile_name:
            session.set_config_variable('profile', profile_name)
        if region is not None:
            session.set_config_variable('region', region)

        return session
Esempio n. 4
0
 def _create_session_with_assume_role(
         self, session_kwargs: Dict[str, Any]) -> boto3.session.Session:
     assume_role_method = self.extra_config.get('assume_role_method',
                                                'assume_role')
     self.log.info("assume_role_method=%s", assume_role_method)
     supported_methods = [
         'assume_role', 'assume_role_with_saml',
         'assume_role_with_web_identity'
     ]
     if assume_role_method not in supported_methods:
         raise NotImplementedError(
             f'assume_role_method={assume_role_method} in Connection {self.conn.conn_id} Extra.'
             f'Currently {supported_methods} are supported.'
             '(Exclude this setting will default to "assume_role").')
     if assume_role_method == 'assume_role_with_web_identity':
         # Deferred credentials have no initial credentials
         credential_fetcher = self._get_web_identity_credential_fetcher()
         credentials = botocore.credentials.DeferredRefreshableCredentials(
             method='assume-role-with-web-identity',
             refresh_using=credential_fetcher.fetch_credentials,
             time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()),
         )
     else:
         # Refreshable credentials do have initial credentials
         credentials = botocore.credentials.RefreshableCredentials.create_from_metadata(
             metadata=self._refresh_credentials(),
             refresh_using=self._refresh_credentials,
             method="sts-assume-role",
         )
     session = botocore.session.get_session()
     session._credentials = credentials  # pylint: disable=protected-access
     region_name = self.basic_session.region_name
     session.set_config_variable("region", region_name)
     return boto3.session.Session(botocore_session=session,
                                  **session_kwargs)
Esempio n. 5
0
def get_client(region=None, profile=None):
    try:
        print("get_client(): starting...")
        session = botocore.session.get_session()
        region = region or discover_region()

        if not region:
            raise ValueError('Region was not provided and could not be determined')

        session.set_config_variable('region', region)
        if profile:
            session.set_config_variable('profile', profile)

        print("create_client() will be called...")
        try:
            return session.create_client('kms', region_name=region)
        except Exception as e:
            print("\nget_client() failed calling session.create_client()")
            print("     ERROR:{}\n".format(e))
            sys.exit(1) 

        print("client created")
    
    except Exception as e:
        print("get_client() failed:{}".format(e))
        sys.exit(1)
    print("get_client() finished")
Esempio n. 6
0
    def __init__(self,
                 s3_staging_dir=None,
                 access_key=None,
                 secret_key=None,
                 region_name=None,
                 schema_name='default',
                 profile_name=None,
                 credential_file=None,
                 jvm_path=None,
                 jvm_options=None,
                 converter=None,
                 formatter=None,
                 driver_path=None,
                 **driver_kwargs):
        if s3_staging_dir:
            self.s3_staging_dir = s3_staging_dir
        else:
            self.s3_staging_dir = os.getenv(self._ENV_S3_STAGING_DIR, None)
        assert self.s3_staging_dir, 'Required argument `s3_staging_dir` not found.'
        assert schema_name, 'Required argument `schema_name` not found.'
        self.schema_name = schema_name

        if credential_file:
            self.access_key = None
            self.secret_key = None
            self.token = None
            self.credential_file = credential_file
            assert self.credential_file, 'Required argument `credential_file` not found.'
            self.region_name = region_name
            assert self.region_name, 'Required argument `region_name` not found.'
        else:
            import botocore.session
            session = botocore.session.get_session()
            if access_key and secret_key:
                session.set_credentials(access_key, secret_key)
            if profile_name:
                session.set_config_variable('profile', profile_name)
            if region_name:
                session.set_config_variable('region', region_name)
            credentials = session.get_credentials()
            self.access_key = credentials.access_key
            assert self.access_key, 'Required argument `access_key` not found.'
            self.secret_key = credentials.secret_key
            assert self.secret_key, 'Required argument `secret_key` not found.'
            self.token = credentials.token
            self.credential_file = None
            self.region_name = session.get_config_variable('region')
            assert self.region_name, 'Required argument `region_name` not found.'

        self._start_jvm(jvm_path, jvm_options, driver_path)

        props = self._build_driver_args(**driver_kwargs)
        jpype.JClass(ATHENA_DRIVER_CLASS_NAME)
        self._jdbc_conn = jpype.java.sql.DriverManager.getConnection(
            ATHENA_CONNECTION_STRING.format(region=self.region_name,
                                            schema=schema_name), props)

        self._converter = converter if converter else JDBCTypeConverter()
        self._formatter = formatter if formatter else ParameterFormatter()
Esempio n. 7
0
 def _create_client(self):
     session = botocore.session.get_session()
     if aws_creds:
         session.set_credentials(**aws_creds)
     else:
         session.set_config_variable('profile', self.profile)
     return session.create_client(
         self.service_name, region_name=self.region_name)
Esempio n. 8
0
def create_session(**kwargs):
    # Create a Session object.  By default,
    # the _LOADER object is used as the loader
    # so that we reused the same models across tests.
    session = botocore.session.Session(**kwargs)
    session.register_component('data_loader', _LOADER)
    session.set_config_variable('credentials_file', 'noexist/foo/botocore')
    return session
Esempio n. 9
0
def create_session(**kwargs):
    # Create a Session object.  By default,
    # the _LOADER object is used as the loader
    # so that we reused the same models across tests.
    session = botocore.session.Session(**kwargs)
    session.register_component('data_loader', _LOADER)
    session.set_config_variable('credentials_file', 'noexist/foo/botocore')
    return session
Esempio n. 10
0
def get_client(region=None, profile=None):
    session = botocore.session.get_session()
    region = region or discover_region()

    if not region:
        raise ValueError('Region was not provided and could not be determined')

    session.set_config_variable('region', region)
    if profile:
        session.set_config_variable('profile', profile)

    return session.create_client('kms', region_name=region)
Esempio n. 11
0
 def test_config_loader_delegation(self):
     session = create_session(profile='credfile-profile')
     with temporary_file('w') as f:
         f.write('[credfile-profile]\naws_access_key_id=a\n')
         f.write('aws_secret_access_key=b\n')
         f.flush()
         session.set_config_variable('credentials_file', f.name)
         # Now trying to retrieve the scoped config should pull in
         # values from the shared credentials file.
         self.assertEqual(session.get_scoped_config(),
                          {'aws_access_key_id': 'a',
                           'aws_secret_access_key': 'b'})
Esempio n. 12
0
 def test_config_loader_delegation(self):
     session = create_session(profile='credfile-profile')
     with temporary_file('w') as f:
         f.write('[credfile-profile]\naws_access_key_id=a\n')
         f.write('aws_secret_access_key=b\n')
         f.flush()
         session.set_config_variable('credentials_file', f.name)
         # Now trying to retrieve the scoped config should pull in
         # values from the shared credentials file.
         self.assertEqual(session.get_scoped_config(),
                          {'aws_access_key_id': 'a',
                           'aws_secret_access_key': 'b'})
Esempio n. 13
0
def _get_botocore_session():
    if _get_botocore_session.botocore_session is None:
        LOG.debug('Creating new Botocore Session')
        LOG.debug('Botocore version: {0}'.format(botocore.__version__))
        session = botocore.session.get_session({
            'profile': (None, _profile_env_var, _profile, None),
        })
        session.set_config_variable('region', _region_name)
        session.register_component('data_loader', _get_data_loader())
        _set_user_agent_for_session(session)
        _get_botocore_session.botocore_session = session
        if _debug:
            session.set_debug_logger()

    return _get_botocore_session.botocore_session
Esempio n. 14
0
def _get_botocore_session():
    if _get_botocore_session.botocore_session is None:
        LOG.debug('Creating new Botocore Session')
        LOG.debug('Botocore version: {0}'.format(botocore.__version__))
        session = botocore.session.get_session({
            'profile': (None, _profile_env_var, _profile, None),
        })
        session.set_config_variable('region', _region_name)
        session.register_component('data_loader', _get_data_loader())
        _set_user_agent_for_session(session)
        _get_botocore_session.botocore_session = session
        if _debug:
            session.set_debug_logger()

    return _get_botocore_session.botocore_session
Esempio n. 15
0
    def get_session(self, region_name, role_arn):
        """
        Assumes the given role and returns a session object assuming said role.
        """
        session = botocore.session.get_session()
        if region_name is not None:
            session.set_config_variable('region', region_name)

        if role_arn is not None:
            sts = session.create_client(AUTH_SERVICE, region_name=region_name)
            credentials_dict = sts.assume_role(
                RoleArn=role_arn,
                RoleSessionName='EKSGetTokenAuth')['Credentials']

            session.set_credentials(credentials_dict['AccessKeyId'],
                                    credentials_dict['SecretAccessKey'],
                                    credentials_dict['SessionToken'])
            return session
        else:
            return session
Esempio n. 16
0
    def get_session(self, region_name, role_arn):
        """
        Assumes the given role and returns a session object assuming said role.
        """
        session = botocore.session.get_session()
        if region_name is not None:
            session.set_config_variable('region', region_name)

        if role_arn is not None:
            sts = session.create_client(AUTH_SERVICE, region_name=region_name)
            credentials_dict = sts.assume_role(
                RoleArn=role_arn,
                RoleSessionName='EKSGetTokenAuth'
            )['Credentials']

            session.set_credentials(credentials_dict['AccessKeyId'],
                                    credentials_dict['SecretAccessKey'],
                                    credentials_dict['SessionToken'])
            return session
        else:
            return session
Esempio n. 17
0
def boto3_session(profile_name=None,
                  config_file=None,
                  credentials_file=None,
                  existing_creds=None):
    """
    returns a boto3 session using cached credentials
    Allows for sharing credentials from cli commands with boto sessions
    """
    # Construct botocore session with cache
    session = botocore.session.get_session()

    if profile_name is not None:
        session.set_config_variable("profile", profile_name)

    if config_file is not None:
        session.set_config_variable("config_file", config_file)

    if credentials_file is not None:
        session.set_config_variable("credentials_file", credentials_file)

    if existing_creds is not None:
        session.set_credentials(
            access_key=existing_creds["aws_access_key_id"],
            secret_key=existing_creds["aws_secret_access_key"],
            token=existing_creds["aws_session_token"],
        )

    session.get_component("credential_provider").get_provider(
        "assume-role").cache = credentials.JSONFileCache(cli_cache)

    return boto3.Session(botocore_session=session)
Esempio n. 18
0
def get_boto_session(region_name=None,
                     profile=None,
                     creds=None,
                     cache=None):
    """ Get botocore.session with correct region_name configured
    """
    if cache is not None:
        sessions = getattr(cache, 'sessions', None)
        if sessions is None:
            sessions = {}
            setattr(cache, 'sessions', sessions)

        session = sessions.get(region_name)
    else:
        sessions, session = {}, None

    if session is not None:
        return session

    session = botocore.session.Session(profile=profile)
    _region = session.get_config_variable("region")

    if creds is not None:
        session.set_credentials(creds.access_key,
                                creds.secret_key,
                                creds.token)

    if _region is None:
        if region_name is None or region_name == "auto":
            _region = auto_find_region(session)
        else:
            _region = region_name
        session.set_config_variable("region", _region)

    sessions[_region] = session

    return session
Esempio n. 19
0
def login(profile, region, ssl_verification, adfs_ca_bundle, adfs_host,
          output_format, provider_id, s3_signature_version, env, stdin,
          authfile, stdout, printenv, role_arn, session_duration, assertfile,
          sspi, u2f_trigger_default, username, password):
    """
    Authenticates an user with active directory credentials
    """
    config = prepare.get_prepared_config(
        profile,
        region,
        ssl_verification,
        adfs_ca_bundle,
        adfs_host,
        output_format,
        provider_id,
        s3_signature_version,
        session_duration,
        sspi,
        u2f_trigger_default,
    )

    _verification_checks(config)

    # Try re-authenticating using an existing ADFS session
    if username != None and password != None:
        #print(username)
        #print(password)
        #exit(0)
        principal_roles, assertion, aws_session_duration = authenticator.authenticate(
            config,
            username=username,
            password=password,
            assertfile=assertfile)
    else:
        principal_roles, assertion, aws_session_duration = authenticator.authenticate(
            config, assertfile=assertfile)

    #principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, assertfile=assertfile)

    # If we fail to get an assertion, prompt for credentials and try again
    if assertion is None:
        password = None

        if stdin:
            config.adfs_user, password = _stdin_user_credentials()
        elif env:
            config.adfs_user, password = _env_user_credentials()
        elif authfile:
            config.adfs_user, password = _file_user_credentials(
                config.profile, authfile)

        if not config.adfs_user:
            config.adfs_user = click.prompt(text='Username',
                                            type=str,
                                            default=config.adfs_user)

        if not password:
            password = click.prompt('Password', type=str, hide_input=True)

        principal_roles, assertion, aws_session_duration = authenticator.authenticate(
            config, config.adfs_user, password)

        password = '******'
        del password

    if (role_arn is not None):
        config.role_arn = role_arn
    principal_arn, config.role_arn = role_chooser.choose_role_to_assume(
        config, principal_roles)
    if principal_arn is None or config.role_arn is None:
        click.echo('This account does not have access to any roles', err=True)
        exit(-1)

    # Use the assertion to get an AWS STS token using Assume Role with SAML
    # according to the documentation:
    #   http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html
    # This element contains one AttributeValue element that specifies the maximum time that the user
    # can access the AWS Management Console before having to request new temporary credentials.
    # The value is an integer representing the number of seconds, and can be
    # a maximum of 43200 seconds (12 hours). If this attribute is not present,
    # then the maximum session duration defaults to one hour
    # (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API).
    # To use this attribute, you must configure the SAML provider to provide single sign-on access
    # to the AWS Management Console through the console sign-in web endpoint at
    # https://signin.aws.amazon.com/saml.
    # Note that this attribute extends sessions only to the AWS Management Console.
    # It cannot extend the lifetime of other credentials.
    # However, if it is present in an AssumeRoleWithSAML API call,
    # it can be used to shorten the lifetime of the credentials returned by the call to less than
    # the default of 60 minutes.
    #
    # Note, too, that if a SessionNotOnOrAfter attribute is also defined,
    # then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter,
    # establishes the maximum duration of the console session.
    try:
        session = botocore.session.get_session()
        session.set_config_variable('profile', config.profile)
        conn = session.create_client(
            'sts', config=client.Config(signature_version=botocore.UNSIGNED))
    except botocore.exceptions.ProfileNotFound:
        logging.debug('Profile {} does not exist yet'.format(config.profile))
        session = botocore.session.get_session()
        conn = session.create_client(
            'sts', config=client.Config(signature_version=botocore.UNSIGNED))

    aws_session_token = conn.assume_role_with_saml(
        RoleArn=config.role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=assertion,
        DurationSeconds=int(config.session_duration),
    )

    if stdout:
        _emit_json(aws_session_token)
    elif printenv:
        _emit_summary(config, aws_session_duration)
        _print_environment_variables(aws_session_token, config)
    else:
        _store(config, aws_session_token)
        _emit_summary(config, aws_session_duration)