Ejemplo n.º 1
def get_profile(profile=None,
                session_duration=DEFAULT_SESSION_DURATION,
                assume_role=True,
                refresh=False,
                account_id=None):
    """
    Build an AWS profile, optionally reusing a cached session and assuming a role.

    :param profile: the name of the profile to use; when ``None`` the name is
           resolved through ``get_profile_name()``
    :param session_duration: the session duration (in seconds); defaults to
           ``DEFAULT_SESSION_DURATION``, which the original documentation
           describes as one hour and also the maximum
    :param assume_role: control whether the given profile's role will be assumed;
           if not, no cached session is looked up and ``update_credentials()``
           is not called
    :param refresh: when true, any cached session in the environment is ignored
    :param account_id: forwarded unchanged to ``AWSProfile``
    :returns: the constructed ``AWSProfile``
    """
    # fall back to the resolved profile name only when the caller gave none
    profile_name = get_profile_name() if profile is None else profile

    # A cached session is only consulted when a role is to be assumed and the
    # caller did not ask for a refresh.
    # NOTE(review): the session material comes from the process environment;
    # what from_environment validates (e.g. expiry) is not visible here - confirm.
    session = None
    if assume_role and not refresh:
        session = CachedSession.from_environment(
            session_duration=session_duration,
        )

    loaded = AWSProfile(
        profile=profile_name,
        session_duration=session_duration,
        cached_session=session,
        account_id=account_id,
    )

    # without role assumption the profile is returned exactly as constructed
    if not assume_role:
        return loaded

    loaded.update_credentials()
    return loaded
Ejemplo n.º 2
def test_profile_role_arn_cached_session():
    """
    With a role arn configured and a cached session supplied, updating
    credentials must not call ``assume_role`` again.

    NOTE(review): this only covers a cached session that is accepted as-is;
    an expired or otherwise rejected session is not exercised here.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        subject = AWSProfile(
            profile=PROFILE,
            cached_session=CACHED_SESSION,
            session_duration=DEFAULT_SESSION_DURATION,
        )

        # construction keeps both the configured role and the supplied session
        assert_that(subject.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(subject.cached_session, is_(equal_to(CACHED_SESSION)))

        with patch.object(subject, "assume_role") as mocked_assume:
            subject.update_credentials()
            # the cached session is reused: no role assumption, session untouched
            assert_that(mocked_assume.call_count, is_(equal_to(0)))
            assert_that(
                subject.cached_session,
                is_(equal_to(CACHED_SESSION)),
            )

        # the cached session's token and name are what gets exported
        exported_token = subject.to_envvars().get("AWS_SESSION_TOKEN")
        assert_that(exported_token, is_(equal_to(CACHED_SESSION.token)))
        exported_name = subject.to_envvars().get("AWS_SESSION_NAME")
        assert_that(exported_name, is_(equal_to(CACHED_SESSION.name)))
Ejemplo n.º 3
def test_profile_no_role_arn():
    """
    Without a role arn in the configuration, updating credentials must not
    assume a role and no session variables may be exported.
    """
    with custom_config(profile=PROFILE):
        subject = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )

        # nothing role- or session-related is present after construction
        assert_that(subject.role_arn, is_(none()))
        assert_that(subject.cached_session, is_(none()))

        with patch.object(subject, "assume_role") as mocked_assume:
            subject.update_credentials()
            # no role arn means no role assumption and still no session
            assert_that(mocked_assume.call_count, is_(equal_to(0)))
            assert_that(subject.cached_session, is_(none()))

        # neither session variable leaks into the exported environment
        exported_token = subject.to_envvars().get("AWS_SESSION_TOKEN")
        assert_that(exported_token, is_(none()))
        exported_name = subject.to_envvars().get("AWS_SESSION_NAME")
        assert_that(exported_name, is_(none()))
Ejemplo n.º 4
def test_profile_with_role_arn():
    """
    With a role arn configured and no cached session, updating credentials
    assumes the role exactly once and the resulting session is exported.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        subject = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )
        assert_that(subject.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(subject.cached_session, is_(none()))

        with patch.object(subject, "assume_role") as mocked_assume:
            def fake_assume_role():
                # stand-in for the real call: record a session on the profile
                # and hand back a placeholder key pair
                subject.cached_session = CACHED_SESSION
                return "access_key", "secret_key"

            mocked_assume.side_effect = fake_assume_role
            subject.update_credentials()
            # exactly one role assumption is expected
            assert_that(mocked_assume.call_count, is_(equal_to(1)))

        # the session created by the (mocked) role assumption is exported
        exported_token = subject.to_envvars().get("AWS_SESSION_TOKEN")
        assert_that(exported_token, is_(equal_to(CACHED_SESSION.token)))
        exported_name = subject.to_envvars().get("AWS_SESSION_NAME")
        assert_that(exported_name, is_(equal_to(CACHED_SESSION.name)))
Ejemplo n.º 5
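def test_profile_region_from_envvar():
    """
    Use AWS_REGION environment variable for region if set.

    The variable is restored to its previous state afterwards so that the
    override cannot leak into other tests running in the same process.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        region = 'us-east-2'
        # remember the prior value (None when unset) before overriding it
        previous_region = environ.get('AWS_REGION')
        environ['AWS_REGION'] = region
        try:
            aws_profile = AWSProfile(
                profile=PROFILE,
                session_duration=DEFAULT_SESSION_DURATION,
                cached_session=None,
            )
            assert_that(aws_profile.region_name, is_(equal_to(region)))
        finally:
            # undo the override even when the assertion fails
            if previous_region is None:
                environ.pop('AWS_REGION', None)
            else:
                environ['AWS_REGION'] = previous_region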