def setup_sts_connection(self, endpoint=None, region=None, aws_access_key_id=None, aws_secret_access_key=None, path="/",port=443, is_secure=True, boto_debug=0): sts_region = RegionInfo() if region: self.debug("Check region: " + str(region)) try: if not endpoint: sts_region.endpoint = EC2RegionData[region] else: sts_region.endpoint = endpoint except KeyError: raise Exception( 'Unknown region: %s' % region) else: sts_region.name = 'eucalyptus' if endpoint: sts_region.endpoint = endpoint else: sts_region.endpoint = self.get_ec2_ip() try: sts_connection_args = { 'aws_access_key_id' : aws_access_key_id, 'aws_secret_access_key': aws_secret_access_key, 'is_secure': is_secure, 'debug':boto_debug, 'port' : port, 'path' : path, 'region' : sts_region} self.debug("Attempting to create STS connection to " + self.get_ec2_ip() + str(port) + path) self.tokens = boto.connect_sts(**sts_connection_args) except Exception, e: self.critical("Was unable to create STS connection because of exception: " + str(e))
def test_assume_role(): conn = boto.connect_sts() policy = json.dumps({ "Statement": [ { "Sid": "Stmt13690092345534", "Action": ["S3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::foobar-tester"] }, ] }) s3_role = "arn:aws:iam::123456789012:role/test-role" role = conn.assume_role(s3_role, "session-name", policy, duration_seconds=123) credentials = role.credentials credentials.expiration.should.equal('2012-01-01T12:02:03.000Z') credentials.session_token.should.have.length_of(356) assert credentials.session_token.startswith("FQoGZXIvYXdzE") credentials.access_key.should.have.length_of(20) assert credentials.access_key.startswith("ASIA") credentials.secret_key.should.have.length_of(40) role.user.arn.should.equal("arn:aws:iam::123456789012:role/test-role") role.user.assume_role_id.should.contain("session-name")
def test_assume_role_with_web_identity(): conn = boto.connect_sts() policy = json.dumps({ "Statement": [{ "Sid": "Stmt13690092345534", "Action": ["S3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::foobar-tester"], }] }) role_name = "test-role" s3_role = "arn:aws:iam::{account_id}:role/{role_name}".format( account_id=ACCOUNT_ID, role_name=role_name) session_name = "session-name" role = conn.assume_role_with_web_identity(s3_role, session_name, policy, duration_seconds=123) credentials = role.credentials credentials.expiration.should.equal("2012-01-01T12:02:03.000Z") credentials.session_token.should.have.length_of(356) assert credentials.session_token.startswith("FQoGZXIvYXdzE") credentials.access_key.should.have.length_of(20) assert credentials.access_key.startswith("ASIA") credentials.secret_key.should.have.length_of(40) role.user.arn.should.equal( "arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}". format(account_id=ACCOUNT_ID, role_name=role_name, session_name=session_name)) role.user.assume_role_id.should.contain("session-name")
def connection(): ACCOUNT_ID = IDENTITY_POOL_ID = ROLE_ARN = # Use cognito to get an identity. cognito = boto.connect_cognito_identity() cognito_id = cognito.get_id(ACCOUNT_ID, IDENTITY_POOL_ID) oidc = cognito.get_open_id_token(cognito_id['IdentityId']) # Further setup your STS using the code below sts = boto.connect_sts() assumedRoleObject = sts.assume_role_with_web_identity(ROLE_ARN, "XX", oidc['Token']) # Prepare DynamoDB client # Prepare DynamoDB client client_dynamo = boto.dynamodb2.connect_to_region( 'us-east-1', aws_access_key_id=assumedRoleObject.credentials.access_key, aws_secret_access_key=assumedRoleObject.credentials.secret_key, security_token=assumedRoleObject.credentials.session_token) tables = client_dynamo.list_tables() dataTable = table_creation(tables, client_dynamo) return dataTable
def test_assume_role(): conn = boto.connect_sts() policy = json.dumps({ "Statement": [ { "Sid": "Stmt13690092345534", "Action": [ "S3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::foobar-tester" ] }, ] }) s3_role = "arn:aws:iam::123456789012:role/test-role" role = conn.assume_role(s3_role, "session-name", policy, duration_seconds=123) credentials = role.credentials credentials.expiration.should.equal('2012-01-01T12:02:03Z') credentials.session_token.should.equal("BQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE") credentials.access_key.should.equal("AKIAIOSFODNN7EXAMPLE") credentials.secret_key.should.equal("aJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") role.user.arn.should.equal("arn:aws:iam::123456789012:role/test-role") role.user.assume_role_id.should.contain("session-name")
def __init__(self, args, init_conn=True): super(MesserAWSCommand, self).__init__(args, config=MesserAWSConfig(args.config)) # set up STS if needed if init_conn: self.sts = None if self.config.role_arn: if self.config.aws_profile: self.sts_conn = boto.connect_sts(profile_name=self.config.aws_profile) else: self.sts_conn = boto.connect_sts() response = self.sts_conn.assume_role(self.config.role_arn, self.config.role_session_name) self.sts = response.credentials.to_dict() # get S3 & KMS connections self._connect_kms() self._connect_s3()
def assume_service(account_number, service, region='us-east-1'): conn = boto.connect_sts() role = conn.assume_role( 'arn:aws:iam::{0}:role/{1}'.format( account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah') if service in 'iam': return boto.connect_iam( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'elb': return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'vpc': return boto.connect_vpc( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 's3': return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token)
def updateTokens(self, goldenFile): print "Updating tokens..." mfaSerials = self.__getMfaSerial__(goldenFile) default = None print self.sections() for x in self.sections(): vals = x.split() if x == vals[0]: print "%s: %s" % (x, vals[0]) default = self.listSections() else: section = vals[1] credentials = mfaSerials[section] timeout = self.token_timeout * 60 * 60 msg = "Updating token for %s" % section if default == section: msg += " and for default" mfa = raw_input("MFA for %s: " % section) sts = connect_sts(aws_access_key_id = credentials['aws_access_key_id'], aws_secret_access_key = credentials['aws_secret_access_key']) token = sts.get_session_token(duration = timeout, force_new = True, mfa_serial_number = credentials['mfa_serial_number'], mfa_token = mfa) self.set(x, 'aws_access_key_id', token.access_key) self.set(x, 'aws_secret_access_key', token.secret_key) self.set(x, 'aws_session_token', token.session_token) self.set(x, 'region', credentials['region']) if default: self.__setDefault__(default) with open(self.awsConfig, 'wb') as configfile: self.write(configfile)
def setup_sts_connection(self, endpoint=None, region=None, aws_access_key_id=None, aws_secret_access_key=None, path="/",port=443, is_secure=True, boto_debug=0): sts_region = RegionInfo() if region: self.debug("Check region: " + str(region)) try: if not endpoint: sts_region.endpoint = EC2RegionData[region] else: sts_region.endpoint = endpoint except KeyError: raise Exception( 'Unknown region: %s' % region) else: sts_region.name = 'eucalyptus' if endpoint: sts_region.endpoint = endpoint else: sts_region.endpoint = self.get_ec2_ip() try: sts_connection_args = { 'aws_access_key_id' : aws_access_key_id, 'aws_secret_access_key': aws_secret_access_key, 'is_secure': is_secure, 'debug':boto_debug, 'port' : port, 'path' : path, 'region' : sts_region} self.debug("Attempting to create STS connection to " + self.get_ec2_ip() + ':' + str(port) + path) self.tokens = boto.connect_sts(**sts_connection_args) except Exception, e: self.critical("Was unable to create STS connection because of exception: " + str(e))
def external_creds(bucket, key, name, profile_name=None): policy = { 'Version': '2012-10-17', 'Statement': [ { 'Effect': 'Allow', 'Action': 's3:PutObject', 'Resource': 'arn:aws:s3:::{bucket}/{key}'.format(bucket=bucket, key=key), } ] } conn = boto.connect_sts(profile_name=profile_name) token = conn.get_federation_token(name, policy=json.dumps(policy)) # 'access_key' 'secret_key' 'expiration' 'session_token' credentials = token.credentials.to_dict() credentials.update({ 'upload_url': 's3://{bucket}/{key}'.format(bucket=bucket, key=key), 'federated_user_arn': token.federated_user_arn, 'federated_user_id': token.federated_user_id, 'request_id': token.request_id, }) return { 'service': 's3', 'bucket': bucket, 'key': key, 'upload_credentials': credentials, }
def external_creds(bucket, key, name, profile_name=None): policy = { 'Version': '2012-10-17', 'Statement': [{ 'Effect': 'Allow', 'Action': 's3:PutObject', 'Resource': 'arn:aws:s3:::{bucket}/{key}'.format(bucket=bucket, key=key), }] } conn = boto.connect_sts(profile_name=profile_name) token = conn.get_federation_token(name, policy=json.dumps(policy)) # 'access_key' 'secret_key' 'expiration' 'session_token' credentials = token.credentials.to_dict() credentials.update({ 'upload_url': 's3://{bucket}/{key}'.format(bucket=bucket, key=key), 'federated_user_arn': token.federated_user_arn, 'federated_user_id': token.federated_user_id, 'request_id': token.request_id, }) return { 'service': 's3', 'bucket': bucket, 'key': key, 'upload_credentials': credentials, }
def assume_service(account_number, service, region='us-east-1'): conn = boto.connect_sts() role = conn.assume_role('arn:aws:iam::{0}:role/{1}'.format( account_number, current_app.config.get('LEMUR_INSTANCE_PROFILE', 'Lemur')), 'blah') if service in 'iam': return boto.connect_iam( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'elb': return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 'vpc': return boto.connect_vpc( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token) elif service in 's3': return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token)
def test_get_session_token(): conn = boto.connect_sts() token = conn.get_session_token(duration=123) token.expiration.should.equal('2012-01-01T12:02:03Z') token.session_token.should.equal("AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE") token.access_key.should.equal("AKIAIOSFODNN7EXAMPLE") token.secret_key.should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY")
def aws_connection(connection_type, region, account_id): sts = boto.connect_sts() role = sts.assume_role('arn:aws:iam::' + account_id + ':role/BaseRole', 'baserole') if connection_type == 'ec2': return boto.ec2.connect_to_region(region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token)
def test_get_federation_token(): conn = boto.connect_sts() token = conn.get_federation_token(duration=123, name="Bob") token.credentials.expiration.should.equal('2012-01-01T12:02:03Z') token.credentials.session_token.should.equal("AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==") token.credentials.access_key.should.equal("AKIAIOSFODNN7EXAMPLE") token.credentials.secret_key.should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") token.federated_user_arn.should.equal("arn:aws:sts::123456789012:federated-user/Bob") token.federated_user_id.should.equal("123456789012:Bob")
def test_get_federation_token(): conn = boto.connect_sts() token = conn.get_federation_token(duration=123, name="Bob") token.credentials.expiration.should.equal('2012-01-01T12:02:03.000Z') token.credentials.session_token.should.equal("AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==") token.credentials.access_key.should.equal("AKIAIOSFODNN7EXAMPLE") token.credentials.secret_key.should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") token.federated_user_arn.should.equal("arn:aws:sts::123456789012:federated-user/Bob") token.federated_user_id.should.equal("123456789012:Bob")
def _get_session_token(self): if self._need_session_token: boto.log.debug('Creating new Session Token') sts = boto.connect_sts(self._passed_access_key, self._passed_secret_key) token = sts.get_session_token() self.provider = Provider(self._provider_type, token.access_key, token.secret_key, token.session_token) else: self.provider = Provider(self._provider_type) self._auth_handler.update_provider(self.provider)
def fetch_sts_credentials(key_id, secret, mfa_serial, mfa_code): if not mfa_serial or len(mfa_serial) < 1: print 'Error, you need to provide your MFA device\'s serial number.' return None, None, None if not mfa_code or len(mfa_code) < 1: print 'Error, you need to provide the code displayed by your MFA device.' return None, None, None sts_connection = boto.connect_sts(key_id, secret) # For now, don't set the duration and use default 12hours sts_response = sts_connection.get_session_token(mfa_serial_number = mfa_serial[0], mfa_token = mfa_code[0]) return sts_response.access_key, sts_response.secret_key, sts_response.session_token
def fetch_sts_credentials(key_id, secret, mfa_serial, mfa_code): if not mfa_serial or len(mfa_serial) < 1: print 'Error, you need to provide your MFA device\'s serial number.' return None, None, None if not mfa_code or len(mfa_code) < 1: print 'Error, you need to provide the code displayed by your MFA device.' return None, None, None sts_connection = boto.connect_sts(key_id, secret) # For now, don't set the duration and use default 12hours sts_response = sts_connection.get_session_token(mfa_serial_number = mfa_serial, mfa_token = mfa_code[0]) return sts_response.access_key, sts_response.secret_key, sts_response.session_token
def init_sts_session(key_id, secret, mfa_serial = None, mfa_code = None): if not mfa_serial: # Prompt for MFA serial mfa_serial = prompt_4_mfa_serial() save_no_mfa_credentials = True if not mfa_code: # Prompt for MFA code mfa_code = prompt_4_mfa_code() # Fetch session token and set the duration to 8 hours sts_connection = boto.connect_sts(key_id, secret) sts_response = sts_connection.get_session_token(mfa_serial_number = mfa_serial, mfa_token = mfa_code, duration = 28800) return sts_response.access_key, sts_response.secret_key, sts_response.session_token
def connect_s3(self): sts = boto.connect_sts() assumed_role = sts.assume_role(self.role_arn, self.session_name) print assumed_role temp_creds = assumed_role.credentials access = temp_creds.access_key secret = temp_creds.secret_key token = temp_creds.session_token # create connection to S3 return boto.connect_s3(aws_access_key_id=access, aws_secret_access_key=secret, security_token=token)
def __init__(self, aws_access_key_id=None, aws_secret_access_key=None, is_secure=True, port=None, proxy=None, proxy_port=None, host=None, debug=0, session_token=None): if not host: host = self.DefaultHost if not session_token: self.sts = boto.connect_sts(aws_access_key_id, aws_secret_access_key) session_token = self.sts.get_session_token() self.creds = session_token AWSAuthConnection.__init__(self, host, self.creds.access_key, self.creds.secret_key, is_secure, port, proxy, proxy_port, debug=debug, security_token=self.creds.session_token)
def main(args): import logging from sys import argv log = logging.getLogger(argv[0]) logging.basicConfig() if args['--verbose']: log.setLevel(logging.DEBUG) import boto role_arn = args['--role'] sts = boto.connect_sts() session_name = args['--session'] or "roleRun" log.debug("using session name {}".format(session_name)) role_creds = sts.assume_role(role_arn, "roleRun") # just print environment variables if args['--env']: log.debug("Creating environment args to take into the current shell") print("AWS_ACCESS_KEY_ID={} AWS_SECRET_ACCESS_KEY={} AWS_SECURITY_TOKEN={}" .format(role_creds.credentials.access_key, role_creds.credentials.secret_key, role_creds.credentials.session_token)) # run a command else: from subprocess import call from sys import exit from os import environ log.debug("Adding credentials to the local environment") environ['AWS_ACCESS_KEY_ID']=role_creds.credentials.access_key environ['AWS_SECRET_ACCESS_KEY']=role_creds.credentials.secret_key environ['AWS_SECURITY_TOKEN']=role_creds.credentials.session_token command = args['<command>'] log.debug("executing command '{}'".format( ' '.join(command))) exit(call( command ))
def setup_sts_connection( self, endpoint=None, region=None, aws_access_key_id=None, aws_secret_access_key=None, path="/", port=443, is_secure=True, boto_debug=0, ): sts_region = RegionInfo() if region: self.debug("Check region: " + str(region)) try: if not endpoint: sts_region.endpoint = EC2RegionData[region] else: sts_region.endpoint = endpoint except KeyError: raise Exception("Unknown region: %s" % region) else: sts_region.name = "eucalyptus" if endpoint: sts_region.endpoint = endpoint else: sts_region.endpoint = self.get_sts_ip() try: sts_connection_args = { "aws_access_key_id": aws_access_key_id, "aws_secret_access_key": aws_secret_access_key, "is_secure": is_secure, "debug": boto_debug, "port": port, "path": path, "region": sts_region, } self.debug("Attempting to create STS connection to " + sts_region.endpoint + ":" + str(port) + path) self.tokens = boto.connect_sts(**sts_connection_args) except Exception, e: self.critical("Was unable to create STS connection because of exception: " + str(e))
def get_creds(aws_access_key_id, aws_secret_access_key, aws_role_arn): """Helper method that returns a new AWS config with temp credentials Args: aws_access_key_id (str): AWS access key id (public) aws_secret_access_key (str): AWS secret key (private) """ aws_config = {'aws_access_key_id': aws_access_key_id, "aws_secret_access_key": aws_secret_access_key} iam_conn = boto.connect_iam(**aws_config) sts_conn = boto.connect_sts(**aws_config) username = input('Please provide AWS username: '******'list_mfa_devices_response'] ['list_mfa_devices_result'] ['mfa_devices']) if len(mfa_devices) > 1: raise AuthException('Unable to handle a user with multiple MFA devices') if len(mfa_devices) == 0: raise AuthException('Must have MFA device to get temporary credentials') mfa_serial_number = mfa_devices[0]['serial_number'] mfa_token = input('Please enter your 6 digit MFA token: ') assumed_role = sts_conn.assume_role( role_arn=aws_role_arn, role_session_name='AssumeRoleSessionWithMFA', mfa_serial_number=mfa_serial_number, mfa_token=mfa_token ) return dict(aws_access_key_id=assumed_role.credentials.access_key, aws_secret_access_key=assumed_role.credentials.secret_key, aws_security_token=assumed_role.credentials.session_token)
def get_creds(aws_access_key_id, aws_secret_access_key, aws_role_arn): """Helper method that returns a new AWS config with temp credentials Args: aws_access_key_id (str): AWS access key id (public) aws_secret_access_key (str): AWS secret key (private) """ aws_config = {'aws_access_key_id': aws_access_key_id, "aws_secret_access_key": aws_secret_access_key} iam_conn = boto.connect_iam(**aws_config) sts_conn = boto.connect_sts(**aws_config) username = raw_input('Please provide AWS username: '******'list_mfa_devices_response'] ['list_mfa_devices_result'] ['mfa_devices']) if len(mfa_devices) > 1: raise AuthException('Unable to handle a user with multiple MFA devices') if len(mfa_devices) == 0: raise AuthException('Must have MFA device to get temporary credentials') mfa_serial_number = mfa_devices[0]['serial_number'] mfa_token = raw_input('Please enter your 6 digit MFA token: ') assumed_role = sts_conn.assume_role( role_arn=aws_role_arn, role_session_name='AssumeRoleSessionWithMFA', mfa_serial_number=mfa_serial_number, mfa_token=mfa_token ) return dict(aws_access_key_id=assumed_role.credentials.access_key, aws_secret_access_key=assumed_role.credentials.secret_key, aws_security_token=assumed_role.credentials.session_token)
def get_session_credentials(dataset_name): if dataset_name == '': return {} context = {'model': model, 'session': model.Session, 'user': c.user or c.author, 'auth_user_obj': c.userobj, 'save': 'save' in request.params} try: logic.check_access('package_create', context) logic.check_access('package_update', context, {'id': dataset_name}) sts = boto.connect_sts(); policy=_get_policy(dataset_name) # tok = sts.get_session_token(duration=3600) tok = sts.assume_role(config.get('ckanext.s3multipart.s3_role', ''), (c.user+"@"+config.get('ckan.site_id', ''))[:32], policy=policy ).credentials return tok.to_dict() except boto.exception.NoAuthHandlerFound, e: log.error("Amazon AWS credentials not set up for boto. " "Please refer to https://boto.readthedocs.org/en/latest/boto_config_tut.html") h.flash_error("Amazon AWS credentials not set up for boto. " "Please refer to https://boto.readthedocs.org/en/latest/boto_config_tut.html") return {}
DYNAMO_TABLE_NAME = 'YOUR_TABLE_NAME' KINESIS_STREAM_NAME = 'YOUR_KINESIS_STREAM_NAME' ACCOUNT_ID = 'YOUR_ACCOUNT_ID' IDENTITY_POOL_ID = 'YOUR_IDENTITY_POOL_ID' ROLE_ARN = 'YOUR_ROLE_ARN' ################################################# # Instantiate cognito and obtain security token # ################################################# # Use cognito to get an identity. cognito = boto.connect_cognito_identity() cognito_id = cognito.get_id(ACCOUNT_ID, IDENTITY_POOL_ID) oidc = cognito.get_open_id_token(cognito_id['IdentityId']) # Further setup your STS using the code below sts = boto.connect_sts() assumedRoleObject = sts.assume_role_with_web_identity(ROLE_ARN, "XX", oidc['Token']) # Connect to dynamoDB and kinesis client_dynamo = boto.dynamodb2.connect_to_region( 'us-east-1', aws_access_key_id=assumedRoleObject.credentials.access_key, aws_secret_access_key=assumedRoleObject.credentials.secret_key, security_token=assumedRoleObject.credentials.session_token) client_kinesis = boto.connect_kinesis( aws_access_key_id=assumedRoleObject.credentials.access_key, aws_secret_access_key=assumedRoleObject.credentials.secret_key, security_token=assumedRoleObject.credentials.session_token) from boto.dynamodb2.table import Table
def _get_session_token(self): boto.log.debug('Creating new Session Token') sts = boto.connect_sts(self._passed_access_key, self._passed_secret_key) return sts.get_session_token()
self.debug("Attempting to create IAM connection to " + self.get_ec2_ip()) self.euare = boto.connect_iam(**euare_connection_args) except Exception, e: self.critical( "Was unable to create IAM connection because of exception: " + str(e)) try: sts_connection_args = copy.copy(connection_args) sts_connection_args['path'] = "/services/Tokens" sts_connection_args['region'] = self.region ec2_connection_args['api_version'] = APIVersion self.debug("Attempting to create STS connection to " + self.get_ec2_ip()) self.tokens = boto.connect_sts(**sts_connection_args) except Exception, e: self.critical( "Was unable to create STS connection because of exception: " + str(e)) def get_access_key(self): """Parse the eucarc for the EC2_ACCESS_KEY""" return self.parse_eucarc("EC2_ACCESS_KEY") def get_secret_key(self): """Parse the eucarc for the EC2_SECRET_KEY""" return self.parse_eucarc("EC2_SECRET_KEY") def get_account_id(self): """Parse the eucarc for the EC2_ACCOUNT_NUMBER"""
import boto try: from secret import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY TOKEN = None except: try: sts = boto.connect_sts() ar = sts.assume_role(role_arn="arn:aws:iam::710599580852:role/remote", role_session_name="rymurr") AWS_ACCESS_KEY_ID = ar.credentials.access_key AWS_SECRET_ACCESS_KEY = ar.credentials.secret_key TOKEN = ar.credentials.session_token except: TOKEN = None AWS_ACCESS_KEY_ID = None AWS_SECRET_ACCESS_KEY = None conn = boto.connect_s3(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) bucket = conn.get_bucket('0NK38GF20CCT6VYTBG02'.lower() + '-server') bucket.get_key('server.key').get_contents_to_filename('server.key') bucket.get_key('server.crt').get_contents_to_filename('server.crt') bucket.get_key('myca.crt').get_contents_to_filename('myca.crt')
def connect(account_name, connection_type, **args): """ Examples of use: ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False) ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000) ec2 = sts_connect.connect(environment, 'ec2') where environment is ( test, prod, dev ) s3 = sts_connect.connect(environment, 's3') ses = sts_connect.connect(environment, 'ses') :param account: Account to connect with (i.e. test, prod, dev) :raises Exception: RDS Region not valid AWS Tech not supported. :returns: STS Connection Object for given tech :note: To use this method a SecurityMonkey role must be created in the target account with full read only privledges. """ account = Account.query.filter(Account.name == account_name).first() sts = boto.connect_sts() role = sts.assume_role('arn:aws:iam::' + account.number + ':role/SecurityMonkey', 'secmonkey') if connection_type == 'ec2': return boto.connect_ec2( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'elb': if 'region' in args: region = args['region'] del args['region'] else: region = 'us-east-1' return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 's3': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_s3( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'ses': return boto.connect_ses( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'iam': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.iam.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_iam( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'route53': return boto.connect_route53( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sns': if 'region' in args: region = args['region'] del args['region'] return boto.sns.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sns( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sqs': if 'region' in args: region = args['region'] del args['region'] return boto.sqs.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sqs( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'vpc': return boto.connect_vpc( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'rds': if 'region' in args: reg = args['region'] rds_region = None for boto_region in boto.rds.regions(): if reg.name == boto_region.name: rds_region = boto_region if rds_region is None: raise Exception('The supplied region {0} is not in boto.rds.regions. {1}'.format(reg, boto.rds.regions())) return boto.connect_rds( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) err_msg = 'The connection_type supplied (%s) is not implemented.' % connection_type raise Exception(err_msg)
import hashlib import argparse parser = argparse.ArgumentParser(description="outputs security configuration of an AWS account") parser.add_argument("-a", "--access_key_id", required=True, help="access key id") parser.add_argument("-k", "--secret_access_key", required=True, help="secret access key") parser.add_argument("-t", "--security_token", help="security token (for use with temporary security credentials)") parser.add_argument("-r", "--role", help="role to assume") parser.add_argument("-v", "--verbose", action="store_true", help="enable verbose mode") parser.add_argument("-d", "--debug", action="store_true", help="enable debug mode") args = parser.parse_args() access_key_id = args.access_key_id secret_access_key = args.secret_access_key security_token = args.security_token sts = boto.connect_sts(access_key_id, secret_access_key) if args.role: assumed_role = sts.assume_role(args.role, "SecAudit") access_key_id = assumed_role.credentials.access_key secret_access_key = assumed_role.credentials.secret_key security_token = assumed_role.credentials.session_token def debug(str): if args.debug: print str def verbose(str): if args.verbose or args.debug:
help='security token (for use with temporary security credentials)') parser.add_argument('-r', '--role', help='role to assume') parser.add_argument('-v', '--verbose', action="store_true", help='enable verbose mode') parser.add_argument('-d', '--debug', action="store_true", help='enable debug mode') args = parser.parse_args() access_key_id = args.access_key_id secret_access_key = args.secret_access_key security_token = args.security_token sts = boto.connect_sts(access_key_id, secret_access_key) if args.role: assumed_role = sts.assume_role(args.role, "SecAudit") access_key_id = assumed_role.credentials.access_key secret_access_key = assumed_role.credentials.secret_key security_token = assumed_role.credentials.session_token def debug(str): if args.debug: print str def verbose(str): if args.verbose or args.debug:
import boto from boto.s3.connection import S3Connection from boto.sts import STSConnection import getopt, sys if (len(sys.argv) <> 6): print 'Usage ' + sys.argv[0] + ' access_key secret_key mfa_serial_number mfa_token duration' exit(1) access_key = sys.argv[1] secret_key = sys.argv[2] mfa_serial_number = sys.argv[3] mfa_token = sys.argv[4] duration = sys.argv[5] sts = boto.connect_sts(access_key, secret_key) token = sts.get_session_token(duration = 3600, force_new = True, mfa_serial_number = mfa_serial_number, mfa_token = mfa_token) print('export AWS_ACCESS_KEY_ID=' + token.access_key ) print('export AWS_SECRET_ACCESS_KEY=' + token.secret_key ) print('export AWS_SECURITY_TOKEN=' + token.session_token )
def connect(account_name, connection_type, **args): """ Examples of use: ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False) ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000) ec2 = sts_connect.connect(environment, 'ec2') where environment is ( test, prod, dev ) s3 = sts_connect.connect(environment, 's3') ses = sts_connect.connect(environment, 'ses') :param account: Account to connect with (i.e. test, prod, dev) :raises Exception: RDS Region not valid AWS Tech not supported. :returns: STS Connection Object for given tech :note: To use this method a SecurityMonkey role must be created in the target account with full read only privledges. """ account = Account.query.filter(Account.name == account_name).first() sts = boto.connect_sts() role = sts.assume_role( 'arn:aws:iam::' + account.number + ':role/SecurityMonkey', 'secmonkey') if connection_type == 'ec2': return boto.connect_ec2(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'elb': if 'region' in args: region = args['region'] del args['region'] else: region = 'us-east-1' return boto.ec2.elb.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 's3': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.s3.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_s3(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'ses': return boto.connect_ses(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'iam': if 'region' in args: region = args['region'] # drop region key-val pair from args or you'll get an exception del args['region'] return boto.iam.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_iam(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'route53': return boto.connect_route53( role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sns': if 'region' in args: region = args['region'] del args['region'] return boto.sns.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sns(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'sqs': if 'region' in args: region = args['region'] del args['region'] return boto.sqs.connect_to_region( region.name, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token, **args) return boto.connect_sqs(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'vpc': return boto.connect_vpc(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) if connection_type == 'rds': if 'region' in args: reg = args['region'] rds_region = None for boto_region in boto.rds.regions(): if reg.name == boto_region.name: rds_region = boto_region if rds_region is None: raise Exception( 'The supplied region {0} is not in boto.rds.regions. {1}'. format(reg, boto.rds.regions())) return boto.connect_rds(role.credentials.access_key, role.credentials.secret_key, security_token=role.credentials.session_token, **args) err_msg = 'The connection_type supplied (%s) is not implemented.' % connection_type raise Exception(err_msg)
aws_secret_access_key=aws_secret_access_key, is_secure=False, host=self.get_ec2_ip(), port=8773, path="/services/Euare", debug=self.boto_debug) except Exception, e: self.critical( "Was unable to create IAM connection because of exception: " + str(e)) try: self.tokens = boto.connect_sts( aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region=self.region, port=8773, path="/services/Tokens", is_secure=False, debug=self.boto_debug) except Exception, e: self.critical( "Was unable to create STS connection because of exception: " + str(e)) def get_access_key(self): """Parse the eucarc for the EC2_ACCESS_KEY""" return self.parse_eucarc("EC2_ACCESS_KEY") def get_secret_key(self): """Parse the eucarc for the EC2_SECRET_KEY"""
aws_secret_access_key=aws_secret_access_key, is_secure=False, host=self.get_ec2_ip(), port=8773, path="/services/Euare", debug=self.boto_debug, ) except Exception, e: self.critical("Was unable to create IAM connection because of exception: " + str(e)) try: self.tokens = boto.connect_sts( aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region=self.region, port=8773, path="/services/Tokens", is_secure=False, debug=self.boto_debug, ) except Exception, e: self.critical("Was unable to create STS connection because of exception: " + str(e)) def get_access_key(self): """Parse the eucarc for the EC2_ACCESS_KEY""" return self.parse_eucarc("EC2_ACCESS_KEY") def get_secret_key(self): """Parse the eucarc for the EC2_SECRET_KEY""" return self.parse_eucarc("EC2_SECRET_KEY")
try: euare_connection_args = copy.copy(connection_args) euare_connection_args['path'] = "/services/Euare" euare_connection_args['host'] = self.get_ec2_ip() self.debug("Attempting to create IAM connection to " + self.get_ec2_ip()) self.euare = boto.connect_iam(**euare_connection_args) except Exception, e: self.critical("Was unable to create IAM connection because of exception: " + str(e)) try: sts_connection_args = copy.copy(connection_args) sts_connection_args['path'] = "/services/Tokens" sts_connection_args['region'] = self.region ec2_connection_args['api_version'] = APIVersion self.debug("Attempting to create STS connection to " + self.get_ec2_ip()) self.tokens = boto.connect_sts(**sts_connection_args) except Exception, e: self.critical("Was unable to create STS connection because of exception: " + str(e)) def get_access_key(self): """Parse the eucarc for the EC2_ACCESS_KEY""" return self.parse_eucarc("EC2_ACCESS_KEY") def get_secret_key(self): """Parse the eucarc for the EC2_SECRET_KEY""" return self.parse_eucarc("EC2_SECRET_KEY") def get_account_id(self): """Parse the eucarc for the EC2_ACCOUNT_NUMBER""" return self.parse_eucarc("EC2_ACCOUNT_NUMBER")
def connect(account_name, connection_type, **args): """ Examples of use: ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False) ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000) ec2 = sts_connect.connect(environment, 'ec2') where environment is ( test, prod, dev ) s3 = sts_connect.connect(environment, 's3') ses = sts_connect.connect(environment, 'ses') :param account: Account to connect with (i.e. test, prod, dev) :raises Exception: RDS Region not valid AWS Tech not supported. :returns: STS Connection Object for given tech :note: To use this method a SecurityMonkey role must be created in the target account with full read only privileges. """ account = Account.query.filter(Account.name == account_name).first() sts = boto.connect_sts() role_name = 'SecurityMonkey' if account.role_name and account.role_name != '': role_name = account.role_name role = sts.assume_role( 'arn:aws:iam::' + account.number + ':role/' + role_name, 'secmonkey') if connection_type == 'botocore': botocore_session = botocore.session.get_session() botocore_session.set_credentials(role.credentials.access_key, role.credentials.secret_key, token=role.credentials.session_token) return botocore_session region = 'us-east-1' if 'region' in args: region = args.pop('region') if hasattr(region, 'name'): region = region.name if 'boto3' in connection_type: # Should be called in this format: boto3.iam.client _, tech, api = connection_type.split('.') session = boto3.Session( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, aws_session_token=role.credentials.session_token, region_name=region) if api == 'resource': return session.resource(tech) return session.client(tech) module = __import__("boto.{}".format(connection_type)) for subm in connection_type.split('.'): module = getattr(module, subm) return module.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token)
class dynamoMethods: def __init__(self, dbName): self.table_dynamo = None #################################################################### # YOUR CODE HERE try: #1. create new table self.table_dynamo = #HINT: Table.create; #HINT 2: Use CUID as your hashkey print "New Table Created" except Exception as e: #2.table already exists, so get the table self.table_dynamo = #HINT: Remember to use "connection=client.dynamo" print "Table Already Exists" #################################################################### def dynamoAdd(self, cuid, name, password): #################################################################### # YOUR CODE HERE #1. Check table for entries that have the same CUID, if so, UPDATE (Don't delete) #2. Otherwise, create a new entry print "New entry created.\n" #################################################################### def dynamoDelete(self, cuid): #################################################################### # YOUR CODE HERE #1. Check table for entries that have the same CUID, if so, DELETE #################################################################### def dynamoViewAll(self): #################################################################### string_db = "CUID: NAME\n" print string_db #1. Get all entries in the table #2. Print the CUID: NAME for each entry #################################################################### #################################################################### # DON'T MODIFY BELOW HERE -----------------------------------------# #################################################################### cognito = boto.connect_cognito_identity() cognito_id = cognito.get_id(ACCOUNT_ID, IDENTITY_POOL_ID) oidc = cognito.get_open_id_token(cognito_id['IdentityId']) sts = boto.connect_sts() assumedRoleObject = sts.assume_role_with_web_identity(ROLE_ARN, "XX", oidc['Token']) client_dynamo = boto.dynamodb2.connect_to_region( 'us-east-1', aws_access_key_id=assumedRoleObject.credentials.access_key, aws_secret_access_key=assumedRoleObject.credentials.secret_key, security_token=assumedRoleObject.credentials.session_token) DB = dynamoMethods(DYNAMO_TABLE_NAME) state = 0 input_cuid = None input_name = None input_password = None def get_prompt(state_var): if state_var == 0: return "Choose an option.\n1. Add to DB\n2. Delete from DB\n3. ViewDB\n" elif state_var == 1: return "Enter CUID to add: " elif state_var == 2: return "Enter name to add: " elif state_var == 3: return "Enter password: "******"Enter CUID to delete: " else: return "Bad command..." try: while True: prompt = get_prompt(state) ans = raw_input(prompt) if state == 0: if ans == "1": state = 1 elif ans == "2": state = 4 elif ans == "3": state = 0 DB.dynamoViewAll() else: print "Unsupported command.\n" elif state == 1: state = 2 input_cuid = ans elif state == 2: state = 3 input_name = ans elif state == 3: state = 0 input_password = ans DB.dynamoAdd(input_cuid, input_name, input_password) elif state == 4: state = 0 input_cuid = ans DB.dynamoDelete(input_cuid) else: state = 0 print "Something is wrong." except KeyboardInterrupt: exit
def connect(account_name, connection_type, **args): """ Examples of use: ec2 = sts_connect.connect(environment, 'ec2', region=region, validate_certs=False) ec2 = sts_connect.connect(environment, 'ec2', validate_certs=False, debug=1000) ec2 = sts_connect.connect(environment, 'ec2') where environment is ( test, prod, dev ) s3 = sts_connect.connect(environment, 's3') ses = sts_connect.connect(environment, 'ses') :param account: Account to connect with (i.e. test, prod, dev) :raises Exception: RDS Region not valid AWS Tech not supported. :returns: STS Connection Object for given tech :note: To use this method a SecurityMonkey role must be created in the target account with full read only privileges. """ account = Account.query.filter(Account.name == account_name).first() sts = boto.connect_sts() role_name = 'SecurityMonkey' if account.role_name and account.role_name != '': role_name = account.role_name role = sts.assume_role('arn:aws:iam::' + account.number + ':role/' + role_name, 'secmonkey') if connection_type == 'botocore': botocore_session = botocore.session.get_session() botocore_session.set_credentials( role.credentials.access_key, role.credentials.secret_key, token=role.credentials.session_token ) return botocore_session if connection_type == 'iam_boto3': session = boto3.Session( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, aws_session_token=role.credentials.session_token ) return session.resource('iam') region = 'us-east-1' if args.has_key('region'): region = args.pop('region') if hasattr(region, 'name'): region = region.name # ElasticSearch Service: if connection_type == 'es': session = boto3.Session( aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, aws_session_token=role.credentials.session_token, region_name=region ) return session.client('es') module = __import__("boto.{}".format(connection_type)) for subm in connection_type.split('.'): module = getattr(module, subm) return module.connect_to_region( region, aws_access_key_id=role.credentials.access_key, aws_secret_access_key=role.credentials.secret_key, security_token=role.credentials.session_token )
#!/usr/bin/python2.7 """ - Author : Nag m - Hack : Use STS to connect to a different AWS Account and delete objects - Info : Use STS to connect to a different AWS Account and delete objects * 101-s3-aws """ import boto from boto.s3.connection import OrdinaryCallingFormat def del(name): bucket = s3conn.get_bucket(name) for obj in bucket.list(): print " Deleting ... ", obj.name, obj.delete() if __name__ == "__main__": account = "1222222222222" role = 'arn:aws:iam::' + account + ':role/Role1' stsconn = boto.connect_sts() c = stsconn.assume_role(role, 'rolename') s3conn = boto.connect_s3(c.credentials.access_key, c.credentials.secret_key, security_token=c.credentials.session_token,calling_format=OrdinaryCallingFormat(),host='s3-us-west-2.amazonaws.com') bucketname = "us-west-2.test.test" del(bucketname)
import urllib, json import requests # 'pip install requests' import boto import boto3 import time # Step 1: Authenticate user in your own identity system. aws_root_iam = boto.connect_iam(aws_access_key_id=AWS_ROOT_CREDENTIALS['AWS_ACCESS_KEY_ID'], aws_secret_access_key=AWS_ROOT_CREDENTIALS['AWS_SECRET_ACCESS_KEY']) aws_root_sts = boto.connect_sts(aws_access_key_id=AWS_ROOT_CREDENTIALS['AWS_ACCESS_KEY_ID'], aws_secret_access_key=AWS_ROOT_CREDENTIALS['AWS_SECRET_ACCESS_KEY']) import pdb;pdb.set_trace() # def get_sso_user_name(): # for user in aws_root_iam.get_all_users().get('list_users_response').get('list_users_result').get('users'): # if user.get('user_name').startswith("Easy_Sso"): # return user.get('user_name') # Sso_User_Role_Name = "Easy_Sso" + time.strftime("@%Y-%m-%d-%H-%M-%S", time.localtime()) # aws_root_iam.create_user(Sso_User_Role_Name) # aws_root_iam.attach_user_policy(policy_arn='arn:aws:iam::aws:policy/AdministratorAccess',user_name=Sso_User_Role_Name) aws_root_iam.get_all_access_keys('test')