def load(self):
botocore_session = BotocoreSession(profile=self._profile)
config = botocore_session.get_scoped_config()
source_profile = config.get('source_profile')
mfa_serial = config.get('mfa_serial')
if source_profile and mfa_serial:
fetcher = SourceProfileMfaCredentialsFetcher(
profile=source_profile,
mfa_serial=mfa_serial,
mfa_prompter=self._mfa_prompter,
cache=cache,
)
refresher = fetcher.fetch_credentials
role_arn = config.get('role_arn')
if role_arn:
external_id = config.get('external_id')
duration_seconds = config.get('duration_seconds')
refresher = create_assume_role_refresher(
refresher=refresher,
role_arn=role_arn,
external_id=external_id,
session_name=config.get('role_session_name') or self._profile,
duration_seconds=duration_seconds,
)
return DeferredRefreshableCredentials(
method=self.METHOD,
refresh_using=refresher,
)
def _load_mfa_creds(self, profile_name):
mfa_config = self._get_mfa_config(profile_name)
source_credentials = self._resolve_source_credentials(
mfa_config, profile_name)
mfa_serial = mfa_config.get('mfa_serial')
extra_args = {}
if mfa_serial is not None:
extra_args['SerialNumber'] = mfa_serial
fetcher = MfaCredentialFetcher(
client_creator=self._client_creator,
source_credentials=source_credentials,
extra_args=extra_args,
mfa_prompter=self._prompter,
cache=self.cache,
)
refresher = fetcher.fetch_credentials
if mfa_serial is not None:
refresher = create_mfa_serial_refresher(refresher)
return DeferredRefreshableCredentials(
method=self.METHOD,
refresh_using=refresher,
time_fetcher=_local_now,
)
def _load_creds(self, profile):
source_credentials = self._resolve_static_credentials_from_profile(
profile)
fetcher = SimpleMFACredentialFetcher(
client_creator=self._client_creator,
source_credentials=source_credentials,
mfa_serial=profile[self.MFA_CONFIG_VAR],
mfa_prompter=self._prompter,
cache=self.cache,
)
refresher = create_mfa_serial_refresher(fetcher.fetch_credentials)
return DeferredRefreshableCredentials(method=self.METHOD,
refresh_using=refresher,
time_fetcher=_local_now)
def _create_s3_client(self, s3_info):
# type: (Dict[str, Any]) -> BaseClient
"""Create the S3 client with automatic credentials renewal."""
# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/resources.html#multithreading-and-multiprocessing
# The session will be able to automatically refresh credentials
creds = DeferredRefreshableCredentials(
self._refresh_credentials,
"sts-assume-role",
)
session = get_session()
session._credentials = creds
return boto3.Session(botocore_session=session).client(
UP_AMAZON_S3,
endpoint_url=s3_info.get("endpoint") or None,
config=self._s3_config,
)
def test_no_race_for_initial_refresh_of_deferred_refreshable(self):
def get_credentials():
expiry_time = (datetime.now(tzlocal()) +
timedelta(hours=24)).isoformat()
return {
'access_key': 'my-access-key',
'secret_key': 'my-secret-key',
'token': 'my-token',
'expiry_time': expiry_time
}
deferred_creds = DeferredRefreshableCredentials(
get_credentials, 'fixed')
def _run_in_thread(collected):
frozen = deferred_creds.get_frozen_credentials()
collected.append(frozen)
self.assert_non_none_retrieved_credentials(_run_in_thread)
def load(self):
"""Load AWS SSO credentials."""
sso_config = self._load_sso_config()
if not sso_config:
return None
sso_fetcher = SSOCredentialFetcher(
sso_config["sso_start_url"],
sso_config["sso_region"],
sso_config["sso_role_name"],
sso_config["sso_account_id"],
self._client_creator,
token_loader=SSOTokenLoader(cache=self._token_cache),
cache=self.cache,
)
return DeferredRefreshableCredentials(
method=self.METHOD,
refresh_using=sso_fetcher.fetch_credentials,
)
def load(self):
return DeferredRefreshableCredentials(self._fetcher.fetch_credentials,
self.METHOD)
def load(self):
return DeferredRefreshableCredentials(
refresh_using=self.get_credentials_from_upload_api, method=None)