def credstash_getall(args):
    """Fetch every secret held in the Credstash table named by ``args.table``.

    Reads ``args.verbose``, ``args.table`` and ``args.region``.

    Returns:
        Whatever ``credstash.getAllSecrets`` returns for that table and
        region. NOTE(review): presumably the decrypted secret values, so
        callers should not print or log the result; confirm against the
        credstash version in use.
    """
    # https://github.com/fugue/credstash/blob/master/credstash.py#L297
    if args.verbose:
        notice = ('fetching your secrets from "{table}" '
                  '(Credstash is slow, this may take a few minutes...)')
        print(notice.format(table=args.table))

    # (None, None) means no named profile and no role ARN.
    aws_session_kwargs = credstash.get_session_params(None, None)
    return credstash.getAllSecrets(
        '',
        region=args.region,
        table=args.table,
        **aws_session_kwargs
    )
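def main():
    """Command-line entry point: parse arguments and run the requested action.

    Resolves the AWS session parameters from ``args.profile`` / ``args.arn``,
    works out the region and the storage location, then dispatches on
    ``args.action`` (``delete``, ``list``, ``put``, ``get``, ``getall`` or
    ``setup``). When no action was parsed, the top-level help is printed.

    Raises:
        SystemExit: if no explicit location was given and the AWS account id
            could not be determined, so no default location can be derived.
    """
    parsers = get_parser()
    args = parsers['super'].parse_args()

    # Check for assume role and set session params
    session_params = get_session_params(args.profile, args.arn)

    # Stays None when NoRegionError is raised before the account id lookup
    # runs; previously that left the name unbound and the default-location
    # expression below failed with a NameError.
    account_id = None
    try:
        region = args.region
        session = get_session(**session_params)
        session.client('s3', region_name=region)
        account_id = get_aws_account_id(session)
    except botocore.exceptions.NoRegionError:
        if 'AWS_DEFAULT_REGION' not in os.environ:
            region = DEFAULT_REGION

    if args.location:
        location = args.location
    elif account_id is not None:
        location = "credential-store-" + account_id
    else:
        # Fail with an explicit message rather than guessing a location:
        # the default location is derived from the account id.
        raise SystemExit(
            "Could not determine the AWS account id (no region configured); "
            "specify a location explicitly or configure a region.")

    if "action" in vars(args):
        if args.action == "delete":
            deleteSecrets(args.credential,
                          region=region,
                          location=location,
                          **session_params)
            return
        if args.action == "list":
            list_credentials(region, location, **session_params)
            return
        if args.action == "put":
            putSecretAction(args, location, region, **session_params)
            return
        if args.action == "get":
            getSecretAction(args, location, region, **session_params)
            return
        if args.action == "getall":
            getAllAction(args, location, region, **session_params)
            return
        if args.action == "setup":
            createS3Bucket(region=region, location=location,
                           **session_params)
            return
    else:
        parsers['super'].print_help()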
def credstash_push(args, key, value, ver=0):
    """Write one secret to the target Credstash table ``args.tar_table``.

    Args:
        args: parsed options; ``verbose``, ``tar_table``, ``region`` and
            ``kms_key_alias`` are read.
        key: name of the secret.
        value: secret value to store.
        ver: version to pass to ``credstash.putSecret``; ``0`` (the default)
            omits the ``version`` argument altogether.

    Returns:
        The return value of ``credstash.putSecret``.
    """
    if args.verbose:
        # Only the secret's name is printed, never its value.
        print('Pushing secret {secret} to "{table}"'.format(
            secret=key, table=args.tar_table))

    # (None, None) means no named profile and no role ARN.
    aws_session_kwargs = credstash.get_session_params(None, None)
    # The two original call sites differed only in this optional argument.
    version_kwargs = {} if ver == 0 else {'version': ver}
    return credstash.putSecret(
        key,
        value,
        region=args.region,
        table=args.tar_table,
        kms_key=args.kms_key_alias,
        **version_kwargs,
        **aws_session_kwargs
    )
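def get_session_params():
    """Work out the keyword arguments to pass to the credstash calls.

    The region is looked up in this order:

    1. the default boto3 session;
    2. the EC2 instance-identity document served by the instance metadata
       endpoint;
    3. failing both, the ``ds-notebook`` profile via
       ``credstash.get_session_params``.

    Returns:
        ``{'region': region}`` when a region was found by step 1 or 2,
        otherwise whatever ``credstash.get_session_params('ds-notebook',
        None)`` returns.
    """
    import boto3
    import requests
    from credstash import get_session_params

    # first try boto3 (This will work on both an ec2 and laptop, but doesn't
    # work in kubernetes on AWS for some reason)
    region = boto3.session.Session().region_name
    if not region:
        # next try the instance metadata route (This works in kubernetes)
        # set a short timeout on this
        #
        # NOTE: this is a token-less (IMDSv1-style) GET. On instances that
        # require IMDSv2 session tokens the endpoint answers with an error
        # status; that is treated as "region unknown" below, not as a crash.
        try:
            r = requests.get(
                "http://169.254.169.254/latest/dynamic/instance-identity/document",
                timeout=0.2)
            if r.ok:
                document = r.json()
                if isinstance(document, dict):
                    region = document.get('region')
        except (requests.exceptions.RequestException, ValueError):
            # Best-effort lookup. Previously only ConnectTimeout was caught,
            # so an unreachable network, a read timeout or a non-JSON body
            # raised here and the profile fallback below was never reached.
            pass

    if region:
        return {'region': region}
    # finally as a fallback try to get session parameters from ~/.aws/config under ds-notebook profile
    return get_session_params('ds-notebook', None)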
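# this is a bit hacky and if docker changes significantly, it won't work, and it may have some false
# positives as well, but for now, it works
on_mac = 'linuxkit-aufs' in os.uname().release

c = get_config()

# in latest version of docker, the docker host IP is being written as the last line in /etc/hosts
# specifying this will avoid a warning
#
# The file is now closed deterministically, and the last non-blank,
# non-comment entry is used. An empty file or a trailing blank line used to
# raise NameError / IndexError here; in that case the ip setting is now left
# at its default instead.
host_address = None
with open('/etc/hosts', 'r') as hosts_file:
    for line in hosts_file:
        fields = line.split()
        if fields and not fields[0].startswith('#'):
            host_address = fields[0]
if host_address is not None:
    c.NotebookApp.ip = host_address
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False

# Names of the secrets this configuration is interested in.
wanted_secret_names = (
    'notebook.password',
    'notebook.token',
    'github.client_id',
    'github.client_secret',
    'google.drive.client_id',
)
try:
    from credstash import get_session_params, listSecrets, getSecret
    session_params = get_session_params('ds-notebook', None)
    items = [
        item['name'] for item in listSecrets(**session_params)
        if item['name'] in wanted_secret_names
    ]
except Exception:
    # Best-effort: any failure (credstash not installed, no AWS credentials,
    # network error) leaves the list empty without reporting why.
    # NOTE(review): what the rest of this config does with an empty list is
    # not visible here; confirm it cannot leave the server without the
    # intended password/token.
    items = []

if on_mac:
    # if we are running on a mac, then go ahead and don't require authentication, we are
    # in all probability running on a developer's laptop...
    #
    # NOTE(security): this turns off both password and token authentication,
    # and the decision rests only on a substring of the kernel release. As the
    # comment at the top says, false positives are possible; together with the
    # non-loopback address taken from /etc/hosts, a false positive means an
    # unauthenticated notebook server on that interface. Consider requiring an
    # explicit opt-in (for example an environment variable) before clearing
    # these.
    c.NotebookApp.password = ''
    c.NotebookApp.token = ''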
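# this is a bit hacky and if docker changes significantly, it won't work, and it may have some false
# positives as well, but for now, it works
on_mac = 'linuxkit' in os.uname().release

c = get_config()

# in latest version of docker, the docker host IP is being written as the last line in /etc/hosts
# specifying this will avoid a warning
#
# The file is now closed deterministically, and the last non-blank,
# non-comment entry is used. An empty file or a trailing blank line used to
# raise NameError / IndexError here; in that case the ip setting is now left
# at its default instead.
host_address = None
with open('/etc/hosts', 'r') as hosts_file:
    for line in hosts_file:
        fields = line.split()
        if fields and not fields[0].startswith('#'):
            host_address = fields[0]
if host_address is not None:
    c.NotebookApp.ip = host_address
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False

# Names of the secrets this configuration is interested in.
wanted_secret_names = (
    'notebook.password',
    'notebook.token',
    'github.client_id',
    'github.client_secret',
    'google.drive.client_id',
)
try:
    from credstash import listSecrets, getSecret
    session_params = get_session_params()
    items = [
        item['name'] for item in listSecrets(**session_params)
        if item['name'] in wanted_secret_names
    ]
except Exception:
    # Best-effort: any failure (credstash not installed, no AWS credentials,
    # network error) leaves the list empty without reporting why.
    # NOTE(review): what the rest of this config does with an empty list is
    # not visible here; confirm it cannot leave the server without the
    # intended password/token.
    items = []

if on_mac:
    # if we are running on a mac, then go ahead and don't require authentication, we are
    # in all probability running on a developer's laptop...
    #
    # NOTE(security): this turns off both password and token authentication,
    # and the decision rests only on the substring 'linuxkit' in the kernel
    # release, which matches any linuxkit-based host, not only a developer's
    # Mac. Together with the non-loopback address taken from /etc/hosts, a
    # false positive means an unauthenticated notebook server on that
    # interface. Consider requiring an explicit opt-in (for example an
    # environment variable) before clearing these.
    c.NotebookApp.password = ''
    c.NotebookApp.token = ''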