def get_remote_s3_client():
"""
:return: result from AssumeRole.get_client() call using "s3_remote" config.yaml parameters
"""
if "s3_remote" not in aws_config:
raise RuntimeError(
"Remote account 's3_remote' configuration parameters are not provided in the config.yaml?"
)
remote_host_account: str = aws_config["s3_remote"]["host_account"]
remote_guest_external_id: str = aws_config["s3_remote"][
"guest_external_id"]
remote_iam_role_name: str = aws_config["s3_remote"]["iam_role_name"]
remote_s3_region_name: str = aws_config["s3_remote"]["region"]
remote_assumed_role = AssumeRole(
host_account=remote_host_account,
guest_external_id=remote_guest_external_id,
iam_role_name=remote_iam_role_name)
remote_s3_client = \
remote_assumed_role.get_client(
's3',
config=Config(
signature_version='s3v4',
region_name=remote_s3_region_name
)
)
return remote_s3_client
def test_delete_user():
upi: str = aws_config["cognito"]["user-pool-id"]
role = AssumeRole()
client = role.get_client('cognito-idp')
delete_user(
client=client,
upi=upi,
uid=TEST_USER_NAME
)
def test_create_user():
upi: str = aws_config["cognito"]["user-pool-id"]
role = AssumeRole()
client = role.get_client('cognito-idp')
create_user(
client=client,
upi=upi,
uid=TEST_USER_NAME,
tpw=TEST_TEMP_PASSWORD,
attributes=TEST_USER_ATTRIBUTES
)
def get_local_s3_client():
"""
:return: result from AssumeRole.get_client() call using local config.yaml parameters
"""
local_assumed_role = AssumeRole()
local_s3_client = \
local_assumed_role.get_client(
's3',
config=Config(
signature_version='s3v4',
region_name=s3_region_name
)
)
return local_s3_client
def get_remote_client():
"""
:return:
"""
logger.debug("Validate 's3_remote' parameters")
# config.yaml 's3_remote' override - must be completely specified?
assert (
[
tag in aws_config["s3_remote"]
for tag in [
'guest_external_id',
'host_account',
'iam_role_name',
'archive-directory',
'bucket',
'region'
]
]
)
target_bucket = aws_config["s3_remote"]["bucket"]
logger.debug("Assume remote role")
target_assumed_role = AssumeRole(
host_account=aws_config["s3_remote"]['host_account'],
guest_external_id=aws_config["s3_remote"]['guest_external_id'],
iam_role_name=aws_config["s3_remote"]['iam_role_name']
)
logger.debug("Configure target client")
target_client = \
target_assumed_role.get_client(
's3',
config=Config(
signature_version='s3v4',
region_name=aws_config["s3_remote"]["region"]
)
)
return target_assumed_role, target_client, target_bucket
keypair_name: str = ''
# Prompt user for target and action for the EC2 service
if len(sys.argv) >= 3:
context = sys.argv[1].upper()
action = sys.argv[2].upper()
if context == 'INSTANCE':
instance_ids = sys.argv[3:] if len(sys.argv) > 3 else None
elif context == 'KEYPAIR':
keypair_name = sys.argv[3] if len(sys.argv) > 3 else None
else:
usage("Unrecognized context argument: '" + context + "'")
assumed_role = AssumeRole()
ec2_client = assumed_role.get_client('ec2')
if context == 'KEYPAIR':
if keypair_name:
if action == 'CREATE':
# Do a dryrun first to verify permissions
try:
response = ec2_client.create_key_pair(KeyName=keypair_name, DryRun=True)
except ClientError as e:
if 'DryRunOperation' not in str(e):
usage(str(e))
# Dry run succeeded, run start_instances without dryrun
try:
)
logger.debug(f"delete_user() response:\n{pp.pformat(response)}")
except Boto3Error as b3e:
logger.error(f"delete_user() exception: {b3e}")
if __name__ == '__main__':
if len(argv) > 1:
user_pool_id: str = aws_config["cognito"]["user-pool-id"]
operation = argv[1]
assumed_role = AssumeRole()
cognito_client = assumed_role.get_client('cognito-idp')
if operation.lower() == CREATE_USER:
if len(argv) > 3:
username = argv[2]
ua_file = argv[3]
attributes: Dict = read_user_attributes(filename=ua_file, section=username)
if 'temporary_password' in attributes:
temporary_password = attributes.pop('temporary_password')
# to a Simple Notification Service (SNS).
#
import sys
from os.path import abspath, dirname
from pathlib import Path
from json import dumps
import boto3
from kgea.aws.assume_role import AssumeRole
def usage(err_msg: str = ''):
if err_msg:
print(err_msg)
print("Usage: ")
print("python -m kgea.aws." + Path(sys.argv[0]).stem +
" <host_account_id> <guest_external_id> <target_iam_role_name>")
exit(0)
# Run the module as a CLI
if __name__ == '__main__':
assumed_role = AssumeRole()
sns_client = assumed_role.get_client('sns')
# TODO: SNS specific actions here
logger.error(f"get_url_file_size(url:'{str(url)}'): {str(exc)}")
# TODO: invalidate the size invariant to propagate a call error
# for now return -1 to encode the error state
return -1
return size
################################################
# Wrapper for AWS IAM Role for the Application #
################################################
# Obtain an AWS Clients using an Assumed IAM Role
# with default parameters (loaded from config.yaml)
#
the_role = AssumeRole()
############################
# AWS S3 client operations #
############################
def s3_client(assumed_role=None,
config=Config(signature_version='s3v4',
region_name=default_s3_region)):
"""
:param assumed_role:
:param config:
:return: S3 client
"""
import sys
from pathlib import Path
from urllib.parse import quote, quote_plus
import requests
from json import loads
import webbrowser
from kgea.aws.assume_role import AssumeRole
account_id_from_user: str = ""
external_id: str = ""
role_name_from_user: str = ""
_assumed_role = AssumeRole()
# Make a request to the AWS federation endpoint to get a sign-in.
#
# token, passing parameters in the query string. The call requires an
# Action parameter ('getSigninToken') and a Session parameter (the
# JSON string that contains the temporary credentials that have
# been URL-encoded).
request_parameters = "?Action=getSigninToken"
request_parameters += "&Session="
request_parameters += quote_plus(_assumed_role.get_credentials_jsons())
request_url = "https://signin.aws.amazon.com/federation"
request_url += request_parameters
r = requests.get(request_url)
# Get the return value from the federation endpoint.