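def get_token(aws_account, ops_idp_host):
    """Generate temporary SSO access credentials for one AWS account.

    Obtains a short-lived SAML session from ``ops_idp_host`` through
    ``saml_aws_creds.get_temp_credentials`` and wraps the returned access
    key / secret key / session token in a boto3 IAM client.

    Args:
        aws_account: AWS account name or ID; it is interpolated into the SAML
            ``metadata_id`` ``urn:amazon:webservices:<aws_account>``.
        ops_idp_host: hostname of the IDP that issues the SAML token (the
            caller supplies it; nothing is read from a config file here).

    Returns:
        A boto3 ``iam`` client using the temporary credentials, or ``None``
        when the IDP reports no SAML metadata for ``aws_account`` (a message
        is printed and the account is skipped).

    Raises:
        ValueError: re-raised for any credential-helper failure other than
            the "metadata not found" case, so a real error (network, auth,
            malformed response) is not silently turned into ``None``.
    """
    ssh_args = None
    # If running in a container (like the monitoring container) point the
    # credential helper at the mounted ssh key and the pinned known_hosts
    # file instead of the user's defaults. Pinning UserKnownHostsFile keeps
    # ssh host-key verification for the IDP connection in effect.
    if 'CONTAINER' in os.environ:
        ssh_args = [
            '-i', '/secrets/ssh-id-rsa',
            '-o', 'UserKnownHostsFile=/configdata/ssh_known_hosts',
        ]
    try:
        creds = saml_aws_creds.get_temp_credentials(
            metadata_id='urn:amazon:webservices:%s' % aws_account,
            idp_host=ops_idp_host,
            ssh_args=ssh_args)
    except ValueError as client_exception:
        # str() works on both Python 2 and 3 (Python 3 exceptions have no
        # .message attribute).
        error_text = str(client_exception)
        if 'Error retrieving SAML token' in error_text and \
                'Metadata not found' in error_text:
            print('Metadata for %s missing or misconfigured, skipping' % aws_account)
            return None
        # Any other ValueError is a genuine failure: surface it instead of
        # falling off the end of the function and returning None.
        raise
    # boto3.client() only builds the client object; it makes no AWS call, so
    # it stays outside the try block above.
    return boto3.client(
        'iam',
        aws_access_key_id=creds['AccessKeyId'],
        aws_secret_access_key=creds['SecretAccessKey'],
        aws_session_token=creds['SessionToken'])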
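def get_token(aws_account):
    """Generate temporary SSO access credentials for one AWS account.

    Reads the IDP hostname from the SSO config file, obtains a short-lived
    SAML session through ``saml_aws_creds.get_temp_credentials`` and wraps
    the returned access key / secret key / session token in a boto3 IAM
    client.

    Args:
        aws_account: AWS account name or ID; it is interpolated into the SAML
            ``metadata_id`` ``urn:amazon:webservices:<aws_account>``.

    Returns:
        A boto3 ``iam`` client using the temporary credentials.

    Raises:
        ValueError: the config file does not exist, or it does not contain a
            non-empty ``idp_host`` entry.
    """
    sso_config_path = '/etc/openshift_tools/sso-config.yaml'
    if not os.path.isfile(sso_config_path):
        raise ValueError(sso_config_path + ' does not exist.')
    with open(sso_config_path, 'r') as sso_config:
        # safe_load: the file only needs to carry a plain hostname, while
        # yaml.load with the default loader can construct arbitrary Python
        # objects from the document (and PyYAML 6+ requires an explicit
        # Loader argument for yaml.load anyway).
        yaml_config = yaml.safe_load(sso_config)
    # An empty file, a non-mapping document or a blank idp_host is a
    # misconfiguration; report it as such rather than failing later with a
    # KeyError/TypeError or silently returning None.
    if not isinstance(yaml_config, dict) or not yaml_config.get('idp_host'):
        raise ValueError(sso_config_path + ' has no idp_host configured.')
    ops_idp_host = yaml_config['idp_host']
    # NOTE(review): idp_host decides where the SAML login is sent, so the
    # config file must be writable only by trusted users.
    creds = saml_aws_creds.get_temp_credentials(
        metadata_id='urn:amazon:webservices:%s' % aws_account,
        idp_host=ops_idp_host)
    return boto3.client(
        'iam',
        aws_access_key_id=creds['AccessKeyId'],
        aws_secret_access_key=creds['SecretAccessKey'],
        aws_session_token=creds['SessionToken'])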
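def get_token(aws_account):
    """Generate temporary SSO access credentials for one AWS account.

    Reads the IDP hostname from the SSO config file, obtains a short-lived
    SAML session through ``saml_aws_creds.get_temp_credentials`` and wraps
    the returned access key / secret key / session token in a boto3 IAM
    client.

    Args:
        aws_account: AWS account name or ID; it is interpolated into the SAML
            ``metadata_id`` ``urn:amazon:webservices:<aws_account>``.

    Returns:
        A boto3 ``iam`` client using the temporary credentials, or ``None``
        when the account is skipped: either AWS rejected the request
        (``botocore.exceptions.ClientError``) or the IDP reports no SAML
        metadata for ``aws_account``. A message is printed in both cases.

    Raises:
        ValueError: the config file does not exist, it does not contain a
            non-empty ``idp_host`` entry, or the credential helper failed
            for any reason other than the "metadata not found" case.
    """
    sso_config_path = '/etc/openshift_tools/sso-config.yaml'
    if not os.path.isfile(sso_config_path):
        raise ValueError(sso_config_path + ' does not exist.')
    with open(sso_config_path, 'r') as sso_config:
        # safe_load: the file only needs to carry a plain hostname, while
        # yaml.load with the default loader can construct arbitrary Python
        # objects from the document (and PyYAML 6+ requires an explicit
        # Loader argument for yaml.load anyway).
        yaml_config = yaml.safe_load(sso_config)
    # An empty file, a non-mapping document or a blank idp_host is a
    # misconfiguration; report it as such rather than failing later with a
    # KeyError/TypeError or silently returning None.
    if not isinstance(yaml_config, dict) or not yaml_config.get('idp_host'):
        raise ValueError(sso_config_path + ' has no idp_host configured.')
    ops_idp_host = yaml_config['idp_host']
    # NOTE(review): idp_host decides where the SAML login is sent, so the
    # config file must be writable only by trusted users.
    try:
        creds = saml_aws_creds.get_temp_credentials(
            metadata_id='urn:amazon:webservices:%s' % aws_account,
            idp_host=ops_idp_host)
        client = boto3.client(
            'iam',
            aws_access_key_id=creds['AccessKeyId'],
            aws_secret_access_key=creds['SecretAccessKey'],
            aws_session_token=creds['SessionToken'])
        return client
    except botocore.exceptions.ClientError as client_exception:
        # Presumably raised from an STS call inside the credential helper
        # (boto3.client() itself makes no request) -- TODO confirm. Treated
        # as best-effort: report and skip this account.
        print(client_exception)
        print('Skipping account %s' % aws_account)
        return None
    except ValueError as client_exception:
        # str() works on both Python 2 and 3 (Python 3 exceptions have no
        # .message attribute).
        error_text = str(client_exception)
        if 'Error retrieving SAML token' in error_text and \
                'Metadata not found' in error_text:
            print(client_exception)
            print(
                'Metadata for %s missing or misconfigured, skipping' % aws_account)
            return None
        # Any other ValueError is a genuine failure; surface it.
        raise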