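def configure(file, account_name_pattern, saml_user, saml_password, dry_run):
    '''Configure one or more AWS account(s) matching the provided pattern

    Args:
        file: file-like object holding the YAML configuration; it must contain an
            ``accounts`` mapping and may contain a ``global`` mapping whose keys are
            used as defaults for every account (account-level keys win).
        account_name_pattern: fnmatch-style glob matched against the account names.
        saml_user: SAML username. SAML login is only attempted when this is set AND
            the account config provides ``saml_identity_provider_url`` and
            ``saml_admin_login_role``; otherwise the account is configured with
            whatever credentials are already in place.
        saml_password: SAML password; when empty it is read from the 'sevenseconds'
            keyring entry for *saml_user*, else prompted for interactively. The
            resolved value is reused for all accounts of this run.
        dry_run: passed through to configure_account.

    Accounts whose role cannot be obtained are skipped with an error; an exception
    raised while configuring one account is logged (with traceback) and the loop
    proceeds with the next account.
    '''
    config = yaml.safe_load(file)
    accounts = config.get('accounts', {})

    account_names = sorted(fnmatch.filter(accounts.keys(), account_name_pattern))

    if not account_names:
        error('No configuration found for account {}'.format(account_name_pattern))
        return

    trusted_addresses = None

    global_cfg = config.get('global', {})

    for account_name in account_names:
        cfg = accounts.get(account_name) or {}
        # global keys only fill gaps; an account-level value always wins
        for key, val in global_cfg.items():
            cfg.setdefault(key, val)

        saml_url = cfg.get('saml_identity_provider_url')
        saml_role = cfg.get('saml_admin_login_role')

        if saml_user and saml_url and saml_role:
            saml_password = _resolve_saml_password(saml_user, saml_password)
            if not _write_saml_credentials(account_name, cfg, saml_url, saml_role, saml_user, saml_password):
                continue

        # resolved once per run; `is None` so that an empty result is not
        # recomputed for every account
        if trusted_addresses is None:
            trusted_addresses = get_trusted_addresses(config)

        try:
            configure_account(account_name, cfg, trusted_addresses, dry_run)
        except Exception:
            error('Error while configuring {}: {}'.format(account_name, traceback.format_exc()))


def _resolve_saml_password(saml_user, saml_password):
    '''Return the SAML password to use for *saml_user*.

    Order of precedence: the password passed in, then the 'sevenseconds' keyring
    entry for the user, then an interactive hidden prompt.
    '''
    if not saml_password:
        saml_password = keyring.get_password('sevenseconds', saml_user)
    if not saml_password:
        saml_password = click.prompt('Please enter your SAML password', hide_input=True)
    return saml_password


def _write_saml_credentials(account_name, cfg, saml_url, saml_role, saml_user, saml_password):
    '''Authenticate via SAML, assume the admin role of *account_name* and store the
    temporary keys in the 'default' AWS credentials profile.

    The account alias is ``cfg['alias']`` (formatted with ``account_name``) or the
    account name itself; the first IdP role whose alias matches and whose role ARN
    ends with *saml_role* is assumed.

    Returns:
        True when credentials were written, False (after logging) when the IdP
        returned no matching role.
    '''
    with Action('Authenticating against {}..'.format(saml_url)):
        saml_xml, roles = authenticate(saml_url, saml_user, saml_password)
    # only a password that authenticated successfully is persisted in the keyring
    keyring.set_password('sevenseconds', saml_user, saml_password)

    account_alias = cfg.get('alias', account_name).format(account_name=account_name)
    matching_roles = [(parn, rarn, aname)
                      for parn, rarn, aname in roles if aname == account_alias and rarn.endswith(saml_role)]
    if not matching_roles:
        # note: the error output lists every role the IdP returned
        error('No matching role found for account {}: {}'.format(account_name, roles))
        warning('Skipping account configuration of {} due to missing credentials'.format(account_name))
        return False
    role = matching_roles[0]
    with Action('Assuming role {}..'.format(role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])
    # the 'default' profile is overwritten for each account in turn
    write_aws_credentials('default', key_id, secret, session_token)
    return True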
def get_aws_credentials(saml_user, saml_password, saml_url, saml_role, account_alias, credential_name):
    '''Log in via SAML, assume the role matching *account_alias* / *saml_role* and
    store the temporary keys under the AWS credentials profile *credential_name*.

    The password is taken, in order, from *saml_password*, the 'sevenseconds'
    keyring entry for *saml_user*, or an interactive hidden prompt. Only a
    password that authenticated successfully is written back to the keyring.

    Returns:
        True when credentials were written, False (after logging an error) when
        the IdP returned no role whose alias equals *account_alias* and whose
        role ARN ends with *saml_role*.
    '''
    password = saml_password or keyring.get_password('sevenseconds', saml_user)
    if not password:
        password = click.prompt('Please enter your SAML password', hide_input=True)

    with Action('[{}] Authenticating against {}..'.format(credential_name, saml_url)):
        saml_xml, roles = authenticate(saml_url, saml_user, password)
    keyring.set_password('sevenseconds', saml_user, password)

    candidates = [
        (principal_arn, role_arn, alias)
        for principal_arn, role_arn, alias in roles
        if alias == account_alias and role_arn.endswith(saml_role)
    ]
    if not candidates:
        error('[{}] No matching role found for account {}'.format(credential_name, account_alias))
        return False

    chosen = candidates[0]
    with Action('[{}] Assuming role {}..'.format(credential_name, chosen)):
        key_id, secret, session_token = assume_role(saml_xml, chosen[0], chosen[1])
    write_aws_credentials(credential_name, key_id, secret, session_token)
    return True
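def login_with_profile(obj, profile, config, awsprofile):
    '''Obtain temporary AWS credentials for *profile* via SAML and store them as *awsprofile*.

    Args:
        obj: click context object; only ``obj['last-update-filename']`` is read, the
            path of the YAML file recording when the profile was last refreshed.
        profile: name of the configuration profile in use (recorded in that file).
        config: mapping providing ``saml_identity_provider_url``, ``saml_user`` and
            ``saml_role``. ``saml_role`` must be indexable: ``role[0]`` and ``role[1]``
            are handed to assume_role (presumably principal ARN and role ARN — confirm
            against the config format).
        awsprofile: AWS credentials profile the keys are written to.

    Raises:
        click.UsageError: when the IdP URL, the SAML username or the SAML role is
            not configured.
    '''
    url = config.get('saml_identity_provider_url')
    user = config.get('saml_user')
    role = config.get('saml_role')

    if not url:
        raise click.UsageError('Missing identity provider URL')

    if not user:
        raise click.UsageError('Missing SAML username')

    # without this guard a missing role only surfaces as a TypeError on role[0] below
    if not role:
        raise click.UsageError('Missing SAML role')

    saml_xml, roles = saml_login(user, url)
    # NOTE(review): `roles` (what the IdP granted) is not compared with the configured
    # role; a role that was not granted is only rejected by assume_role itself.

    with Action('Assuming role {role}..', role=get_role_label(role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])

    with Action('Writing temporary AWS credentials..'):
        write_aws_credentials(awsprofile, key_id, secret, session_token)
        with open(obj['last-update-filename'], 'w') as fd:
            yaml.safe_dump({'timestamp': time.time(), 'profile': profile}, fd)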
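def login_with_profile(obj, profile, config, awsprofile):
    """Obtain temporary AWS credentials for *profile* via SAML and store them as *awsprofile*.

    Args:
        obj: click context object; only ``obj["last-update-filename"]`` is read, the
            path of the YAML file recording when the profile was last refreshed.
        profile: name of the configuration profile in use (recorded in that file).
        config: mapping providing ``saml_identity_provider_url``, ``saml_user`` and
            ``saml_role``. ``saml_role`` must be indexable: ``role[0]`` and ``role[1]``
            are handed to assume_role (presumably principal ARN and role ARN — confirm
            against the config format).
        awsprofile: AWS credentials profile the keys are written to.

    Raises:
        click.UsageError: when the IdP URL, the SAML username or the SAML role is
            not configured.
    """
    url = config.get("saml_identity_provider_url")
    user = config.get("saml_user")
    role = config.get("saml_role")

    if not url:
        raise click.UsageError("Missing identity provider URL")

    if not user:
        raise click.UsageError("Missing SAML username")

    # without this guard a missing role only surfaces as a TypeError on role[0] below
    if not role:
        raise click.UsageError("Missing SAML role")

    saml_xml, roles = saml_login(user, url)
    # NOTE(review): `roles` (what the IdP granted) is not compared with the configured
    # role; a role that was not granted is only rejected by assume_role itself.

    with Action("Assuming role {role}..", role=get_role_label(role)):
        key_id, secret, session_token = assume_role(saml_xml, role[0], role[1])

    with Action("Writing temporary AWS credentials.."):
        write_aws_credentials(awsprofile, key_id, secret, session_token)
        with open(obj["last-update-filename"], "w") as fd:
            yaml.safe_dump({"timestamp": time.time(), "profile": profile}, fd)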