Exemplo n.º 1
0
def get_profile(profile=None,
                session_duration=DEFAULT_SESSION_DURATION,
                assume_role=True,
                refresh=False,
                account_id=None):
    """
    Construct an AWS Profile.

    :param profile: the name of the profile to use; resolves via environment
           variables if not set
    :param session_duration: the session duration (in seconds), defafults to
           one hour, which is also the maximum
    :param assume_role: control whether the given profile's role will be assumed;
           if not, the default profile's credentials will be used
    """
    # choose the profile name if necessary
    if profile is None:
        profile = get_profile_name()

    # look for a cached session in the environment
    cached_session = CachedSession.from_environment(
        session_duration=session_duration,
    ) if assume_role and not refresh else None

    # then load the profile, updating credentials based on the cached session and/or assumed role
    aws_profile = AWSProfile(
        profile=profile,
        session_duration=session_duration,
        cached_session=cached_session,
        account_id=account_id,
    )
    if assume_role:
        aws_profile.update_credentials()

    return aws_profile
Exemplo n.º 2
0
def test_profile_role_arn_cached_session():
    """
    A profile with a role arn but a valid cached session will not (re)assume any role.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        aws_profile = AWSProfile(
            profile=PROFILE,
            cached_session=CACHED_SESSION,
            session_duration=DEFAULT_SESSION_DURATION,
        )

        assert_that(aws_profile.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(aws_profile.cached_session, is_(equal_to(CACHED_SESSION)))

        with patch.object(aws_profile, "assume_role") as assume_role:
            # we do not expect a role to be assumed
            aws_profile.update_credentials()
            assert_that(assume_role.call_count, is_(equal_to(0)))
            assert_that(aws_profile.cached_session,
                        is_(equal_to(CACHED_SESSION)))

        # session variables are set
        assert_that(
            aws_profile.to_envvars().get("AWS_SESSION_TOKEN"),
            is_(equal_to(CACHED_SESSION.token)),
        )
        assert_that(
            aws_profile.to_envvars().get("AWS_SESSION_NAME"),
            is_(equal_to(CACHED_SESSION.name)),
        )
Exemplo n.º 3
0
def test_profile_no_role_arn():
    """
    A profile with no role arn defined will not assume any role.
    """
    with custom_config(profile=PROFILE):
        aws_profile = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )

        assert_that(aws_profile.role_arn, is_(none()))
        assert_that(aws_profile.cached_session, is_(none()))

        with patch.object(aws_profile, "assume_role") as assume_role:
            # we do not expect a role to be assumed
            aws_profile.update_credentials()
            assert_that(assume_role.call_count, is_(equal_to(0)))
            assert_that(aws_profile.cached_session, is_(none()))

        # session variables are NOT set
        assert_that(aws_profile.to_envvars().get("AWS_SESSION_TOKEN"),
                    is_(none()))
        assert_that(aws_profile.to_envvars().get("AWS_SESSION_NAME"),
                    is_(none()))
Exemplo n.º 4
0
def test_profile_with_role_arn():
    """
    A profile with a role arn and no cached session will assume the role.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        aws_profile = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )
        assert_that(aws_profile.role_arn, is_(equal_to(ROLE_ARN)))
        assert_that(aws_profile.cached_session, is_(none()))

        with patch.object(aws_profile, "assume_role") as assume_role:
            # we do expect a role to be assumed
            def create_cached_session():
                aws_profile.cached_session = CACHED_SESSION
                return "access_key", "secret_key"

            assume_role.side_effect = create_cached_session
            aws_profile.update_credentials()
            assert_that(assume_role.call_count, is_(equal_to(1)))

        # session variables are set
        assert_that(
            aws_profile.to_envvars().get("AWS_SESSION_TOKEN"),
            is_(equal_to(CACHED_SESSION.token)),
        )
        assert_that(
            aws_profile.to_envvars().get("AWS_SESSION_NAME"),
            is_(equal_to(CACHED_SESSION.name)),
        )
Exemplo n.º 5
0
def test_profile_region_from_envvar():
    """
    Use AWS_REGION environment variable for region if set.
    """
    with custom_config(profile=PROFILE, role_arn=ROLE_ARN):
        region = 'us-east-2'
        environ['AWS_REGION'] = region
        aws_profile = AWSProfile(
            profile=PROFILE,
            session_duration=DEFAULT_SESSION_DURATION,
            cached_session=None,
        )
        assert_that(aws_profile.region_name, is_(equal_to(region)))