def make_aws_credentials(config, role_arn=None, role_name=None):
if role_arn:
try:
sts_connection = STSConnection()
assumedRoleObject = sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_name
)
except:
out("Oops! something went wrong trying to assume the specified role")
else:
# create credentials for switching roles
aws = AwsCredentials(
assumedRoleObject.credentials.access_key,
assumedRoleObject.credentials.secret_key,
assumedRoleObject.credentials.session_token,
get(config, 'aws.region', os.environ.get('AWS_DEFAULT_REGION')),
get(config, 'aws.bucket', os.environ.get('AWS_BEANSTALK_BUCKET_NAME')),
get(config, 'aws.bucket_path', os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH')))
out("Using Role: "+role_name)
else:
# create credentials
aws = AwsCredentials(
get(config, 'aws.access_key', os.environ.get('AWS_ACCESS_KEY_ID')),
get(config, 'aws.secret_key', os.environ.get('AWS_SECRET_ACCESS_KEY')),
get(config, 'aws.secret_token', os.environ.get('AWS_SECRET_TOKEN')),
get(config, 'aws.region', os.environ.get('AWS_DEFAULT_REGION')),
get(config, 'aws.bucket', os.environ.get('AWS_BEANSTALK_BUCKET_NAME')),
get(config, 'aws.bucket_path', os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH')))
return aws
def oauth_authorized(resp):
facebook_graph = facebook.GraphAPI(resp.get('access_token'))
email = facebook_graph.get_object("me")['email']
sts_connection = STSConnection()
role = sts_connection.assume_role(
role_arn="arn:aws:iam::054060359478:role/facebook-login",
role_session_name=email
)
creds = {
'sessionId': role.credentials.access_key,
'sessionKey': role.credentials.secret_key,
'sessionToken': role.credentials.session_token
}
params = {
'Action': 'getSigninToken',
'Session': json.dumps(creds),
}
auth_url = "https://signin.aws.amazon.com/federation"
r = requests.get(auth_url, params=params)
signin_token = json.loads(r.text).get('SigninToken')
params.update({
'Action': 'login',
'Issuer': 'ranman.org',
'Destination': 'https://console.aws.amazon.com/',
'SigninToken': signin_token
})
url = requests.Request('GET', auth_url, params=params).prepare().url
return redirect(url)
def get_aws_credentials(self, account_alias, role):
"""Get temporary credentials from AWS"""
self.check_user_permissions(account_alias, role)
try:
account_id = self.account_config[account_alias]['id']
except Exception:
message = "No Configuration for account '{account}'."
raise ConfigurationError(message.format(account=account_alias))
arn = "arn:aws:iam::{account_id}:role/{role}".format(
account_id=account_id, role=role)
key_id = self.application_config['aws']['access_key']
secret_key = self.application_config['aws']['secret_key']
try:
sts_connection = STSConnection(
aws_access_key_id=key_id,
aws_secret_access_key=secret_key)
assumed_role_object = sts_connection.assume_role(
role_arn=arn,
role_session_name=self.user)
except Exception as error:
if getattr(error, 'status', None) == 403:
raise PermissionError(str(error))
self.logger.exception("AWS STS failed with: {exc_vars}".format(
exc_vars=vars(error)))
raise AWSError(str(error))
return assumed_role_object.credentials
def get_connection(self):
ret = None
if self._cross_account_number and self._cross_account_role:
self._info(
subject=_status.parse_status('cross_account_connect', (self._cross_account_number, self._cross_account_role, self._region)),
src_account=self._cross_account_number,
src_role=self._cross_account_role,
category='connection')
from boto.sts import STSConnection
import boto
try:
role_arn = 'arn:aws:iam::%s:role/%s' % (self._cross_account_number, self._cross_account_role)
sts = STSConnection()
assumed_role = sts.assume_role(role_arn=role_arn, role_session_name='AssumeRoleSession')
ret = ec2.connect_to_region(
self._region,
aws_access_key_id=assumed_role.credentials.access_key,
aws_secret_access_key=assumed_role.credentials.secret_key,
security_token=assumed_role.credentials.session_token
)
except BotoServerError, e:
raise BackupMonkeyException('%s: %s' % (_status.parse_status('cross_account_error'), e.message),
subject=_status.parse_status('cross_account_error'),
body=e.message,
src_account=self._cross_account_number,
src_role=self._cross_account_role,
category='connection')
def get_sts(duration, mfa_serial, mfa_device_name,
long_term, short_term, assume_role_arn=None):
if boto.config.get(long_term, 'aws_access_key_id') is None:
logger.error('aws_access_key_id is missing from section %s'
'or config file is missing.' % (long_term,))
sys.exit(1)
else:
long_term_id = boto.config.get(long_term, 'aws_access_key_id')
if boto.config.get(long_term, 'aws_secret_access_key') is None:
logger.error('aws_secret_access_key is missing from section '
'or config file is missing.' % (long_term,))
sys.exit(1)
else:
long_term_secret = boto.config.get(long_term, 'aws_secret_access_key')
if boto.config.has_section(short_term):
boto.config.remove_option(short_term, 'aws_security_token')
mfa_TOTP = raw_input('Enter AWS MFA code for user %s '
'(renewing for %s seconds):' %
(mfa_device_name, duration))
try:
sts_connection = STSConnection(aws_access_key_id=long_term_id,
aws_secret_access_key=long_term_secret)
if assume_role_arn is None:
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
assumed_role = 'False'
else:
role_session_name = assume_role_arn.split('/')[-1]
assumedRole = sts_connection.assume_role(
assume_role_arn, role_session_name,
duration_seconds=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
tempCredentials = assumedRole.credentials
assumed_role = 'True'
default_options = [
('aws_access_key_id', tempCredentials.access_key),
('aws_secret_access_key', tempCredentials.secret_key),
('aws_security_token', tempCredentials.session_token),
('expiration', tempCredentials.expiration),
('assumed_role', assumed_role)
]
for option, value in default_options:
boto.config.save_user_option(
short_term,
option,
value
)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
logger.error(message)
sys.exit(1)
def get_conn(self):
"""
Returns the boto S3Connection object.
"""
if self._creds_in_config_file:
a_key, s_key = _parse_s3_config(self.s3_config_file,
self.s3_config_format,
self.profile)
else:
a_key = self._a_key
s_key = self._s_key
if self._sts_conn_required:
sts_connection = STSConnection(aws_access_key_id=a_key,
aws_secret_access_key=s_key,
profile_name=self.profile)
assumed_role_object = sts_connection.assume_role(
role_arn=self.role_arn,
role_session_name="Airflow_" + self.s3_conn_id
)
creds = assumed_role_object.credentials
connection = S3Connection(
aws_access_key_id=creds.access_key,
aws_secret_access_key=creds.secret_key,
security_token=creds.session_token
)
else:
connection = S3Connection(aws_access_key_id=a_key,
aws_secret_access_key=s_key)
return connection
def assume(self):
"""Assume a role a collect the AWS keys for that role. This will set
the environment variables AND will print the results. It returns the
credentials object from the assume_role function.
"""
self._clear_expired()
try:
sts = STSConnection()
except boto.exception.NoAuthHandlerFound:
sys.stderr.write(
"Please ensure that your AWS keys can "
"assume roles.\n"
)
sys.exit(1)
output = sts.assume_role(self.get_role_arn(), self.session_name)
for source, dest in self.map_.items():
# SVC-4728 - Add security_token support
if source is 'security_token':
source = 'session_token'
value = getattr(output.credentials, source)
self.set_env(dest, value)
self.credentials = output.credentials
if self.save:
self._save()
return self.credentials
def __init__(self):
''' Main execution path '''
# Inventory grouped by instance IDs, tags, security groups, regions, elbs and availability zones
self.inventory = self._empty_inventory()
# Index of hostname (address) to instance ID
#self.index = {}
# Read settings and parse CLI arguments
self.read_settings()
self.parse_cli_args()
#Initiate the STS connection:
sts_connection = STSConnection( )
data_to_print = {}
for i in self.aws_creds.keys():
# Creating the object from the sts_connection
assumedRoleObject = sts_connection.assume_role(
role_arn=self.aws_creds[i]["arn"],
role_session_name="AssumeRoleSession")
# Index of hostname (address) to instance ID
self.index = {}
self.creds = self.aws_creds[i]
# Cache Setup
self.cache_path_cache = self.cache_dir + "/ansible-%s.cache" % i
self.cache_path_index = self.cache_dir + "/ansible-%s.index" % i
# Cache
if self.args.refresh_cache:
self.do_api_calls_update_cache(assumedRoleObject)
elif not self.is_cache_valid():
self.do_api_calls_update_cache(assumedRoleObject)
# Data to print
if self.args.host:
data_to_print = self.get_host_info()
elif self.args.list:
# Display list of instances for inventory
if self.inventory == self._empty_inventory():
data_to_print = self.get_inventory_from_cache()
else:
data_to_print = self.json_format_dict(self.inventory, True)
print(data_to_print)
def get_conn(self):
"""
Returns the boto S3Connection object.
"""
if self._default_to_boto:
return S3Connection(profile_name=self.profile)
a_key = s_key = None
if self._creds_in_config_file:
a_key, s_key, calling_format = _parse_s3_config(self.s3_config_file,
self.s3_config_format,
self.profile)
elif self._creds_in_conn:
a_key = self._a_key
s_key = self._s_key
calling_format = self.calling_format
s3_host = self.s3_host
if calling_format is None:
calling_format = 'boto.s3.connection.SubdomainCallingFormat'
if s3_host is None:
s3_host = NoHostProvided
if self._sts_conn_required:
sts_connection = STSConnection(aws_access_key_id=a_key,
aws_secret_access_key=s_key,
profile_name=self.profile)
assumed_role_object = sts_connection.assume_role(
role_arn=self.role_arn,
role_session_name="Airflow_" + self.s3_conn_id
)
creds = assumed_role_object.credentials
connection = S3Connection(
aws_access_key_id=creds.access_key,
aws_secret_access_key=creds.secret_key,
calling_format=calling_format,
security_token=creds.session_token
)
else:
connection = S3Connection(aws_access_key_id=a_key,
aws_secret_access_key=s_key,
calling_format=calling_format,
host=s3_host,
profile_name=self.profile)
return connection
def assumeRole(credentials, arn):
sts_connection = STSConnection(
aws_access_key_id=credentials['AWS_ACCESS_KEY_ID'],
aws_secret_access_key=credentials['AWS_SECRET_ACCESS_KEY'])
sessionName = "awsudo-%08x" % (random.randint(0, 0xffffffff),)
response = sts_connection.assume_role(
role_arn=arn,
role_session_name=sessionName)
credentials = response.credentials
return {
'AWS_ACCESS_KEY_ID': credentials.access_key,
'AWS_SECRET_ACCESS_KEY': credentials.secret_key,
'AWS_SESSION_TOKEN': credentials.session_token,
}
def get_connection(self):
ret = None
if self._cross_account_number and self._cross_account_role:
from boto.sts import STSConnection
import boto
try:
role_arn = 'arn:aws:iam::%s:role/%s' % (self._cross_account_number, self._cross_account_role)
sts = STSConnection()
assumed_role = sts.assume_role(role_arn=role_arn, role_session_name='AssumeRoleSession')
ret = ec2.connect_to_region(
self._region,
aws_access_key_id=assumed_role.credentials.access_key,
aws_secret_access_key=assumed_role.credentials.secret_key,
security_token=assumed_role.credentials.session_token
)
except Exception,e:
print e
raise BackupMonkeyException('Cannot complete cross account access')
def get_conn(self):
"""
Returns the boto S3Connection object.
"""
if self._default_to_boto:
return S3Connection(profile_name=self.profile)
a_key = s_key = None
if self._creds_in_config_file:
a_key, s_key, calling_format = _parse_s3_config(
self.s3_config_file, self.s3_config_format, self.profile)
elif self._creds_in_conn:
a_key = self._a_key
s_key = self._s_key
calling_format = self.calling_format
s3_host = self.s3_host
if calling_format is None:
calling_format = 'boto.s3.connection.SubdomainCallingFormat'
if s3_host is None:
s3_host = NoHostProvided
if self._sts_conn_required:
sts_connection = STSConnection(aws_access_key_id=a_key,
aws_secret_access_key=s_key,
profile_name=self.profile)
assumed_role_object = sts_connection.assume_role(
role_arn=self.role_arn,
role_session_name="Airflow_" + self.s3_conn_id)
creds = assumed_role_object.credentials
connection = S3Connection(aws_access_key_id=creds.access_key,
aws_secret_access_key=creds.secret_key,
calling_format=calling_format,
security_token=creds.session_token)
else:
connection = S3Connection(aws_access_key_id=a_key,
aws_secret_access_key=s_key,
calling_format=calling_format,
host=s3_host,
profile_name=self.profile)
return connection
def connect_sts(aws_access_key_id=None, aws_secret_access_key=None, **kwargs):
"""
:type aws_access_key_id: string
:param aws_access_key_id: Your AWS Access Key ID
:type aws_secret_access_key: string
:param aws_secret_access_key: Your AWS Secret Access Key
:rtype: :class:`boto.sts.STSConnection`
:return: A connection to Amazon's STS
"""
from boto.sts import STSConnection
return STSConnection(aws_access_key_id, aws_secret_access_key, **kwargs)
def _add_assumed_role(self, config):
c = {}
c['region_name'] = config['region_name']
assumedRoleObject = STSConnection().assume_role(
role_arn=config["assumed_role_arn"],
role_session_name="assumeRole_" + uuid.uuid4().urn[-12:])
c["aws_access_key_id"] = assumedRoleObject.credentials.access_key
c["aws_secret_access_key"] = assumedRoleObject.credentials.secret_key
c["security_token"] = assumedRoleObject.credentials.session_token
return c
def sync(name=None):
if not name:
name = get_default_name()
credentials = get_credentials(name)
if not credentials.mfa_serial:
# Nothing to do here.
return
# Have temporary credentials and they aren't expired yet, so no need to
# get new ones.
if (credentials.temporary_credentials and
credentials.temporary_credentials.time_until_expiration() > 0):
return
import boto
from boto.sts import STSConnection
mfa_TOTP = getpass("Enter the MFA code: ")
sts_connection = STSConnection(
aws_access_key_id=credentials.access_key_id,
aws_secret_access_key=credentials.secret_access_key
)
temporary_credentials = sts_connection.get_session_token(
duration=SESSION_DURATION,
mfa_serial_number=credentials.mfa_serial,
mfa_token=mfa_TOTP,
)
details = TemporaryCredentials(
temporary_access_key=temporary_credentials.access_key,
temporary_secret_key=temporary_credentials.secret_key,
session_token=temporary_credentials.session_token,
expiration=temporary_credentials.expiration
)
keyring.set_password('aws-keyring-temporary-credentials', name, str(details))
def assumed_role(debug, OTP, mfa_serial, sts_duration, roleArn, SessionName):
try:
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
#OTP = input("Enter OTP: ")
#debug is used if you want assume-role print credentials
tempCredentials = sts_connection.get_session_token(
duration=sts_duration,
mfa_serial_number=
mfa_serial, #"arn:aws:iam::101549811061:mfa/SecurityAuditUser",
mfa_token=OTP)
STSsession = boto3.client(
'sts',
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
aws_session_token=tempCredentials.session_token)
assumed_role_object = STSsession.assume_role(
RoleArn=roleArn, #"arn:aws:iam::072979390894:role/read",
RoleSessionName=SessionName #"SecurityAuditSession"
)
credentials = assumed_role_object['Credentials']
except (ValueError, IOError) as e:
raise ("Error Processing your information for Assuming a role")
credentials = ""
if (debug):
print(credentials['AccessKeyId'])
print(credentials['SecretAccessKey'])
print(credentials['SessionToken'])
return credentials
def get_sts(duration):
os.environ['AWS_ACCESS_KEY_ID'] = boto.config.get(
'long-term',
'aws_access_key_id')
os.environ['AWS_SECRET_ACCESS_KEY'] = boto.config.get(
'long-term',
'aws_secret_access_key')
boto.config.remove_option('Credentials', 'aws_security_token')
try:
del os.environ['AWS_SECURITY_TOKEN']
except:
pass
mfa_TOTP = raw_input("Enter AWS MFA code for user %s:" % mfa_device_name)
try:
sts_connection = STSConnection()
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
boto.config.save_user_option(
'Credentials',
'aws_access_key_id',
tempCredentials.access_key)
boto.config.save_user_option(
'Credentials',
'aws_secret_access_key',
tempCredentials.secret_key)
boto.config.save_user_option(
'Credentials',
'aws_security_token',
tempCredentials.session_token)
boto.config.save_user_option(
'Credentials',
'expiration',
tempCredentials.expiration)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
sys.exit(message)
def get_session_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project_name, environment_name, role_name, token_expiration, session_token_expiration):
try:
if not args.nomfa:
mfa_token = raw_input("Enter the MFA code: ")
sts_session = sts_connection.get_session_token(
duration=session_token_expiration,
mfa_serial_number=mfa_serial_number,
mfa_token=mfa_token
)
session_sts_connection = STSConnection(aws_access_key_id=sts_session.access_key,
aws_secret_access_key=sts_session.secret_key,
security_token=sts_session.session_token)
if args.externalid:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
external_id=externalid
)
else:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
)
else:
colormsg ("When using get_session you must use MFA", "error")
exit(1)
except Exception, e:
colormsg ("There was an error assuming role", "error")
verbose(e)
exit(1)
def get_session_token(sts_connection, role_arn, mfa_serial_number,
role_session_name, project_name, environment_name,
role_name, token_expiration, session_token_expiration):
try:
if not args.nomfa:
mfa_token = raw_input("Enter the MFA code: ")
sts_session = sts_connection.get_session_token(
duration=session_token_expiration,
mfa_serial_number=mfa_serial_number,
mfa_token=mfa_token)
session_sts_connection = STSConnection(
aws_access_key_id=sts_session.access_key,
aws_secret_access_key=sts_session.secret_key,
security_token=sts_session.session_token)
if args.externalid:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
external_id=externalid)
else:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
)
else:
colormsg("When using get_session you must use MFA", "error")
exit(1)
except Exception, e:
colormsg("There was an error assuming role", "error")
verbose(e)
exit(1)
def make_aws_credentials(config, role_arn=None, role_name=None):
if role_arn:
try:
sts_connection = STSConnection()
assumedRoleObject = sts_connection.assume_role(
role_arn=role_arn, role_session_name=role_name)
except:
out("Oops! something went wrong trying to assume the specified role"
)
else:
# create credentials for switching roles
aws = AwsCredentials(
assumedRoleObject.credentials.access_key,
assumedRoleObject.credentials.secret_key,
assumedRoleObject.credentials.session_token,
get(config, 'aws.region',
os.environ.get('AWS_DEFAULT_REGION')),
get(config, 'aws.bucket',
os.environ.get('AWS_BEANSTALK_BUCKET_NAME')),
get(config, 'aws.bucket_path',
os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH')))
out("Using Role: " + role_name)
else:
# create credentials
aws = AwsCredentials(
get(config, 'aws.access_key', os.environ.get('AWS_ACCESS_KEY_ID')),
get(config, 'aws.secret_key',
os.environ.get('AWS_SECRET_ACCESS_KEY')),
get(config, 'aws.secret_token',
os.environ.get('AWS_SECRET_TOKEN')),
get(config, 'aws.region', os.environ.get('AWS_DEFAULT_REGION')),
get(config, 'aws.bucket',
os.environ.get('AWS_BEANSTALK_BUCKET_NAME')),
get(config, 'aws.bucket_path',
os.environ.get('AWS_BEANSTALK_BUCKET_NAME_PATH')))
return aws
def get_sts_keys(default_keys):
from boto.sts import STSConnection
baseline_keys = load_keys(args.profile + ".credentials")
conn = STSConnection(default_keys["aws_access_key_id"], default_keys["aws_secret_access_key"])
mfaArn = "arn:aws:iam::{0}:mfa/{1}".format(args.accountId, args.userName)
log("mfa device = %s" % mfaArn)
try:
creds = conn.get_session_token(args.duration, args.force_new, mfaArn, args.mfaToken)
log("Session will expire at %s" % creds.expiration)
return {
"aws_access_key_id": creds.access_key,
"aws_secret_access_key": creds.secret_key,
"aws_session_token": creds.session_token,
}
except boto.exception.BotoServerError, e:
if "MultiFactorAuthentication failed" in str(e):
log("Invalid MFA token, resetting default keys")
return default_keys
elif "InvalidClientTokenId" in str(e):
log("Invalid default credentials")
return None
else:
raise e
def awsTVMUpload(archiveFile=None,bucket=None,aws_key=None,aws_secret=None,foldername=None):
if not aws_key:
aws_key=settings.BUCKETS[bucket]["AWS_KEY_ID"]
if not aws_secret:
aws_secret=settings.BUCKETS[bucket]["AWS_SECRET"]
stsconn = STSConnection(aws_access_key_id=aws_key, aws_secret_access_key=aws_secret)
policydict={
"Statement": [
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::%s/%s/*" % (bucket,foldername)
],
"Effect": "Allow"
},{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::%s*" % (bucket)
],
"Effect": "Allow"
}
] }
policystring = json.dumps(policydict)
ststoken = stsconn.get_federation_token("sys_upload", 24*3600, policystring)
jsonoutput={}
jsonoutput["SecretAccessKey"]=ststoken.credentials.secret_key
jsonoutput["AccessKeyId"]=ststoken.credentials.access_key
jsonoutput["SessionToken"]=ststoken.credentials.session_token
return jsonoutput
def get_aws_credentials(self, account_alias, role):
"""Get temporary credentials from AWS"""
self.check_user_permissions(account_alias, role)
try:
account_id = self.account_config[account_alias]['id']
except Exception:
message = "No Configuration for account '{account}'."
raise ConfigurationError(message.format(account=account_alias))
arn = "arn:aws:iam::{account_id}:role/{role}".format(
account_id=account_id, role=role)
key_id = self.application_config['aws']['access_key']
secret_key = self.application_config['aws']['secret_key']
try:
sts_connection = STSConnection(aws_access_key_id=key_id,
aws_secret_access_key=secret_key)
assumed_role_object = sts_connection.assume_role(
role_arn=arn, role_session_name=self.user)
except Exception as error:
if getattr(error, 'status', None) == 403:
raise PermissionError(str(error))
self.logger.exception(
"AWS STS failed with: {exc_vars}".format(exc_vars=vars(error)))
raise AWSError(str(error))
return assumed_role_object.credentials
def connect_sts(aws_access_key_id=None, aws_secret_access_key=None, **kwargs):
"""
:type aws_access_key_id: string
:param aws_access_key_id: Your AWS Access Key ID
:type aws_secret_access_key: string
:param aws_secret_access_key: Your AWS Secret Access Key
:rtype: :class:`boto.sts.STSConnection`
:return: A connection to Amazon's STS
"""
access_key, secret_key = get_govcloud_creds(aws_access_key_id,
aws_secret_access_key)
from boto.sts import STSConnection
region = RegionInfo(name='govcloud',
endpoint='ec2.us-gov-west-1.amazonaws.com')
return STSConnection(access_key, secret_key,
region=region, **kwargs)
from pprint import pprint
appId ="{{ priam_cluster_name }}"
def put_record(domain, prop, val):
print"Inserting into %s: %s -> %s" % (domain, prop, val)
itemname ="%s.%s" % (appId, prop)
sdb.put_attributes(domain, itemname, {"appId" : appId,"property" : prop,"value" : val})
return
roleArn = '{{ priam_assume_role_arn|default('None') }}'
if roleArn == 'None':
sdb = boto.sdb.connect_to_region("us-east-1")
else:
sts = STSConnection()
assumed = sts.assume_role(roleArn, 'sdb_script')
sdb = boto.sdb.connect_to_region('us-east-1', aws_access_key_id=assumed.credentials.access_key, aws_secret_access_key=assumed.credentials.secret_key, security_token=assumed.credentials.session_token)
ii = sdb.lookup("InstanceIdentity", validate=True)
if ii is None:
print"No InstanceIdentity, creating."
ii = sdb.create_domain("InstanceIdentity")
pp = sdb.lookup("PriamProperties", validate=True)
if pp is None:
print"No PriamProperties, creating."
pp = sdb.create_domain("PriamProperties")
put_record("PriamProperties","priam.s3.bucket","{{ priam_s3_bucket }}")
put_record("PriamProperties","priam.s3.base_dir","{{ priam_s3_base_dir }}")
def get_session_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project_name, environment_name, role_name, token_expiration, session_token_expiration, args):
global access_key
global session_key
global session_token
try:
if not args.nomfa:
mfa_token = input("Enter the MFA code: ")
sts_session = sts_connection.get_session_token(
duration=session_token_expiration,
mfa_serial_number=mfa_serial_number,
mfa_token=mfa_token
)
session_sts_connection = STSConnection(aws_access_key_id=sts_session.access_key,
aws_secret_access_key=sts_session.secret_key,
security_token=sts_session.session_token)
if args.externalid:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
external_id=externalid
)
else:
assumed_role_object = session_sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name,
duration_seconds=token_expiration,
)
else:
colormsg("When using get_session you must use MFA", "error")
exit(1)
except Exception as e:
colormsg("There was an error assuming role", "error")
verbose(str(e))
exit(1)
colormsg ("Assumed the role successfully", "ok")
# Format resulting temporary credentials into a JSON block using
# known field names.
access_key = sts_session.access_key
session_key = sts_session.secret_key
session_token = sts_session.session_token
expiration = sts_session.expiration
login_to_fedaccount(access_key, session_key, session_token, role_session_name, args=args)
if not args.profile:
credential_profile = 'default'
else:
credential_profile = args.profile
save_credentials(access_key, session_key, session_token, role_session_name, 'corp', 'session', credential_profile, region)
# save_credentials(access_key, session_key, session_token, role_session_name, project_name, environment_name, role_name, region)
# and save them on the CLI config file .aws/credentials
save_cli_credentials(access_key, session_key, session_token, '-'.join(['corp','session',credential_profile]), region)
if args.stdout:
print("")
print("If you want to use your credentials from the environment with an external Tool (for instance, Terraform), you can use the following instructions:")
print("WARNING: If you use it in the same shell as anwbis exported variables takes precedence over the .aws/credentials, so use it carefully")
print("")
print("export AWS_ACCESS_KEY_ID='%s'" % access_key)
print("export AWS_SECRET_ACCESS_KEY='%s'" % session_key)
print("export AWS_SESSION_TOKEN='%s'" % session_token)
print("export AWS_DEFAULT_REGION='%s'" % region)
print("Expiration='%s'" % expiration)
print("")
return {'access_key': access_key,
'session_key': session_key,
'session_token': session_token,
'role_session_name': role_session_name}
import hashlib
import sys
import boto
from boto.sts import STSConnection
from boto.s3.connection import S3Connection
print ('Assuming role to access S3 on a different account')
ROLE_ARN = os.environ['ROLE_ARN']
ROLE_SESS_NAME = os.environ['ROLE_SESS_NAME']
FILE_ROOT = os.environ['WORKSPACE'] + '/project/deploy/'
BUCKET_PARAM = os.environ['BUCKET_NAME']
CF_DIST_ID = os.environ['CF_DIST_ID']
sts_connection = STSConnection()
assumedRoleObject = sts_connection.assume_role(
role_arn=ROLE_ARN,
role_session_name=ROLE_SESS_NAME
)
ACCESS_KEY = assumedRoleObject.credentials.access_key
SECRET_KEY = assumedRoleObject.credentials.secret_key
TOKEN = assumedRoleObject.credentials.session_token
# Use the temporary credentials returned by AssumeRole to call Amazon S3
connection = S3Connection(
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
security_token=TOKEN,
calling_format=boto.s3.connection.OrdinaryCallingFormat()
mfa_serial_number = mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices[
0].serial_number
else:
colormsg("You don't have MFA devices associated with our user",
"error")
exit(1)
else:
mfa_serial_number = "arn:aws:iam::" + account_id + ":mfa/" + role_session_name
# Create an ARN out of the information provided by the user.
role_arn = "arn:aws:iam::" + account_id_from_user + ":role/"
role_arn += role_name_from_user
# Connect to AWS STS and then call AssumeRole. This returns temporary security credentials.
if args.profile:
sts_connection = STSConnection(profile_name=args.profile)
else:
sts_connection = STSConnection()
# Assume the role
if not args.nomfa:
verbose("Assuming role " + role_arn + " using MFA device " +
mfa_serial_number + "...")
if args.project:
colormsg(
"Assuming role " + role + " from project " + project +
" using MFA device from user " + role_session_name + "...",
"normal")
elif args.iam_delegated_role:
colormsg(
"Assuming role " + role + " using MFA device from user " +
def signedUrlUpload(archiveFile=None,
bucket=None,
aws_key=None,
aws_secret=None):
'''
This method returns data required for a pre-signed PUT operation for uploading
a file to the S3 bucket directly.
Note: This method depends on STS permissions and thus an IAM user configured and
will be removed soon as a result. Moving forward it is best to use the
pre-signed POSTs returned from the Filemaster API.
:param archiveFile:
:param bucket:
:param aws_key:
:param aws_secret:
:return: dict
'''
if not bucket:
bucket = settings.S3_DEFAULT_BUCKET
foldername = str(uuid.uuid4())
key = foldername + "/" + archiveFile.filename
try:
if not aws_key:
aws_key = settings.BUCKET_CREDENTIALS.get(bucket,
{}).get("AWS_KEY_ID")
if not aws_secret:
aws_secret = settings.BUCKET_CREDENTIALS.get(bucket,
{}).get('AWS_SECRET')
conn = S3Connection(aws_key,
aws_secret,
is_secure=True,
host=S3Connection.DefaultHost)
url = "S3://{bucket}/{key}".format(bucket=bucket, key=key)
# register file
fl = FileLocation(url=url, storagetype='s3')
fl.save()
archiveFile.locations.add(fl)
url = conn.generate_url(3600 * 24 * 7,
'PUT',
bucket=bucket,
key=foldername + "/" + archiveFile.filename,
force_http=False)
stsconn = STSConnection(aws_access_key_id=aws_key,
aws_secret_access_key=aws_secret)
policydict = {
"Statement": [{
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:::{bucket}/{foldername}/*".format(
bucket=bucket, foldername=foldername)
],
"Effect":
"Allow"
}, {
"Action": ["s3:PutObject"],
"Resource": ["arn:aws:s3:::{bucket}*".format(bucket=bucket)],
"Effect":
"Allow"
}]
}
policystring = json.dumps(policydict)
ststoken = stsconn.get_federation_token("sys_upload", 24 * 3600,
policystring)
jsonoutput = {
"url": url,
"location": "s3://{bucket}/{key}/".format(bucket=bucket, key=key),
"locationid": fl.id,
"bucket": bucket,
"foldername": foldername,
"filename": archiveFile.filename,
"secretkey": ststoken.credentials.secret_key,
"accesskey": ststoken.credentials.access_key,
"sessiontoken": ststoken.credentials.session_token,
}
return jsonoutput
except Exception as exc:
log.error("Error: %s" % exc)
return {}
def main():
import logging
from boto.s3.connection import S3Connection
from boto.sts import STSConnection
# Prompt for token code
mfa = raw_input("Enter the mfa authcode for ec2-dev: ")
#
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=3600,
mfa_serial_number="arn:aws:iam::231871078230:mfa/ec2-dev",
mfa_token=mfa
)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token
)
# Set up logging
logging.basicConfig(filename='ec2-termination.log',
format='%(asctime)s = %(levelname)s: %(message)s',
level=logging.DEBUG)
# List comprehension for regions
ec2_regions = [region['RegionName'] for region in client.describe_regions()['Regions']]
# tag values to ignore
tag_value = ['openshift-node','openshift-master']
for region in ec2_regions:
#sets current working region
print("Currently process instances in %s" % region)
region_id = boto3.resource('ec2',region_name=region)
# Gets a list of EC2 instances which are running
instances = region_id.instances.filter(
Filters=[{'Name': 'instance-state-name', 'Values': ['running','stopped']}])
flag = True
for instance in instances:
for tag in instance.tags:
if tag['Key'] == 'Name':
name = tag['Value']
if name in tag_value:
flag = False
try:
logging.info("Deleting instance %s "% instance.id)
if flag:
#disableAPIProtection(instance.id)
#response = instance.terminate()
print("Instance %s termination" % instance.id)
else:
pass
#print("Instance %s termination" % name)
except botocore.exceptions.ClientError as e:
logging.error(e.response['Error']['Code'])
import boto3
from boto.sts import STSConnection
from boto.s3.connection import S3Connection
from boto3 import client
# Prompt for MFA time-based one-time password (TOTP)
mfa_TOTP = raw_input("Enter the MFA code: ")
# The calls to AWS STS GetSessionToken must be signed with the access key ID and secret
# access key of an IAM user. The credentials can be in environment variables or in
# a configuration file and will be discovered automatically
# by the STSConnection() function. For more information, see the Python SDK
# documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection(
aws_access_key_id="AKIAJEGDPRSEOJMV46ZA",
aws_secret_access_key="RHrGRGJrpb8mWAq6zRXTwmX1TmvjfQZTOevPatg9")
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=2800,
mfa_serial_number="arn:aws:iam::186502235371:mfa/sthathamsetty",
mfa_token=mfa_TOTP)
print(tempCredentials.access_key)
print(tempCredentials.secret_key)
print("\n" + tempCredentials.session_token)
sts_connection1 = STSConnection(
secret_access_key = raw_input("Enter your AWS Secret Access Key: ")
config.set(profile, AWS_SECRET_ACCESS_KEY, secret_access_key)
write_config = True
if config.has_option(profile, AWS_MFA_DEVICE) == False:
mfa_device = raw_input("Enter your username: "******"arn:aws:iam::973692506099:mfa/" + mfa_device
# use the passed in code if any
mfa_TOTP = args.code
if args.code is None:
mfa_TOTP = raw_input("Enter your MFA code: ")
# Get temp credentials
tempCredentials = sts_connection.get_session_token(
duration=28800,
mfa_serial_number=serial_number,
mfa_token=mfa_TOTP
import json
import boto
import boto3
import os
import commands
import boto.ec2
from boto import ec2
from boto.sts import STSConnection
import sys
arn=str(sys.argv[1])
print arn
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn=arn,
role_session_name="run-script"
)
os.environ["AWS_ACCESS_KEY_ID"] =assumed_role_object.credentials.access_key
os.environ["AWS_SECRET_ACCESS_KEY"] = assumed_role_object.credentials.secret_key
os.environ["AWS_SESSION_TOKEN"] = assumed_role_object.credentials.session_token
############ Get Account name & ID #############################################
accountname=commands.getoutput("aws iam list-account-aliases | awk {'print $2'}")
accountid=(boto3.client('sts').get_caller_identity()['Account'])
print accountname
f1=open('/tmp/email_output.html', 'a')
f1.write("<h2 style='color:#0066cc;'>"+accountname+" ["+accountid+"]</h2><hr>\n<h4>Security Group Ports Summary for EC2 Instances</h4>\n<table style=\'width:100%\', border=\'1\'>\n<thead><th>Instance Name</th><th>Instance Type</th><th>VPC</th><th>Security Group</th><th>Ports Opened</th></thead>\n<tbody>\n")
############# EC2 instance INFo with attached security group name/ID ###########
def get_name(instance):
if instance.tags:
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
# get starting credentials
# from environment:
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
# use get started credentials to do the roles dance and obtain
# temporary credentials in target account
#target_role_name = 'init-test3-shoppertrak-NucleatorCageBuilder-1I5ZOAYRJLS8Z'
data = {}
data.update(inject)
# TODO use nucleator facts instead
source_role_name = data[
'nucleator_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions
target_role_name = data[
'cage_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions
print "Target Role Name: ", target_role_name
print "Source Role Name: ", source_role_name
source_account_id = data['source_account_number']
target_account_id = data['target_account_number']
print "Target Account Number: ", target_account_id
print "Source Account Number: ", source_account_id
try:
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
aws_access_key_id = env.get("AWS_ACCESS_KEY_ID")
aws_secret_access_key = env.get("AWS_SECRET_ACCESS_KEY")
security_token = env.get("AWS_SECURITY_TOKEN")
aws_access_key_id = aws_access_key_id if aws_access_key_id else None
aws_secret_access_key = aws_secret_access_key if aws_secret_access_key else None
security_token = security_token if security_token else None
sts_connection = STSConnection(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
security_token=security_token)
source_role = sts_connection.assume_role(
role_arn='arn:aws:iam::{0}:role/{1}'.format(
source_account_id, source_role_name),
role_session_name='SourceRoleSession')
vv("Successfully assumed {0} role in account {1}".format(
source_role_name, source_account_id))
except Exception, e:
result = dict(
failed=True,
msg=type(e).__name__ +
": Failed to obtain temporary credentials for role " +
source_role_name + " in target account " +
source_account_id + ", message: '" + str(e))
return ReturnData(conn=conn, comm_ok=False, result=result)
try:
sts_connection = STSConnection(
aws_access_key_id=source_role.credentials.access_key,
aws_secret_access_key=source_role.credentials.secret_key,
security_token=source_role.credentials.session_token)
target_role = sts_connection.assume_role(
role_arn='arn:aws:iam::{0}:role/{1}'.format(
target_account_id, target_role_name),
role_session_name='TargetRoleSession')
vv("Successfully assumed {0} role in account {1}".format(
target_role_name, target_account_id))
except Exception, e:
# deal with failure gracefully
result = dict(
failed=True,
msg=type(e).__name__ +
": Failed to obtain temporary credentials for role " +
target_role_name + " in target account " +
target_account_id + ", message: '" + str(e) +
" Security_Token: " +
source_role.credentials.session_token)
return ReturnData(conn=conn, comm_ok=False, result=result)
from io import StringIO
import hashlib
import sys
import boto
from boto.sts import STSConnection
from boto.s3.connection import S3Connection
print('Assuming role to access S3 on a different account')
ROLE_ARN = os.environ['ROLE_ARN']
ROLE_SESS_NAME = os.environ['ROLE_SESS_NAME']
FILE_ROOT = os.environ['WORKSPACE'] + '/project/deploy/'
BUCKET_PARAM = os.environ['BUCKET_NAME']
CF_DIST_ID = os.environ['CF_DIST_ID']
sts_connection = STSConnection()
assumedRoleObject = sts_connection.assume_role(
role_arn=ROLE_ARN, role_session_name=ROLE_SESS_NAME)
ACCESS_KEY = assumedRoleObject.credentials.access_key
SECRET_KEY = assumedRoleObject.credentials.secret_key
TOKEN = assumedRoleObject.credentials.session_token
# Use the temporary credentials returned by AssumeRole to call Amazon S3
connection = S3Connection(
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
security_token=TOKEN,
calling_format=boto.s3.connection.OrdinaryCallingFormat())
print('File Root: ', FILE_ROOT)
# "aws:MultiFactorAuthAge": false #mfa condition is optional
# }
# }
# }
# ]
# }
# And appropriate IAM policy
roleArn = "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<NAME_OF_EXISTING_ROLE>"
###########################################
### Create preSigned URL
###########################################
# Taken from : http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-manualURL.html#STSConsoleLink_programPython
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn=roleArn,
role_session_name="ConsoleSSOSession",
duration_seconds=1800
)
# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.credentials.access_key + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.credentials.secret_key + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.credentials.session_token + '"'
json_string_with_temp_credentials += '}'
# Step 4. Make request to AWS federation endpoint to get sign-in token. Pass
def get_aws_connection_info(module):
ec2_url = module.params.get('ec2_url')
access_key = module.params.get('aws_access_key')
secret_key = module.params.get('aws_secret_key')
security_token = module.params.get('security_token')
region = module.params.get('region')
aws_profile = module.params.get('aws_profile')
validate_certs = module.params.get('validate_certs')
profile_dict = {}
if not ec2_url:
if 'EC2_URL' in os.environ:
ec2_url = os.environ['EC2_URL']
elif 'AWS_URL' in os.environ:
ec2_url = os.environ['AWS_URL']
if not region:
if 'EC2_REGION' in os.environ:
region = os.environ['EC2_REGION']
elif 'AWS_REGION' in os.environ:
region = os.environ['AWS_REGION']
else:
# boto.config.get returns None if config not found
region = boto.config.get('Boto', 'aws_region')
if not region:
region = boto.config.get('Boto', 'ec2_region')
if aws_profile:
# sanity checks
if aws_profile != "default":
if "HOME" not in os.environ:
module.fail_json(
msg=
"No $HOME environment variable could be detected. Do you even UNIX bro?"
)
aws_config_file = os.path.join(os.environ["HOME"], ".aws/config")
if not os.path.exists(aws_config_file):
module.fail_json(msg="Does $HOME/aws/.config even exist?")
config = ConfigParser.ConfigParser()
config.read(aws_config_file)
sections = config.sections()
if 'profile ' + aws_profile not in sections:
module.fail_json(msg="AWS profile: %s was not found" %
aws_profile)
profile_dict = config_section_map(config, 'profile ' + aws_profile)
else:
aws_profile = None
if profile_dict and 'role_arn' in profile_dict:
role_arn = profile_dict['role_arn']
source_profile = profile_dict['source_profile']
role_session_name = 'CustomAnsibleSession'
# get creds by following source_profile
aws_credentials_file = os.path.join(os.environ["HOME"],
".aws/credentials")
if not os.path.exists(aws_credentials_file):
module.fail_json(msg="Does $HOME/aws/.credentials even exist?")
config.read(aws_credentials_file)
source_profile_dict = config_section_map(config, source_profile)
aws_access_key = source_profile_dict['aws_access_key_id']
aws_secret_key = source_profile_dict['aws_secret_access_key']
sts_connection = STSConnection(aws_access_key_id=aws_access_key,
aws_secret_access_key=aws_secret_key)
assumedRoleObject = sts_connection.assume_role(
role_arn=role_arn, role_session_name=role_session_name)
access_key = assumedRoleObject.credentials.access_key
secret_key = assumedRoleObject.credentials.secret_key
security_token = assumedRoleObject.credentials.session_token
else:
if not access_key:
if 'EC2_ACCESS_KEY' in os.environ:
access_key = os.environ['EC2_ACCESS_KEY']
elif 'AWS_ACCESS_KEY_ID' in os.environ:
access_key = os.environ['AWS_ACCESS_KEY_ID']
elif 'AWS_ACCESS_KEY' in os.environ:
access_key = os.environ['AWS_ACCESS_KEY']
else:
# in case access_key came in as empty string
access_key = None
if not secret_key:
if 'EC2_SECRET_KEY' in os.environ:
secret_key = os.environ['EC2_SECRET_KEY']
elif 'AWS_SECRET_ACCESS_KEY' in os.environ:
secret_key = os.environ['AWS_SECRET_ACCESS_KEY']
elif 'AWS_SECRET_KEY' in os.environ:
secret_key = os.environ['AWS_SECRET_KEY']
else:
# in case secret_key came in as empty string
secret_key = None
if not security_token:
if 'AWS_SECURITY_TOKEN' in os.environ:
security_token = os.environ['AWS_SECURITY_TOKEN']
else:
# in case security_token came in as empty string
security_token = None
boto_params = dict(aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
profile_name=aws_profile,
security_token=security_token)
return region, ec2_url, boto_params
import urllib, json
import requests # 'pip install requests'
from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto'
# Step 1: Authenticate user in your own identity system.
# Step 2: Using the access keys for an IAM user in your AWS account,
# call "AssumeRole" to get temporary access keys for the federated user
# Note: Calls to AWS STS AssumeRole must be signed using the access key ID
# and secret access key of an IAM user or using existing temporary credentials.
# The credentials can be in EC2 instance metadata, in environment variables,
# or in a configuration file, and will be discovered automatically by the
# STSConnection() function. For more information, see the Python SDK docs:
# http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn="arn:aws:iam::348107122702:role/Test",
role_session_name="AssumeRoleSession")
# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.credentials.access_key + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.credentials.secret_key + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.credentials.session_token + '"'
json_string_with_temp_credentials += '}'
# Step 4. Make request to AWS federation endpoint to get sign-in token. Pass
# the action and JSON document with temporary credentials as parameters.
request_parameters = "?Action=getSigninToken"
# Import the SDK
import boto
import uuid
import boto.ec2
from boto.ec2.connection import EC2Connection
from boto.sts import STSConnection
from sys import argv
script_name, account_id_from_user, role_name_from_user, my_region = argv
theregion = boto.ec2.get_region(my_region)
role_arn = "arn:aws:iam::" + account_id_from_user + ":role/"
role_arn += role_name_from_user
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn=role_arn,
role_session_name="AssumeRoleSession"
)
access = assumed_role_object.credentials.access_key
secret = assumed_role_object.credentials.secret_key
token = assumed_role_object.credentials.session_token
myimages = EC2Connection(region=theregion)
listims = myimages.get_all_images(owners='self')
ec2conn = EC2Connection(aws_access_key_id=access,aws_secret_access_key=secret,security_token=token,region=theregion)
for x in listims:
theimage = str([x])
theimage = theimage.replace('Image:','')
def decode_message(self, message):
'''Decodes an any encrypted AWS Error message'''
from boto.sts import STSConnection
sts_connection = STSConnection()
print("---------- Decoded message ----------")
print((sts_connection.decode_authorization_message(message).decoded_message))
def connect_to_sts_region(aws_access_key, aws_secret_key):
try:
return STSConnection(aws_access_key, aws_secret_key)
except:
raise
def get_sts(duration,
mfa_serial,
mfa_device_name,
long_term,
short_term,
assume_role_arn=None):
if boto.config.get(long_term, 'aws_access_key_id') is None:
logger.error('aws_access_key_id is missing from section %s'
'or config file is missing.' % (long_term, ))
sys.exit(1)
else:
long_term_id = boto.config.get(long_term, 'aws_access_key_id')
if boto.config.get(long_term, 'aws_secret_access_key') is None:
logger.error('aws_secret_access_key is missing from section '
'or config file is missing.' % (long_term, ))
sys.exit(1)
else:
long_term_secret = boto.config.get(long_term, 'aws_secret_access_key')
if boto.config.has_section(short_term):
boto.config.remove_option(short_term, 'aws_security_token')
mfa_TOTP = raw_input('Enter AWS MFA code for user %s '
'(renewing for %s seconds):' %
(mfa_device_name, duration))
try:
sts_connection = STSConnection(aws_access_key_id=long_term_id,
aws_secret_access_key=long_term_secret)
if assume_role_arn is None:
tempCredentials = sts_connection.get_session_token(
duration=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
assumed_role = 'False'
else:
role_session_name = assume_role_arn.split('/')[-1]
assumedRole = sts_connection.assume_role(
assume_role_arn,
role_session_name,
duration_seconds=duration,
mfa_serial_number=mfa_serial,
mfa_token=mfa_TOTP)
tempCredentials = assumedRole.credentials
assumed_role = 'True'
default_options = [
('aws_access_key_id', tempCredentials.access_key),
('aws_secret_access_key', tempCredentials.secret_key),
('aws_security_token', tempCredentials.session_token),
('expiration', tempCredentials.expiration),
('assumed_role', assumed_role)
]
for option, value in default_options:
boto.config.save_user_option(short_term, option, value)
except boto.exception.BotoServerError as e:
message = '%s - Please try again.' % (e.message)
logger.error(message)
sys.exit(1)
def token(self):
global region
global role
global externalid
global browser
global access_key
global session_key
global session_token
global filter_name
# Welcome
if self.args.verbose:
print("")
print(" __ ___ _ _____ ")
print(" /\ \ \ / / | (_)/ ____|")
print(" / \ _ _\ \ /\ / /| |__ _| (___ ")
print(" / /\ \ | '_ \ \/ \/ / | '_ \| |\___ \ ")
print(" / ____ \| | | \ /\ / | |_) | |____) |")
print(" /_/ \_\_| |_|\/ \/ |_.__/|_|_____/ ")
print("")
print(" Amazon Account Access "+ version)
print("")
else:
print("")
print("AnWbiS Amazon Account Access "+ version)
print("")
# Set values from parser
if not self.args.project or not self.args.env:
if not self.args.iam_master_group or not self.args.iam_policy or not self.args.iam_delegated_role and not self.args.from_ec2_role:
colormsg("You must provide either -p and -e flags or --iam_master_group, --iam_policy and --iam_delegated_role to use Anwbis", "error")
exit(1)
elif self.args.from_ec2_role and not self.args.iam_delegated_role:
colormsg("When using credentials stored in EC2 roles you must use either -p and -e flags or --iam_delegated_role to use Anwbis", "error")
exit(1)
if self.args.role:
if self.args.role == 'contractor' and not self.args.contractor:
colormsg ("When using role contractor you must provide --contractor (-c) flag with the contractor policy to asume", "error")
exit(1)
elif self.args.role == 'contractor' and self.args.contractor and not self.args.externalid:
colormsg ("When using role contractor you must provide --externalid (-ext) code with the ExternalID to use", "error")
exit(1)
elif self.args.role == 'contractor' and self.args.contractor and self.args.externalid:
role = self.args.role+'-'+self.args.contractor
verbose("Asuming contractor role: "+ self.args.role+'-'+self.args.contractor)
else:
role = self.args.role
elif self.args.iam_delegated_role:
role = self.args.iam_delegated_role
else:
role = 'developer'
if self.args.profile:
profile_name = self.args.profile
if self.args.region:
region = self.args.region
else:
region = 'eu-west-1'
if self.args.project:
project = self.args.project
#project = project.lower()
verbose("Proyect: "+project)
if self.args.env:
env = self.args.env
#env = env.lower()
verbose("Environment: "+env)
if self.args.browser:
browser = self.args.browser
else:
browser = 'none'
# Max token duration = 1h, session token = 8h
if self.args.duration > 3600:
token_expiration = 3600
if self.args.get_session:
if self.args.duration > 28800:
session_token_expiration = 28800
elif self.args.duration < 900:
token_expiration = 900
if self.args.get_session:
session_token_expiration = token_expiration
else:
token_expiration = self.args.duration
if self.args.get_session and not self.args.duration:
session_token_expiration = token_expiration
else:
session_token_expiration = 28800
if self.args.externalid:
externalid = self.args.externalid
# Get Corp Account ID and set session name
if self.args.profile:
iam_connection = IAMConnection(profile_name=self.args.profile)
else:
iam_connection = IAMConnection()
# role_session_name=iam_connection.get_user()['get_user_response']['get_user_result']['user']['user_name']
try:
if self.args.from_ec2_role:
request_url = "http://169.254.169.254/latest/meta-data/iam/info/"
r = requests.get(request_url)
profilearn = json.loads(r.text)["InstanceProfileArn"]
profileid = json.loads(r.text)["InstanceProfileId"]
profilename = json.loads(r.text)["InstanceProfileArn"].split('/')[1]
role_session_name = profilename
else:
role_session_name=iam_connection.get_user().get_user_response.get_user_result.user.user_name
except Exception as e:
colormsg("There was an error retrieving your session_name. Check your credentials", "error")
verbose(str(e))
exit(1)
# account_id=iam_connection.get_user()['get_user_response']['get_user_result']['user']['arn'].split(':')[4]
try:
if self.args.from_ec2_role:
account_id = profilearn = json.loads(r.text)["InstanceProfileArn"].split(':')[4]
account_id_from_user = account_id
role_name_from_user = profilename
else:
account_id=iam_connection.get_user().get_user_response.get_user_result.user.arn.split(':')[4]
except Exception as e:
colormsg ("There was an error retrieving your account id. Check your credentials", "error")
verbose(str(e))
exit(1)
# Regexp for groups and policies. Set the policy name used by your organization
group_name = None
if self.args.project and self.args.env:
if not self.args.from_ec2_role:
group_name = 'corp-'+project+'-master-'+role
policy_name = 'Delegated_Roles'
role_filter = env+'-'+project+'-delegated-'+role
else:
group_name = 'IAM EC2 ROLE'
policy_name = 'Delegated_Roles'
role_filter = env+'-'+project+'-delegated-'+role
# Get rid of the standard for using another policies or group names
elif self.args.from_ec2_role and self.args.iam_delegated_role:
role_filter = self.args.iam_delegated_role
# Fix references to project, env and role in .anwbis file for non-standard use
role = role_filter
project = group_name
env = "ec2-role"
elif self.args.iam_master_group and self.args.iam_policy and self.args.iam_delegated_role:
group_name = self.args.iam_master_group
policy_name = self.args.iam_policy
role_filter = self.args.iam_delegated_role
# Fix references to project, env and role in .anwbis file for non-standard use
role = role_filter
project = group_name
env = policy_name
# Step 1: Prompt user for target account ID and name of role to assume
# IAM groups
verbose("Getting IAM group info:")
delegated_policy = []
group_policy = []
delegated_arn = []
try:
if not self.args.from_ec2_role:
policy = iam_connection.get_group_policy(group_name, policy_name)
else:
# policy = iam_connection.get_instance_profile(profilename)
policy = iam_connection.get_role_policy(profilename, policy_name)
except Exception as e:
colormsg("There was an error retrieving your group policy. Check your credentials, group_name and policy_name",
"error")
verbose(e)
exit(1)
if not self.args.from_ec2_role:
policy = policy.get_group_policy_response.get_group_policy_result.policy_document
policy = urllib.parse.unquote(policy)
group_policy.append(config_line_policy("iam:grouppolicy", group_name, policy_name, policy))
else:
policy = policy.get_role_policy_response.get_role_policy_result.policy_document
policy = urllib.parse.unquote(policy)
group_policy.append(config_line_policy("iam:grouppolicy", group_name, policy_name, policy))
output_lines(group_policy)
# Format policy and search by role_filter
policy = re.split('"', policy)
for i in policy:
result_filter = re.search(role_filter, i)
if result_filter:
delegated_arn.append(i)
if len(delegated_arn) == 0:
if self.args.role and self.args.project:
colormsg("Sorry, you are not authorized to use the role " + role + " for project "+ project, "error")
exit(1)
else:
colormsg("Sorry, you are not authorized to use the role "+ role_filter, "error")
exit(1)
elif len(delegated_arn) == 1:
account_id_from_user = delegated_arn[0].split(':')[4]
role_name_from_user = delegated_arn[0].split('/')[1]
else:
colormsg("There are two or more policies matching your input", "error")
exit(1)
colormsg("You are authenticated as " + role_session_name, "ok")
# MFA
if not self.args.nomfa:
mfa_devices_r = iam_connection.get_all_mfa_devices(role_session_name)
if mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices:
mfa_serial_number = mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices[0].serial_number
else:
colormsg("You don't have MFA devices associated with our user", "error")
exit(1)
else:
mfa_serial_number = "arn:aws:iam::"+ account_id +":mfa/"+role_session_name
# Create an ARN out of the information provided by the user.
role_arn = "arn:aws:iam::" + account_id_from_user + ":role/"
role_arn += role_name_from_user
# Connect to AWS STS and then call AssumeRole. This returns temporary security credentials.
if self.args.profile:
sts_connection = STSConnection(profile_name=self.args.profile)
else:
sts_connection = STSConnection()
# Assume the role
if not self.args.nomfa:
verbose("Assuming role " + role_arn + " using MFA device " + mfa_serial_number + "...")
if self.args.project:
colormsg("Assuming role " + role + " from project " + project + " using MFA device from user " + role_session_name + "...", "normal")
elif self.args.iam_delegated_role:
colormsg("Assuming role " + role + " using MFA device from user " + role_session_name+ "...", "normal")
else:
verbose("Assuming role " + role_arn + "...")
if self.args.project:
colormsg("Assuming role " + role + " from project "+ project+ " from user " + role_session_name + "...", "normal")
elif self.args.iam_delegated_role:
colormsg("Assuming role " + role + " from user "+ role_session_name + "...", "normal")
if self.args.get_session:
sts_token = get_session_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration, session_token_expiration, self.args)
else:
if os.path.isfile(os.path.expanduser('~/.anwbis')):
with open(os.path.expanduser('~/.anwbis')) as json_file:
root_json_data = json.load(json_file)
json_file.close()
if project in root_json_data and env in root_json_data[project] and role in root_json_data[project][env]:
json_data = root_json_data[project][env][role]
anwbis_last_timestamp = json_data["anwbis_last_timestamp"]
# check if the token has expired
# TODO: Check if token is written in credentials
if int(time.time()) - int(anwbis_last_timestamp) > token_expiration or self.args.refresh:
verbose("token has expired")
sts_token = get_sts_token(sts_connection,
role_arn,
mfa_serial_number,
role_session_name,
project,
env,
role,
token_expiration,
self.args)
else:
verbose("token has not expired, trying to login...")
login_to_fedaccount(json_data["access_key"],
json_data["session_key"],
json_data["session_token"],
json_data["role_session_name"],
args=self.args)
sts_token = {'access_key': json_data["access_key"],
'session_key':json_data["session_key"],
'session_token': json_data["session_token"],
'role_session_name': json_data["role_session_name"]}
else:
sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration, self.args)
else:
# print ".anwbis configuration file doesn't exists"
verbose("role is " + role)
sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env, role, token_expiration, self.args)
return sts_token
def get_aws_connection_info(module):
ec2_url = module.params.get('ec2_url')
access_key = module.params.get('aws_access_key')
secret_key = module.params.get('aws_secret_key')
security_token = module.params.get('security_token')
region = module.params.get('region')
aws_profile = module.params.get('aws_profile')
validate_certs = module.params.get('validate_certs')
profile_dict = {}
if not ec2_url:
if 'EC2_URL' in os.environ:
ec2_url = os.environ['EC2_URL']
elif 'AWS_URL' in os.environ:
ec2_url = os.environ['AWS_URL']
if not region:
if 'EC2_REGION' in os.environ:
region = os.environ['EC2_REGION']
elif 'AWS_REGION' in os.environ:
region = os.environ['AWS_REGION']
else:
# boto.config.get returns None if config not found
region = boto.config.get('Boto', 'aws_region')
if not region:
region = boto.config.get('Boto', 'ec2_region')
if aws_profile:
# sanity checks
if aws_profile != "default":
if "HOME" not in os.environ:
module.fail_json(msg="No $HOME environment variable could be detected. Do you even UNIX bro?")
aws_config_file = os.path.join(os.environ["HOME"], ".aws/config")
if not os.path.exists(aws_config_file):
module.fail_json(msg="Does $HOME/aws/.config even exist?")
config = ConfigParser.ConfigParser()
config.read(aws_config_file)
sections = config.sections()
if 'profile ' + aws_profile not in sections:
module.fail_json(msg="AWS profile: %s was not found" % aws_profile)
profile_dict = config_section_map(config, 'profile ' + aws_profile)
else:
aws_profile = None
if profile_dict and 'role_arn' in profile_dict:
role_arn = profile_dict['role_arn']
source_profile = profile_dict['source_profile']
role_session_name = 'CustomAnsibleSession'
# get creds by following source_profile
aws_credentials_file = os.path.join(os.environ["HOME"], ".aws/credentials")
if not os.path.exists(aws_credentials_file):
module.fail_json(msg="Does $HOME/aws/.credentials even exist?")
config.read(aws_credentials_file)
source_profile_dict = config_section_map(config, source_profile)
aws_access_key = source_profile_dict['aws_access_key_id']
aws_secret_key = source_profile_dict['aws_secret_access_key']
sts_connection = STSConnection(aws_access_key_id=aws_access_key, aws_secret_access_key=aws_secret_key)
assumedRoleObject = sts_connection.assume_role(
role_arn=role_arn,
role_session_name=role_session_name
)
access_key = assumedRoleObject.credentials.access_key
secret_key = assumedRoleObject.credentials.secret_key
security_token = assumedRoleObject.credentials.session_token
else:
if not access_key:
if 'EC2_ACCESS_KEY' in os.environ:
access_key = os.environ['EC2_ACCESS_KEY']
elif 'AWS_ACCESS_KEY_ID' in os.environ:
access_key = os.environ['AWS_ACCESS_KEY_ID']
elif 'AWS_ACCESS_KEY' in os.environ:
access_key = os.environ['AWS_ACCESS_KEY']
else:
# in case access_key came in as empty string
access_key = None
if not secret_key:
if 'EC2_SECRET_KEY' in os.environ:
secret_key = os.environ['EC2_SECRET_KEY']
elif 'AWS_SECRET_ACCESS_KEY' in os.environ:
secret_key = os.environ['AWS_SECRET_ACCESS_KEY']
elif 'AWS_SECRET_KEY' in os.environ:
secret_key = os.environ['AWS_SECRET_KEY']
else:
# in case secret_key came in as empty string
secret_key = None
if not security_token:
if 'AWS_SECURITY_TOKEN' in os.environ:
security_token = os.environ['AWS_SECURITY_TOKEN']
else:
# in case security_token came in as empty string
security_token = None
boto_params = dict(aws_access_key_id=access_key,
aws_secret_access_key=secret_key,
profile_name=aws_profile,
security_token=security_token)
return region, ec2_url, boto_params
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
access_policies = {}
role_name = args["role_name"]
print "Role Name: ", role_name
assume_role_trust_policy = json.dumps(args["trust_policy"])
access_policies = args["access_policies"]
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
sts_connection = STSConnection(
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
c = boto.connect_iam(
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
#Look for the role
try:
role = c.get_role(role_name)
#Make sure the trust policy exists
try:
temp_trust_policy = urllib.unquote(
role["get_role_response"]["get_role_result"]["role"]
["assume_role_policy_document"])
#Reorganize the json dict so it is in the same order of the yaml policy
temp_trust_policy = json.dumps(
json.loads(temp_trust_policy))
#Trust policy does not match, update it
if not assume_role_trust_policy == temp_trust_policy:
if not assume_role_trust_policy == "\"\"":
c.update_assume_role_policy(
role_name, assume_role_trust_policy)
#Make sure each new policy exists
for policies in access_policies:
try:
temp_policy = urllib.unquote(
c.get_role_policy(role_name,
policies["policy_name"])
["get_role_policy_response"]
["get_role_policy_result"]["policy_document"])
#Policy has same name but does not match, update it
if not temp_policy == json.dumps(
policies["policy_document"]):
if not policies["policy_document"] == "\"\"":
c.delete_role_policy(
role_name, policies["policy_name"])
c.put_role_policy(
role_name, policies["policy_name"],
json.dumps(
policies["policy_document"]))
#Can't find policy, add it
except Exception, e:
try:
c.put_role_policy(
role_name, policies["policy_name"],
json.dumps(policies["policy_document"]))
except Exception, e:
# deal with failure gracefully
result = dict(failed=True,
msg=type(e).__name__ + ": " +
str(e))
return ReturnData(conn=conn,
comm_ok=False,
result=result)
#Returns true if the policy name exists
def checkIfPolicyExists(access_policies, temp_name):
for policy_name in access_policies:
if policy_name["policy_name"] == temp_name:
return True
return False
#Delete any policies that are not in the yaml
temp_policy_names = c.list_role_policies(role_name)
for temp_name in temp_policy_names[
"list_role_policies_response"][
"list_role_policies_result"]["policy_names"]:
exists = checkIfPolicyExists(access_policies,
temp_name)
if not exists:
c.delete_role_policy(role_name, temp_name)
#Can't find trust policy, add it
except Exception, e:
try:
c.update_assume_role_policy(role_name,
assume_role_trust_policy)
except Exception, e:
# deal with failure gracefully
result = dict(failed=True,
msg=type(e).__name__ + ": " + str(e))
return ReturnData(conn=conn,
comm_ok=False,
result=result)
# snippet-start:[iam.python.get_session_token_with_mfa.complete]
import boto
from boto.s3.connection import S3Connection
from boto.sts import STSConnection
# Prompt for MFA time-based one-time password (TOTP)
mfa_TOTP = raw_input("Enter the MFA code: ")
# The calls to AWS STS GetSessionToken must be signed with the access key ID and secret
# access key of an IAM user. The credentials can be in environment variables or in
# a configuration file and will be discovered automatically
# by the STSConnection() function. For more information, see the Python SDK
# documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()
# Use the appropriate device ID (serial number for hardware device or ARN for virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
duration=3600,
mfa_serial_number="®ion-arn;iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID",
mfa_token=mfa_TOTP
)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.access_key,
aws_secret_access_key=tempCredentials.secret_key,
security_token=tempCredentials.session_token
import urllib, json
import requests # 'pip install requests'
from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto'
# Step 1: Authenticate user in your own identity system.
# Step 2: Using the access keys for an IAM user in your AWS account,
# call "AssumeRole" to get temporary access keys for the federated user
# Note: Calls to AWS STS AssumeRole must be signed using the access key ID
# and secret access key of an IAM user or using existing temporary credentials.
# The credentials can be in EC2 instance metadata, in environment variables,
# or in a configuration file, and will be discovered automatically by the
# STSConnection() function. For more information, see the Python SDK docs:
# http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn="arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/ROLE-NAME",
role_session_name="AssumeRoleSession")
# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.credentials.access_key + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.credentials.secret_key + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.credentials.session_token + '"'
json_string_with_temp_credentials += '}'
# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
# as parameters.
def token(self):
global region
global role
global access_key
global session_key
global session_token
# Welcome
if args.verbose:
print()
print("Awsauth Amazon Account Access " + version)
print()
else:
print()
print("Awsauth Amazon Account Access " + version)
print()
# Set values from parser
if args.role:
role = args.role
else:
role = 'developer'
if args.region:
region = args.region
else:
region = 'eu-west-1'
if args.project:
project = args.project
project = project.lower()
verbose("Project: " + project)
if args.env:
env = args.env
env = env.lower()
verbose("Environment: " + env)
token_expiration = 3600
iam_connection = IAMConnection()
# role_session_name=iam_connection.get_user()['get_user_response']['get_user_result']['user']['user_name']
try:
role_session_name = iam_connection.get_user().get_user_response.get_user_result.user.user_name
except Exception as e:
colormsg("There was an error retrieving your session_name. Check your credentials", "error")
verbose(e)
exit(1)
# account_id=iam_connection.get_user()['get_user_response']['get_user_result']['user']['arn'].split(':')[4]
try:
account_id = iam_connection.get_user().get_user_response.get_user_result.user.arn.split(':')[4]
except Exception as e:
colormsg("There was an error retrieving your account id. Check your credentials", "error")
verbose(e)
exit(1)
# Regexp for groups and policies. Set the policy name used by your organization
if args.project and args.env:
group_name = 'corp-' + project + '-master-' + role
policy_name = 'Delegated_Roles'
role_filter = env + '-' + project + '-delegated-' + role
# Step 1: Prompt user for target account ID and name of role to assume
# IAM groups
verbose("Getting IAM group info:")
delegated_policy = []
group_policy = []
delegated_arn = []
try:
policy = iam_connection.get_group_policy(group_name, policy_name)
except Exception as e:
colormsg(
"There was an error retrieving your group policy. Check your credentials, group_name and policy_name",
"error")
verbose(e)
exit(1)
policy = policy.get_group_policy_response.get_group_policy_result.policy_document
policy = unquote(policy)
group_policy.append(config_line_policy("iam:grouppolicy", group_name, policy_name, policy))
output_lines(group_policy)
# Format policy and search by role_filter
policy = re.split('"', policy)
for i in policy:
result_filter = re.search(role_filter, i)
if result_filter:
delegated_arn.append(i)
if len(delegated_arn) == 0:
if args.role and args.project:
colormsg("Sorry, you are not authorized to use the role " + role + " for project " + project, "error")
exit(1)
else:
colormsg("Sorry, you are not authorized to use the role " + role_filter, "error")
exit(1)
elif len(delegated_arn) == 1:
account_id_from_user = delegated_arn[0].split(':')[4]
role_name_from_user = delegated_arn[0].split('/')[1]
else:
colormsg("There are two or more policies matching your input", "error")
exit(1)
colormsg("You are authenticated as " + role_session_name, "ok")
# MFA
if not args.nomfa:
mfa_devices_r = iam_connection.get_all_mfa_devices(role_session_name)
if mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices:
mfa_serial_number = mfa_devices_r.list_mfa_devices_response.list_mfa_devices_result.mfa_devices[
0].serial_number
else:
colormsg("You don't have MFA devices associated with our user", "error")
exit(1)
else:
mfa_serial_number = "arn:aws:iam::" + account_id + ":mfa/" + role_session_name
# Create an ARN out of the information provided by the user.
role_arn = "arn:aws:iam::" + account_id_from_user + ":role/"
role_arn += role_name_from_user
# Connect to AWS STS and then call AssumeRole. This returns temporary security credentials.
sts_connection = STSConnection()
# Assume the role
if not args.nomfa:
verbose("Assuming role " + role_arn + " using MFA device " + mfa_serial_number + "...")
if args.project:
colormsg(
"Assuming role " + role + " from project " + project + " using MFA device from user " + role_session_name + "...",
"normal")
elif args.iam_delegated_role:
colormsg("Assuming role " + role + " using MFA device from user " + role_session_name + "...", "normal")
else:
verbose("Assuming role " + role_arn + "...")
if args.project:
colormsg(
"Assuming role " + role + " from project " + project + " from user " + role_session_name + "...",
"normal")
elif args.iam_delegated_role:
colormsg("Assuming role " + role + " from user " + role_session_name + "...", "normal")
if os.path.isfile(os.path.expanduser('~/.awsauth')):
with open(os.path.expanduser('~/.awsauth')) as json_file:
root_json_data = json.load(json_file)
json_file.close()
if project in root_json_data and env in root_json_data[project] and role in root_json_data[project][
env]:
json_data = root_json_data[project][env][role]
awsauth_last_timestamp = json_data["awsauth_last_timestamp"]
# check if the token has expired
if int(time.time()) - int(awsauth_last_timestamp) > token_expiration or args.refresh:
verbose("token has expired")
sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name,
project, env, role, token_expiration)
else:
verbose("token has not expired, trying to login...")
login_to_fedaccount(json_data["access_key"], json_data["session_key"], json_data["session_token"],
json_data["role_session_name"])
sts_token = {'access_key': json_data["access_key"], 'session_key': json_data["session_key"],
'session_token': json_data["session_token"],
'role_session_name': json_data["role_session_name"]}
else:
sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project,
env, role, token_expiration)
else:
verbose("role is " + role)
sts_token = get_sts_token(sts_connection, role_arn, mfa_serial_number, role_session_name, project, env,
role, token_expiration)
return sts_token
if len(sys.argv) == 3:
account_id_from_user = sys.argv[1]
role_name_from_user = sys.argv[2]
else:
print "\n\tUsage: ",
print os.path.basename(sys.argv[0]), # script name
print " <account_id> <role_name>"
exit(0)
# Create an ARN out of the information provided by the user.
role_arn = "arn:aws:iam::" + account_id_from_user + ":role/"
role_arn += role_name_from_user
# Step 2: Connect to AWS STS and then call AssumeRole. This returns
# temporary security credentials.
sts_connection = STSConnection()
assumed_role_object = sts_connection.assume_role(
role_arn=role_arn, role_session_name="AssumeRoleSession")
# Step 3: Format resulting temporary credentials into a JSON block using
# known field names.
access_key = assumed_role_object.credentials.access_key
session_key = assumed_role_object.credentials.secret_key
session_token = assumed_role_object.credentials.session_token
json_temp_credentials = '{'
json_temp_credentials += '"sessionId":"' + access_key + '",'
json_temp_credentials += '"sessionKey":"' + session_key + '",'
json_temp_credentials += '"sessionToken":"' + session_token + '"'
json_temp_credentials += '}'
# Step 4. Make a request to the AWS federation endpoint to get a sign-in
import boto
from boto.s3.connection import S3Connection
from boto.sts import STSConnection
# Prompt for MFA time-based one-time password (TOTP)
mfa_TOTP = raw_input("Enter the MFA code: ")
# The calls to AWS STS AssumeRole must be signed with the access key ID and secret
# access key of an IAM user. (The AssumeRole API operation can also be called using temporary
# credentials, but this example does not show that scenario.)
# The IAM user credentials can be in environment variables or in
# a configuration file and will be discovered automatically
# by the STSConnection() function. For more information, see the Python SDK
# documentation: http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()
# Use appropriate device ID (serial number for hardware device or ARN for virtual device)
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS, ROLE-NAME, and MFA-DEVICE-ID with appropriate values
tempCredentials = sts_connection.assume_role(
role_arn="arn:aws:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:role/ROLE-NAME",
role_session_name="AssumeRoleSession1",
mfa_serial_number="arn:aws:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID",
mfa_token=mfa_TOTP
)
# Use the temporary credentials to list the contents of an S3 bucket
s3_connection = S3Connection(
aws_access_key_id=tempCredentials.credentials.access_key,
aws_secret_access_key=tempCredentials.credentials.secret_key,
security_token=tempCredentials.credentials.session_token
