async def _retrieve_credentials_using(self, credential_process):
# We're not using shell=True, so we need to pass the
# command and all arguments as a list.
process_list = compat_shell_split(credential_process)
p = await self._popen(*process_list,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdout, stderr = await p.communicate()
if p.returncode != 0:
raise CredentialRetrievalError(provider=self.METHOD,
error_msg=stderr.decode('utf-8'))
parsed = botocore.compat.json.loads(stdout.decode('utf-8'))
version = parsed.get('Version', '<Version key not provided>')
if version != 1:
raise CredentialRetrievalError(
provider=self.METHOD,
error_msg=("Unsupported version '%s' for credential process "
"provider, supported versions: 1" % version))
try:
return {
'access_key': parsed['AccessKeyId'],
'secret_key': parsed['SecretAccessKey'],
'token': parsed.get('SessionToken'),
'expiry_time': parsed.get('Expiration'),
}
except KeyError as e:
raise CredentialRetrievalError(
provider=self.METHOD,
error_msg="Missing required key in response: %s" % e)
def fetch_credentials():
# HTTP headers are case insensitive filter out
# all duplicate headers and pick one.
headers = {}
headers['content-type'] = 'application/x-www-form-urlencoded'
headers['authorization'] = urllib3.make_headers(
basic_auth='%s:%s' % (self.cid, self.csec))['authorization']
response = self._http.urlopen(
'POST',
self.idp_ep,
body="grant_type=client_credentials",
headers=headers,
preload_content=True,
)
if response.status != 200:
message = "Credential refresh failed, response: %s"
raise CredentialRetrievalError(
provider=method,
error_msg=message % response.status,
)
creds = json.loads(response.data)
query = {}
query['Action'] = 'AssumeRoleWithClientGrants'
query['Token'] = creds['access_token']
query['DurationSeconds'] = creds['expires_in']
query['Version'] = '2011-06-15'
query_components = []
for key in query:
if query[key] is not None:
query_components.append("%s=%s" % (key, query[key]))
query_string = '&'.join(query_components)
sts_ep_url = self.sts_ep
if query_string:
sts_ep_url = self.sts_ep + '?' + query_string
response = self._http.urlopen('POST',
sts_ep_url,
preload_content=True)
if response.status != 200:
message = "Credential refresh failed, response: %s"
raise CredentialRetrievalError(
provider=method,
error_msg=message % response.status,
)
return parse_grants_response(response.data)
def fetch_credentials():
# Obtain a lock file so prevent races between multiple processes trying to obtain tokens at the same time
with portalocker.Lock(self.lock_filename, timeout=10):
# Try to use cached credentials if at all possible
credentials = self._read_credential_cache()
if credentials:
return credentials
# No cache, so obtain new credentials
try:
vcl = common.get_vault_auth().authenticated_client()
result = vcl.read(self.path)
except Exception as e:
utils.log_exception(
'Failed to load configuration from Vault at path {}.'.
format(self.path))
raise CredentialRetrievalError(provider=self.METHOD,
error_msg=str(e))
expiry_time = datetime.utcnow().replace(tzinfo=pytz.utc)
expiry_time += timedelta(seconds=result['lease_duration'])
expiry_time -= timedelta(seconds=self.REFRESH_MARGIN)
credentials = {
'access_key': result['data']['access_key'],
'secret_key': result['data']['secret_key'],
'token': result['data']['security_token'],
'expiry_time': expiry_time.strftime('%Y-%m-%d %H:%M:%S%z'),
}
self._write_credential_cache(credentials)
return credentials
async def _resolve_credentials_from_source(self, credential_source,
profile_name):
credentials = await self._credential_sourcer.source_credentials(
credential_source)
if credentials is None:
raise CredentialRetrievalError(
provider=credential_source,
error_msg=(
'No credentials found in credential_source referenced '
'in profile %s' % profile_name))
return credentials
def _resolve_credentials_from_source(self, credential_source,
profile_name):
credentials = self._credential_sourcer.source_credentials(
credential_source)
if credentials is None:
raise CredentialRetrievalError(
provider=credential_source,
error_msg=(
'No credentials found in credential_source referenced '
'in profile "{profile_name}".'.format(
profile_name=profile_name, ), ),
)
def fetch_creds():
try:
response = self._fetcher.retrieve_uri(relative_uri)
except MetadataRetrievalError as e:
logger.debug("Error retrieving ECS metadata: %s",
e,
exc_info=True)
raise CredentialRetrievalError(provider=self.METHOD,
error_msg=str(e))
return {
'access_key': response['AccessKeyId'],
'secret_key': response['SecretAccessKey'],
'token': response['Token'],
'expiry_time': response['Expiration'],
}
