async def _retrieve_credentials_using(self, credential_process): # We're not using shell=True, so we need to pass the # command and all arguments as a list. process_list = compat_shell_split(credential_process) p = await self._popen(*process_list, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = await p.communicate() if p.returncode != 0: raise CredentialRetrievalError(provider=self.METHOD, error_msg=stderr.decode('utf-8')) parsed = botocore.compat.json.loads(stdout.decode('utf-8')) version = parsed.get('Version', '<Version key not provided>') if version != 1: raise CredentialRetrievalError( provider=self.METHOD, error_msg=("Unsupported version '%s' for credential process " "provider, supported versions: 1" % version)) try: return { 'access_key': parsed['AccessKeyId'], 'secret_key': parsed['SecretAccessKey'], 'token': parsed.get('SessionToken'), 'expiry_time': parsed.get('Expiration'), } except KeyError as e: raise CredentialRetrievalError( provider=self.METHOD, error_msg="Missing required key in response: %s" % e)
def fetch_credentials(): # HTTP headers are case insensitive filter out # all duplicate headers and pick one. headers = {} headers['content-type'] = 'application/x-www-form-urlencoded' headers['authorization'] = urllib3.make_headers( basic_auth='%s:%s' % (self.cid, self.csec))['authorization'] response = self._http.urlopen( 'POST', self.idp_ep, body="grant_type=client_credentials", headers=headers, preload_content=True, ) if response.status != 200: message = "Credential refresh failed, response: %s" raise CredentialRetrievalError( provider=method, error_msg=message % response.status, ) creds = json.loads(response.data) query = {} query['Action'] = 'AssumeRoleWithClientGrants' query['Token'] = creds['access_token'] query['DurationSeconds'] = creds['expires_in'] query['Version'] = '2011-06-15' query_components = [] for key in query: if query[key] is not None: query_components.append("%s=%s" % (key, query[key])) query_string = '&'.join(query_components) sts_ep_url = self.sts_ep if query_string: sts_ep_url = self.sts_ep + '?' + query_string response = self._http.urlopen('POST', sts_ep_url, preload_content=True) if response.status != 200: message = "Credential refresh failed, response: %s" raise CredentialRetrievalError( provider=method, error_msg=message % response.status, ) return parse_grants_response(response.data)
def fetch_credentials(): # Obtain a lock file so prevent races between multiple processes trying to obtain tokens at the same time with portalocker.Lock(self.lock_filename, timeout=10): # Try to use cached credentials if at all possible credentials = self._read_credential_cache() if credentials: return credentials # No cache, so obtain new credentials try: vcl = common.get_vault_auth().authenticated_client() result = vcl.read(self.path) except Exception as e: utils.log_exception( 'Failed to load configuration from Vault at path {}.'. format(self.path)) raise CredentialRetrievalError(provider=self.METHOD, error_msg=str(e)) expiry_time = datetime.utcnow().replace(tzinfo=pytz.utc) expiry_time += timedelta(seconds=result['lease_duration']) expiry_time -= timedelta(seconds=self.REFRESH_MARGIN) credentials = { 'access_key': result['data']['access_key'], 'secret_key': result['data']['secret_key'], 'token': result['data']['security_token'], 'expiry_time': expiry_time.strftime('%Y-%m-%d %H:%M:%S%z'), } self._write_credential_cache(credentials) return credentials
async def _resolve_credentials_from_source(self, credential_source, profile_name): credentials = await self._credential_sourcer.source_credentials( credential_source) if credentials is None: raise CredentialRetrievalError( provider=credential_source, error_msg=( 'No credentials found in credential_source referenced ' 'in profile %s' % profile_name)) return credentials
def _resolve_credentials_from_source(self, credential_source, profile_name): credentials = self._credential_sourcer.source_credentials( credential_source) if credentials is None: raise CredentialRetrievalError( provider=credential_source, error_msg=( 'No credentials found in credential_source referenced ' 'in profile "{profile_name}".'.format( profile_name=profile_name, ), ), )
def fetch_creds(): try: response = self._fetcher.retrieve_uri(relative_uri) except MetadataRetrievalError as e: logger.debug("Error retrieving ECS metadata: %s", e, exc_info=True) raise CredentialRetrievalError(provider=self.METHOD, error_msg=str(e)) return { 'access_key': response['AccessKeyId'], 'secret_key': response['SecretAccessKey'], 'token': response['Token'], 'expiry_time': response['Expiration'], }