def fetch_credentials(require_expiry=True): credentials = {} access_key = environ.get(mapping['access_key']) if access_key is None: raise PartialCredentialsError(provider=method, cred_var=mapping['access_key']) credentials['access_key'] = access_key secret_key = environ.get(mapping['secret_key']) if secret_key is None: raise PartialCredentialsError(provider=method, cred_var=mapping['secret_key']) credentials['secret_key'] = secret_key token = None for token_env_var in mapping['token']: if token_env_var in environ: token = environ[token_env_var] break credentials['token'] = token expiry_time = environ.get(mapping['expiry_time']) if require_expiry and expiry_time is None: raise PartialCredentialsError(provider=method, cred_var=mapping['expiry_time']) credentials['expiry_time'] = expiry_time return credentials
def _get_role_config_values(self): # This returns the role related configuration. profiles = self._loaded_config.get('profiles', {}) try: source_profile = profiles[self._profile_name]['source_profile'] role_arn = profiles[self._profile_name]['role_arn'] mfa_serial = profiles[self._profile_name].get('mfa_serial') except KeyError as e: raise PartialCredentialsError(provider=self.METHOD, cred_var=str(e)) external_id = profiles[self._profile_name].get('external_id') role_session_name = \ profiles[self._profile_name].get('role_session_name') if source_profile not in profiles: raise InvalidConfigError( error_msg=('The source_profile "%s" referenced in ' 'the profile "%s" does not exist.' % (source_profile, self._profile_name))) source_cred_values = profiles[source_profile] return { 'role_arn': role_arn, 'external_id': external_id, 'source_profile': source_profile, 'mfa_serial': mfa_serial, 'source_cred_values': source_cred_values, 'role_session_name': role_session_name }
def _get_mfa_config(self, profile_name): profiles = self._loaded_config.get('profiles', {}) profile = profiles[profile_name] source_profile = profile.get('source_profile') credential_source = profile.get('credential_source') mfa_config = { 'mfa_serial': profile.get('mfa_serial'), 'source_profile': source_profile, 'credential_source': credential_source, } if credential_source is not None and source_profile is not None: raise InvalidConfigError(error_msg=( 'The profile "{profile_name}" contains both source_profile and ' 'credential_source.'.format(profile_name=profile_name)), ) elif credential_source is None and source_profile is None: raise PartialCredentialsError( provider=self.METHOD, cred_var='source_profile or credential_source', ) elif credential_source is not None: self._validate_credential_source(profile_name, credential_source) else: self._validate_source_profile(profile_name, source_profile) return mfa_config
def test_boto3_raises_exceptions_fail(self, boto3, config): boto3.session.Session.side_effect = PartialCredentialsError( provider=Mock(), cred_var=Mock()) assert CWDataSource(config).test() == False boto3.session.Session.side_effect = ClientError(MagicMock(), Mock()) assert CWDataSource(config).test() == False boto3.session.Session.side_effect = NoRegionError() assert CWDataSource(config).test() == False
def _resolve_static_credentials_from_profile(self, profile): try: return AioCredentials(access_key=profile['aws_access_key_id'], secret_key=profile['aws_secret_access_key'], token=profile.get('aws_session_token')) except KeyError as e: raise PartialCredentialsError(provider=self.METHOD, cred_var=str(e))
def _extract_creds_from_mapping(self, mapping, *key_names): found = [] for key_name in key_names: try: found.append(mapping[key_name]) except KeyError: raise PartialCredentialsError(provider=self.METHOD, cred_var=key_name) return found
def test_raises_boto3clienterror(self, boto3, config): boto3.session.Session.side_effect = PartialCredentialsError( provider=Mock(), cred_var=Mock()) with pytest.raises(Boto3ClientError): CWDataSource(config)._cw_client() boto3.session.Session.side_effect = ClientError(MagicMock(), Mock()) with pytest.raises(Boto3ClientError): CWDataSource(config)._cw_client() boto3.session.Session.side_effect = NoRegionError() with pytest.raises(Boto3ClientError): CWDataSource(config)._cw_client()
def create_client(self, service_name, region_name=None, api_version=None, use_ssl=True, verify=None, endpoint_url=None, aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, config=None): """Create a botocore client. :type service_name: string :param service_name: The name of the service for which a client will be created. You can use the ``Sesssion.get_available_services()`` method to get a list of all available service names. :type region_name: string :param region_name: The name of the region associated with the client. A client is associated with a single region. :type api_version: string :param api_version: The API version to use. By default, botocore will use the latest API version when creating a client. You only need to specify this parameter if you want to use a previous API version of the client. :type use_ssl: boolean :param use_ssl: Whether or not to use SSL. By default, SSL is used. Note that not all services support non-ssl connections. :type verify: boolean/string :param verify: Whether or not to verify SSL certificates. By default SSL certificates are verified. You can provide the following values: * False - do not validate SSL certificates. SSL will still be used (unless use_ssl is False), but SSL certificates will not be verified. * path/to/cert/bundle.pem - A filename of the CA cert bundle to uses. You can specify this argument if you want to use a different CA cert bundle than the one used by botocore. :type endpoint_url: string :param endpoint_url: The complete URL to use for the constructed client. Normally, botocore will automatically construct the appropriate URL to use when communicating with a service. You can specify a complete URL (including the "http/https" scheme) to override this behavior. If this value is provided, then ``use_ssl`` is ignored. :type aws_access_key_id: string :param aws_access_key_id: The access key to use when creating the client. This is entirely optional, and if not provided, the credentials configured for the session will automatically be used. You only need to provide this argument if you want to override the credentials used for this specific client. :type aws_secret_access_key: string :param aws_secret_access_key: The secret key to use when creating the client. Same semantics as aws_access_key_id above. :type aws_session_token: string :param aws_session_token: The session token to use when creating the client. Same semantics as aws_access_key_id above. :type config: botocore.client.Config :param config: Advanced client configuration options. If a value is specified in the client config, its value will take precedence over environment variables and configuration values, but not over a value passed explicitly to the method. If a default config object is set on the session, the config object used when creating the client will be the result of calling ``merge()`` on the default config with the config provided to this call. :rtype: botocore.client.BaseClient :return: A botocore client instance """ default_client_config = self.get_default_client_config() # If a config is provided and a default config is set, then # use the config resulting from merging the two. if config is not None and default_client_config is not None: config = default_client_config.merge(config) # If a config was not provided then use the default # client config from the session elif default_client_config is not None: config = default_client_config # Figure out the user-provided region based on the various # configuration options. if region_name is None: if config and config.region_name is not None: region_name = config.region_name else: region_name = self.get_config_variable('region') # Figure out the verify value base on the various # configuration options. if verify is None: verify = self.get_config_variable('ca_bundle') if api_version is None: api_version = self.get_config_variable('api_versions').get( service_name, None) loader = self.get_component('data_loader') event_emitter = self.get_component('event_emitter') response_parser_factory = self.get_component('response_parser_factory') if aws_access_key_id is not None and aws_secret_access_key is not None: credentials = botocore.credentials.Credentials( access_key=aws_access_key_id, secret_key=aws_secret_access_key, token=aws_session_token) elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key): raise PartialCredentialsError(provider='explicit', cred_var=self._missing_cred_vars( aws_access_key_id, aws_secret_access_key)) else: credentials = self.get_credentials() endpoint_resolver = self.get_component('endpoint_resolver') client_creator = botocore.client.ClientCreator( loader, endpoint_resolver, self.user_agent(), event_emitter, retryhandler, translate, response_parser_factory) client = client_creator.create_client( service_name=service_name, region_name=region_name, is_secure=use_ssl, endpoint_url=endpoint_url, verify=verify, credentials=credentials, scoped_config=self.get_scoped_config(), client_config=config, api_version=api_version) return client
def create_client(self, service_name, region_name=None, api_version=None, use_ssl=True, verify=None, endpoint_url=None, aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, config=None): default_client_config = self.get_default_client_config() # If a config is provided and a default config is set, then # use the config resulting from merging the two. if config is not None and default_client_config is not None: config = default_client_config.merge(config) # If a config was not provided then use the default # client config from the session elif default_client_config is not None: config = default_client_config region_name = self._resolve_region_name(region_name, config) # Figure out the verify value base on the various # configuration options. if verify is None: verify = self.get_config_variable('ca_bundle') if api_version is None: api_version = self.get_config_variable('api_versions').get( service_name, None) loader = self.get_component('data_loader') event_emitter = self.get_component('event_emitter') response_parser_factory = self.get_component( 'response_parser_factory') if config is not None and config.signature_version is UNSIGNED: credentials = None elif aws_access_key_id is not None and \ aws_secret_access_key is not None: credentials = botocore.credentials.Credentials( access_key=aws_access_key_id, secret_key=aws_secret_access_key, token=aws_session_token) elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key): raise PartialCredentialsError( provider='explicit', cred_var=self._missing_cred_vars(aws_access_key_id, aws_secret_access_key)) else: credentials = self.get_credentials() endpoint_resolver = self._get_internal_component('endpoint_resolver') exceptions_factory = self._get_internal_component('exceptions_factory') config_store = self.get_component('config_store') client_creator = AioClientCreator( loader, endpoint_resolver, self.user_agent(), event_emitter, retryhandler, translate, response_parser_factory, exceptions_factory, config_store, loop=self._loop) client = client_creator.create_client( service_name=service_name, region_name=region_name, is_secure=use_ssl, endpoint_url=endpoint_url, verify=verify, credentials=credentials, scoped_config=self.get_scoped_config(), client_config=config, api_version=api_version) monitor = self._get_internal_component('monitor') if monitor is not None: monitor.register(client.meta.events) return client
def __init__(self, session=None, region_name=None, api_version=None, use_ssl=None, verify=None, endpoint_url=None, aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, config=None, endpoints=None): if session is None: session = botocore.session.get_session() else: if not isinstance(session, botocore.session.Session): try: # Check for a boto3 session-ish object and get the internal botocore session _session = session._session except AttributeError: raise ValueError( 'session must be a botocore or boto3 session') else: session = _session if use_ssl: raise ValueError('SSL/TLS is not supported. Set use_ssl=False.') self._session = session default_client_config = self._session.get_default_client_config() if config is not None and default_client_config is not None: # If a config is provided and a default config is set, then # use the config resulting from merging the two. config = default_client_config.merge(config) elif default_client_config is not None: # If a config was not provided then use the default # client config from the session config = default_client_config self._client_config = config if config is not None else Config( region_name=region_name) # resolve the region name if region_name is None: if config and config.region_name: region_name = config.region_name else: region_name = self._session.get_config_variable('region') self._region_name = region_name # Figure out the verify value base on the various # configuration options. if verify is None: verify = self._session.get_config_variable('ca_bundle') self._verify = verify # Gather endpoints self._endpoints = endpoints or [] if endpoint_url and endpoint_url not in self._endpoints: # If endpoint_url is provided, include it self._endpoints.insert(0, endpoint_url) if not self._endpoints: raise ValueError('No endpoints provided') # Resolve credentials if aws_access_key_id is not None and aws_secret_access_key is not None: self._credentials = Credentials(aws_access_key_id, aws_secret_access_key, aws_session_token) elif self._session._missing_cred_vars(aws_access_key_id, aws_secret_access_key): raise PartialCredentialsError( provider='explicit', cred_var=self._session._missing_cred_vars( aws_access_key_id, aws_secret_access_key)) else: self._credentials = self._session.get_credentials() # Fake out the meta information as much as possible loader = session.get_component('data_loader') json_model = loader.load_service_model('dynamodb', 'service-2', api_version=api_version) service_model = ServiceModel(json_model, service_name='dynamodb') event_emitter = session.get_component('event_emitter') partition = None self.meta = ClientMeta(event_emitter, self._client_config, self._endpoints[0], service_model, self._PY_TO_OP_NAME, partition) # Check signing version if self._client_config.signature_version and self._client_config.signature_version != 'v4': logger.warning( 'DAX only supports SigV4 signing; given signature_version "%s" ignored.', self._client_config.signature_version) # Start cluster connection & background tasks self._cluster = Cluster(self._region_name, self._endpoints, self._credentials, self._client_config.user_agent, self._client_config.user_agent_extra, self._client_config.connect_timeout, self._client_config.read_timeout) self._cluster.start()
def create_client(self, service_name, region_name=None, api_version=None, use_ssl=True, verify=None, endpoint_url=None, aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, config=None, http_session=None): assert http_session, "http_session is required" # CUT AND PASTE FROM BOTOCORE default_client_config = self.get_default_client_config() # If a config is provided and a default config is set, then # use the config resulting from merging the two. if config is not None and default_client_config is not None: config = default_client_config.merge(config) # If a config was not provided then use the default # client config from the session elif default_client_config is not None: config = default_client_config # Figure out the user-provided region based on the various # configuration options. if region_name is None: if config and config.region_name is not None: region_name = config.region_name else: region_name = self.get_config_variable('region') # Figure out the verify value base on the various # configuration options. if verify is None: verify = self.get_config_variable('ca_bundle') if api_version is None: api_version = self.get_config_variable('api_versions').get( service_name, None) loader = self.get_component('data_loader') event_emitter = self.get_component('event_emitter') response_parser_factory = self.get_component('response_parser_factory') if aws_access_key_id is not None and aws_secret_access_key is not None: credentials = botocore.credentials.Credentials( access_key=aws_access_key_id, secret_key=aws_secret_access_key, token=aws_session_token) elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key): raise PartialCredentialsError(provider='explicit', cred_var=self._missing_cred_vars( aws_access_key_id, aws_secret_access_key)) else: credentials = self.get_credentials() endpoint_resolver = self.get_component('endpoint_resolver') # END OF CUT AND PASTE client_creator = AsyncClientCreator(http_session, loader, endpoint_resolver, self.user_agent(), event_emitter, retryhandler, translate, response_parser_factory) client = client_creator.create_client( service_name=service_name, region_name=region_name, is_secure=use_ssl, endpoint_url=endpoint_url, verify=verify, credentials=credentials, scoped_config=self.get_scoped_config(), client_config=config, api_version=api_version) return client