├── .github
    └── workflows
    │   └── pypi.yaml
├── .gitignore
├── CONTRIBUTORS.md
├── LICENSE
├── README.md
├── aws_export_credentials
    ├── __init__.py
    ├── __main__.py
    ├── aws_export_credentials.py
    └── config_file_writer.py
└── pyproject.toml


/.github/workflows/pypi.yaml:
--------------------------------------------------------------------------------
 1 | name: pypi
 2 | on:
 3 |   push:
 4 |     tags: "v*"
 5 | jobs:
 6 |   build-and-publish:
 7 |     runs-on: ubuntu-latest
 8 |     steps:
 9 |       - uses: actions/checkout@v3
10 |       - uses: actions/setup-python@v4
11 |         with:
12 |           python-version: "3.9"
13 |       - run: curl -sSL https://install.python-poetry.org | python3 -
14 |         shell: bash
15 |       - run: poetry build
16 |         shell: bash
17 |       - uses: pypa/gh-action-pypi-publish@release/v1
18 |         with:
19 |           user: __token__
20 |           password: ${{ secrets.PYPI_API_TOKEN }}
21 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .vscode
 2 | Pipfile.lock
 3 | 
 4 | .DS_Store?
 5 | ._*
 6 | .Spotlight-V100
 7 | .Trashes
 8 | ehthumbs.db
 9 | Thumbs.db
10 | *.swp
11 | 
12 | .*project
13 | *.py[cxo]
14 | __pycache__
15 | .venv
16 | .env
17 | 
18 | .aws-sam
19 | samconfig.toml
20 | 
21 | dist
22 | poetry.lock
23 | 


--------------------------------------------------------------------------------
/CONTRIBUTORS.md:
--------------------------------------------------------------------------------
1 | # aws-export-credentials contributors
2 | 
3 | - [Ben Kehoe](https://github.com/benkehoe)
4 | - [Matt Kornfield](https://github.com/mckornfield)
5 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright 2020 Ben Kehoe
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.
203 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # aws-export-credentials
  2 | **Get AWS credentials from a profile to inject into other programs**
  3 | 
  4 | > :warning: The AWS CLI now includes a command [`aws configure export-credentials`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/export-credentials.html) that covers the `--json`, `--env`, and `--env-export` options of `aws-export-credentials`, as well as providing env options for Windows.
  5 | > 
  6 | > If you want to inject refreshable credentials into a locally-run container, [`imds-credential-server`](https://github.com/benkehoe/imds-credential-server) is a more focused solution for that.
  7 | 
  8 | There are a number of other projects that extract AWS credentials and/or inject them into programs, but all the ones I've seen use the CLI's cache files directly, rather than leveraging boto3's ability to retrieve and refresh credentials.
  9 | So I wrote this to do that.
 10 | 
 11 | [boto3 (the AWS Python SDK)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) has added support for loading credentials cached by [`aws sso login`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/login.html) as of [botocore version 1.17.0](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst#1170).
 12 | `aws-export-credentials` now requires boto3 >= 1.14.0, and so supports AWS SSO credentials as well.
 13 | If all you want is AWS SSO support for an SDK other than Python, Go, or JavaScript (v3), take a look at [aws-sso-util](https://github.com/benkehoe/aws-sso-util#adding-aws-sso-support-to-aws-sdks), which can help you configure your profiles with a [credential process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) that doesn't require the credential injection process that `aws-export-credentials` does.
 14 | 
 15 | ## Quickstart
 16 | 
 17 | I recommend you install [`pipx`](https://pipxproject.github.io/pipx/), which installs the tool in an isolated virtualenv while linking the script you need.
 18 | 
 19 | ```bash
 20 | # with pipx
 21 | pipx install aws-export-credentials
 22 | 
 23 | # without pipx
 24 | python3 -m pip install --user aws-export-credentials
 25 | 
 26 | # run it
 27 | aws-export-credentials
 28 | {
 29 |   "Version": 1,
 30 |   "AccessKeyId": "<your access key here>",
 31 |   "SecretAccessKey": "<shhh it's your secret key>",
 32 |   "SessionToken": "<do you ever wonder what's inside the session token?>"
 33 | }
 34 | ```
 35 | 
 36 | You can also download the Python file directly [here](https://raw.githubusercontent.com/benkehoe/aws-export-credentials/stable/aws_export_credentials/aws_export_credentials.py).
 37 | 
 38 | ## Usage
 39 | ### Profile
 40 | Profiles work like in the AWS CLI (since it uses boto3); it will pick up the `AWS_PROFILE`
 41 | or `AWS_DEFAULT_PROFILE` env vars, but the `--profile` argument takes precedence.
 42 | 
 43 | ### JSON
 44 | ```
 45 | aws-export-credentials --profile my-profile --json [--pretty]
 46 | ```
 47 | Print the credentials to stdout as a JSON object compatible with the `credential_process`
 48 | spec. If `--pretty` is added, it'll be pretty-printed.
 49 | 
 50 | ### Env vars
 51 | ```
 52 | aws-export-credentials --profile my-profile --env
 53 | export $(aws-export-credentials --profile my-profile --env)
 54 | eval $(aws-export-credentials --profile my-profile --env-export)
 55 | ```
 56 | Print the credentials as environment variables. With `--env-export`, the lines are prefixed
 57 | by "`export `".
 58 | 
 59 | ### Exec wrapper
 60 | ```
 61 | aws-export-credentials --profile my-profile --exec echo 'my access key id is $AWS_ACCESS_KEY_ID'
 62 | ```
 63 | Execute the arguments after `--exec` using `os.system()`, injecting the credentials through
 64 | environment variables.
 65 | 
 66 | ### `~/.aws/credentials`
 67 | ```
 68 | aws-export-credentials --profile my-profile --credentials-file-profile my-exported-profile
 69 | aws-export-credentials --profile my-profile -c my-exported-profile
 70 | ```
 71 | Put the credentials in the given profile in your [shared credentials file](https://ben11kehoe.medium.com/aws-configuration-files-explained-9a7ea7a5b42e), which is typically `~/.aws/credentials` but can be controlled using the environment variable [`AWS_SHARED_CREDENTIALS_FILE`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).
 72 | 
 73 | ### Credential-serving options
 74 | There are two credential-serving options, `--imds` for a server presenting the EC2 IMDSv2 interface, and `--container` for a server presenting the ECS container metadata credentials interface.
 75 | 
 76 | > :warning: If you want to inject refreshable credentials into a locally-run container, [imds-credential-server](https://github.com/benkehoe/imds-credential-server) is a more focused solution for that.
 77 | 
 78 | #### IMDS
 79 | You can use `--imds` to start a server, compliant with [the EC2 IMDSv2 endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), that exports your credentials, and this can be used with containers.
 80 | 
 81 | You provide `--imds` with a port (you can optionally provide the host part as well).
 82 | 
 83 | If you're using docker, map the port from the host to the container, and set the environment variable `AWS_EC2_METADATA_SERVICE_ENDPOINT` to `http://host.docker.internal:MAPPED_PORT/` with the approporiate port and **remember to include the trailing slash.**
 84 | 
 85 | AWS SDKs run inside the container should just work.
 86 | ```bash
 87 | # in one terminal
 88 | $ aws-export-credentials --imds 8081
 89 | 
 90 | # in a separate terminal
 91 | $ docker run --rm -p 8081:8081 -e AWS_EC2_METADATA_SERVICE_ENDPOINT=http://host.docker.internal:8081/
 92 | amazon/aws-cli sts get-caller-identity
 93 | {
 94 |     "UserId": "AROAXXXXXXXXXXXXXXXXX:SessionName",
 95 |     "Account": "123456789012",
 96 |     "Arn": "arn:aws:sts::123456789012:assumed-role/SomeRole/SessionName"
 97 | }
 98 | ```
 99 | 
100 | #### ECS
101 | > :warning: This method of providing credentials to containers doesn't work well. It only works on Linux using `--network host`. [On Mac](https://docs.docker.com/desktop/mac/networking/#use-cases-and-workarounds) and [Windows](https://docs.docker.com/desktop/windows/networking/#use-cases-and-workarounds), `--network host` is not available, the docker network is always separate. On all three, without `--network host` the host cannot be referenced as `localhost`, only as `host.docker.internal`, which is [not an allowed host the AWS SDKs](https://github.com/aws/aws-sdk/issues/562).
102 | 
103 | You can use `--container` to start a server, compliant with the ECS metadata server, that exports your credentials, suitable for use with containers.
104 | 
105 | You provide `--container` with a port (you can optionally provide the host part as well) and an authorization token.
106 | On your container, map the port from the server, set the `AWS_CONTAINER_CREDENTIALS_FULL_URI` environment variable to the URL as accessed inside the container, and set the `AWS_CONTAINER_AUTHORIZATION_TOKEN` environment variable to the same value you provided the server.
107 | 
108 | You can use any value for the authorization, but it's best use a random value.
109 | 
110 | ```bash
111 | # Generate token. For example, on Linux:
112 | AWS_CONTAINER_AUTHORIZATION_TOKEN=$(/proc/sys/kernel/random/uuid)
113 | 
114 | # start the server in the background
115 | aws-export-credentials --profile my-profile --container 8081 $AWS_CONTAINER_AUTHORIZATION_TOKEN &
116 | 
117 | # run your container
118 | docker run --network host -e AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:8081 -e AWS_CONTAINER_AUTHORIZATION_TOKEN=$AWS_CONTAINER_AUTHORIZATION_TOKEN amazon/aws-cli sts get-caller-identity
119 | ```
120 | 
121 | ## Caching
122 | To avoid retrieving credentials every time when using `aws-export-credentials` with the same identity, you can cache the credentials in a file using the `--cache-file` argument.
123 | **Note `aws-export-credentials` does not distinguish in the cache between different identities. Different identities should use different cache files.**
124 | If you do not account for this, credentials may be loaded from the cache and exported that do not correspond to the credentials that would be exported without the cache.
125 | An example of a way to address this would be using a cache file named after the config profile you are exporting.
126 | 
127 | Cache loading and saving fails silently, to ensure caching does not interrupt usage.
128 | If caching is not working, you can see the details with `--debug`.
129 | 
130 | By default, cached credentials are considered expired if their expiration is less than 10 minutes in the future.
131 | You can change this value using the `--cache-expiration-buffer` argument, which takes a number of minutes.
132 | 
133 | You can force the cache to refresh using `--refresh`.
134 | 
135 | ## Temporary credentials
136 | IAM Users and the account root have long-term credentials, which carry higher risk than temporary credentials.
137 | The [STS.GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html) API call exists to provide temporary credentials based on these long-term credentials.
138 | If you pass the `--ensure-temporary` flag, it will use this API to get temporary credentials to export for an IAM User or account root.
139 | This process is always used for `--imds` and `--container`.
140 | 
141 | # Role assumption
142 | In general, it's better to do role assumption by using profiles in `~/.aws/config` like this:
143 | 
144 | ```ini
145 | # this is a pre-existing profile you already have
146 | [profile profile-to-call-assume-role-with]
147 | # maybe it's IAM User credentials
148 | # or AWS SSO config
149 | # or whatever else you may have
150 | 
151 | [profile my-assumed-role]
152 | role_arn = arn:aws:iam::123456789012:role/MyRole
153 | # optional: role_session_name = MyRoleSessionName
154 | 
155 | source_profile = profile-to-call-assume-role-with
156 | # or instead of source_profile, you can tell it to
157 | # use external credentials. one of:
158 | # credential_source = Environment
159 | # credential_source = Ec2InstanceMetadata
160 | # credential_source = EcsContainer
161 | ```
162 | 
163 | You can then use `my-assumed-role` like any other profile.
164 | It uses the AWS SDKs' built-in support for role assumption, rather than relying on third party code.
165 | It also gets you credential refreshing from the SDKs, where getting the credentials in the manner below cannot refresh them when they expire.
166 | 
167 | You can then, if needed, export the assumed role credentials with `aws-export-credentials --profile my-assumed-role`.
168 | 
169 | But if you absolutely must have ad hoc role assumption on the command line, you can accomplish that through [`aws-assume-role-lib`](https://github.com/benkehoe/aws-assume-role-lib#command-line-use).
170 | 


--------------------------------------------------------------------------------
/aws_export_credentials/__init__.py:
--------------------------------------------------------------------------------
1 | from .aws_export_credentials import main, __version__
2 | 


--------------------------------------------------------------------------------
/aws_export_credentials/__main__.py:
--------------------------------------------------------------------------------
1 | from .aws_export_credentials import main
2 | main()
3 | 


--------------------------------------------------------------------------------
/aws_export_credentials/aws_export_credentials.py:
--------------------------------------------------------------------------------
  1 | # Copyright 2020 Ben Kehoe
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | import argparse
 16 | import json
 17 | import os
 18 | import os.path
 19 | import sys
 20 | import shlex
 21 | import traceback
 22 | import logging
 23 | from datetime import datetime, timezone, timedelta
 24 | from collections import namedtuple
 25 | from http.server import HTTPServer, BaseHTTPRequestHandler
 26 | from http import HTTPStatus
 27 | import functools
 28 | import secrets
 29 | import subprocess
 30 | 
 31 | from boto3 import Session
 32 | 
 33 | __version__ = '0.18.0' # Update here and pyproject.toml
 34 | 
 35 | LOGGER = logging.getLogger('aws-export-credentials')
 36 | 
 37 | DESCRIPTION ="""\
 38 | Get AWS credentials from a profile to inject into other programs.
 39 | 
 40 | If you need credentials from AWS SSO,
 41 | set up your profiles with aws-sso-util
 42 | 
 43 | https://github.com/benkehoe/aws-sso-util
 44 | """
 45 | 
 46 | TIME_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
 47 | 
 48 | Credentials = namedtuple('Credentials', ['AccessKeyId', 'SecretAccessKey', 'SessionToken', 'Expiration'])
 49 | def convert_creds(read_only_creds, expiration=None):
 50 |     return Credentials(*list(read_only_creds) + [expiration])
 51 | 
 52 | def parse_container_arg(value):
 53 |     token = value[1]
 54 |     host_post = value[0].rsplit(':', 1)
 55 |     if len(host_post) == 1:
 56 |         host = ''
 57 |         port = int(host_post[0])
 58 |     else:
 59 |         host = host_post[0]
 60 |         port = int(host_post[1])
 61 |     return (host, port), token
 62 | 
 63 | def parse_imds_arg(value):
 64 |     host_post = value.rsplit(':', 1)
 65 |     if len(host_post) == 1:
 66 |         host = ''
 67 |         port = int(host_post[0])
 68 |     else:
 69 |         host = host_post[0]
 70 |         port = int(host_post[1])
 71 |     return host, port
 72 | 
 73 | def serialize_date(dt):
 74 |     if isinstance(dt, str):
 75 |         return dt
 76 |     return dt.strftime(TIME_FORMAT)
 77 | 
 78 | def deserialize_date(dt_str):
 79 |     return datetime.strptime(dt_str, TIME_FORMAT).replace(tzinfo=timezone.utc)
 80 | 
 81 | def get_credentials(session, ensure_temporary=False, ensure_expiration=False):
 82 |     session_credentials = session.get_credentials()
 83 |     if not session_credentials:
 84 |         return None
 85 | 
 86 |     read_only_credentials = session_credentials.get_frozen_credentials()
 87 | 
 88 |     if ensure_temporary and not read_only_credentials.token:
 89 |         return get_temporary_credentials(session)
 90 | 
 91 |     expiration = None
 92 | 
 93 |     if hasattr(session_credentials, '_expiry_time') and session_credentials._expiry_time:
 94 |         if isinstance(session_credentials._expiry_time, datetime):
 95 |             expiration = session_credentials._expiry_time
 96 |         else:
 97 |             LOGGER.debug("Expiration in session credentials is of type {}, not datetime".format(type(expiration)))
 98 | 
 99 |     if not expiration and ensure_expiration:
100 |         # provide an expiration, even if it's wrong
101 |         expiration = datetime.now(tz=timezone.utc) + timedelta(hours=1)
102 | 
103 |     credentials = convert_creds(read_only_credentials, expiration)
104 |     return credentials
105 | 
106 | def get_temporary_credentials(session):
107 |     sts_client = session.client('sts')
108 |     response = sts_client.get_session_token()
109 |     response_creds = response['Credentials']
110 | 
111 |     return Credentials(
112 |         AccessKeyId=response_creds['AccessKeyId'],
113 |         SecretAccessKey=response_creds['SecretAccessKey'],
114 |         SessionToken=response_creds['SessionToken'],
115 |         Expiration=response_creds['Expiration']
116 |     )
117 | 
118 | def main():
119 |     parser = argparse.ArgumentParser(description=DESCRIPTION)
120 | 
121 |     parser.add_argument('--profile', help='The AWS config profile to use')
122 | 
123 |     group = parser.add_mutually_exclusive_group()
124 |     group.add_argument('--json', action='store_const', const='json', dest='format', help="Print credential_process-compatible JSON to stdout (default)")
125 |     group.add_argument('--env', action='store_const', const='env', dest='format', help="Print as env vars")
126 |     group.add_argument('--env-export', action='store_const', const='env-export', dest='format', help="Print as env vars prefixed by 'export ' for shell sourcing")
127 |     group.add_argument('--exec', nargs=argparse.REMAINDER, help="Exec remaining input w/ creds injected as env vars")
128 |     group.add_argument('--credentials-file-profile', '-c', metavar='PROFILE_NAME', help="Write to a profile in AWS credentials file")
129 |     group.add_argument('--container', nargs=2, metavar=('HOST_PORT', 'TOKEN'), help="Start an ECS-compatible server on [HOST:]PORT, requires TOKEN for auth")
130 |     group.add_argument('--imds', metavar='HOST_PORT', help="Start an IMDSv2 server on [HOST:]PORT")
131 | 
132 |     parser.add_argument('--ensure-temporary', action='store_true', help='Get temporary credentials for IAM and root users')
133 |     parser.add_argument('--pretty', action='store_true', help='For --json, pretty-print')
134 | 
135 |     parser.add_argument('--version', action='store_true')
136 |     parser.add_argument('--debug', action='store_true')
137 | 
138 |     cache_group = parser.add_argument_group('Caching')
139 |     cache_group.add_argument('--cache-file')
140 |     buffer_type = lambda v: timedelta(minutes=int(v))
141 |     buffer_default = timedelta(minutes=10)
142 |     cache_group.add_argument('--cache-expiration-buffer', type=buffer_type, default=buffer_default, metavar='MINUTES', help='Expiration buffer in minutes, defaults to 10 minutes')
143 |     cache_group.add_argument('--refresh', action='store_true', help='Refresh the cache')
144 | 
145 |     args = parser.parse_args()
146 | 
147 |     if args.version:
148 |         print(__version__)
149 |         parser.exit()
150 | 
151 |     if not any([args.format, args.exec, args.credentials_file_profile, args.container, args.imds]):
152 |         args.format = 'json'
153 |         args.pretty = True
154 | 
155 |     if args.debug:
156 |         logging.basicConfig(level=logging.DEBUG)
157 | 
158 |     if args.container:
159 |         try:
160 |             args.container = parse_container_arg(args.container)
161 |         except Exception:
162 |             parser.error("invalid value for --container")
163 |         if args.cache_file:
164 |             parser.error("cannot use --cache-file with --container")
165 |     if args.imds:
166 |         try:
167 |             args.imds = parse_imds_arg(args.imds)
168 |         except Exception:
169 |             parser.error("invalid value for --imds")
170 |         if args.cache_file:
171 |             parser.error("cannot use --cache-file with --imds")
172 | 
173 |     for key in ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN']:
174 |         os.environ.pop(key, None)
175 | 
176 |     # if args.profile:
177 |     #     for key in ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']:
178 |     #         os.environ.pop(key, None)
179 | 
180 |     credentials = None
181 | 
182 |     if args.cache_file and not args.refresh:
183 |         credentials = load_cache(args.cache_file, args.cache_expiration_buffer)
184 | 
185 |     if credentials and args.credentials_file_profile:
186 |         session = Session(profile_name=args.profile)
187 |     elif not credentials:
188 |         try:
189 |             session = Session(profile_name=args.profile)
190 | 
191 |             credentials = get_credentials(session, ensure_temporary=args.ensure_temporary)
192 | 
193 |             if not credentials:
194 |                 print('Unable to locate credentials.', file=sys.stderr)
195 |                 sys.exit(2)
196 | 
197 |             if args.cache_file:
198 |                 save_cache(args.cache_file, credentials)
199 |         except Exception as e:
200 |             if args.debug:
201 |                 traceback.print_exc()
202 |             print(str(e), file=sys.stderr)
203 |             sys.exit(3)
204 | 
205 |     if args.exec:
206 |         env = os.environ.copy()
207 | 
208 |         for key in ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']:
209 |             env.pop(key, None)
210 | 
211 |         env.update({
212 |             'AWS_CLI_AUTO_PROMPT': 'off',
213 |             'AWS_ACCESS_KEY_ID': credentials.AccessKeyId,
214 |             'AWS_SECRET_ACCESS_KEY': credentials.SecretAccessKey,
215 |         })
216 |         if credentials.SessionToken:
217 |             env['AWS_SESSION_TOKEN'] = credentials.SessionToken
218 |         if credentials.Expiration:
219 |             env['AWS_CREDENTIAL_EXPIRATION'] = serialize_date(credentials.Expiration)
220 | 
221 |         region_name = session.region_name
222 |         if region_name:
223 |             env['AWS_DEFAULT_REGION'] = region_name
224 | 
225 |         command = ' '.join(shlex.quote(arg) for arg in args.exec)
226 |         result = subprocess.run(command, shell=True, env=env)
227 |         sys.exit(result.returncode)
228 |     elif args.format == 'json':
229 |         data = {
230 |             'Version': 1,
231 |             'AccessKeyId': credentials.AccessKeyId,
232 |             'SecretAccessKey': credentials.SecretAccessKey,
233 |         }
234 |         if credentials.SessionToken:
235 |             data['SessionToken'] = credentials.SessionToken
236 |         if credentials.Expiration:
237 |             data['Expiration'] = serialize_date(credentials.Expiration)
238 | 
239 |         if args.pretty:
240 |             json_kwargs={'indent': 2}
241 |         else:
242 |             json_kwargs={'separators': (',', ':')}
243 | 
244 |         print(json.dumps(data, **json_kwargs))
245 |     elif args.format in ['env', 'env-export']:
246 |         if args.format == 'env-export':
247 |             prefix = 'export '
248 |         else:
249 |             prefix = ''
250 |         lines = [
251 |             '{}AWS_ACCESS_KEY_ID={}'.format(prefix, credentials.AccessKeyId),
252 |             '{}AWS_SECRET_ACCESS_KEY={}'.format(prefix, credentials.SecretAccessKey),
253 |         ]
254 |         if credentials.SessionToken:
255 |             lines.append('{}AWS_SESSION_TOKEN={}'.format(prefix, credentials.SessionToken))
256 |         if credentials.Expiration:
257 |             lines.append('{}AWS_CREDENTIAL_EXPIRATION={}'.format(prefix, serialize_date(credentials.Expiration)))
258 |         print('\n'.join(lines))
259 |     elif args.credentials_file_profile:
260 |         values = {
261 |             'aws_access_key_id': credentials.AccessKeyId,
262 |             'aws_secret_access_key': credentials.SecretAccessKey,
263 |         }
264 |         if credentials.SessionToken:
265 |             values['aws_session_token'] = credentials.SessionToken
266 |         if credentials.Expiration:
267 |             values['aws_credential_expiration'] = serialize_date(credentials.Expiration)
268 | 
269 |         write_values(session, args.credentials_file_profile, values)
270 |     elif args.container:
271 |         server_address, token = args.container
272 |         handler_class = functools.partial(ContainerRequestHandler,
273 |             token=token,
274 |             session=session,
275 |         )
276 |         server = HTTPServer(server_address, handler_class)
277 |         try:
278 |             server.serve_forever()
279 |         except KeyboardInterrupt:
280 |             pass
281 |     elif args.imds:
282 |         server_address = args.imds
283 |         token = secrets.token_urlsafe()
284 |         handler_class = functools.partial(IMDSRequestHandler,
285 |             token=token,
286 |             session=session,
287 |         )
288 |         server = HTTPServer(server_address, handler_class)
289 |         try:
290 |             server.serve_forever()
291 |         except KeyboardInterrupt:
292 |             pass
293 |     else:
294 |         print("ERROR: no option set (this should never happen)", file=sys.stderr)
295 |         sys.exit(1)
296 | 
297 | def load_cache(file_path, expiration_buffer):
298 |     try:
299 |         with open(file_path, 'r') as fp:
300 |             data = json.load(fp)
301 |         LOGGER.debug('Loaded cache from {}: {}'.format(file_path, json.dumps(data)))
302 |     except Exception as e:
303 |         LOGGER.debug('Failed to load cache from {}'.format(file_path))
304 |         return None
305 | 
306 |     try:
307 |         data = data['Credentials']
308 |     except:
309 |         LOGGER.debug('Did not find credentials in cache')
310 |         return None
311 | 
312 |     try:
313 |         expiration_str = data['Expiration']
314 |     except:
315 |         LOGGER.debug('Did not find expiration in cache')
316 |         return None
317 | 
318 |     try:
319 |         expiration = deserialize_date(expiration_str)
320 |         data['Expiration'] = expiration
321 |     except Exception as e:
322 |         LOGGER.debug('Could not parse expiration {}: {}'.format(expiration_str, e))
323 |         return None
324 | 
325 |     try:
326 |         now = datetime.now(tz=timezone.utc)
327 |         if expiration - expiration_buffer < now:
328 |             LOGGER.debug('Cache is expired')
329 |             return None
330 |     except Exception as e:
331 |         LOGGER.debug('Failed checking expiration: {}'.format(e))
332 |         return None
333 | 
334 |     sanitized_data = {}
335 |     for field in Credentials._fields:
336 |         if field in data:
337 |             sanitized_data[field] = data[field]
338 |         else:
339 |             LOGGER.debug("Field {} missing from cache".format(field))
340 |             return None
341 | 
342 |     return Credentials(**sanitized_data)
343 | 
344 | def save_cache(file_path, credentials):
345 |     if not credentials.Expiration:
346 |         LOGGER.debug("Not caching credentials, no expiration")
347 |         return
348 |     try:
349 |         cache_data = {
350 |             'ProviderType': 'aws-export-credentials',
351 |             'Credentials': credentials._asdict()
352 |         }
353 |         cache_data['Credentials']['Expiration'] = serialize_date(credentials.Expiration)
354 |         os.makedirs(os.path.dirname(file_path), exist_ok=True)
355 |         with open(file_path, 'w') as fp:
356 |             json.dump(cache_data, fp)
357 |         try:
358 |             os.chmod(file_path, 0o600)
359 |         except Exception as e:
360 |             LOGGER.debug('Failed to set cache file mode: {}'.format(e))
361 |         LOGGER.debug('Saved cache to {}: {}'.format(file_path, json.dumps(cache_data)))
362 |     except Exception as e:
363 |         LOGGER.debug('Cache saving failed: {}'.format(e))
364 | 
365 | try:
366 |     from .config_file_writer import write_values
367 | except ImportError:
368 |     import configparser
369 |     def write_values(session, profile_name, values):
370 |         credentials_file = os.path.expanduser(os.environ.get('AWS_SHARED_CREDENTIALS_FILE') or '~/.aws/credentials')
371 | 
372 |         parser = configparser.ConfigParser()
373 | 
374 |         try:
375 |             with open(credentials_file, 'r') as fp:
376 |                 parser.read_file(fp)
377 |         except FileNotFoundError:
378 |             pass
379 | 
380 |         if not parser.has_section(profile_name):
381 |             parser.add_section(profile_name)
382 | 
383 |         for key, value in values.items():
384 |             parser.set(profile_name, key, value)
385 | 
386 |         with open(credentials_file, 'w') as fp:
387 |             parser.write(fp)
388 | 
389 | class ContainerRequestHandler(BaseHTTPRequestHandler):
390 |     # error_message_format = json.dumps({"Error": {"Code": "InvalidRequest", "Message": "%(message)"}})
391 |     # error_content_type = "application/json"
392 | 
393 |     def __init__(self, request, client_address, server, token, session):
394 |         self._token = token
395 |         self._session = session
396 |         super().__init__(request, client_address, server)
397 | 
398 |     def do_GET(self):
399 |         if self.path.startswith('/role/') or self.path.startswith('/role-arn/'):
400 |             self.send_response(HTTPStatus.NOT_FOUND)
401 |             body = {"Error": {"Code": "NotImplemented", "Message": "Role assumption is not supported"}}
402 |         if self.path not in ['/', '/creds']:
403 |             self.send_response(HTTPStatus.NOT_FOUND)
404 |             body = {"Error": {"Code": "InvalidPath", "Message": "Only the base path is accepted"}}
405 |         if 'Authorization' not in self.headers:
406 |             self.send_response(HTTPStatus.UNAUTHORIZED)
407 |             body = {"Error": {"Code": "NoAuthorizationHeader", "Message": "Authorization header not provided"}}
408 |         elif self.headers['Authorization'] != self._token:
409 |             self.send_response(HTTPStatus.UNAUTHORIZED)
410 |             body = {"Error": {"Code": "InvalidToken", "Message": "The provided token was invalid"}}
411 |         else:
412 |             self.send_response(HTTPStatus.OK)
413 |             credentials = get_credentials(self._session, ensure_temporary=True, ensure_expiration=True)
414 |             body = {
415 |                 'AccessKeyId': credentials.AccessKeyId,
416 |                 'SecretAccessKey': credentials.SecretAccessKey,
417 |                 'Token': credentials.SessionToken,
418 |                 'Expiration': serialize_date(credentials.Expiration)
419 |             }
420 | 
421 |         body_bytes = json.dumps(body).encode('utf-8')
422 | 
423 |         self.send_header("Content-Type", "application/json")
424 |         self.send_header("Content-Length", len(body_bytes))
425 |         self.end_headers()
426 | 
427 |         self.wfile.write(body_bytes)
428 | 
429 | class IMDSRequestHandler(BaseHTTPRequestHandler):
430 |     def __init__(self, request, client_address, server, token, session):
431 |         self._token = token
432 |         self._session = session
433 |         self._sts_client = self._session.client("sts")
434 |         self._role_name = None
435 |         super().__init__(request, client_address, server)
436 | 
437 |     def send_error(self, status, code, message):
438 |         self.send_response(status)
439 |         body = {"Error": {"Code": code, "Message": message}}
440 |         body_bytes = json.dumps(body).encode('utf-8')
441 |         self.send_header("Content-Type", "application/json")
442 |         self.send_header("Content-Length", len(body_bytes))
443 |         self.end_headers()
444 | 
445 |         self.wfile.write(body_bytes)
446 | 
447 |     def send_ok(self, content_type, body):
448 |         self.send_response(HTTPStatus.OK)
449 |         if not isinstance(body, bytes):
450 |             body = json.dumps(body).encode("utf-8")
451 |         self.send_header("Content-Type", content_type)
452 |         self.send_header("Content-Length", len(body))
453 |         self.end_headers()
454 | 
455 |         self.wfile.write(body)
456 | 
457 |     def do_PUT(self):
458 |         if self.path != "/latest/api/token":
459 |             return self.send_error(
460 |                 HTTPStatus.NOT_FOUND,
461 |                 "InvalidPath",
462 |                 "Invalid path"
463 |             )
464 | 
465 |         if self.headers["x-forwarded-for"]:
466 |             return self.send_error(
467 |                 HTTPStatus.UNAUTHORIZED,
468 |                 "InvalidHeader",
469 |                 "PUT requests can't contain X-Forwarded-For"
470 |             )
471 |         if not self.headers["x-aws-ec2-metadata-token-ttl-seconds"]:
472 |             # TODO: the expiration isn't used or enforced
473 |             return self.send_error(
474 |                 HTTPStatus.UNAUTHORIZED,
475 |                 "MissingToken",
476 |                 "The IMDSv2 token expiration header is missing"
477 |             )
478 |         return self.send_ok("text/plain", self._token.encode("ascii"))
479 | 
480 |     def _ensure_role_name(self):
481 |         if not self._role_name:
482 |             response = self._sts_client.get_caller_identity()
483 |             arn = response["Arn"]
484 |             arn_parts = arn.split(":")
485 |             name_parts = arn_parts[-1].split("/")
486 |             name_type = name_parts[0]
487 |             if name_type == "user":
488 |                 role_name = name_parts[-1]
489 |             else:
490 |                 role_name = name_parts[1]
491 |             self._role_name = role_name
492 | 
493 |     def do_GET(self):
494 |         if self.path == "/latest/api/token":
495 |             return self.send_error(
496 |                 HTTPStatus.METHOD_NOT_ALLOWED,
497 |                 "MethodNotAllowed",
498 |                 "Token must be obtained with PUT"
499 |             )
500 | 
501 |         if self.headers["x-aws-ec2-metadata-token"] != self._token:
502 |             return self.send_error(
503 |                 HTTPStatus.UNAUTHORIZED,
504 |                 "MissingToken",
505 |                 "The IMDSv2 token header is missing"
506 |             )
507 |         elif self.path == "/latest/meta-data/iam/security-credentials/":
508 |             self._ensure_role_name()
509 |             return self.send_ok("text/plain", self._role_name.encode("ascii"))
510 |         elif self.path.startswith("/latest/meta-data/iam/security-credentials/"):
511 |             self._ensure_role_name()
512 |             role_name = self.path.rsplit("/", 1)[1]
513 |             if role_name != self._role_name:
514 |                 return self.send_error(
515 |                     HTTPStatus.FORBIDDEN,
516 |                     "InvalidRoleName",
517 |                     "The role name is incorrect"
518 |                 )
519 |             else:
520 |                 credentials = get_credentials(self._session, ensure_temporary=True, ensure_expiration=True)
521 |                 body = {
522 |                     'AccessKeyId': credentials.AccessKeyId,
523 |                     'SecretAccessKey': credentials.SecretAccessKey,
524 |                     'Token': credentials.SessionToken,
525 |                     'Expiration': serialize_date(credentials.Expiration)
526 |                 }
527 |                 return self.send_ok("application/json", body)
528 |         return self.send_error(
529 |             HTTPStatus.NOT_FOUND,
530 |             "InvalidPath",
531 |             "Invalid path"
532 |         )
533 | 
534 | if __name__ == '__main__':
535 |     main()
536 | 


--------------------------------------------------------------------------------
/aws_export_credentials/config_file_writer.py:
--------------------------------------------------------------------------------
  1 | # Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License"). You
  4 | # may not use this file except in compliance with the License. A copy of
  5 | # the License is located at
  6 | #
  7 | #     http://aws.amazon.com/apache2.0/
  8 | #
  9 | # or in the "license" file accompanying this file. This file is
 10 | # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 11 | # ANY KIND, either express or implied. See the License for the specific
 12 | # language governing permissions and limitations under the License.
 13 | 
 14 | # modified from customizations/configure/writer.py and configure.py in aws-cli
 15 | 
 16 | import os
 17 | import re
 18 | import shlex
 19 | 
 20 | class SectionNotFoundError(Exception):
 21 |     pass
 22 | 
 23 | def get_config_filename(session):
 24 |     # get botocore session if it's a boto3 session
 25 |     if hasattr(session, "_session"):
 26 |         session = session._session
 27 |     return os.path.expanduser(session.get_config_variable('config_file'))
 28 | 
 29 | _WHITESPACE = ' \t'
 30 | def process_profile_name(profile_name):
 31 |     if any(c in _WHITESPACE for c in profile_name):
 32 |         profile_name = shlex.quote(profile_name)
 33 |     return profile_name
 34 | 
 35 | def write_values(session, profile_name, values, config_file_writer=None, existing_config_action=None):
 36 |     # get botocore session if it's a boto3 session
 37 |     if hasattr(session, "_session"):
 38 |         session = session._session
 39 |     if not config_file_writer:
 40 |         config_file_writer = ConfigFileWriter()
 41 | 
 42 |     new_values = values.copy()
 43 | 
 44 |     # The access_key/secret_key are now *always* written to the shared
 45 |     # credentials file (~/.aws/credentials), see aws/aws-cli#847.
 46 |     # post-conditions: ~/.aws/credentials will have the updated credential
 47 |     # file values and new_values will have the cred vars removed.
 48 |     credential_file_values = {}
 49 |     for credential_key in [
 50 |             'aws_access_key_id',
 51 |             'aws_secret_access_key',
 52 |             'aws_session_token']:
 53 |         if credential_key in new_values:
 54 |             credential_file_values[credential_key] = new_values.pop(
 55 |                 credential_key)
 56 |     if credential_file_values:
 57 |         if profile_name is not None:
 58 |             credential_file_values['__section__'] = profile_name
 59 |         shared_credentials_filename = os.path.expanduser(
 60 |             session.get_config_variable('credentials_file'))
 61 |         config_file_writer.update_config(
 62 |             credential_file_values,
 63 |             shared_credentials_filename)
 64 | 
 65 |     if new_values:
 66 |         config_filename = os.path.expanduser(
 67 |             session.get_config_variable('config_file'))
 68 | 
 69 |         section = 'profile {}'.format(process_profile_name(profile_name))
 70 |         new_values['__section__'] = section
 71 |         config_file_writer.update_config(new_values, config_filename, existing_config_action)
 72 | 
 73 | 
 74 | class ConfigFileWriter(object):
 75 |     SECTION_REGEX = re.compile(r'^\s*\[(?P<header>[^]]+)\]')
 76 |     OPTION_REGEX = re.compile(
 77 |         r'(?P<option>[^:=][^:=]*)'
 78 |         r'\s*(?P<vi>[:=])\s*'
 79 |         r'(?P<value>.*)$'
 80 |     )
 81 | 
 82 |     def update_config(self, new_values, config_filename, existing_config_action=None):
 83 |         """Update config file with new values.
 84 | 
 85 |         This method will update a section in a config file with
 86 |         new key value pairs.
 87 | 
 88 |         This method provides a few conveniences:
 89 | 
 90 |         * If the ``config_filename`` does not exist, it will
 91 |           be created.  Any parent directories will also be created
 92 |           if necessary.
 93 |         * If the section to update does not exist, it will be created.
 94 | 
 95 | 
 96 |         :type new_values: dict
 97 |         :param new_values: The values to update.  There is a special
 98 |             key ``__section__``, that specifies what section in the INI
 99 |             file to update.  If this key is not present, then the
100 |             ``default`` section will be updated with the new values.
101 | 
102 |         :type config_filename: str
103 |         :param config_filename: The config filename where values will be
104 |             written.
105 | 
106 |         :type existing_config_action: str
107 |         :param existing_config_action: One of "overwrite" (the default),
108 |             "keep", or "discard". The latter will discard all existing
109 |             config for the section.
110 | 
111 |         """
112 |         if existing_config_action is None:
113 |             existing_config_action = "overwrite"
114 |         section_name = new_values.pop('__section__', 'default')
115 |         if not os.path.isfile(config_filename):
116 |             self._create_file(config_filename)
117 |             self._write_new_section(section_name, new_values, config_filename)
118 |             return
119 |         with open(config_filename, 'r') as f:
120 |             contents = f.readlines()
121 |         # We can only update a single section at a time so we first need
122 |         # to find the section in question
123 |         try:
124 |             self._update_section_contents(contents, section_name, new_values, existing_config_action)
125 |             with open(config_filename, 'w') as f:
126 |                 f.write(''.join(contents))
127 |         except SectionNotFoundError:
128 |             self._write_new_section(section_name, new_values, config_filename)
129 | 
130 |     def _create_file(self, config_filename):
131 |         # Create the file as well as the parent dir if needed.
132 |         dirname = os.path.split(config_filename)[0]
133 |         if not os.path.isdir(dirname):
134 |             os.makedirs(dirname)
135 |         with os.fdopen(os.open(config_filename,
136 |                                os.O_WRONLY | os.O_CREAT, 0o600), 'w'):
137 |             pass
138 | 
139 |     def _write_new_section(self, section_name, new_values, config_filename):
140 |         with open(config_filename, 'a') as f:
141 |             f.write('\n[%s]\n' % section_name)
142 |             contents = []
143 |             self._insert_new_values(line_number=0,
144 |                                     contents=contents,
145 |                                     new_values=new_values)
146 |             f.write(''.join(contents))
147 | 
148 |     def _find_section_start(self, contents, section_name):
149 |         for i in range(len(contents)):
150 |             line = contents[i]
151 |             if line.strip().startswith(('#', ';')):
152 |                 # This is a comment, so we can safely ignore this line.
153 |                 continue
154 |             match = self.SECTION_REGEX.search(line)
155 |             if match is not None and self._matches_section(match,
156 |                                                            section_name):
157 |                 return i
158 |         raise SectionNotFoundError(section_name)
159 | 
160 |     def _update_section_contents(self, contents, section_name, new_values, existing_config_action):
161 |         # First, find the line where the section_name is defined.
162 |         # This will be the value of i.
163 |         new_values = new_values.copy()
164 |         # ``contents`` is a list of file line contents.
165 |         section_start_line_num = self._find_section_start(contents,
166 |                                                           section_name)
167 |         # If we get here, then we've found the section.  We now need
168 |         # to figure out if we're updating a value or adding a new value.
169 |         # There's 2 cases.  Either we're setting a normal scalar value
170 |         # of, we're setting a nested value.
171 |         last_matching_line = section_start_line_num
172 |         j = last_matching_line + 1
173 |         while j < len(contents):
174 |             line = contents[j]
175 |             if self.SECTION_REGEX.search(line) is not None:
176 |                 # We've hit a new section which means the config key is
177 |                 # not in the section.  We need to add it here.
178 |                 self._insert_new_values(line_number=last_matching_line,
179 |                                         contents=contents,
180 |                                         new_values=new_values)
181 |                 return
182 |             match = self.OPTION_REGEX.search(line)
183 |             if match is not None:
184 |                 last_matching_line = j
185 |                 key_name = match.group(1).strip()
186 |                 if key_name in new_values:
187 |                     # We've found the line that defines the option name.
188 |                     # if the value is not a dict, then we can write the line
189 |                     # out now.
190 |                     if existing_config_action != "keep":
191 |                         option_value = new_values[key_name]
192 |                         new_line = '%s = %s\n' % (key_name, option_value)
193 |                         contents[j] = new_line
194 |                     del new_values[key_name]
195 |                 elif existing_config_action == "discard":
196 |                     del contents[j]
197 |                     j -= 1
198 |             j += 1
199 | 
200 |         if new_values:
201 |             if not contents[-1].endswith('\n'):
202 |                 contents.append('\n')
203 |             self._insert_new_values(line_number=last_matching_line + 1,
204 |                                     contents=contents,
205 |                                     new_values=new_values)
206 | 
207 |     def _insert_new_values(self, line_number, contents, new_values, indent=''):
208 |         new_contents = []
209 |         for key, value in list(new_values.items()):
210 |             if isinstance(value, dict):
211 |                 subindent = indent + '    '
212 |                 new_contents.append('%s%s =\n' % (indent, key))
213 |                 for subkey, subval in list(value.items()):
214 |                     new_contents.append('%s%s = %s\n' % (subindent, subkey,
215 |                                                          subval))
216 |             else:
217 |                 new_contents.append('%s%s = %s\n' % (indent, key, value))
218 |             del new_values[key]
219 |         contents.insert(line_number + 1, ''.join(new_contents))
220 | 
221 |     def _matches_section(self, match, section_name):
222 |         parts = section_name.split(' ')
223 |         unquoted_match = match.group(0) == '[%s]' % section_name
224 |         if len(parts) > 1:
225 |             quoted_match = match.group(0) == '[%s "%s"]' % (
226 |                 parts[0], ' '.join(parts[1:]))
227 |             return unquoted_match or quoted_match
228 |         return unquoted_match
229 | 
230 | if __name__ == "__main__":
231 |     import sys
232 |     import json
233 |     file_name = sys.argv[1]
234 |     section_name = sys.argv[2]
235 |     data = json.loads(sys.argv[3])
236 |     data["__section__"] = section_name
237 |     cfw = ConfigFileWriter()
238 |     cfw.update_config(data, file_name, existing_config_action=sys.argv[4])
239 | 


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
 1 | [tool.poetry]
 2 | name = "aws-export-credentials"
 3 | version = "0.18.0" # Update here and aws_export_credentials.py
 4 | description = "Get AWS credentials from a profile to inject into other programs"
 5 | authors = ["Ben Kehoe <ben@kehoe.io>"]
 6 | license = "Apache-2.0"
 7 | readme = "README.md"
 8 | homepage = "https://github.com/benkehoe/aws-export-credentials"
 9 | repository = "https://github.com/benkehoe/aws-export-credentials"
10 | classifiers = [
11 |     "Development Status :: 4 - Beta",
12 |     "Intended Audience :: Developers",
13 |     "Intended Audience :: System Administrators",
14 |     "License :: OSI Approved :: Apache Software License",
15 |     "Operating System :: OS Independent",
16 |     "Topic :: Utilities"
17 | ]
18 | 
19 | [tool.poetry.scripts]
20 | aws-export-credentials = 'aws_export_credentials:main'
21 | 
22 | [tool.poetry.dependencies]
23 | python = "^3.7"
24 | boto3 = ">=1.14"
25 | 
26 | [tool.poetry.dev-dependencies]
27 | 
28 | [build-system]
29 | requires = ["poetry>=0.12"]
30 | build-backend = "poetry.masonry.api"
31 | 


--------------------------------------------------------------------------------