Ben Kehoe benkehoe

## kms_random.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              3 stars
            
          
                benkehoe
                / kms_random.md
            
            
              Created
              April 28, 2023 14:45
            
              
                Python random numbers from KMS.GenerateRandom
              
          
      View kms_random.md
  
      
    Python random numbers from KMS.GenerateRandom
Spurred by this twitter conversation.
random.SystemRandom uses os.urandom as a source of bytes, but doesn't provide a way to use a different source of bytes.
So stream_random.py is exactly that.
Then kms_random.py has raw and buffered bytestreams pulling from KMS.GenerateRandom.
The main interface is kms_random.get_kms_random(boto3_session, buffer_size=None). The default buffer size is 16, chosen arbitrarily.
I do not vouch for the randomness properties of the results.

  
## dont-use-aws-s3-ls-to-check-credentials.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              2 stars
            
          
                benkehoe
                / dont-use-aws-s3-ls-to-check-credentials.md
            
            
              Last active
              April 23, 2023 16:22
            
              
                Use "aws sts get-caller-identity" instead of "aws s3 ls" for checking credentials
              
          
      View dont-use-aws-s3-ls-to-check-credentials.md
  
      
    People shouldn't use aws s3 ls to check credentials
Here's why, and an SCP to stop them
Lots of people use aws s3 ls to check that they have valid credentials.
If it succeeds, they assume they are good to go.
Even AWS blog tutorials often use it.
They're all wrong.
There's multiple things wrong with using aws s3 ls to check credential validity.
The first is that it has an IAM permission, s3:ListAllMyBuckets, associated with it.

  
## aws_console_launcher.py
# Copyright 2022 Ben Kehoe
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF

## timedelta_iso.py
# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#

## ddb_composite_key_escaping.py
import random
import re
import string
from typing import Iterable
import dataclasses

def escape(s: str) -> str:
    return s.replace("#", "##")

def unescape(s: str) -> str:

## get_boto3_session_with_config.py
# Copyright 2020 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

## aws_orgs_for_each_account.py
import aws_assume_role_lib # https://github.com/benkehoe/aws-assume-role-lib

account_role_name = "YOUR_ACCOUNT_ROLE_NAME_HERE" # TODO: put your role name here

management_account_session = boto3.Session()
# if you're using AWS SSO in your management account and there's a specific role for this work, you could use aws-sso-lib
# https://github.com/benkehoe/aws-sso-util/blob/master/lib/README.md
# management_account_session = aws_sso_lib.get_boto3_session(start_url, sso_region, management_account_id, management_role_name, region=sso_region)

orgs = management_account_session.client('organizations')

## package_with_single_sourced_version.py
# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#

## aws_assume_role.py
# *** WARNING ***
# This gist is no longer maintained
# It has been replaced by aws-assume-role-lib in PyPI
# Documentation at https://github.com/benkehoe/aws-assume-role-lib
# It is still a single-file library, you can find the stable version here:
# https://raw.githubusercontent.com/benkehoe/aws-assume-role-lib/stable/aws_assume_role_lib/aws_assume_role_lib.py
# (link also available in the docs)

# Copyright 2020 Ben Kehoe
#

## .pythonrc.py
# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
	# Copyright 2022 Ben Kehoe
	#
	# Licensed under the Apache License, Version 2.0 (the "License"). You
	# may not use this file except in compliance with the License. A copy of
	# the License is located at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# or in the "license" file accompanying this file. This file is
	# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
	# MIT No Attribution
	#
	# Copyright 2022 Ben Kehoe
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy of this
	# software and associated documentation files (the "Software"), to deal in the Software
	# without restriction, including without limitation the rights to use, copy, modify,
	# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
	# permit persons to whom the Software is furnished to do so.
	#
	import random
	import re
	import string
	from typing import Iterable
	import dataclasses

	def escape(s: str) -> str:
	return s.replace("#", "##")

	def unescape(s: str) -> str:
	# Copyright 2020 Ben Kehoe
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy of this
	# software and associated documentation files (the "Software"), to deal in the Software
	# without restriction, including without limitation the rights to use, copy, modify,
	# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
	# permit persons to whom the Software is furnished to do so.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
	# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
	import aws_assume_role_lib # https://github.com/benkehoe/aws-assume-role-lib

	account_role_name = "YOUR_ACCOUNT_ROLE_NAME_HERE" # TODO: put your role name here

	management_account_session = boto3.Session()
	# if you're using AWS SSO in your management account and there's a specific role for this work, you could use aws-sso-lib
	# https://github.com/benkehoe/aws-sso-util/blob/master/lib/README.md
	# management_account_session = aws_sso_lib.get_boto3_session(start_url, sso_region, management_account_id, management_role_name, region=sso_region)

	orgs = management_account_session.client('organizations')
	# * WARNING *
	# This gist is no longer maintained
	# It has been replaced by aws-assume-role-lib in PyPI
	# Documentation at https://github.com/benkehoe/aws-assume-role-lib
	# It is still a single-file library, you can find the stable version here:
	# https://raw.githubusercontent.com/benkehoe/aws-assume-role-lib/stable/aws_assume_role_lib/aws_assume_role_lib.py
	# (link also available in the docs)

	# Copyright 2020 Ben Kehoe
	#