aws-vault only runs subcommands, there's no API for other languages to use, short of running them _under_ aws-vault. Here's a workaround for Python (3.6+)
| def login(): | |
| if not shutil.which('aws-vault'): | |
| return boto3.Session() | |
| if 'AWS_SESSION_TOKEN' in os.environ: | |
| return boto3.Session() | |
| if 'AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ: | |
| return boto3.Session() | |
| profile=os.environ.get('AWS_PROFILE', 'default') | |
| rc = subprocess.run(['aws-vault', 'exec', profile, '--', 'python', '-c', | |
| 'import json,os; print(json.dumps({k:os.environ[k] for k in os.environ if k.startswith("AWS_")}))'], | |
| check=True, stdout=subprocess.PIPE, stderr=sys.stderr) | |
| need = json.loads(rc.stdout) | |
| # too late to put those in os.environ for our benefit, and subprocess ignores changes too | |
| # Which of these are guaranteed? We get: | |
| # AWS_VAULT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN | |
| return boto3.Session( | |
| profile_name=profile, | |
| aws_access_key_id=need['AWS_ACCESS_KEY_ID'], | |
| aws_secret_access_key=need['AWS_SECRET_ACCESS_KEY'], | |
| aws_session_token=need['AWS_SESSION_TOKEN'], | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Note: the above is a simplified version of what I ended up using. The core issue is that AWS does not permit STS token credentials to access any IAM resources unless an MFA was used; this is an implicit policy rule and results in signature verification failures.
You can hard-require MFA for all usage which might touch IAM. You can hard-require MFA on principle. You can use
--no-sessionto avoid using temporary credentials and just export the registeredaws_access_key_id/aws_secret_access_keyvariables into environ.There's no great answer.