aws-vault only runs subcommands; there's no API for other languages to use, short of running them _under_ aws-vault. Here's a workaround for Python (3.6+):

```python
import json
import os
import shutil
import subprocess
import sys

import boto3


def login():
    # No aws-vault on PATH: let boto3 resolve credentials on its own
    if not shutil.which('aws-vault'):
        return boto3.Session()
    # Already running under aws-vault (or otherwise credentialled): nothing to do
    if 'AWS_SESSION_TOKEN' in os.environ:
        return boto3.Session()
    if 'AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ:
        return boto3.Session()
    profile = os.environ.get('AWS_PROFILE', 'default')
    # Run a throwaway copy of this interpreter under aws-vault and have it dump the AWS_* variables it received
    rc = subprocess.run(['aws-vault', 'exec', profile, '--', sys.executable, '-c',
                         'import json,os; print(json.dumps({k:os.environ[k] for k in os.environ if k.startswith("AWS_")}))'],
                        check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    need = json.loads(rc.stdout)
    # too late to put those in os.environ for our benefit, and subprocess ignores changes too
    # Which of these are guaranteed? We get:
    # AWS_VAULT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
    return boto3.Session(
        profile_name=profile,
        aws_access_key_id=need['AWS_ACCESS_KEY_ID'],
        aws_secret_access_key=need['AWS_SECRET_ACCESS_KEY'],
        # absent under --no-session, so don't KeyError on it
        aws_session_token=need.get('AWS_SESSION_TOKEN'),
    )
```
Note: the above is a simplified version of what I ended up using. The core issue is that AWS does not permit STS token credentials to access any IAM resources unless an MFA was used; this is an implicit policy rule and results in signature verification failures.
You can hard-require MFA for all usage which might touch IAM. You can hard-require MFA on principle. You can use `--no-session` to avoid using temporary credentials and just export the registered `aws_access_key_id`/`aws_secret_access_key` variables into environ. There's no great answer.
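The workaround above and the `--no-session` note both hinge on which `AWS_*` variables the child of `aws-vault exec` actually receives. The following is an added example, not code from aws-vault or from the comments above: it separates the shell-out from the translation into `boto3.Session` keyword arguments, so the translation can be exercised offline, and it handles the `--no-session` case (long-lived keys, no session token) that makes a plain `need['AWS_SESSION_TOKEN']` raise. Function names (`session_kwargs_from_env`, `dump_vault_env`, `login_kwargs`), the handling of `AWS_REGION`/`AWS_DEFAULT_REGION`, and the sample dictionaries are assumptions constructed for illustration; the variable names listed in the comment's own code are the ones relied on. `boto3` itself is not imported, so the caller does `boto3.Session(**login_kwargs())`.

```python
import json
import os
import shutil
import subprocess
import sys

# Added example; names below are hypothetical, not aws-vault's or boto3's API.
REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

# One-liner run *inside* `aws-vault exec`: prints the AWS_* variables the
# child process received as a JSON object on stdout.
DUMP_SNIPPET = (
    "import json, os; "
    'print(json.dumps({k: v for k, v in os.environ.items() if k.startswith("AWS_")}))'
)


def session_kwargs_from_env(env: dict, profile: str = "default") -> dict:
    """Translate the AWS_* variables exported by aws-vault into boto3.Session
    keyword arguments.  Fails loudly when the access keys are absent and copes
    with `--no-session`, where aws-vault exports no session token."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("aws-vault did not export: " + ", ".join(missing))
    kwargs = {
        "profile_name": profile,  # explicit keys below take precedence over the profile's
        "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
        "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
    }
    # Temporary (STS) credentials carry a token; the comment lists both spellings.
    token = env.get("AWS_SESSION_TOKEN") or env.get("AWS_SECURITY_TOKEN")
    if token:
        kwargs["aws_session_token"] = token
    # Assumption: pass a region through if the environment carried one.
    region = env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")
    if region:
        kwargs["region_name"] = region
    return kwargs


def is_temporary(kwargs: dict) -> bool:
    """True when the kwargs describe STS credentials, i.e. the case the note
    above warns about: IAM calls with them need MFA behind the session."""
    return "aws_session_token" in kwargs


def dump_vault_env(profile: str, no_session: bool = False, run=subprocess.run) -> dict:
    """Run DUMP_SNIPPET under `aws-vault exec` and parse its JSON output.
    `run` is injectable so the function can be exercised without aws-vault."""
    cmd = ["aws-vault", "exec", profile]
    if no_session:
        cmd.append("--no-session")
    # sys.executable: reuse this interpreter rather than whatever `python` is on PATH
    cmd += ["--", sys.executable, "-c", DUMP_SNIPPET]
    rc = run(cmd, check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    return json.loads(rc.stdout)


def login_kwargs(no_session: bool = False) -> dict:
    """Mirror the comment's login(): an existing AWS_* environment wins, and
    aws-vault is consulted only when it is installed.  An empty dict means
    'let boto3 resolve credentials on its own'."""
    env = os.environ
    already_credentialled = "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env
    if shutil.which("aws-vault") is None or already_credentialled:
        return {}
    profile = env.get("AWS_PROFILE", "default")
    return session_kwargs_from_env(dump_vault_env(profile, no_session), profile)


# Constructed sample of what the dump looks like with and without a session
# (values are placeholders, not real credentials).
SAMPLE_SESSION_ENV = {
    "AWS_VAULT": "dev",
    "AWS_ACCESS_KEY_ID": "ASIA-EXAMPLE-KEY",
    "AWS_SECRET_ACCESS_KEY": "example-secret",
    "AWS_SESSION_TOKEN": "example-token",
    "AWS_SECURITY_TOKEN": "example-token",
    "AWS_REGION": "eu-west-1",
}
SAMPLE_NO_SESSION_ENV = {
    "AWS_VAULT": "dev",
    "AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE-KEY",
    "AWS_SECRET_ACCESS_KEY": "example-secret",
}

if __name__ == "__main__":
    for name, env in (("session", SAMPLE_SESSION_ENV), ("no-session", SAMPLE_NO_SESSION_ENV)):
        kw = session_kwargs_from_env(env, "dev")
        print(name, "temporary" if is_temporary(kw) else "long-lived", sorted(kw))
```

The split matters for the MFA problem in the note: `is_temporary()` tells you up front whether the session you are about to hand to IAM calls is STS-backed, so a caller can refuse or switch to `--no-session` before the first signature-verification failure rather than after.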