aws-vault only runs subcommands; there is no API for other languages to use, short of running them _under_ aws-vault. Here's a workaround for Python (3.6+).
```python
import json
import os
import shutil
import subprocess
import sys

import boto3


def login():
    # No aws-vault on PATH, or credentials already in the environment:
    # let boto3 use its normal credential chain.
    if not shutil.which('aws-vault'):
        return boto3.Session()
    if 'AWS_SESSION_TOKEN' in os.environ:
        return boto3.Session()
    if 'AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ:
        return boto3.Session()
    profile = os.environ.get('AWS_PROFILE', 'default')
    # Run a child Python under aws-vault and have it print its AWS_* environment as JSON.
    rc = subprocess.run(['aws-vault', 'exec', profile, '--', 'python', '-c',
                         'import json,os; print(json.dumps({k:os.environ[k] for k in os.environ if k.startswith("AWS_")}))'],
                        check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    need = json.loads(rc.stdout)
    # too late to put those in os.environ for our benefit, and subprocess ignores changes too
    # Which of these are guaranteed? We get:
    # AWS_VAULT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
    return boto3.Session(
        profile_name=profile,
        aws_access_key_id=need['AWS_ACCESS_KEY_ID'],
        aws_secret_access_key=need['AWS_SECRET_ACCESS_KEY'],
        aws_session_token=need['AWS_SESSION_TOKEN'],
    )
```
@philpennock (Owner, Author) commented Feb 28, 2018

Note: the above is a simplified version of what I ended up using. The core issue is that AWS does not permit STS token credentials to access any IAM resources unless an MFA was used; this is an implicit policy rule and results in signature verification failures.

You can hard-require MFA for all usage which might touch IAM. You can hard-require MFA on principle. You can use --no-session to avoid using temporary credentials and just export the registered aws_access_key_id/aws_secret_access_key variables into environ.

There's no great answer.
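A variant of the gist's workaround, added here as an example and not the gist author's code: it builds the `aws-vault exec` command (optionally with `--no-session`, as the comment above describes), parses the AWS_* environment the child process dumps, and returns the keyword arguments for `boto3.Session()` so a missing session token is handled explicitly instead of surfacing as a `KeyError`. The `runner` parameter, the `fake_runner` helper and the sample credential values are assumptions made so the parsing can be exercised offline without aws-vault or boto3 installed.

```python
import json
import subprocess
import sys
from typing import Callable, Dict, Optional

# Variables the gist observed aws-vault exec injecting into the child environment.
STATIC_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
SESSION_KEY = "AWS_SESSION_TOKEN"

# Child program run under aws-vault: print every AWS_* variable as one JSON object.
DUMP_ENV = ('import json,os; print(json.dumps('
            '{k: v for k, v in os.environ.items() if k.startswith("AWS_")}))')


def aws_vault_command(profile: str, no_session: bool = False) -> list:
    """Command line for aws-vault exec; --no-session exports the static keys only."""
    cmd = ["aws-vault", "exec"]
    if no_session:
        cmd.append("--no-session")
    # sys.executable instead of a bare 'python' so the same interpreter runs the dump.
    return cmd + [profile, "--", sys.executable, "-c", DUMP_ENV]


def credentials_from_aws_vault(profile: str, no_session: bool = False,
                               runner: Callable = subprocess.run) -> Dict[str, Optional[str]]:
    """Return boto3.Session() keyword arguments obtained via aws-vault.

    `runner` (assumed here, not part of the gist) is subprocess.run-compatible and
    injectable so the parsing can be tested without aws-vault present.
    """
    rc = runner(aws_vault_command(profile, no_session), check=True,
                stdout=subprocess.PIPE, stderr=sys.stderr)
    env = json.loads(rc.stdout)
    missing = [k for k in STATIC_KEYS if k not in env]
    if missing:
        raise RuntimeError(f"aws-vault did not export {missing} for profile {profile!r}")
    token = env.get(SESSION_KEY)
    if token is None and not no_session:
        # We asked for temporary credentials but got none; fail loudly rather than KeyError.
        raise RuntimeError("aws-vault returned credentials without AWS_SESSION_TOKEN")
    return {
        "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
        "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
        "aws_session_token": token,  # may be None with --no-session; boto3 accepts None
    }


def fake_runner(stdout: bytes) -> Callable:
    """Assumed helper: a stand-in for subprocess.run that returns constructed output."""
    return lambda cmd, **kwargs: subprocess.CompletedProcess(cmd, 0, stdout=stdout)
```

Pass the returned dict as `boto3.Session(profile_name=profile, **creds)`; the keys match the session constructor's parameter names.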
