aws-vault only runs subcommands; there's no API for other languages to use, short of running them _under_ aws-vault. Here's a workaround for Python (3.6+):

```python
import json
import os
import shutil
import subprocess
import sys

import boto3


def login():
    if not shutil.which('aws-vault'):
        return boto3.Session()
    if 'AWS_SESSION_TOKEN' in os.environ:
        return boto3.Session()
    if 'AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ:
        return boto3.Session()
    profile = os.environ.get('AWS_PROFILE', 'default')
    # Run a throwaway Python under aws-vault and have it dump the AWS_* variables
    # that aws-vault injected, so this (parent) process can read them back.
    rc = subprocess.run(['aws-vault', 'exec', profile, '--', 'python', '-c',
                         'import json,os; print(json.dumps({k:os.environ[k] for k in os.environ if k.startswith("AWS_")}))'],
                        check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    need = json.loads(rc.stdout)
    # too late to put those in os.environ for our benefit, and subprocess ignores changes too
    # Which of these are guaranteed? We get:
    # AWS_VAULT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
    return boto3.Session(
        profile_name=profile,
        aws_access_key_id=need['AWS_ACCESS_KEY_ID'],
        aws_secret_access_key=need['AWS_SECRET_ACCESS_KEY'],
        aws_session_token=need['AWS_SESSION_TOKEN'],
    )
```
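As an added example (not the gist author's code), the same workaround split into a testable mapping step plus the `aws-vault exec` call, so that the `--no-session` variant mentioned in the comments (no `AWS_SESSION_TOKEN` exported) does not crash with a `KeyError`. The `vault_env`/`session_kwargs` names and the sample environments are assumptions constructed here.

```python
import json
import os
import shutil
import subprocess
import sys

# Child-side one-liner that prints every AWS_* variable aws-vault injected.
DUMP_ENV = ('import json,os;'
            'print(json.dumps({k: v for k, v in os.environ.items() if k.startswith("AWS_")}))')


def session_kwargs(vault_env):
    """Map aws-vault's exported AWS_* variables onto boto3.Session keyword arguments.

    Raises KeyError when the static key pair is absent (nothing usable was exported).
    """
    kwargs = {
        'aws_access_key_id': vault_env['AWS_ACCESS_KEY_ID'],
        'aws_secret_access_key': vault_env['AWS_SECRET_ACCESS_KEY'],
    }
    # `aws-vault exec --no-session` exports only the long-lived key pair; only pass a
    # token to boto3 when aws-vault actually issued temporary STS credentials.
    token = vault_env.get('AWS_SESSION_TOKEN') or vault_env.get('AWS_SECURITY_TOKEN')
    if token:
        kwargs['aws_session_token'] = token
    return kwargs


def vault_env(profile, no_session=False):
    """Run `aws-vault exec` for `profile` and return the AWS_* variables it exported."""
    if not shutil.which('aws-vault'):
        raise FileNotFoundError('aws-vault is not on PATH')
    cmd = ['aws-vault', 'exec'] + (['--no-session'] if no_session else [])
    cmd += [profile, '--', sys.executable, '-c', DUMP_ENV]
    rc = subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    return json.loads(rc.stdout)


def login(profile=None, no_session=False):
    import boto3  # imported lazily so the pure helpers above work without boto3
    if ('AWS_SESSION_TOKEN' in os.environ
            or ('AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ)):
        return boto3.Session()  # already running under aws-vault, or static keys present
    profile = profile or os.environ.get('AWS_PROFILE', 'default')
    return boto3.Session(profile_name=profile, **session_kwargs(vault_env(profile, no_session)))


# Constructed samples of what the child process prints (placeholder values, not real keys).
SAMPLE_STS_ENV = {'AWS_VAULT': 'dev', 'AWS_ACCESS_KEY_ID': 'ASIAEXAMPLE', 'AWS_SECRET_ACCESS_KEY': 'secretEXAMPLE',
                  'AWS_SESSION_TOKEN': 'tokenEXAMPLE', 'AWS_SECURITY_TOKEN': 'tokenEXAMPLE'}
SAMPLE_NO_SESSION_ENV = {'AWS_VAULT': 'dev', 'AWS_ACCESS_KEY_ID': 'AKIAEXAMPLE', 'AWS_SECRET_ACCESS_KEY': 'secretEXAMPLE'}
```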
@philpennock philpennock commented Feb 28, 2018

Note: the above is a simplified version of what I ended up using. The core issue is that AWS does not permit STS token credentials to access any IAM resources unless an MFA was used; this is an implicit policy rule and results in signature verification failures.

You can hard-require MFA for all usage which might touch IAM. You can hard-require MFA on principle. You can use --no-session to avoid using temporary credentials and just export the registered aws_access_key_id/aws_secret_access_key variables into environ.

There's no great answer.
