Last active
November 22, 2022 19:18
-
-
Save sbutler/42837dfbc6a5ec8cb602ab6ffc2ee1e0 to your computer and use it in GitHub Desktop.
1Password credentials helper for AWS CLI/SDK
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
""" | |
``` | |
Copyright (c) 2022 University of Illinois Board of Trustees | |
All rights reserved. | |
Developed by: Technology Services | |
University of Illinois at Urbana-Champaign | |
https://techservices.illinois.edu/ | |
``` | |
Permission is hereby granted, free of charge, to any person obtaining | |
a copy of this software and associated documentation files (the | |
"Software"), to deal with the Software without restriction, including | |
without limitation the rights to use, copy, modify, merge, publish, | |
distribute, sublicense, and/or sell copies of the Software, and to | |
permit persons to whom the Software is furnished to do so, subject to | |
the following conditions: | |
* Redistributions of source code must retain the above copyright | |
notice, this list of conditions and the following disclaimers. | |
* Redistributions in binary form must reproduce the above copyright | |
notice, this list of conditions and the following disclaimers in the | |
documentation and/or other materials provided with the distribution. | |
* Neither the names of Technology Services, University of Illinois at | |
Urbana-Champaign, nor the names of its contributors may be used to | |
endorse or promote products derived from this Software without | |
specific prior written permission. | |
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | |
IN NO EVENT SHALL THE CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR | |
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF | |
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION | |
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE SOFTWARE. | |
# Description | |
Get AWS credentials from a 1Password item and output them in a format the | |
AWS CLI can understand. | |
""" | |
from argparse import ArgumentParser | |
import json | |
import logging | |
import subprocess | |
import sys | |
OP_BIN = '/usr/local/bin/op' | |
DEFAULT_VAULT = 'Work' | |
logger = logging.getLogger(__name__) | |
def get_args(): | |
""" | |
Get the command line arguments. | |
""" | |
parser = ArgumentParser(description='Get AWS credentials from a 1Password item.') | |
parser.add_argument( | |
'--debug', '-d', | |
action='store_true', | |
help="Enable debug logging." | |
) | |
parser.add_argument( | |
'--item', '-i', | |
required=True, | |
help="The name of the item to retrieve. Must have access_key_id and secret_key_id fields." | |
) | |
parser.add_argument( | |
'--vault', | |
default=DEFAULT_VAULT, | |
help=f"Specify the 1Password vault. Default: {DEFAULT_VAULT}." | |
) | |
return parser.parse_args() | |
def get_item(item, vault): | |
""" | |
Get the item data from 1Password. | |
Args: | |
item (str): name of the item. | |
vault (str): name of the vault. | |
""" | |
cmd = [ | |
OP_BIN, 'item', 'get', | |
'--vault', vault, | |
'--format', 'json', | |
'--no-color', | |
item | |
] | |
logger.debug( | |
'Running command: %(cmd)r', | |
dict(cmd=cmd) | |
) | |
res = subprocess.run( | |
cmd, | |
stdout=subprocess.PIPE, | |
check=True, | |
text=True, | |
) | |
return json.loads(res.stdout) | |
def output_credentials(data): | |
""" | |
Output to stdout the credentials. | |
Args: | |
data (dict): item data from 1Password. | |
""" | |
fields = { | |
field['label']: field['value'] | |
for field in data['fields'] | |
if field.get('label') and field.get('value') | |
} | |
if fields.get('access_key_id'): | |
access_key_id = fields['access_key_id'] | |
elif fields.get('access key id'): | |
access_key_id = fields['access key id'] | |
else: | |
raise ValueError('access_key_id') | |
if fields.get('secret_access_key'): | |
secret_access_key = fields['secret_access_key'] | |
elif fields.get('secret access key'): | |
secret_access_key = fields['secret access key'] | |
else: | |
raise ValueError('secret_access_key') | |
json.dump( | |
dict( | |
Version=1, | |
AccessKeyId=access_key_id, | |
SecretAccessKey=secret_access_key, | |
), | |
fp=sys.stdout | |
) | |
def _main(args): | |
if args.debug: | |
logger.setLevel(logging.DEBUG) | |
data = get_item(args.item, args.vault) | |
output_credentials(data) | |
if __name__ == '__main__': | |
logging.basicConfig( | |
level=logging.WARNING, | |
stream=sys.stderr, | |
) | |
_main(get_args()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment