sh1n0b1/AssumeRole.py

## AssumeRole.py
import urllib, json
import requests # 'pip install requests'
from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto'

# Step 1: Authenticate user in your own identity system.

# Step 2: Using the access keys for an IAM user in your AWS account,
# call "AssumeRole" to get temporary access keys for the federated user

# Note: Calls to AWS STS AssumeRole must be signed using the access key ID
# and secret access key of an IAM user or using existing temporary credentials.
# The credentials can be in EC2 instance metadata, in environment variables,
# or in a configuration file, and will be discovered automatically by the
# STSConnection() function. For more information, see the Python SDK docs:
# http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()

assumed_role_object = sts_connection.assume_role(
    role_arn="arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/ROLE-NAME",
    role_session_name="AssumeRoleSession"
)

# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.credentials.access_key + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.credentials.secret_key + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.credentials.session_token + '"'
json_string_with_temp_credentials += '}'

# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
# as parameters.
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
request_parameters += "&Session=" + urllib.quote_plus(json_string_with_temp_credentials)
request_url = "https://signin.aws.amazon.com/federation" + request_parameters
r = requests.get(request_url)
# Returns a JSON document with a single element named SigninToken.
signin_token = json.loads(r.text)

# Step 5: Create URL where users can use the sign-in token to sign in to
# the console. This URL must be used within 15 minutes after the
# sign-in token was issued.
request_parameters = "?Action=login"
request_parameters += "&Issuer=Example.org"
request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.aws.amazon.com/federation" + request_parameters

# Send final URL to stdout
print request_url
	import urllib, json
	import requests # 'pip install requests'
	from boto.sts import STSConnection # AWS SDK for Python (Boto) 'pip install boto'

	# Step 1: Authenticate user in your own identity system.

	# Step 2: Using the access keys for an IAM user in your AWS account,
	# call "AssumeRole" to get temporary access keys for the federated user

	# Note: Calls to AWS STS AssumeRole must be signed using the access key ID
	# and secret access key of an IAM user or using existing temporary credentials.
	# The credentials can be in EC2 instance metadata, in environment variables,
	# or in a configuration file, and will be discovered automatically by the
	# STSConnection() function. For more information, see the Python SDK docs:
	# http://boto.readthedocs.org/en/latest/boto_config_tut.html
	sts_connection = STSConnection()

	assumed_role_object = sts_connection.assume_role(
	role_arn="arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/ROLE-NAME",
	role_session_name="AssumeRoleSession"
	)

	# Step 3: Format resulting temporary credentials into JSON
	json_string_with_temp_credentials = '{'
	json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.credentials.access_key + '",'
	json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.credentials.secret_key + '",'
	json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.credentials.session_token + '"'
	json_string_with_temp_credentials += '}'

	# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
	# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
	# as parameters.
	request_parameters = "?Action=getSigninToken"
	request_parameters += "&SessionDuration=43200"
	request_parameters += "&Session=" + urllib.quote_plus(json_string_with_temp_credentials)
	request_url = "https://signin.aws.amazon.com/federation" + request_parameters
	r = requests.get(request_url)
	# Returns a JSON document with a single element named SigninToken.
	signin_token = json.loads(r.text)

	# Step 5: Create URL where users can use the sign-in token to sign in to
	# the console. This URL must be used within 15 minutes after the
	# sign-in token was issued.
	request_parameters = "?Action=login"
	request_parameters += "&Issuer=Example.org"
	request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
	request_parameters += "&SigninToken=" + signin_token["SigninToken"]
	request_url = "https://signin.aws.amazon.com/federation" + request_parameters

	# Send final URL to stdout
	print request_url