Minio STS LDAP authentication using python
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2020 Tim Hughes <thughes@thegoldfish.org>
#
# Distributed under terms of the MIT license.
""" | |
""" | |
import getpass | |
import argparse | |
import boto3 | |
import requests | |
from xml.etree import ElementTree as etree | |
class PasswordPromptAction(argparse.Action):
    """argparse action that prompts for a secret instead of reading it from argv.

    The option takes no command-line value (``nargs=0``); when it is present
    the value is read interactively with :func:`getpass.getpass`, so the
    password never appears in the process argument list or shell history.
    """

    def __init__(
        self,
        option_strings,
        dest=None,
        nargs=0,
        default=None,
        required=False,
        type=None,
        metavar=None,
        help=None,
    ):
        # ``type`` and ``help`` shadow builtins on purpose: argparse passes
        # these keywords by exactly these names.
        super().__init__(
            option_strings=option_strings,
            dest=dest,
            nargs=nargs,
            default=default,
            required=required,
            type=type,
            metavar=metavar,
            help=help,
        )

    def __call__(self, parser, args, values, option_string=None):
        # ``values`` is always empty here (nargs=0); the secret comes from
        # the interactive prompt and is stored under ``self.dest``.
        setattr(args, self.dest, getpass.getpass())
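# Command-line interface. The description previously read "Process some
# integers." — a leftover from the argparse documentation example.
parser = argparse.ArgumentParser(
    description="Obtain temporary S3 credentials from MinIO STS using LDAP credentials."
)
parser.add_argument("-u", "--username", required=True, type=str, help="LDAP username")
# The password is never taken from argv: PasswordPromptAction reads it from a
# getpass prompt, which keeps it out of `ps` output and shell history.
parser.add_argument(
    "-p",
    "--password",
    required=True,
    type=str,
    action=PasswordPromptAction,
    help="LDAP password",
)
# NOTE: the default endpoint is plain http, so the LDAP password is sent in
# clear text unless an https:// endpoint is supplied.
parser.add_argument(
    "-e", "--endpoint", default="http://minio.localhost:9000", help="MINIO STS endpoint"
)
args = parser.parse_args()
username = args.username
password = args.password
endpoint = args.endpoint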
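def get_credentials(endpoint, username, password, *, timeout=30, session=None):
    """Exchange LDAP credentials for temporary S3 credentials via MinIO STS.

    Calls ``AssumeRoleWithLDAPIdentity`` on *endpoint* and returns the
    ``Credentials`` element of the response as a plain dict keyed by the
    un-namespaced tag names (``AccessKeyId``, ``SecretAccessKey``,
    ``SessionToken``, ``Expiration``, ...).

    Args:
        endpoint: Base URL of the MinIO STS endpoint.
        username: LDAP user name.
        password: LDAP password.
        timeout: Seconds to wait for the HTTP request; ``requests`` has no
            timeout at all by default, which would hang the script forever.
        session: Optional object exposing a ``requests``-compatible ``post``
            method (e.g. a ``requests.Session``); defaults to the ``requests``
            module itself.

    Returns:
        dict[str, str | None]: credential fields from the STS response.

    Raises:
        requests.HTTPError: if the STS endpoint answers with an error status.
        ValueError: if the response carries no ``Credentials`` element.
        xml.etree.ElementTree.ParseError: if the body is not well-formed XML.
    """
    form = {
        "Action": "AssumeRoleWithLDAPIdentity",
        "LDAPUsername": username,
        "LDAPPassword": password,
        "Version": "2011-06-15",
    }
    http = requests if session is None else session
    # Send the form in the POST body instead of as URL query parameters:
    # query strings — and with them the LDAP password — routinely end up in
    # server, proxy and client access logs. The body form is what AWS STS
    # and the MinIO Go SDK use for this call.
    response = http.post(endpoint, data=form, timeout=timeout)
    # Fail on a rejected login (HTTP 4xx) instead of trying to parse the
    # <ErrorResponse> body as a success document.
    response.raise_for_status()
    return _parse_credentials(response.content)


def _parse_credentials(content):
    """Return the children of the ``Credentials`` element of an STS XML body as a dict."""
    root = etree.fromstring(content)
    ns = {"ns": "https://sts.amazonaws.com/doc/2011-06-15/"}
    creds_el = root.find("ns:AssumeRoleWithLDAPIdentityResult/ns:Credentials", ns)
    if creds_el is None:
        # Iterating ``None`` would raise an opaque TypeError; name the problem.
        raise ValueError(
            f"STS response has no Credentials element (root element: {root.tag})"
        )
    # Tags arrive namespace-qualified as "{uri}Name"; keep only "Name".
    return {el.tag.rpartition("}")[2]: el.text for el in creds_el}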
credentials = get_credentials(endpoint, username, password)

# Print the temporary credentials as shell `export` lines so the caller can
# eval them into the current environment. Note this writes the secret key
# and session token to stdout by design.
_ENV_VARS = (
    ("AWS_ACCESS_KEY_ID", "AccessKeyId"),
    ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
    ("AWS_SESSION_TOKEN", "SessionToken"),
)
separator = "-------------------------------------"
print(separator)
for env_name, field in _ENV_VARS:
    print(f"export {env_name}={credentials[field]}")
print(separator)

# Smoke-test the credentials by listing the buckets visible to this identity
# through the same MinIO endpoint.
s3_resource = boto3.resource(
    "s3",
    aws_access_key_id=credentials["AccessKeyId"],
    aws_secret_access_key=credentials["SecretAccessKey"],
    aws_session_token=credentials["SessionToken"],
    region_name="us-west-1",
    endpoint_url=endpoint,
)
for bucket in s3_resource.buckets.all():
    print(bucket.name)