Minio STS LDAP authentication using python
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2020 Tim Hughes <thughes@thegoldfish.org>
#
# Distributed under terms of the MIT license.
"""Fetch temporary S3 credentials from a MinIO STS endpoint via LDAP login.

Prompts for an LDAP password, calls the ``AssumeRoleWithLDAPIdentity`` STS
action on the given MinIO endpoint, prints the returned access key, secret
key and session token as shell ``export`` lines, and then lists the buckets
visible with those credentials.
"""
import getpass
import argparse
import boto3
import requests
from xml.etree import ElementTree as etree
class PasswordPromptAction(argparse.Action):
    """argparse action that prompts for a password instead of reading it from argv.

    The option takes no value on the command line (``nargs=0``). When the
    option is present, ``getpass.getpass()`` is called and the entered text is
    stored on the namespace under ``dest``, so the password never appears in
    the process argument list or shell history.
    """

    def __init__(
        self,
        option_strings,
        dest=None,
        nargs=0,
        default=None,
        required=False,
        type=None,
        metavar=None,
        help=None,
    ):
        # Everything is forwarded unchanged to argparse.Action; the only
        # customisation is the zero-arity default and the prompting __call__.
        super().__init__(
            option_strings=option_strings,
            dest=dest,
            nargs=nargs,
            default=default,
            required=required,
            type=type,
            metavar=metavar,
            help=help,
        )

    def __call__(self, parser, args, values, option_string=None):
        """Prompt on the terminal and store the entered password on ``args``."""
        setattr(args, self.dest, getpass.getpass())
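# Command-line interface: LDAP username, an interactively prompted password,
# and the MinIO STS endpoint to authenticate against.
parser = argparse.ArgumentParser(
    description="Obtain temporary S3 credentials from a MinIO STS endpoint "
    "with an LDAP username/password and print them as shell export lines."
)
parser.add_argument("-u", "--username", required=True, type=str, help="LDAP username")
# -p takes no value: PasswordPromptAction asks for the password on the
# terminal, so it never shows up in argv, `ps` output or shell history.
# (nargs=0 means a `type=` converter would never be applied, so none is set.)
parser.add_argument(
    "-p",
    "--password",
    required=True,
    action=PasswordPromptAction,
    help="LDAP password",
)
# NOTE: the default is plain http://. The LDAP password is sent to this
# endpoint in the request, so anything other than local testing should use
# an https:// endpoint.
parser.add_argument(
    "-e", "--endpoint", default="http://minio.localhost:9000", help="MINIO STS endpoint"
)
args = parser.parse_args()
username = args.username
password = args.password
endpoint = args.endpoint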
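def get_credentials(endpoint, username, password):
    """Exchange an LDAP username/password for temporary S3 credentials.

    Calls the MinIO STS ``AssumeRoleWithLDAPIdentity`` action at ``endpoint``
    and returns the ``Credentials`` element of the response as a dict keyed
    by bare element name (``AccessKeyId``, ``SecretAccessKey``,
    ``SessionToken``, ...).

    Args:
        endpoint: URL of the MinIO STS endpoint. Prefer ``https://``; on a
            plain ``http://`` endpoint the LDAP password travels in clear.
        username: LDAP username.
        password: LDAP password.

    Returns:
        dict mapping credential element names to their text values.

    Raises:
        requests.HTTPError: if the endpoint answers with a non-2xx status
            (an STS error document, e.g. for rejected credentials).
        ValueError: if the response carries no ``Credentials`` element.
    """
    payload = {
        "Action": "AssumeRoleWithLDAPIdentity",
        "LDAPUsername": username,
        "LDAPPassword": password,
        "Version": "2011-06-15",
    }
    # Send the fields as a form-encoded body rather than as query parameters:
    # a query string ends up in server access logs and proxy logs, which is no
    # place for an LDAP password. MinIO's STS handler accepts the same fields
    # from the request body.
    r = requests.post(endpoint, data=payload, timeout=30)
    # STS errors (including rejected logins) come back as an error document
    # with a non-2xx status; fail loudly instead of parsing it as a success.
    r.raise_for_status()
    return _parse_credentials(r.content)


def _parse_credentials(content):
    """Extract the ``Credentials`` element of an STS XML response into a dict."""
    root = etree.fromstring(content)
    ns = {"ns": "https://sts.amazonaws.com/doc/2011-06-15/"}
    creds_el = root.find("ns:AssumeRoleWithLDAPIdentityResult/ns:Credentials", ns)
    if creds_el is None:
        raise ValueError("STS response contains no Credentials element")
    # Child tags are namespace-qualified as "{uri}Name"; keep only "Name".
    return {el.tag.rpartition("}")[2]: el.text for el in creds_el}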
credentials = get_credentials(endpoint, username, password)

# Emit the temporary credentials as shell `export` lines between two rules.
# They are written to the terminal, so they end up in any captured output.
print("-------------------------------------")
for env_var, field in (
    ("AWS_ACCESS_KEY_ID", "AccessKeyId"),
    ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
    ("AWS_SESSION_TOKEN", "SessionToken"),
):
    print(f"export {env_var}={credentials[field]}")
print("-------------------------------------")

# Exercise the new session against the same endpoint by listing the buckets
# it can see.
session_keys = {
    "aws_access_key_id": credentials["AccessKeyId"],
    "aws_secret_access_key": credentials["SecretAccessKey"],
    "aws_session_token": credentials["SessionToken"],
}
s3_resource = boto3.resource(
    "s3",
    region_name="us-west-1",
    endpoint_url=endpoint,
    **session_keys,
)
for bucket in s3_resource.buckets.all():
    print(bucket.name)