Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Python script to assume STS role and generate AWS console URL.
#!/usr/bin/env python
import getpass
import json
import requests
import sys
import urllib
import boto3
def assume_role(account_id, role_name, duration, external_id, mfa_arn, mfa_token):
role_arn = "arn:aws:iam::" + account_id + ":role/" + role_name
role_session_name = "AssumeRoleSession"
client = boto3.client('sts', 'us-west-2')
response = client.assume_role(RoleArn=role_arn,
RoleSessionName=role_session_name,
DurationSeconds=duration,
ExternalId=external_id,
SerialNumber=mfa_arn,
TokenCode=mfa_token)
tmp_credentials = {
'sessionId': response['Credentials']['AccessKeyId'],
'sessionKey': response['Credentials']['SecretAccessKey'],
'sessionToken':response['Credentials']['SessionToken']
}
return json.dumps(tmp_credentials)
def generate_federation_request_parameters(credentials_json):
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=3600"
request_parameters += "&Session=" + urllib.quote_plus(credentials_json)
return request_parameters
def generate_sign_in_token(credentials_json):
request_parameters = generate_federation_request_parameters(credentials_json)
request_url = "https://signin.aws.amazon.com/federation" + request_parameters
r = requests.get(request_url)
return json.loads(r.text)['SigninToken']
def generate_signin_request_parameters(signin_token, issuer):
request_parameters = "?Action=login"
request_parameters += "&Issuer=" + issuer
request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token
return request_parameters
def generate_signed_url(signin_token, issuer):
request_parameters = generate_signin_request_parameters(signin_token, issuer)
return "https://signin.aws.amazon.com/federation" + request_parameters
def run(account_id, role_name, mfa_arn, duration, issuer, external_id, mfa_token):
tmp_credentials = assume_role(account_id, role_name, duration, external_id, mfa_arn, mfa_token)
signin_token = generate_sign_in_token(tmp_credentials)
return generate_signed_url(signin_token, issuer)
def validate_input(argv):
if (len(argv) < 3):
return False
if (argv[1] == "") or (argv[2] == "") or (argv[3] == ""):
return False
return True
# --- Start of CLI parsing ---
if (validate_input(sys.argv) != True):
print "console.py ACCOUNT_ID ROLE_NAME MFA_ARN"
sys.exit(1)
account_id = sys.argv[1] # Account id of target account
role_name = sys.argv[2]# Name of role to assume in target account
mfa_arn = sys.argv[3] # MFA users ARN. More info: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
duration = 3600 # 1 Hour
issuer = "Example.org" # issuer name for signin url
external_id = getpass.getpass("External ID: ")
mfa_token = getpass.getpass("MFA Token: ")
try:
url = run(account_id, role_name, mfa_arn, duration, issuer, external_id, mfa_token)
print url
except Exception, e:
print("Received error:", e)
sys.exit(1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment