From 420a99c2c98467bd1e1cefb38315c3ab9f07e070 Mon Sep 17 00:00:00 2001 From: Snigdhajyoti Ghosh Date: Tue, 14 Nov 2023 23:51:08 +0530 Subject: [PATCH] fix assume role client loop with dummy credential --- aws_fusion/app.py | 1 - aws_fusion/aws/assume_role.py | 14 ++++++++++++-- .../generate_okta_device_auth_credentials.py | 2 ++ aws_fusion/commands/iam_user_credentials.py | 6 +++++- aws_fusion/okta/api.py | 5 +++-- 5 files changed, 22 insertions(+), 6 deletions(-) diff --git a/aws_fusion/app.py b/aws_fusion/app.py index e935a8a..9e7a864 100644 --- a/aws_fusion/app.py +++ b/aws_fusion/app.py @@ -1,4 +1,3 @@ -import os import argparse from importlib.metadata import version diff --git a/aws_fusion/aws/assume_role.py b/aws_fusion/aws/assume_role.py index fcb7fe9..412a244 100644 --- a/aws_fusion/aws/assume_role.py +++ b/aws_fusion/aws/assume_role.py @@ -34,7 +34,7 @@ def does_valid_token_cache_exists(self): def credential_process(self): credentials = self.__response['Credentials'] - LOG.debug(f'Giving credential as aws credential process format. The credential: {credentials}') + LOG.debug(f'Giving credential as aws credential process format') # https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html return json.dumps({ 
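Review bot: The new `LOG.debug(f'Giving credential as aws credential process format')` keeps an f-prefix on a string that no longer has any placeholder; `LOG.debug('Giving credential as aws credential process format')` says the same without suggesting interpolation. Dropping the credential dump from the message is the right change, since the old line wrote the access key, secret and session token into whatever sink DEBUG logging is routed to. `credential_process` continues past the end of this hunk.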
@@ -44,10 +44,20 @@ def credential_process(self): "SessionToken": credentials['SessionToken'], "Expiration": credentials['Expiration'].strftime('%Y-%m-%dT%H:%M:%S%Z') }) + + def environement_variable(self): + credentials = self.__response['Credentials'] + LOG.debug(f'Giving credential as environement variable format') + + command = '$env:' if sys.platform == 'win32' else 'export ' + + print(f'{command}AWS_ACCESS_KEY_ID="{credentials["AccessKeyId"]}"') + print(f'{command}AWS_SECRET_ACCESS_KEY="{credentials["SecretAccessKey"]}"') + print(f'{command}AWS_SESSION_TOKEN="{credentials["SessionToken"]}"') def assume_role_with_saml(self, saml_response, roles, sessoion_duration): LOG.debug(f'Started assumning role with SAML') - client = boto3.client('sts') + client = boto3.Session(aws_access_key_id='dummy', aws_secret_access_key='dummy').client('sts') selected_role = self.__role try: response = client.assume_role_with_saml( diff --git a/aws_fusion/commands/generate_okta_device_auth_credentials.py b/aws_fusion/commands/generate_okta_device_auth_credentials.py index edd7da9..e7837f5 100644 --- a/aws_fusion/commands/generate_okta_device_auth_credentials.py +++ b/aws_fusion/commands/generate_okta_device_auth_credentials.py @@ -31,4 +31,6 @@ def run(args): if args.credential_process: print(assume_role_with_cache.credential_process()) + else: + print(assume_role_with_cache.environement_variable()) \ No newline at end of file diff --git a/aws_fusion/commands/iam_user_credentials.py b/aws_fusion/commands/iam_user_credentials.py index 9da6097..768f09c 100644 --- a/aws_fusion/commands/iam_user_credentials.py +++ b/aws_fusion/commands/iam_user_credentials.py @@ -1,6 +1,7 @@ import argparse import json import keyring +import sys def setup(subparsers, parent_parser): common_parser = argparse.ArgumentParser(add_help=False) 
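Review bot: `environement_variable` prints its three lines and returns None, while the caller added in the generate_okta_device_auth_credentials.py hunk does `print(assume_role_with_cache.environement_variable())`, so the shell output ends with a stray `None` line; returning the text, as `credential_process` already does, keeps the two methods consistent and fixes the caller without touching it. The method also uses `sys`, which this hunk does not import; if assume_role.py does not already import it, the first call raises NameError. The `boto3.Session(aws_access_key_id='dummy', aws_secret_access_key='dummy').client('sts')` line deserves a why-comment before someone strips the placeholder keys as noise: `# AssumeRoleWithSAML is unsigned; fixed placeholder keys stop botocore from resolving credentials through this tool's own credential_process, which would recurse.` The `command = '$env:' if sys.platform == 'win32' else 'export '` expression is repeated verbatim in the iam_user_credentials.py `run_get` hunk; a small shared helper would keep the two in step.
```python
    def environement_variable(self):
        # … unchanged: credentials lookup and debug log …
        command = '$env:' if sys.platform == 'win32' else 'export '
        return '\n'.join(
            f'{command}{name}="{credentials[key]}"'
            for name, key in (
                ('AWS_ACCESS_KEY_ID', 'AccessKeyId'),
                ('AWS_SECRET_ACCESS_KEY', 'SecretAccessKey'),
                ('AWS_SESSION_TOKEN', 'SessionToken'),
            )
        )
```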
@@ -35,6 +36,9 @@ def run_get(args): "SecretAccessKey": secret_key })) else: - print(secret_key) + command = '$env:' if sys.platform == 'win32' else 'export ' + + print(f'{command}AWS_ACCESS_KEY_ID="{args.access_key}"') + print(f'{command}AWS_SECRET_ACCESS_KEY="{secret_key}"') \ No newline at end of file diff --git a/aws_fusion/okta/api.py b/aws_fusion/okta/api.py index bc88645..bc9e1b0 100644 --- a/aws_fusion/okta/api.py +++ b/aws_fusion/okta/api.py @@ -36,10 +36,11 @@ def verifiction_and_token(org_domain, oidc_client_id, device_code): while True: request = requests.post(url, headers=headers, data=payload) response = request.json() - time.sleep(5) # Check for authorization pending if request.status_code == 400 and response['error'] == 'authorization_pending': + LOG.debug('Waiting for verification') + time.sleep(5) continue # Check for successful verification @@ -47,7 +48,7 @@ def verifiction_and_token(org_domain, oidc_client_id, device_code): break # Unexpected state. Die. - print(response, file=sys.stderr) + LOG.error(response) sys.exit(1) LOG.debug('Validated device code and got access_token & id_token')
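Review bot: `LOG.error(response)` in the second okta/api.py hunk records only the body, yet the branch that reaches it was chosen by `request.status_code`, which the log then lacks; `LOG.error('Unexpected response from token endpoint: status=%s body=%s', request.status_code, response)` makes the "unexpected state" exit diagnosable from the log alone. Moving `time.sleep(5)` into the `authorization_pending` branch in the first hunk is an improvement, as the success path no longer waits a full interval before returning. `verifiction_and_token` begins before the first hunk and its success check sits between the two.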