Allow additional variable to control STS credential lifespan
irby committed Apr 24, 2024
1 parent 3204d18 commit 267fd4a
Showing 4 changed files with 30 additions and 6 deletions.
6 changes: 6 additions & 0 deletions .env.template
@@ -0,0 +1,6 @@
AWS_MFA_DEVICE=
AWS_ROLE_ARN=
AWS_PROFILE=
AWS_SET_PROFILE=

EXPIRY_TIME_HOURS=
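Review bot: `EXPIRY_TIME` is missing from the template even though the script reads it (`os.getenv("EXPIRY_TIME")`) and the `-x` help text advertises it; add `EXPIRY_TIME=` beside `EXPIRY_TIME_HOURS=` so the template lists every variable the tool honours, or drop the env-var path for seconds. Since the script refuses to run when both lifetimes are supplied, a one-line comment here saying to fill in only one of the two would also spare users a confusing failure.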
5 changes: 5 additions & 0 deletions .gitignore
@@ -1,4 +1,9 @@
# Environment variables
*.env
.env.*
!.env.template


.DS_Store

__pycache__
10 changes: 6 additions & 4 deletions README.md
@@ -26,14 +26,16 @@ Here is the documentation for the CLI tool:

```bash
python3 aws-session-token.py --help
usage: aws-session-token.py [-h] [-x EXPIRY] [-a ACTING_AS] [-e ENV_FILE] [-d DEVICE] [-t TOKEN] [-r ROLE_ARN] [-s] [-p PROFILE] [-v] [--version]
usage: aws-session-token.py [-h] [-x EXPIRY] [-xh EXPIRY_HOURS] [-a ACTING_AS] [-e ENV_FILE] [-d DEVICE] [-t TOKEN] [-r ROLE_ARN] [-s] [-p PROFILE] [-v] [--version]

Get AWS Session Token

options:
-h, --help show this help message and exit
-x EXPIRY, --expiry EXPIRY
Expiry time in seconds. Default: 3600
Expiry time in seconds. Can also be set as EXPIRY_TIME environment variable. Default: 3600
-xh EXPIRY_HOURS, --expiry-hours EXPIRY_HOURS
Expiry time in hours. Can also be set as EXPIRY_TIME_HOURS environment variable. Default: 1
-a ACTING_AS, --acting-as ACTING_AS
AWS profile to act as to execute STS call. Can also be set as AWS_PROFILE environment variable
-e ENV_FILE, --env-file ENV_FILE
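Review bot: the help text for `-x` and `-xh` does not say that the two are mutually exclusive, yet the script now aborts when both are given; add that to both help strings (for example "Cannot be combined with --expiry-hours") so `--help` and the README explain the error a user will otherwise hit. A two-letter single-dash flag like `-xh` also reads as `-x` followed by `h` and cannot be bundled with other short options; a single-letter short form would be more conventional.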
@@ -66,8 +68,8 @@ AWS_SET_PROFILE=my-profile-token
## Example usage
Assuming a `.env` file has been setup with the values defined above, you can use the following command to save the credentials generated by STS to your `~/.aws/credentials` file under the profile `app-dev-token` with the MFA one-time token `123456`:
Assuming a `.env` file has been setup with the values defined above, you can use the following command to save the credentials generated by STS to your `~/.aws/credentials` file under the profile `app-dev-token` with the MFA one-time token `123456` and with a credential lifespan of `8 hours`:
```bash
python3 aws-session-token.py -e .env --save -t 123456
python3 aws-session-token.py -xh 8 -e .env --save -t 123456
```
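Review bot: the example requests an 8-hour lifetime for credentials obtained through the role in `AWS_ROLE_ARN`, but STS only honours a `DurationSeconds` up to that role's configured maximum session duration (one hour unless the role has been changed), so the command as written will be rejected for many roles. Add a sentence saying the role's maximum session duration must permit the requested lifetime, and note that writing eight-hour credentials into `~/.aws/credentials` widens the window in which a copied credentials file remains usable.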
15 changes: 13 additions & 2 deletions aws-session-token.py
@@ -2,7 +2,8 @@
from __version import __version__

parser = argparse.ArgumentParser(description='Get AWS Session Token')
parser.add_argument('-x', '--expiry', required=False, help="Expiry time in seconds. Default: 3600", default=3600, type=int)
parser.add_argument('-x', '--expiry', required=False, help="Expiry time in seconds. Can also be set as EXPIRY_TIME environment variable. Default: 3600", type=int)
parser.add_argument('-xh', '--expiry-hours', required=False, help="Expiry time in hours. Can also be set as EXPIRY_TIME_HOURS environment variable. Default: 1", type=int)
parser.add_argument('-a', '--acting-as', required=False, help="AWS profile to act as to execute STS call. Can also be set as AWS_PROFILE environment variable")
parser.add_argument('-e', '--env-file', required=False, help="Path to env file with AWS configuration.")
parser.add_argument('-d', '--device', required=False, help="MFA device identifier. Can also be set as AWS_MFA_DEVICE environment variable")
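Review bot: the "only one of the two" rule is enforced by hand further down; argparse can enforce it at parse time with `group = parser.add_mutually_exclusive_group()` and registering `-x`/`-xh` on the group, which yields a standard usage error and keeps the constraint next to the definitions. Dropping `default=3600` from `-x` also means the literal "Default: 3600" and "Default: 1" in the help strings now have to be kept in sync manually with the `expiry_time = 3600` fallback in the body.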
@@ -29,14 +30,24 @@
else:
dotenv.load_dotenv(config['env_file'])

if config['expiry'] is not None and config['expiry_hours'] is not None:
raise ValueError("Both expiry and expiry_hours cannot be set. Please set only one")

mfa_token = config['token']
mfa_device = config['device'] or os.getenv("AWS_MFA_DEVICE")
profile = config['profile'] or os.getenv("AWS_SET_PROFILE")
role_arn = config['role_arn'] or os.getenv("AWS_ROLE_ARN")
expiry_time = config['expiry']
save_token = config['save']

expiry_time_seconds = config['expiry'] or os.getenv("EXPIRY_TIME")
expiry_time_hours = config['expiry_hours'] or os.getenv("EXPIRY_TIME_HOURS")

expiry_time = 3600

if expiry_time_seconds is not None:
expiry_time = int(expiry_time_seconds)
elif expiry_time_hours is not None:
expiry_time = int(expiry_time_hours) * 3600

if role_arn is None:
raise KeyError("Role ARN not set. Please set AWS_ROLE_ARN environment variable or use -r/--role-arn argument")
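Review bot: the both-set check at the top of the hunk only covers the CLI flags; if `.env` defines both `EXPIRY_TIME` and `EXPIRY_TIME_HOURS`, `expiry_time_seconds` is truthy and the hours value is silently ignored instead of raising. Move the check below the two `os.getenv` lookups and test `expiry_time_seconds` and `expiry_time_hours` instead. Two smaller points on the same lines: `config['expiry'] or os.getenv("EXPIRY_TIME")` treats `-x 0` as unset (use `is not None`), and `int(...)` on a value from the env file raises a bare `ValueError` for input such as `EXPIRY_TIME_HOURS=8h`, so wrap it to report which variable was malformed. Nothing validates that the computed `expiry_time` is positive either; rejecting zero or negative values here gives a clearer message than the STS error that would otherwise surface.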
