This package provides an easy way to create a refreshable boto3 Session with IAM Roles Anywhere, without defining an AWS profile that carries the IAM Roles Anywhere configuration.
This package implements the algorithm described here: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html.
- Python 3.8 or later
- Creation and configuration of a trust anchor. See documentation
- Valid X.509 certificate, private key, and optionally a certificate chain file associated with your trust anchor
- From PyPI

```bash
pip install iam-rolesanywhere-session
```

- From source

```bash
git clone https://github.com/awslabs/iam-roles-anywhere-session.git
cd iam-roles-anywhere-session
python3 -m pip install ./
```
For this package to work, you need your `certificate` and `private_key` files in PEM format.

`IAMRolesAnywhereSession` takes the following arguments:

Name | Description | Type | Default value |
---|---|---|---|
profile_arn | The Amazon Resource Name (ARN) of the profile. | string | None |
role_arn | The Amazon Resource Name (ARN) of the role to assume. | string | None |
trust_anchor_arn | The Amazon Resource Name (ARN) of the trust anchor. | string | None |
certificate | The X.509 certificate file, in PEM format. | path or bytes | None |
private_key | The certificate private key file, in PEM format. | path or bytes | None |
private_key_passphrase | The passphrase used to decrypt the private key file. | string | None |
region | The name of the region where you configured IAM Roles Anywhere. | string | us-east-1 |
session_duration | The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to 3600 seconds (1 hour). | int | 3600 |
service_name | An identifier for the service, used to build the boto session. | string | rolesanywhere |
endpoint | Roles Anywhere API endpoint to use | string | '{service_name}.{region_name}.amazonaws.com' |
verify | Whether to validate SSL certificates, or the path to a trusted certificate authority | bool or str | None |
proxies | Proxy endpoint(s) for use behind private networks with a proxy. | dict | {} |
proxies_config | A dictionary of additional proxy configurations. | dict | {} |

```python
from iam_rolesanywhere_session import IAMRolesAnywhereSession

# Build a refreshable boto3 session from the certificate and private key
# (account IDs are masked in this example).
roles_anywhere_session = IAMRolesAnywhereSession(
    profile_arn="arn:aws:rolesanywhere:eu-central-1:************:profile/a6294488-77cf-4d4a-8c5c-40b96690bbf0",
    role_arn="arn:aws:iam::************:role/IAMRolesAnywhere-01",
    trust_anchor_arn="arn:aws:rolesanywhere:eu-central-1:************:trust-anchor/4579702c-9abb-47c2-88b2-c734e0b29539",
    certificate='certificate.pem',
    private_key='privkey.pem',
    region="eu-central-1"
).get_session()

# Use the session like any other boto3 session.
s3 = roles_anywhere_session.client("s3")
print(s3.list_buckets())
```

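
An added example (not part of the package or its documentation): a preflight check for the arguments in the table above, run before constructing the session so that a malformed ARN, an out-of-range `session_duration` or a swapped certificate and key is caught locally. The names `preflight`, `ARN_PATTERNS` and `PEM_MARKERS`, the 12-digit account ID format, the rule that the profile and trust anchor ARNs carry the configured `region`, and the owner-only permission check on the key file are assumptions of this example.

```python
import os
import re

# Expected ARN shapes for the three ARN arguments (12-digit account ID assumed).
_RA = r"arn:aws[a-z-]*:rolesanywhere:(?P<region>[a-z0-9-]+):\d{12}:"
ARN_PATTERNS = {
    "profile_arn": re.compile(_RA + r"profile/[0-9a-f-]{36}"),
    "trust_anchor_arn": re.compile(_RA + r"trust-anchor/[0-9a-f-]{36}"),
    "role_arn": re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+"),
}
PEM_MARKERS = {
    "certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "private_key": re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}


def _load(value):
    """Return (pem_bytes, path_or_None) for a 'path or bytes' argument."""
    if isinstance(value, bytes):
        return value, None
    with open(value, "rb") as fh:
        return fh.read(), value


def preflight(profile_arn, role_arn, trust_anchor_arn, certificate, private_key,
              region="us-east-1", session_duration=3600):
    """Return a list of problems; an empty list means the arguments look sane."""
    problems = []
    arns = {"profile_arn": profile_arn, "role_arn": role_arn,
            "trust_anchor_arn": trust_anchor_arn}
    for name, arn in arns.items():
        match = ARN_PATTERNS[name].fullmatch(arn)
        if match is None:
            problems.append(f"{name}: malformed ARN")
        # Assumption: profile and trust anchor live in the configured region.
        elif "region" in match.groupdict() and match["region"] != region:
            problems.append(f"{name}: ARN region differs from region={region}")
    if not 900 <= session_duration <= 3600:
        problems.append("session_duration: outside 900-3600 seconds")
    for name, value in (("certificate", certificate), ("private_key", private_key)):
        pem, path = _load(value)
        if not PEM_MARKERS[name].search(pem):
            problems.append(f"{name}: expected PEM block not found")
        # Hardening check (added assumption): key file readable by owner only.
        if name == "private_key" and path and os.stat(path).st_mode & 0o077:
            problems.append("private_key: file is accessible to group/others")
    return problems
```

Call `preflight(...)` with the same values you intend to pass to `IAMRolesAnywhereSession` and refuse to start if the returned list is not empty.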
See the complete documentation for additional usage and the module reference.
Contributions are very welcome. To learn more, see the Contributor Guide.
Distributed under the terms of the Apache 2