Skip to content

This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.

License

Notifications You must be signed in to change notification settings

awslabs/iam-roles-anywhere-session

IAM Roles Anywhere Session

License PyPI version Status

Code style: black pre-commit

This package provides an easy way to create a refreshable boto3 Session with IAM Roles Anywhere, without defining an AWS profile with relevant configuration for IAM roles anywhere.

This package implements the algorithm described here: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html.

Requirements

  • Python 3.8 or later
  • Creation and configuration of a trust anchor. See documentation
  • Valid X.509 certificate, private key, and optionally a certificate chain file associated with your trust anchor

Install

  • From PyPi
pip install iam-rolesanywhere-session
  • From source
git clone https://github.com/awslabs/iam-roles-anywhere-session.git
cd iam-roles-anywhere-session
python3 -m pip install ./

Configuration

For this package to work you will need to have at your disposal your certificate and private_key file in a PEM format.

IAMRoleAnywhereSession will take multiple arguments:

Name Description Type Default value
profile_arn The Amazon Resource Name (ARN) of the profile. string None
role_arn The Amazon Resource Name (ARN) of the role to assume. string None
trust_anchor_arn The Amazon Resource Name (ARN) of the trust anchor. string None
certificate The x509 certificate file, in PEM format. path or bytes None
private_key The certificate private key file, in PEM Format. path or bytes None
private_key_passphrase The passphrase use to decrypt private key file. string None
region The name of the region where you configured IAM Roles Anywhere. string us-east-1
session_duration The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to 3600 seconds (1 hour). int 3600
service_name An identifier for the service, used to build the botosession. string rolesanywhere
endpoint Roles Anywhere API endpoint to use string '{service_name}.{region_name}.amazonaws.com'
verify Whether to validate SSL certificates, or the path to a trusted certificate authority bool or str None
proxies Proxy endpoint(s) for use behind private networks with a proxy. dict {}
proxies_config A dictionary of additional proxy configurations. dict {}
from iam_rolesanywhere_session import IAMRolesAnywhereSession
roles_anywhere_session = IAMRolesAnywhereSession(
    profile_arn="arn:aws:rolesanywhere:eu-central-1:************:profile/a6294488-77cf-4d4a-8c5c-40b96690bbf0",
    role_arn="arn:aws:iam::************:role/IAMRolesAnywhere-01",
    trust_anchor_arn="arn:aws:rolesanywhere:eu-central-1::************::trust-anchor/4579702c-9abb-47c2-88b2-c734e0b29539",
    certificate='certificate.pem',
    private_key='privkey.pem',
    region="eu-central-1"
).get_session()
s3 = roles_anywhere_session.client("s3")
print(s3.list_buckets())

Documentation

You can find here the complete documentation with additional usage and module reference.

Contributing

Contributions are very welcome. To learn more, see the Contributor Guide.

License

Distributed under the terms of the Apache 2

About

This package provides an easy way to create a refreshable boto3 Session with AWS Roles Anywhere.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages