Update to boto3. Add AWS Profile support #174
Conversation
|
Thanks @acmcelwee for this - I actually had a boto3 branch I've been working on, but glad to have you knock this one out :) One question I have, since I haven't played w/ boto3's profile support: Will this break things for those folks who use environment variables? What happens when you don't have a profile setup? I know plenty of people who use the environment variables (including myself - mostly because I like keeping all my AWS credentials encrypted at rest: http://signal0.com/2013/05/14/_more__securely_storing_my_aws_credentials.html), and I wouldn't want this to be non-backwards compatible for them. I'll dive into the code a bit more today/this weekend. Thanks again! |
|
Actually - one thing that might make this easier, if my concerns are correct, is to do away with the |
|
@phobologic boto3 has a nice tiered approach to resolving credentials, where they actually read from environment variables before they resolve credentials from Regarding the |
|
Yeah - I also waffle on this because I will say that you don't necessarily have to re-export your variable every time - you'd just have to do:
We actually do this quite a bit, though using other tools. For our MFA/assumable roles, we use https://github.com/remind101/assume-role - so, for example, when I'm rolling out in prod I do:
The great thing about that is that assume-role uses the environment variables, which means it's basically usable with any tool that uses any form of boto/boto3/standard AWS functionality. The other reason I like it is because I often find myself doing work in a specific environment for a while, in which case I can:
|
…rofile functionality
|
I'd never actually used the
|
|
Awesome - yeah, this kicks ass. I'm swamped right now, but I'll try to get to reviewing this this weekend. Thanks again for all your help! |
| key = self.cfn_bucket.new_key(key_name) | ||
| key.set_contents_from_string(blueprint.rendered, encrypt_key=True) | ||
| self.s3_conn.put_object(Bucket=self.bucket_name, Key=key_name, | ||
| Body=blueprint.rendered, ServerSideEncryption='AES256') |
There was a problem hiding this comment.
I don't think this will pass pep8 - in general, can you also make lines < 80. We've kept the code base at that for the most part, despite the limit being raised to 110.
|
Other than the pep8 changes, this looks good. |
|
@phobologic - pep8 reformatting pushed |
|
Awesome, thanks @acmcelwee! |
Updating to boto3 provides support for the standard AWS multi-profile capabilities.
When I first started trying to use stacker, I spun my wheels for quite a while to figure out how to make it work with our multi-profile support. I eventually stumbled on the closed issue #106, which pointed me in the right direction, but it was certainly big hurdle that I could see stopping a lot of people from trying to pick up a new tool. All of our AWS credentials are temporary security credentials so I ended up having to refresh my credentials (with our usual tool) and then do a nasty dance along the lines of
export AWS_SECURITY_TOKEN="$(cat ~/.aws/credentials | grep aws_session_token | head -n2 | tail -n1 | awk '{print $3}')". Supporting the modern credentials management with multi-profile support would probably ease adoption going forward.