It's relatively easy to get a refreshable assume role session. It'd look like this:
defassume_role(self, role_arn, ...):
# code to set `extra_args` dict of AssumeRole parameters goes herebotocore_session=self.boto_ses._sessioncredentials=botocore_session.get_credentials()
ifnotcredentials:
# Error out now rather than wait for the new session to get usedraiseNoCredentialsErrorcredential_fetcher=AssumeRoleCredentialFetcher(
botocore_session.create_client,
credentials,
role_arn,
extra_args=extra_args
)
assumed_role_credentials=DeferredRefreshableCredentials(
credential_fetcher.fetch_credentials,
"assume-role"
)
assumed_role_botocore_session=botocore.session.get_session()
assumed_role_botocore_session._credentials=assumed_role_credentials# note that if this session's region changes, it will not cascaderegion_name=self.boto_ses.region_namereturnBotoSesManager(
botocore_session=assumed_role_botocore_session,
region_name=region_name
)
Hey @MacHu-GWU - this isn't a sample, it should be in awslabs. You should also discuss this with your upstream (Boto) so you're on the same page as they are regarding the features here.