Comments (1)
rorybakerfmr
commented on July 18, 2024
Hello, after researching this further, I no longer think this would be the preferred approach. Other users have requested the ability to reload fresh credentials from the shared credential file in boto3 and the other SDKs:
boto/botocore#2450
boto/botocore#704
aws/aws-sdk#107
Instead, following the advice of @reegnz in the linked aws-sdk issue, we can specify a credential provider in our local machine's AWS profile. The general process is:
In ~/.aws/config, set the following profile configuration (feel free to use a profile other than default):
[default]
credential_process = /path/to/my/loginscript.sh
According to https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html your credential provider must print a JSON object with the credentials to STDOUT. Our internal tool writes the credentials directly to the shared ~/.aws/credentials file and also prints a generic success message to STDOUT, so we suppress that. Additionally note that your login script will likely need its own credentials to interact with your identity provider or other authentication mechanism, so I have omitted that for security reasons. (If you want the credential_process helper to read an environment variable for this, you can add it to your environment before running dynamodump or any other AWS command, i.e. export MY_SECRET=...) We also use the AWS CLI to interact with the shared credentials file rather than trying to parse it ourselves.
loginscript.sh
#!/bin/bash
# our tool uses the 'loginloop' profile as a temp placeholder. Note that
# if this profile does not yet exist then the AWS CLI will print a message to STDERR,
# but credential_process only looks at STDOUT so no need to suppress the error
expiry_time=$(aws configure get expiry_time --profile loginloop)
# since our tool uses the shared credential file anyway, we use the loginloop profile
# as a credential cache so that we aren't requesting a new token on every invocation,
# only if the token is expired or not set. refresh the token 90 seconds before
# expiration to allow a buffer in case your toolset is slow
current_time_plus_90=$(date +%s --date="90 seconds")
if [ -z "$expiry_time" ] || [ $(date -d "$expiry_time" +%s) -le $current_time_plus_90 ]; then
# redirecting STDOUT to /dev/null so only errors are printed
customlogintool --profile loginloop --role role-to-assume > /dev/null
fi
# Get the credentials from the `~/.aws/credentials` file under the `loginloop` profile
aws_creds=$(aws configure get aws_access_key_id --profile loginloop)
aws_secret=$(aws configure get aws_secret_access_key --profile loginloop)
aws_session=$(aws configure get aws_session_token --profile loginloop)
aws_expiry=$(aws configure get expiry_time --profile loginloop)
# write the JSON output to STDOUT
cat <<EOF
{
"Version": 1,
"AccessKeyId": "${aws_creds}",
"SecretAccessKey": "${aws_secret}",
"SessionToken": "${aws_session}",
"Expiration": "${aws_expiry}"
}
EOFfrom dynamodump.
Related Issues (19)
- Support global secondary indexes HOT 1
- multiple gsi HOT 1
- Ability to Simply Create Tables
- Action Required: Fix Renovate Configuration
- Dependency Dashboard
- Restoring dynamoDB in another AWS Account HOT 5
- Ability To Specify Filename/Version/Date
- Unable to use local DynamoDB restore from C# HOT 1
- Incompatible with Localstack HOT 2
- Sync function?
- LocalSecondaryIndexes HOT 5
- I would like to write an AWS blog about this repo HOT 1
- Can not use wild card in many tables HOT 7
- Error encountered when restoring a table with Global Secondary Index using --billingMode PAY_PER_REQUEST HOT 1
- srcTable don't accept dashes
- Restoring database incorrectly processes binary objects inside maps
- Write throughput changes should override indexes as well HOT 1
- Trouble with wildcards HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dynamodump.