Check out the documentation at awsu.me!
trek10inc / awsume
A utility for easily assuming AWS IAM roles from the command line.
Home Page: https://awsu.me
License: MIT License
Hi there, I'm working on a client site with a very restrictive proxy server setup.
It's a cluster of poorly-configured BlueCoat instances and they are interfering with our traffic to AWS, and sometimes blocking the requests.
I've tried divining this with the --debug option but it doesn't show me the URL(s) of the host(s) at AWS that it's attempting to contact, in order to do MFA/STS/role switch things.
Is there a short list of these URLs available somewhere, for proxy whitelisting?
Hi!
My ~/.aws/config looks like this:
[profile p1]
region = eu-west-1
role_arn = arn:aws:iam::111111111111:role/XXX
source_profile = p0
mfa_serial = arn:aws:iam::222222222222:mfa/xxx
duration_seconds = 43200
role_duration = 43200
When I run awsume, I get:
$ awsume p1
Enter MFA token:
Parameter validation failed:
Invalid type for parameter DurationSeconds, value: 43200, type: <class 'str'>, valid types: <class 'int'>
If I remove duration_seconds from ~/.aws/config it works.
I use the following version installed via pip on macOS 10.14.6:
$ awsume -v
4.1.2
$ sudo easy_install pip
Searching for pip
Best match: pip 9.0.3
Processing pip-9.0.3-py2.7.egg
pip 9.0.3 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip2.7 script to /usr/local/bin
Installing pip2 script to /usr/local/bin
Using /Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
$ pip install awsume
Collecting awsume
Using cached awsume-3.0.10.tar.gz
Collecting boto3 (from awsume)
Using cached boto3-1.6.20-py2.py3-none-any.whl
Collecting psutil (from awsume)
Using cached psutil-5.4.3.tar.gz
Collecting yapsy (from awsume)
Using cached Yapsy-1.11.223.tar.gz
Collecting future (from awsume)
Using cached future-0.16.0.tar.gz
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /Library/Python/2.7/site-packages (from boto3->awsume)
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3->awsume)
Using cached s3transfer-0.1.13-py2.py3-none-any.whl
Collecting botocore<1.10.0,>=1.9.20 (from boto3->awsume)
Using cached botocore-1.9.20-py2.py3-none-any.whl
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /Library/Python/2.7/site-packages (from s3transfer<0.2.0,>=0.1.10->boto3->awsume)
Collecting python-dateutil<2.7.0,>=2.1 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached python_dateutil-2.6.1-py2.py3-none-any.whl
Collecting docutils>=0.10 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached docutils-0.14-py2-none-any.whl
Collecting six>=1.5 (from python-dateutil<2.7.0,>=2.1->botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached six-1.11.0-py2.py3-none-any.whl
Installing collected packages: six, python-dateutil, docutils, botocore, s3transfer, boto3, psutil, yapsy, future, awsume
Found existing installation: six 1.4.1
DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling six-1.4.1:
Exception:
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_set.py", line 778, in install
requirement.uninstall(auto_confirm=True)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_install.py", line 754, in uninstall
paths_to_remove.remove(auto_confirm)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_uninstall.py", line 115, in remove
renames(path, new_path)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/utils/init.py", line 267, in renames
shutil.move(old, new)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 302, in move
copy2(src, real_dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 131, in copy2
copystat(src, dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 103, in copystat
os.chflags(dst, st.st_flags)
OSError: [Errno 1] Operation not permitted: '/var/folders/l_/vnj7g_9n6pz4s9r5xclyl10cdbfp4x/T/pip-xARziy-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
$ sudo pip install awsume
The directory '/Users/jburns/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/jburns/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting awsume
Downloading awsume-3.0.10.tar.gz
Collecting boto3 (from awsume)
Downloading boto3-1.6.20-py2.py3-none-any.whl (128kB)
100% |████████████████████████████████| 133kB 2.2MB/s
Collecting psutil (from awsume)
Downloading psutil-5.4.3.tar.gz (412kB)
100% |████████████████████████████████| 419kB 2.5MB/s
Collecting yapsy (from awsume)
Downloading Yapsy-1.11.223.tar.gz (80kB)
100% |████████████████████████████████| 81kB 7.7MB/s
Collecting future (from awsume)
Downloading future-0.16.0.tar.gz (824kB)
100% |████████████████████████████████| 829kB 1.4MB/s
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /Library/Python/2.7/site-packages (from boto3->awsume)
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3->awsume)
Downloading s3transfer-0.1.13-py2.py3-none-any.whl (59kB)
100% |████████████████████████████████| 61kB 5.0MB/s
Collecting botocore<1.10.0,>=1.9.20 (from boto3->awsume)
Downloading botocore-1.9.20-py2.py3-none-any.whl (4.1MB)
100% |████████████████████████████████| 4.1MB 334kB/s
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /Library/Python/2.7/site-packages (from s3transfer<0.2.0,>=0.1.10->boto3->awsume)
Collecting python-dateutil<2.7.0,>=2.1 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading python_dateutil-2.6.1-py2.py3-none-any.whl (194kB)
100% |████████████████████████████████| 194kB 5.2MB/s
Collecting docutils>=0.10 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading docutils-0.14-py2-none-any.whl (543kB)
100% |████████████████████████████████| 552kB 2.4MB/s
Collecting six>=1.5 (from python-dateutil<2.7.0,>=2.1->botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading six-1.11.0-py2.py3-none-any.whl
Installing collected packages: six, python-dateutil, docutils, botocore, s3transfer, boto3, psutil, yapsy, future, awsume
Found existing installation: six 1.4.1
DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling six-1.4.1:
Exception:
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_set.py", line 778, in install
requirement.uninstall(auto_confirm=True)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_install.py", line 754, in uninstall
paths_to_remove.remove(auto_confirm)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_uninstall.py", line 115, in remove
renames(path, new_path)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/utils/init.py", line 267, in renames
shutil.move(old, new)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 302, in move
copy2(src, real_dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 131, in copy2
copystat(src, dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 103, in copystat
os.chflags(dst, st.st_flags)
OSError: [Errno 1] Operation not permitted: '/tmp/pip-S6cVNR-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
When attempting to install awsume on Ubuntu 18.10 with powershell installed, the pip install command hangs while installing the awsume package. No output is shown, and the pip command has to be killed manually (Ctrl+C & Ctrl+Z are even captured and ineffective!). Without powershell installed, things work fine.
It'd be nice if there was a way to disable the shell profile hooks during install, perhaps by environment variable. I have to manually remove them every time, since they conflict with my own shell setup that manages awsume differently.
Getting this error with 3.0.9 in WSL environment (opensuse)
felipe@DESKTOP-TCPCKB9:~/Downloads$ awsume -a velocity-ipaas-nonprod
AWSume: User profile credentials will expire at: 2018-03-19 12:52:54+00:00
AWSume: Role profile credentials will expire at: 2018-03-19 11:52:55
Traceback (most recent call last):
File "/usr/bin/awsumepy", line 11, in <module>
load_entry_point('awsume==3.0.9', 'console_scripts', 'awsumepy')()
File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 1415, in main
awsume.run(command_line_arguments)
File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 1383, in run
func(self, arguments, profiles, user_session, role_session)
File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 862, in get_role_session_callback
start_auto_awsume(args, app, profiles, AWS_CREDENTIALS_FILE, user_session, role_session)
File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 892, in start_auto_awsume
write_auto_awsume_session(args.target_profile_name, auto_profile, credentials_file_path)
File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 958, in write_auto_awsume_session
LOG.debug('AutoAwsume profile: %s', json.dumps(auto_profile, indent=2))
File "/usr/lib64/python2.7/json/__init__.py", line 251, in dumps
sort_keys=sort_keys, **kw).encode(obj)
File "/usr/lib64/python2.7/json/encoder.py", line 209, in encode
chunks = list(chunks)
File "/usr/lib64/python2.7/json/encoder.py", line 434, in _iterencode
for chunk in _iterencode_dict(o, _current_indent_level):
File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
for chunk in chunks:
File "/usr/lib64/python2.7/json/encoder.py", line 442, in _iterencode
o = _default(o)
File "/usr/lib64/python2.7/json/encoder.py", line 184, in default
raise TypeError(repr(o) + " is not JSON serializable")
TypeError: datetime.datetime(2018, 3, 19, 12, 52, 54, tzinfo=tzutc()) is not JSON serializable
Hey guys,
I'm not sure where to send the issue, but on June, I downloaded your "awsume" utility so I would be able to assume an IAM role easily through CMD, and it was working fine.
Recently, I got a new machine and I downloaded your tools, but it seems it's not working anymore.
My new machine is Windows 10 and I believe that you guys updated the utility, so I'm not sure if I'm missing something or there's something wrong.
I created the same profiles I had on my old machine and I was trying to assume one of them through the following command:
awsume AEProfile
After that, it asks me for the MFA code, which I enter, but then it seems like it just keeps assuming the source profile and not the role. (Plus, I noticed that after I entered the MFA code, two sentences are shown: "User profile credentials will expire" and "Role Profile credentials will expire".)
The thing is, the expiration date/time for the role is the same date/time I ran the command at. Please find the attachment.
Then, to verify which profile is being used, I ran the following command:
aws sts get-caller-identity
but it keeps giving me the source profile and not the role!
When I use awsume <name_from_credentials_file> -a, it unsets the AWS_PROFILE env. variable. It never sets it, so I have to do this by hand. Is this an issue (or is it me)?
awsume -v
4.1.3
If I specify duration_seconds in my config file I'm always asked to enter the MFA token for this profile.
If I do not specify duration_seconds I only have to enter the MFA token every now and then.
I've looked a bit at the code in shell_scripts/awsume.fish and it looks like the behavior described would export environment variables.
Could it be that awsume.fish does not get executed in my shell when I run awsume? A subshell running another shell (i.e. bash) would not export variables into fish due to the nature of set.
I could also be going about this completely wrong and fish simply needs special setup and I missed this in the documentation somewhere. But regardless I think it should work out of the box in any supported shell.
awsume -a only sets AWS_PROFILE and AWS_DEFAULT_PROFILE. I think it should also set region, if the role has the region set, else use the region in default
has the region set.
I've just updated to the latest awsume available on pip (4.1.6) and I'm seeing this error:
$ awsume platform-production-admin -a
Session token will expire at 2019-10-01 22:38:18
Role credentials will expire 2019-10-01 16:07:34
[3] 52308
Traceback (most recent call last):
File "/usr/local/bin/autoawsume", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 41, in main
earliest_expiration = min(expirations)
TypeError: can't compare offset-naive and offset-aware datetimes
After upgrading awsume from 3.2.8 to 4.1.9 my colleague and I get an error message when calling "awsume terraform":
Awsume error: Invalid profile terraform Missing keys aws_access_key_id, aws_secret_access_key
Our configuration is standard, we think:
~/.aws/config:
[default]
region = eu-central-1
output = json
[profile terraform]
region = eu-central-1
output = json
mfa_serial = arn:aws:iam:::mfa/scht
[profile DQCustOpsAdmin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminOrganization
source_profile = default
mfa_serial = arn:aws:iam:::mfa/scht
[profile prod-admin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminUserRole
source_profile = terraform
[profile staging-admin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminUserRole
source_profile = terraform
with 2 different account numbers.
~/.aws/credentials:
[default]
aws_access_key_id =
aws_secret_access_key =
[profile terraform]
aws_secret_access_key =
aws_access_key_id =
with 2 different sets of keys.
~/.awsume/config.yaml:
{colors: true, fuzzy-match: false, role-duration: 0}
All this was working for months with awsume 3.2.8.
After installing awsume for the first time, auto-refresh credentials are only generated if the config file has the [default] profile at the beginning. For example:
awsume [name_of_profile] -a
This will fail silently when the aws config file looks something like this:
[name of profile]
...
[default]
...
But it will succeed when the two are reversed:
[default]
...
[name_of_profile]
...
Awesome piece of software, loving it!
It would be great if there was a way to query awsume for the current profile, so that this information could be used elsewhere (e.g. to display the current role in the shell command prompt).
Or is this already possible and I'm missing it from the documentation?
It would be convenient if awsume would also read the source profile in order to get the mfa_serial so we could define it once for an account in the source profile.
Currently we have to duplicate the serial in many [profile] sections.
Most of my roles/users in .aws/config do not have region set. I expect awsume to fall back to the [default] region and set the AWS_REGION env var appropriately.
Instead, the AWS_REGION remains unset.
=========================AWS Profiles========================
PROFILE TYPE SOURCE MFA? REGION
ca-master User None No ap-southeast-2
default User None No ap-southeast-2
itoc User None Yes None
itoc-preprod Role ca-master Yes ap-southeast-2
mycli User None No ap-southeast-2
myuser User None No ap-southeast-2
osssio-audit Role itoc Yes None
osssio-consbilling Role itoc Yes None
osssio-dev Role itoc Yes ap-southeast-2
osssio-ops Role itoc Yes None
osssio-prod Role itoc Yes None
osssio-qldonline Role itoc Yes None
osssio-sandpit Role itoc Yes None
osssio-staging Role itoc Yes ap-southeast-2
osssio-test Role itoc Yes ap-southeast-2
seeingmachines-preprod Role ca-master Yes ap-southeast-2
seeingmachines-prod Role ca-master Yes ap-southeast-2
Hi,
I have successfully installed awsume and also configured the config & credentials files using the CLI.
But when I run:
. awsume profile_name
It's asking me Enter MFA code & Enter MFA code for arn:aws:iam::101549811061:mfa/
I got the MFA code for the first one, but I'm blank on what to do with the second MFA code.
Can anyone help me, what have I done wrong here?
Hi there,
Thanks for the great project!
Trying to install awsume on a new PC and it fails to install with two different errors. One is probably the root cause but not sure which.
The log from pip is attached:
I can see two errors (one about Visual C++ 14.0 and one about failing to run some inline Python):
2019-12-05T13:39:04,744 building 'Levenshtein._levenshtein' extension
2019-12-05T13:39:04,818 error: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/
and
2019-12-05T13:39:05,005 Removed build tracker 'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-req-tracker-yyh6_9_4'
2019-12-05T13:39:05,005 ERROR: Command errored out with exit status 1: 'c:\users\mikeq\appdata\local\programs\python\python38-32\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-install-bq7au0w1\\python-levenshtein\\setup.py'"'"'; __file__='"'"'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-install-bq7au0w1\\python-levenshtein\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\mikeq\AppData\Local\Temp\pip-record-6209qpap\install-record.txt' --single-version-externally-managed --compile Check the logs for full command output.
I have tried
Any help appreciated.
Mike.
Hello,
I have a few profiles configured, two of which are called platform-production-admin and shared-services-admin.
Earlier today I ran . awsume shared-services-admin -a (no issues).
A few hours later (in the same terminal window) I've typed
. awsume platform-production-admin -a
and I see this output:
$ . awsume platform-production-admin -a
Session token will expire at 2019-09-27 23:32:44
Role credentials will expire 2019-09-27 14:57:00
[3] 2930
$ Traceback (most recent call last):
File "/usr/local/bin/autoawsume", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 26, in main
subprocess.run(auto_profile.get('awsumepy_command').split(' '), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 472, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 775, in __init__
restore_signals, start_new_session)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 1522, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'shared-services-admin': 'shared-services-admin'
The traceback is automatically output into the terminal after hitting enter on the . awsume platform-production-admin -a command.
How can I stop this from happening?
If it helps at all I'm on macOS 10.14.5, I installed Python via Homebrew and awsume via pip.
When I pip installed awsume, as expected it modified my .bashrc, however it corrupted the file as there was no newline at EOF. In my case the fault is likely the previous tool that modified it but it is a common enough edge case that it should be addressed.
ps. Loving the tool, will be getting the whole team on it once this issue is fixed!
I am using awsume with multiple profiles. Some of them need MFA, some not. Also I am using awsume within virtualenv.
awsume Version:
pip show awsume
Name: awsume
Version: 2.1.5
Summary: Utility for easily assuming AWS IAM roles from the command line, now in Python!
Home-page: https://github.com/trek10inc/awsume
Author: Trek10, Inc
Author-email: [email protected]
License: MIT
Location: /Users/saruman/virtualenv/aws/lib/python3.6/site-packages
Requires: future, yapsy, python-dateutil, psutil, boto3
I am getting errors when trying to assume a role which does not need MFA. For Roles using MFA no problem occurs.
This is what I get when using a non MFA Profile:
awsume no-mfa-profile
Traceback (most recent call last):
File "/Users/saruman/virtualenv/aws/bin/awsumepy", line 11, in <module>
sys.exit(main())
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 1127, in main
awsumeApp.run()
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 1093, in run
awsumeUserSession = func(configProfile, credentialsProfile, awsumeUserSession, AWS_CACHE_DIRECTORY, commandLineArguments, out_data)
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 340, in get_user_credentials
awsUserSession = get_session_token_credentials(userClient, configSection)
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 523, in get_session_token_credentials
return getSessionTokenClient.get_session_token()
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials
Before running the awsume command no AWS Environments (Credentials, Tokens) have been set.
(aws) saruman@Saruman:~ $ printenv | grep AWS
(aws) saruman@Saruman:~ $
This is my config:
~/.aws/credentials
[john]
aws_access_key_id = XXX
aws_secret_access_key = XXXXX
[bill]
aws_access_key_id = XXX
aws_secret_access_key = XXXXX
~/.aws/config
[profile no-mfa-profile]
output = json
region = eu-central-1
role_arn = arn:aws:iam::XXX:role/RoleName
source_profile = john
[profile mfa-profile]
output = json
region = eu-central-1
role_arn = arn:aws:iam::XXX:role/RoleName
mfa_serial = arn:aws:iam::XXX:mfa/UserName
source_profile = bill
The MFA ones work all the time. The ones without MFA fail. Using the profiles with AWS-CLI works as expected:
aws s3 ls --profile no-mfa-profile
Does anybody have any idea what I'm doing wrong? Thanks.
awsume -l goes to stderr, which is a little annoying when I want to grep. It forces the command to be awsume -l 2>&1 | grep acct-name.
Also, any chance we could get account numbers added to the listing?
I am using pyenv as my version manager. When executing awsume it will print out
$ awsume -s my-profile
User profile credentials will expire: 2018-02-02 22:25:56
Role profile credentials will expire: 2018-02-02 20:12:17+01:00
export AWS_SECRET_ACCESS_KEY=ACCESSKEY
export AWS_ACCESS_KEY_ID=KEYID
export AWS_SESSION_TOKEN=SOMESESSIONTOKEN
export AWS_SECURITY_TOKEN=SOMETOKEN
export AWS_REGION=eu-central-1
export AWS_DEFAULT_REGION=eu-central-1
export AWSUME_PROFILE=my-profile
However, when I call awsume my-profile and then try to print out one of the variables, they are empty.
Using $(awsume -s my-profile) instead makes it work.
I suppose this has something to do with the way pyenv handles executables. The relevant line is
exec "/home/me/.pyenv/libexec/pyenv" exec "$program" "$@"
which as far as I understand starts a subshell and prevents the variables from being exported.
Is there a way to make awsume work with pyenv or am I doing something wrong?
On Windows 7, when installing using pip install awsume, the install would hang and never finish. After this it would recognize the command awsume <profile> but would not reflect the change if you do aws sts get-caller-identity. After looking, I found that .profile was missing in C:\Users\<username>. After creating the file and adding alias awsume=". awsume" it now appears to be working correctly.
My colleagues and I are using version 4.1.9 (determined by awsume --version). We're all experiencing our AWS credentials being removed.
Specifically, we have an identity profile setup that looks like this (in ~/.aws/config):
[profile identity]
region=eu-west-1
duration_seconds = 43200
and then additional profiles that look like this:
[profile platform-admin]
source_profile=identity
role_arn=arn:aws:iam::9999999999:role/AdminAccess
mfa_serial=arn:aws:iam::11111111111:mfa/alex
region=eu-west-1
We then run awsume like so: . awsume platform-admin -a.
However, we're all experiencing the identity profile credentials being removed by awsume, presumably when the awsume temporary credentials are expiring.
Hello!
I use awsume 3.2.9 and when I try to call some tools like awscli and terraform after awsume exported env variables, everything works pretty cool except for the ap-east-1 region:
awscli:
aws --version
aws-cli/1.16.190 Python/3.7.4 Darwin/17.7.0 botocore/1.12.180
awsume production
aws s3 ls s3://some-bucket-in-hong-kong-region/
An error occurred (IllegalLocationConstraintException) when calling the ListObjectsV2 operation: The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.
aws s3 ls --region ap-east-1 s3://some-bucket-in-hong-kong-region/
An error occurred (InvalidToken) when calling the ListObjectsV2 operation: The provided token is malformed or otherwise invalid.
terraform:
awsume production
terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
Error: Error refreshing state: 1 error(s) occurred:
* provider.aws.ap-east-1: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: f366241f-a3eb-11e9-84a3-6d3d417c2079
Freshly installed awsume on MacOS Mojave.
Python version: 3.5.7
AWSume version: 4.0.4 (incidentally, I don't see this release under the Releases)
I get an error when I try to assume a role - It seems to succeed, but in the info message that prints out the session expiration, the script errors out:
$ awsume my-profile
Enter MFA token: xxxxxxxxx
Traceback (most recent call last):
File "/usr/local/opt/pyenv/versions/3.5.7/bin/awsumepy", line 12, in <module>
sys.exit(main())
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/main.py", line 36, in main
run_awsume(sys.argv)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/main.py", line 25, in run_awsume
awsume.run(argument_list)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/app.py", line 231, in run
credentials = self.get_credentials(args, profiles)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/app.py", line 187, in get_credentials
credentials = self.plugin_manager.hook.get_credentials(config=self.config, arguments=args, profiles=profiles)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/hooks.py", line 289, in __call__
return self._hookexec(self, self.get_hookimpls(), kwargs)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/manager.py", line 87, in _hookexec
return self._inner_hookexec(hook, methods, kwargs)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/manager.py", line 81, in <lambda>
firstresult=hook.spec.opts.get("firstresult") if hook.spec else False,
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 208, in _multicall
return outcome.get_result()
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 80, in get_result
raise ex[1].with_traceback(ex[2])
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 187, in _multicall
res = hook_impl.function(*args)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/default_plugins.py", line 389, in get_credentials
ignore_cache=arguments.force_refresh,
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/lib/aws.py", line 90, in get_session_token
safe_print('Session token will expire at {}'.format(parse_time(user_session['Expiration'])), colorama.Fore.GREEN)
File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/lib/aws.py", line 15, in parse_time
return date_time.astimezone(dateutil.tz.tzlocal()).strftime('%Y-%m-%d %H:%M:%S')
ValueError: astimezone() cannot be applied to a naive datetime
I will note that if I remove the offending call to astimezone() from parse_time():
def parse_time(date_time: datetime):
    return date_time.strftime('%Y-%m-%d %H:%M:%S')
it works as expected. But we do note that there are several places in the code that already call this, and when I try to remove those calls but leave it in parse_time(), the error remains.
I'm not super familiar with the dateutil and datetime libraries, but it seems that because the astimezone() is already called in the client code, there is not a need to call it again in parse_time().
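The datetime tracebacks reported on this page (datetime "is not JSON serializable", "can't compare offset-naive and offset-aware datetimes", and "astimezone() cannot be applied to a naive datetime") all come from handling credential expiration values. The following is an added example, not awsume's code, that normalises every expiration to aware UTC before comparing or serialising it; the function names, the five-minute margin and the choice to read naive values as UTC are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample values shaped like the expirations printed in the reports above.
SESSION_EXPIRATION = datetime(2019, 10, 1, 22, 38, 18)                   # naive
ROLE_EXPIRATION = datetime(2019, 10, 1, 16, 7, 34, tzinfo=timezone.utc)  # aware


def to_aware_utc(value, assume_tz=timezone.utc):
    """Normalise a datetime or ISO-8601 string to an aware UTC datetime.

    A naive value carries no offset, so the zone it is read in is a choice the
    caller has to make; assume_tz (UTC by default) is that assumption.
    """
    if isinstance(value, str):
        value = datetime.fromisoformat(value)  # Python 3.7+
    if value.tzinfo is None or value.utcoffset() is None:
        value = value.replace(tzinfo=assume_tz)
    return value.astimezone(timezone.utc)


def earliest_expiration(expirations, assume_tz=timezone.utc):
    """min() over mixed naive/aware values; min() on the raw list raises TypeError."""
    return min(to_aware_utc(e, assume_tz) for e in expirations)


def needs_refresh(expirations, now, margin=timedelta(minutes=5)):
    """True when the earliest credential expires within `margin` of `now`."""
    return earliest_expiration(expirations) - to_aware_utc(now) <= margin


def dump_profile(profile):
    """json.dumps for a profile dict whose values may include datetimes."""
    def encode(obj):
        if isinstance(obj, datetime):
            return to_aware_utc(obj).isoformat()
        raise TypeError("%r is not JSON serializable" % (obj,))
    return json.dumps(profile, indent=2, sort_keys=True, default=encode)


if __name__ == "__main__":
    expirations = [SESSION_EXPIRATION, ROLE_EXPIRATION]
    print("earliest:", earliest_expiration(expirations).isoformat())
    print(dump_profile({"profile": "example", "expiration": ROLE_EXPIRATION}))
```

Expiry arithmetic that raises, or that compares values read in different zones, can leave a refresher holding credentials it believes are still valid, so normalising once at the boundary is the safer place to fix it.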
awsume -r <role> reloads credentials, but awsume -r expects a profile name.
I think awsume -r without a role name should reload ALL profiles that were previously executed with awsume -a <role_name>. This way I don't have to remember which profiles I had previously configured to automatically refresh.
Moreover, I think awsume -r <rolename> should act like awsume -a <rolename>; awsume -r <rolename> if awsume -a was not run previously.
Great program! I love it and use it daily for my consulting work. Keep up the good work.
Hi
I'm looking for any documentation on how to set up awsume with SAML.
Thanks
Syed
I'm trying to create a SAML plugin with ADFS, and here's what the SAML response looks like:
<samlp:Response ID="..." Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
Destination="https://signin.aws.amazon.com/saml"
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="..." IssueInstant="2019-12-05T12:52:34.802Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://example.com/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<Subject>....</Subject>
<Conditions NotBefore="2019-12-05T12:52:34.568Z" NotOnOrAfter="2019-12-05T13:52:34.568Z">....</Conditions>
<AttributeStatement>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
<AttributeValue>neshat</AttributeValue>
</Attribute>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<AttributeValue>
arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
</AttributeValue>
</Attribute>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
<AttributeValue>43200</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2019-12-05T12:35:27.355Z" SessionIndex="...">....</AuthnStatement>
</Assertion>
</samlp:Response>
As you can see, the Attribute element that our code looks for and Attribute element and its parent in my example don't have any explicit namespace.
The best way to do this is to ignore the namespaces, but xml2dict doesn't have that feature. Someone made a PR, but that project hasn't had any activity since September, so I don't think it'd be merged anytime soon.
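The namespace mismatch described in the post above, as an added example (not awsume's or the plugin's own code): Python's ElementTree resolves prefixes to namespace URIs, so matching on the assertion URI finds the Role attribute whether the IdP writes `<Attribute>` under a default namespace, as ADFS does here, or `<saml2:Attribute>`. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def extract_roles(saml_xml: str):
    """Return [(role_arn, provider_arn), ...] from a decoded SAML response."""
    if "<!DOCTYPE" in saml_xml:
        # SAML messages never carry a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in SAML response")
    root = ET.fromstring(saml_xml)
    roles = []
    # "{uri}Attribute" matches on the namespace URI, so the prefix the IdP
    # chose (none, saml:, saml2:) is irrelevant.
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % SAML_NS):
            # ADFS pads the value with newlines; the two ARNs may come in either order.
            arns = [a.strip() for a in (value.text or "").split(",")]
            role = next((a for a in arns if ":role/" in a), None)
            provider = next((a for a in arns if ":saml-provider/" in a), None)
            if len(arns) != 2 or not role or not provider:
                raise ValueError("malformed Role value: %r" % value.text)
            roles.append((role, provider))
    return roles


# Constructed samples: same assertion, default namespace (ADFS style) vs. prefixed.
_BODY = """<{p}Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<{p}AttributeValue>
arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
</{p}AttributeValue></{p}Attribute>"""
ADFS_STYLE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
              '<Assertion xmlns="%s"><AttributeStatement>%s</AttributeStatement>'
              '</Assertion></samlp:Response>' % (SAML_NS, _BODY.format(p="")))
PREFIXED = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml2="%s"><saml2:Assertion><saml2:AttributeStatement>%s'
            '</saml2:AttributeStatement></saml2:Assertion></samlp:Response>'
            % (SAML_NS, _BODY.format(p="saml2:")))

if __name__ == "__main__":
    print(extract_roles(ADFS_STYLE))
    print(extract_roles(PREFIXED))
```

Matching on the namespace URI keeps the lookup scoped to SAML assertion elements, which stripping namespaces altogether would not.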
Traceback (most recent call last):
File "/var/lib/jenkins/.local/bin/awsumepy", line 11, in <module>
load_entry_point('awsume==3.2.9', 'console_scripts', 'awsumepy')()
File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1702, in main
awsume.run(command_line_arguments)
File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1666, in run
mix_role_and_source_profiles(profiles)
File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 291, in mix_role_and_source_profiles
merge_role_and_source_profile(profiles[profile], profiles[source_profile_name])
File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 262, in merge_role_and_source_profile
role_profile['aws_access_key_id'] = source_profile['aws_access_key_id']
KeyError: 'aws_access_key_id'
Not sure why it isn't able to find the "aws_access_key_id" key in role_profile. The credentials and config files are fine and aws-cli works on the box.
Hi Team,
I have looked into the awsume documentation
https://awsu.me/
I need to know how to add the plugin and test in a different environment.
Hi,
I am trying to use awsume to assume a role, but it doesn't switch role when I input awsume <role_name>.
As a workaround, I have to input awsume <role_name> -s and then paste the output again.
Can you please help me with what I am doing wrong?
Thanks
Hello,
I know we can switch profiles with awsume profile_name but in scripts we want to be able to use old good aws --profile profile_name command_name too because we're working with more than one account within the same script.
.aws/config:
[default]
region = eu-west-1
output = json
mfa_serial = arn:aws:iam::111111111:mfa/username
[profile secondary]
role_arn = arn:aws:iam::222222222222:role/rolename
aws_account_id = 222222222222
region = eu-west-1
output = json
source_profile = default
# awsume
Enter MFA token: 825229
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
# aws sts get-caller-identity
{
"UserId": "AIDAR355SJBCL57WUCIW3",
"Account": "111111111",
"Arn": "arn:aws:iam::111111111:user/username"
}
# awsume secondary
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
AWSume: Role profile credentials will expire at: 2019-08-01 09:11:33
# aws sts get-caller-identity
{
"UserId": "AROASJBNLJ5FKMQGYZIFP:awsume-session-secondary",
"Account": "222222222222",
"Arn": "arn:aws:sts::222222222222:assumed-role/rolename/awsume-session-secondary"
}
# awsume
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
# aws --profile secondary sts get-caller-identity
An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Is there a workaround? Using awsume profilename in a script is a bit awkward and I'm afraid we'll have a mess with aws-related system variables.
Thank you.
awsume unsets AWS_REGION, but tools like ec2.py (from Ansible) require the region to be set. I often prefer the environment variable AWS_REGION to --region specified on the command line.
Since awsume knows the region (awsume -l prints it), can it set the AWS_REGION environment variable?
Hi, I installed awsume into a virtualenv and it caused an unexpected problem.
I have installed my own fork of pyenv which does not need to use pyenv which (pyenv/pyenv#1185), and awsume added this line to my .bashrc:
alias awsume=". \$(pyenv which awsume)"
But since I installed awsume into a venv not created by pyenv virtualenv, I do not have any shims, and calling awsume calls the alias, which overrides what is supposed to be called by path.
When the alias is called ($ awsume), the result is this:
pyenv: awsume: command not found
-bash: .: filename argument required
.: usage: . filename [arguments]
The same output is given if called from the venv; (venv) $ awsume results in:
pyenv: awsume: command not found
-bash: .: filename argument required
.: usage: . filename [arguments]
To find out what was happening I ran type -a awsume:
awsume is aliased to `. $(pyenv which awsume)'
awsume is /Users/username/.virtualenvs/venv/bin/awsume
After removing the alias from my .bashrc everything was fine again.
aws configure --profile myuser set region ap-southeast-2
This sets the region.
aws configure --profile myuser get region returns ap-southeast-2 as expected.
awsume -l does not show it.
=====================AWS Profiles=====================
PROFILE TYPE SOURCE MFA? REGION
default User None No ap-southeast-2
myuser User None No None
The default appears correctly, as expected.
On the latest macOS, when I run awsume -s I can see the list of export commands; however, when I try echo $AWS_REGION (or any other) they don't return any value, and the aws s3 ls command isn't returning the correct result. However, when I copy and paste the export AWS lines (from the -s command) I get everything working correctly.
I see awsume does not support credential_source awscli configuration option.
It is expecting role_arn and source_profile in awscli config file or else it reports "Invalid Profile"
This parameter (credential_source) cannot be provided alongside source_profile, and awsume does not like it if source_profile is not configured.
More details,
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
https://awsu.me/troubleshooting/#i-m-getting-an-installation-error-fatal-error-python-h-no-such-file-or-directory will not solve the issue if using python3.
yum install python3-devel is needed if using Python 3. I tested with 3.7.
A common issue I have is I need to unset all existing shell environment variables that a previous run of . awsume -s PROFILE set.
Would be nice if you could run awsume -u and it would dump something such as:
$ awsume -u
unset AWS_SECRET_ACCESS_KEY
unset AWS_ACCESS_KEY_ID
etc...
Hi, I had trouble recently with the fact that Fore.LIGHTCYAN_EX didn't exist. Perhaps you could pick another color. I'm not sure where it went. I just substituted BLUE, and everything worked fine.
In 4.1.6 refreshing fails with the following error trace
Traceback (most recent call last):
File "/usr/local/bin/autoawsume", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 32, in main
session = awsumepy.awsume(*auto_profile.get('awsumepy_command').split(' '))
File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/awsume.py", line 16, in awsume
return app.run([profile_name] + cli_arguments)
File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/app.py", line 247, in run
credentials = self.get_credentials(args, profiles)
File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/app.py", line 186, in get_credentials
credentials = json.loads(json_input)
File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
return _default_decoder.decode(s)
File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Example:
bash-3.2$ awsume poc-admin
AWSume: User profile credentials will expire at: 2019-07-09 03:56:55
AWSume: Role profile credentials will expire at: 2019-07-08 17:04:42
However, I can not run any cli commands on the assumed profile. I can execute a command with --profile <profile_name> and that works fine, but awsume does not assume profile, it stays on default 'do-nothing' profile
Install successfully but on Usage with zsh:
alex@alex ~ awsume -s myprofile
.: no such file or directory: awsume
I am running 'awsume' using a shared credentials file. The config file contains profiles using a source profile in the credentials file. The source profile contains both key attributes as well as a session token, as it's created from a federated credential. I never have credentials stored in [default].
Issue: The session token is never exported to the shell environment.
Example: config file
[default]
region = us-east-1
[profile internal-admin]
role_arn = arn:aws:iam::<your aws account id>:role/admin-role
source_profile = joel
region = us-east-1
Example: credentials file
[default]
[joel]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FQoGZXIvYXdzEK3//////////w==
OS: Mac High Sierra
Shell: bash / zsh
Since AWS Console now supports U2F, it would be good to have that with AWSUME, if at all possible.
$ awsume -l
Traceback (most recent call last):
File "/usr/local/bin/awsumepy", line 11, in <module>
load_entry_point('awsume==3.2.8', 'console_scripts', 'awsumepy')()
File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1668, in main
awsume.run(command_line_arguments)
File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1632, in run
mix_role_and_source_profiles(profiles)
File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 284, in mix_role_and_source_profiles
merge_role_and_source_profile(profiles[profile], profiles[source_profile_name])
File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 259, in merge_role_and_source_profile
role_profile['aws_access_key_id'] = source_profile['aws_access_key_id']
KeyError: 'aws_access_key_id'
everything else works just fine. super weird.
It would be very useful if the mfa key could optionally be supplied as an input parameter to awsume instead of relying on the input prompt.
Having such a feature would make it much easier to wrap custom functionality around awsume to allow mfa to be inserted by additional means on invocation, instead of creating an interrupting workflow.