awscli_bastion package

Submodules

awscli_bastion.cache module

class awscli_bastion.cache.Cache[source]

Bases: object

Manage the bastion-sts credential cache (~/.aws/cli/cache/bastion-sts.json).

delete()[source]

Deletes the cache files in the aws shared cache directory.

does_exist()[source]

Return whether or not the bastion-sts credential cache exists.

Return type:bool
Returns:Whether or not the bastion-sts credential cache exists.
get_expiration(human_readable=True)[source]

Return how much time until the bastion-sts credentials expire.

Parameters:human_readable (bool) – Whether or not to output as human readable.
Returns:How much time until the bastion-sts credentials expire.
Return type:str
is_expired()[source]

Return whether or not the bastion-sts credentials are expired.

Returns:Whether or not the bastion-sts credentials are expired.
Return type:bool
read()[source]

Read json formatted credentials from the bastion-sts cache file.

write(creds)[source]

Writes json formatted credentials to the bastion-sts cache file.

Parameters:creds (dict) – bastion-sts short-lived credentials.

awscli_bastion.cli module

Manage the command line interface.

awscli_bastion.credentials module

class awscli_bastion.credentials.Credentials[source]

Bases: object

Manage getting and setting attributes for the aws shared credentials file.

clear(bastion='bastion')[source]

Clear sts credentials from the aws shared credentials file.

Parameters:bastion (str) – The profile containing the long-lived IAM credentials.
Returns:Whether or not any sts credentials were removed from the aws shared credentials file.
Return type:bool
get_expiration(profile='bastion-sts', human_readable=True)[source]

Return how much time until the bastion-sts credentials expire.

Parameters:
  • profile (str) – The profile containing the sts credentials.
  • human_readable (bool) – Whether or not to output as human readable.
Returns:How much time until the bastion-sts credentials expire.
Return type:str
get_mfa_serial(bastion_sts='bastion-sts')[source]

Get the mfa serial number for the bastion iam user.

Parameters:bastion_sts (str) – The profile containing the ‘mfa_serial’ attribute.
Raises:Exception – Failed to get mfa_serial from bastion_sts profile.
Returns:The identification number of the MFA device that is associated with the bastion_sts profile.
is_expired(bastion_sts='bastion-sts')[source]

Return whether or not the bastion-sts credentials are expired.

Parameters:bastion_sts (str) – The profile containing the sts credentials.
Returns:Whether or not the bastion-sts credentials are expired.
Return type:bool
set_default(profile)[source]

Set the default profile with attributes from another profile.

Parameters:profile (str) – The profile with a ‘role_arn’ attribute.
set_mfa_serial(mfa_serial=None, bastion_sts='bastion_sts')[source]

Set the ‘mfa_serial’ attribute for the given profile, typically the bastion-sts profile.

Parameters:
  • mfa_serial (str) – The identification number of the MFA device that is associated with the IAM user.
  • bastion_sts (str) – The profile that assume role profiles source.
Raises:
  • ClientError – Failed to get mfa_serial from the iam user.
  • Exception – Failed to set mfa_serial for bastion_sts profile.
write()[source]

Write credentials to the aws shared credentials file.
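The Credentials class above edits the aws shared credentials file in place. As an added example (not the package's own code), the following shows the two operations whose semantics matter most for safety: clear(), which must strip the short-lived sts keys from every profile except the long-lived bastion profile, and set_default(), which copies a role profile's attributes into [default]. The credentials file content, the profile names and the exact set of keys treated as "sts credentials" are constructed assumptions for this example.

```python
import configparser
import io

# Constructed sample of an ~/.aws/credentials file: a long-lived "bastion" profile,
# the MFA-backed "bastion-sts" profile holding session credentials, and a role
# profile that is assumed from bastion-sts. All values are placeholders.
SAMPLE_CREDENTIALS_FILE = """\
[bastion]
aws_access_key_id = AKIAEXAMPLEBASTION
aws_secret_access_key = EXAMPLE-LONG-LIVED-SECRET

[bastion-sts]
mfa_serial = arn:aws:iam::123456789012:mfa/example-user
aws_access_key_id = ASIAEXAMPLESESSION
aws_secret_access_key = EXAMPLE-SESSION-SECRET
aws_session_token = EXAMPLE-SESSION-TOKEN

[admin]
role_arn = arn:aws:iam::123456789012:role/example-admin
source_profile = bastion-sts
"""

# Keys that hold short-lived STS material (assumed set). Everything else
# (mfa_serial, role_arn, source_profile, ...) is configuration and must survive.
STS_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def load_credentials(text):
    """Parse shared-credentials INI text, preserving the case of option names."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # must be set before reading
    parser.read_string(text)
    return parser


def dump_credentials(parser):
    """Serialise the parser back to INI text (what would be written to disk)."""
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def clear(parser, bastion="bastion"):
    """Remove STS credential keys from every profile except the bastion profile.

    Returns True if anything was removed, mirroring Credentials.clear() above.
    The long-lived IAM key in the bastion profile is deliberately never touched.
    """
    removed = False
    for section in parser.sections():
        if section == bastion:
            continue
        for key in STS_KEYS:
            if parser.remove_option(section, key):  # True only if the key existed
                removed = True
    return removed


def set_default(parser, profile):
    """Replace [default] with the attributes of `profile`, which must carry a role_arn."""
    if not parser.has_section(profile) or not parser.has_option(profile, "role_arn"):
        raise ValueError(f"profile {profile!r} has no role_arn attribute")
    if parser.has_section("default"):
        parser.remove_section("default")
    parser.add_section("default")
    for key, value in parser.items(profile):
        parser.set("default", key, value)


if __name__ == "__main__":
    creds = load_credentials(SAMPLE_CREDENTIALS_FILE)
    print("removed sts keys:", clear(creds))
    set_default(creds, "admin")
    print(dump_credentials(creds))
```

Running the script prints the cleaned file: [bastion] still has its access key, [bastion-sts] keeps only mfa_serial, and [default] now mirrors [admin].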

awscli_bastion.minimal module

If you are like me, you do not trust open-source tools and libraries to handle admin credentials for your aws accounts. awscli_bastion/minimal.py is written as a script that offers minimal bastion functionality. It is intended to be quick and easy to understand. A minimal number of python libraries are used to reduce security risks.

awscli_bastion.minimal.main()[source]

awscli_bastion.rotate module

class awscli_bastion.rotate.Rotate(deactivate=False, username=None, bastion='bastion', bastion_sts='bastion-sts', region='us-west-2', credentials=None)[source]

Bases: object

Manages the creation, verification, deletion or deactivation, and replacement of aws access keys for the bastion account.

create_access_key()[source]

Create aws access key for the bastion profile.

is_active(access_key)[source]

Ensure that aws access key is active.

Parameters:access_key (str) – The aws access key to verify activation.
Returns:Whether or not the aws access key is active.
Return type:bool
retire_bastion_access_key()[source]

Retire aws access key for the bastion profile. By default, this means deletion. Specify the ‘deactivate’ class variable to deactivate.

rotate()[source]

Rotate aws access key credentials for the bastion profile.

write(access_key)[source]

Write access key to the bastion profile in the aws shared credentials file.

Parameters:access_key (str) – The aws access key to write.
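The Rotate class above lists the steps of a key rotation but not their order, and the order is the whole point: a new key must be created, verified active and written to the profile before the old one is retired, otherwise a failure mid-way leaves the bastion profile with no working key. The example below is added here and is not the package's code; it uses a constructed in-memory stand-in for boto3's IAM client (same call names and keyword arguments as list_access_keys, create_access_key, update_access_key and delete_access_key, but no network), a plain dict in place of the shared credentials file, and the fact that AWS allows at most two access keys per IAM user.

```python
MAX_ACCESS_KEYS_PER_USER = 2  # AWS quota: an IAM user may hold at most two access keys


class FakeIAMClient:
    """Constructed stand-in for boto3's IAM client; keys are tracked in a dict."""

    def __init__(self, existing):
        self.keys = dict(existing)  # AccessKeyId -> "Active" | "Inactive"
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_ACCESS_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser")
        self._n += 1
        key = f"AKIAEXAMPLENEW{self._n:03d}"  # placeholder id
        self.keys[key] = "Active"
        return {"AccessKey": {"AccessKeyId": key, "SecretAccessKey": "example-secret",
                              "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


class Rotate:
    """Create, verify, write, then retire: the old key is only retired once the new one is in use."""

    def __init__(self, iam, username, profiles, deactivate=False, bastion="bastion"):
        self.iam, self.username, self.profiles = iam, username, profiles
        self.deactivate, self.bastion = deactivate, bastion

    def _statuses(self):
        meta = self.iam.list_access_keys(UserName=self.username)["AccessKeyMetadata"]
        return {m["AccessKeyId"]: m["Status"] for m in meta}

    def is_active(self, access_key_id):
        return self._statuses().get(access_key_id) == "Active"

    def create_access_key(self):
        return self.iam.create_access_key(UserName=self.username)["AccessKey"]

    def write(self, access_key):
        # Stand-in for writing to the bastion profile of the shared credentials file.
        self.profiles[self.bastion] = {"aws_access_key_id": access_key["AccessKeyId"],
                                       "aws_secret_access_key": access_key["SecretAccessKey"]}

    def retire_bastion_access_key(self, access_key_id):
        # Deletion by default; deactivation if `deactivate` was requested.
        if self.deactivate:
            self.iam.update_access_key(UserName=self.username, AccessKeyId=access_key_id,
                                       Status="Inactive")
        else:
            self.iam.delete_access_key(UserName=self.username, AccessKeyId=access_key_id)

    def rotate(self):
        current = self.profiles[self.bastion]["aws_access_key_id"]
        # Make room under the two-key quota only by deleting keys that are already Inactive
        # and are not the one in use; anything else is left alone and rotation fails early.
        for key_id, status in self._statuses().items():
            if key_id != current and status == "Inactive":
                self.iam.delete_access_key(UserName=self.username, AccessKeyId=key_id)
        if len(self._statuses()) >= MAX_ACCESS_KEYS_PER_USER:
            raise RuntimeError("two access keys exist and neither can be retired safely")
        new = self.create_access_key()
        if not self.is_active(new["AccessKeyId"]):
            raise RuntimeError("new access key is not active; keeping the current one")
        self.write(new)                          # profile now points at the new key
        self.retire_bastion_access_key(current)  # only then retire the old one
        return new["AccessKeyId"]


if __name__ == "__main__":
    iam = FakeIAMClient({"AKIAEXAMPLEOLD": "Active"})
    profiles = {"bastion": {"aws_access_key_id": "AKIAEXAMPLEOLD",
                            "aws_secret_access_key": "example-old-secret"}}
    print("new key:", Rotate(iam, "example-user", profiles).rotate())
    print("keys on the user:", iam.keys)
```

With deactivate=True the retired key stays on the user as Inactive; the next rotation deletes it to stay under the quota before creating another key.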

awscli_bastion.sts module

class awscli_bastion.sts.STS(bastion='bastion', bastion_sts='bastion-sts', region='us-west-2', credentials=None, cache=None)[source]

Bases: object

A small class that wraps relevant boto3 sts function calls.

assume_role(profile, duration_seconds=3600)[source]

Get the short-lived credentials from sts.assume_role().

Parameters:
  • profile (str) – The profile that contains the ‘role_arn’ and ‘source_profile’ attributes.
  • duration_seconds (str) – The duration, in seconds, that the credentials should remain valid.
Returns:sts credentials
Return type:dict

get_session_token(mfa_code=None, mfa_serial=None, duration_seconds=43200)[source]

Get the short-lived credentials from sts.get_session_token() if the ‘mfa_code’ is provided. Otherwise, try to look up sts credentials from the cache.

Parameters:
  • mfa_code (str) – The value provided by the MFA device.
  • mfa_serial (str) – The identification number of the MFA device that is associated with the IAM user.
  • duration_seconds (str) – The duration, in seconds, that the credentials should remain valid.
Returns:sts credentials
Return type:dict

is_mfa_code_invalid(mfa_code)[source]
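The STS.get_session_token() contract above (call sts only when an MFA code is supplied, otherwise fall back to the cache) depends on the Cache class from the awscli_bastion.cache module: write(), read(), does_exist(), is_expired() and get_expiration(). The example below is added here and is not the package's code; it implements both pieces together so the cache-hit, cache-miss and expiry paths can be exercised. Assumptions: the cache is written to a temporary directory instead of ~/.aws/cli/cache/bastion-sts.json, a constructed in-memory stand-in replaces boto3's STS client (same keyword arguments as get_session_token), credentials expiring within a one-minute skew are treated as expired, and is_mfa_code_invalid() applies the rule that a token code is exactly six decimal digits.

```python
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


class Cache:
    """Stand-in for awscli_bastion.cache.Cache: one JSON file holding one set of STS credentials."""

    def __init__(self, path):
        self.path = path  # the package defaults to ~/.aws/cli/cache/bastion-sts.json

    def does_exist(self):
        return os.path.isfile(self.path)

    def write(self, creds):
        # Owner-only permissions and an atomic rename: the file holds live session credentials.
        os.makedirs(os.path.dirname(self.path), exist_ok=True)
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(creds, fh)
        os.replace(tmp, self.path)

    def read(self):
        with open(self.path) as fh:
            return json.load(fh)

    def delete(self):
        if self.does_exist():
            os.remove(self.path)

    def _expiration(self):
        return datetime.fromisoformat(self.read()["Expiration"])

    def is_expired(self, skew=timedelta(minutes=1)):
        # A missing cache counts as expired; so do credentials that expire within `skew`,
        # so a command started now does not fail halfway through.
        return not self.does_exist() or self._expiration() - skew <= datetime.now(timezone.utc)

    def get_expiration(self, human_readable=True):
        remaining = max(int((self._expiration() - datetime.now(timezone.utc)).total_seconds()), 0)
        if not human_readable:
            return str(remaining)
        hours, rest = divmod(remaining, 3600)
        minutes, seconds = divmod(rest, 60)
        return f"{hours}h {minutes}m {seconds}s"


def is_mfa_code_invalid(mfa_code):
    """Assumed rule: a virtual or hardware MFA token code is exactly six decimal digits."""
    return not (isinstance(mfa_code, str) and len(mfa_code) == 6 and mfa_code.isdigit())


class FakeSTSClient:
    """Constructed stand-in for boto3's STS client; mints placeholder credentials, no network."""

    def __init__(self):
        self.calls = 0

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        self.calls += 1
        expires = datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds)
        return {"Credentials": {"AccessKeyId": f"ASIAEXAMPLE{self.calls:03d}",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": "example-token",
                                "Expiration": expires}}  # boto3 returns a tz-aware datetime


def get_session_token(client, cache, mfa_serial, mfa_code=None, duration_seconds=43200):
    """Call STS only when an MFA code is supplied; otherwise serve unexpired cached credentials."""
    if mfa_code is None:
        if cache.is_expired():
            raise RuntimeError("no valid cached bastion-sts credentials; an MFA code is required")
        return cache.read()
    if is_mfa_code_invalid(mfa_code):
        raise ValueError("MFA code must be six digits")
    resp = client.get_session_token(SerialNumber=mfa_serial, TokenCode=mfa_code,
                                    DurationSeconds=duration_seconds)
    creds = dict(resp["Credentials"])
    creds["Expiration"] = creds["Expiration"].isoformat()  # JSON cannot hold a datetime
    cache.write(creds)
    return creds


if __name__ == "__main__":
    cache = Cache(os.path.join(tempfile.mkdtemp(), "bastion-sts.json"))
    sts = FakeSTSClient()
    serial = "arn:aws:iam::123456789012:mfa/example-user"  # constructed placeholder
    first = get_session_token(sts, cache, serial, mfa_code="123456")
    again = get_session_token(sts, cache, serial)  # no code: served from the cache
    print(first["AccessKeyId"] == again["AccessKeyId"], sts.calls, cache.get_expiration())
```

The second call returns the same AccessKeyId without touching STS, and get_expiration() reports just under twelve hours remaining; once the cached credentials are within the skew of expiring, a call without an MFA code fails instead of handing back credentials about to become useless.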

Module contents

Top-level package for awscli_bastion.