Support using STS session tokens in addition to keys #124
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Another method for authentication to AWS is using STS keys. This is common when using 2FA or when using an identity account that ties together other delegated accounts in AWS. Session tokens are supported by Boto, we just need to expose them to our connection methods. This PR adds support for authenticating with session tokens when using environment variables for authentication. It does that by modifying the return of `fetch_aws_secret_key` to return a tri-tuple where the 3rd item of the tuple is the contents of AWS_SECURITY_TOKEN or AWS_SESSION_TOKEN, if available in the environment. Previous versions of different AWS tooling has used AWS_SECURITY_TOKEN as the default environment variable. However, the current standard is AWS_SESSION_TOKEN. This PR will use either of them with a preference towards the AWS_SESSION_TOKEN environment variable. In the case that ~/.ec2-key-pairs or ~/.aws/credentials is being used for authentication, we just return `None` for the session token.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Another method for authentication to AWS is using STS keys. This is common when
using 2FA or when using an identity account that ties together other delegated
accounts in AWS. Session tokens are supported by Boto, we just need to expose
them to our connection methods.
This PR adds support for authenticating with session tokens when using
environment variables for authentication. It does that by modifying the return
of
fetch_aws_secret_keyto return a tri-tuple where the 3rd item of the tupleis the contents of AWS_SECURITY_TOKEN or AWS_SESSION_TOKEN, if available in the
environment.
Previous versions of different AWS tooling has used AWS_SECURITY_TOKEN as the
default environment variable. However, the current standard is
AWS_SESSION_TOKEN. This PR will use either of them with a preference towards
the AWS_SESSION_TOKEN environment variable.
In the case that ~/.ec2-key-pairs or ~/.aws/credentials is being used for
authentication, we just return
Nonefor the session token.