benkehoe / aws-export-credentials Goto Github PK

It would be nice if a command like:

aws-export-credentials \
  --debug \
  --profile $profile \
  --cache-file ~/.aws/aec/$profile.cache 

would work even if the aec directory does not exist

After merging and releasing aws/aws-cli#7398, I believe aws configure export-credentials should be the recommended solution. It would be worth to note in the README.md that aws-export-credentials is either a legacy solution (is it?) or highlight differences between these two approaches.

Any way to force an update after creds are already exported to the cred files?

I have creds with expiration time and needs to be refreshed but the tool doesn't seem to do that if cred files are already present. There is a --refresh option but i think that may be for something else.

I thought someone had opened an issue for this, but now I can't find any. I think IMDS might break without a session token, which means we would need to get temporary credentials if it's an IAM user. This would also need to be implemented on the standalone server https://github.com/benkehoe/imds-credential-server

Currently, aws-export-credentials --profile my-profile --exec aws lambda list-functions will fail because the subprocess cannot find a region to use. aws-export-credentials should determine the region, if one is set, on the session, and pass it in to the subprocess as AWS_DEFAULT_REGION.

I'm not clear if it should be included for --env or --credentials-file-profile

Needs some additional data per benkehoe/imds-credential-server#4

The proper environment variable for credential expiration is AWS_CREDENTIAL_EXPIRATION, supported in botocore, but I was unaware of that and named it AWS_CREDENTIALS_EXPIRATION. So that needs to be changed. Also update the field for the credentials file option, though that is not at all supported as far as I'm aware.

aws --profile mine sts assume-role --role-arn "arn:aws:iam::XYZ:role/ViewLogsPlease" --role-session-name ViewOne
{
    "Credentials": {
        "AccessKeyId": "REDACTED",
        "SecretAccessKey": "REDACTED",
        "SessionToken": "REDACTED",
        "Expiration": "2021-08-17T09:56:17+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROARIZSHQ5ZB4BAEOCU2:ViewOne",
        "Arn": "arn:aws:sts::XYZ:assumed-role/ViewLogsPlease/ViewOne"
    }
}

Right now, AFAICT I'm supposed to set this up manually, maddeningly

Using Python's build-in web server, we should be able to mimic the EC2 instance metadata server, which would be a convenient way of retrieving credentials for certain situations.

I have the following ~/.aws/config file on an EC2. I know it seems redundant as it isn't assuming a role, but I need the named profile for my use case:

[profile myprofile]
credential_source = Ec2InstanceMetadata
region = us-west-2
output = json

When running aws-export-credentials --credentials-file-profile myprofile I receive the following error:

Traceback (most recent call last):
  File "/home/ubuntu/.local/bin/aws-export-credentials", line 8, in <module>
    sys.exit(main())
  File "/home/ubuntu/.local/lib/python3.10/site-packages/aws_export_credentials/aws_export_credentials.py", line 269, in main
    write_values(session, args.credentials_file_profile, values)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/aws_export_credentials/config_file_writer.py", line 54, in write_values
    session.get_config_variable('credentials_file'))
AttributeError: 'Session' object has no attribute 'get_config_variable'

Didn't quite grok pipx. I assumed it would install to pwd, but I think it installed into ~/.local/bin... and it still didn't find the module.

pipx run aws_export_credentials
'aws_export_credentials' executable script not found in package 'aws_export_credentials'. Available executable scripts:
aws-export-credentials

Workaround was to use python3 -m pip install --user aws-export-credentials