Support multiple profiles for AWS #34

Open
baltika10 opened this issue Jul 17, 2018 · 6 comments · May be fixed by #138
Comments

@baltika10

baltika10 commented Jul 17, 2018

Hi,
On my machine I am using other AWS services, which use different credentials.
Credentials are stored in ~/.aws/credentials which supports multiple profiles, but the tool is not able to receive the profile name (it just uses the default one).

Is it possible to add a new parameter for the profile name or to provide credentials as an argument?

@jamesrenaud

Check out #1

@jonapich

jonapich commented Sep 7, 2018

I wasn't able to make it work OOTB either. It probably supports simple profiles, but it doesn't seem to support Assume Roles embedded into profiles. You gotta do the assume role yourself and then output the environment variables for aws-es-proxy to use.

Here's the script I used, hope it can be useful to someone else:

```python
import boto3
from subprocess import run, PIPE

# Assume the role using the credentials of the named profile
sts = boto3.Session(profile_name='profile_name').client('sts')
creds = sts.assume_role(RoleSessionName='anything_goes',
                        RoleArn='arn:aws:iam::ACCOUNTID:role/ROLE_TO_ASSUME',
                        DurationSeconds=4*60*60)['Credentials']

proxy_args = ['./aws-es-proxy',
              '-endpoint', 'https://my-aws-es-cluster.region.es.amazonaws.com',
              '-verbose',
              '-pretty']

# env= replaces the whole environment, so the proxy sees only these temporary credentials
proxy_environment = {
    'AWS_ACCESS_KEY_ID': creds['AccessKeyId'],
    'AWS_SECRET_ACCESS_KEY': creds['SecretAccessKey'],
    'AWS_SESSION_TOKEN': creds['SessionToken']
}

# run() blocks until the proxy exits; its stdout is captured in proxy.stdout
proxy = run(proxy_args, env=proxy_environment, stdout=PIPE)
```

@abutaha
Owner

abutaha commented Nov 1, 2018

Hi,

The ask for a '-profile' option has been raised multiple times. I see that most of the requests come when assume role is being used. I will work on this in the coming days and find a way to better support assuming roles and using different profiles.

Thanks,

@Issif

Issif commented Nov 30, 2018

If it can help, here's a snippet from one of my tools for AWS:

```go
package main

import (
	"flag"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
)

func main() {
	// Arguments
	region := flag.String("region", "eu-west-1", "AWS region")
	profile := flag.String("profile", "default", "Profile from ~/.aws/config")
	flag.Parse()

	// Create session (credentials from ~/.aws/config)
	sess := session.Must(session.NewSessionWithOptions(session.Options{
		SharedConfigState:       session.SharedConfigEnable,  // enable use of ~/.aws/config
		AssumeRoleTokenProvider: stscreds.StdinTokenProvider, // ask for MFA if needed
		Profile:                 *profile,
		Config:                  aws.Config{Region: aws.String(*region)},
	}))
	_ = sess // hand sess to the AWS service clients
}
```

Regards,

@leptitchriss
@jonapich I know your post is over a year old and the project has been updated since, but I'm running into a very similar problem as you dealing with Assumed Roles and have implemented a very similar solution. What happens to your process once the session token expires? I'm considering going with this approach and simply refreshing the session credentials and restarting the proxy each time but it does not seem as elegant as I would have liked.

@abutaha on a side note, the proxy credentials don't seem to pick up the AWS_SESSION_TOKEN in the ~/.aws/credentials file for the default profile. Is that something that can be added? This way we would be able to simply update the temporary credentials provided by the Assume Role call (via aws cli, boto3, or other) and the proxy would simply update itself with the new credentials without having to worry about updating environment variables for a running process.

Aside from that, thank you for your hard work, this project solves a very niche problem that I'm surprised AWS hasn't tackled themselves...

Let me know what you think!

@jonapich

@leptitchriss I only use it once in a while in limited sessions, never had them expire.

Your nickname is sick 😆
