Add utility for handling temporary boto sessions #1174

Closed
thomasklinger1234 opened this issue Jun 11, 2021 · 12 comments
@thomasklinger1234

Is your feature request related to a problem? Please describe.

When using the STS AssumeRole API to perform tasks in the context of another IAM role, there is usually a lot of boilerplate code to write:

credentials = sts.assume_role(RoleArn="...", RoleSessionName="...")["Credentials"]
ec2 = boto3.Session(aws_session_token=credentials["SessionToken"], ...).client("ec2")

This feature request is about adding a small new helper utility to make switching roles during Lambda invocations easier.

Describe the solution you'd like
A context manager for assuming a session for a given context, something like

from aws_lambda_powertools.utilities import scoped_session

with scoped_session("ec2", role_arn="<role-arn>") as ec2:
  ec2.describe_regions()

Describe alternatives you've considered

Maybe there is also the possibility to do this using a decorator but I have no good API design for that.

@heitorlessa
Contributor

hey @thomasklinger1234 thanks for raising this - I believe this solidifies the idea of having an SDK Helper utility with these and other functions.

What do you think @jplock?

Example: #1187

@lorengordon

lorengordon commented Jul 1, 2021

Fwiw, I've been using and love @benkehoe's utility https://github.com/benkehoe/aws-assume-role-lib for this kind of assume-role functionality in lambda functions. Lot of good lessons there.

@benkehoe

benkehoe commented Jul 1, 2021

Huh, I have never thought about a context manager for role assumption, though I don't see much value as there's nothing for it to do for cleanup or exception handling. The other thing that you want to avoid is doing it on a per-client (e.g., EC2) basis, this is what boto3 sessions are for (and I would suggest guiding people towards sessions rather than hiding them).
You could just import aws_assume_role_lib.assume_role() into utilities so users don't need to discover and import it separately?
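An added example, not part of any comment in this thread and not Powertools or aws-assume-role-lib code: the context-manager shape requested in the issue, yielding a boto3 session rather than a single client as suggested above. The names `assume_role_credentials` and `assumed_role_session`, and the `sts_client` and `session_factory` parameters, are hypothetical.

```python
import contextlib


def assume_role_credentials(sts_client, role_arn, session_name, duration_seconds=900):
    """Call STS AssumeRole and return keyword arguments for boto3.Session."""
    response = sts_client.assume_role(
        RoleArn=role_arn,
        # The session name becomes part of the assumed-role ARN recorded in
        # CloudTrail, so use a value that identifies the caller.
        RoleSessionName=session_name,
        # 900 seconds is the shortest lifetime STS accepts.
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


@contextlib.contextmanager
def assumed_role_session(role_arn, session_name, duration_seconds=900,
                         sts_client=None, session_factory=None):
    """Yield one session for the assumed role; create every client from it.

    The credentials are static: nothing refreshes them after they expire, and
    there is nothing to release on exit.
    """
    if sts_client is None or session_factory is None:
        import boto3  # deferred so the helper can be exercised with stubs

        sts_client = sts_client or boto3.client("sts")
        session_factory = session_factory or boto3.Session
    yield session_factory(
        **assume_role_credentials(sts_client, role_arn, session_name, duration_seconds)
    )


# Usage inside a Lambda handler (placeholder role ARN):
#   with assumed_role_session("<role-arn>", "inventory-task") as session:
#       ec2 = session.client("ec2")
#       s3 = session.client("s3")  # same temporary credentials, no second AssumeRole
```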

@heitorlessa
Contributor

heitorlessa commented Jul 1, 2021 via email

@ran-isenberg
Contributor

@heitorlessa When we package our lambdas, we explicitly remove boto from the zip file as it's already present in the container image of Lambda. It reduced our zipped by a lot.

@lorengordon

I wish the lambda runtimes would update their boto3/botocore libraries more often, and make it less necessary to include these in the package. Unfortunately, the versions are often quite out-of-date.

@lorengordon

But another good reason to package them anyway is to ensure we are using the same versions we test against...

@ran-isenberg
Contributor

ran-isenberg commented Jul 18, 2021

how do you know what version is merged and actually working? there's also the "older" boto there.

@lorengordon

lorengordon commented Jul 18, 2021

We don't use the original boto v1. The boto3 and botocore versions we use are a requirement of our lambda code, not this library. The packaging logic for the lambda function just needs to support some mechanism of specifying exact versions. We use a requirements.txt file, with Dependabot incrementing the version periodically, and CI/CD exercising the change in our test suite. Pretty straightforward.

@heitorlessa
Contributor

Thanks a lot everyone - I'm moving this to the official Roadmap to give other customers visibility, as TypeScript and C# Powertools are also ramping up quickly to public beta.

Short-term plan is to create an RFC to support SDK high level utilities and gather ideas on what to include. Mid-term, we're working to document the new dynamic feature toggles utility, integrate API reference into the docs, and rewrite the docs for Data Classes and Parser to make it friendlier.

Once these are complete, or if I could get help in parallel, I'd love to have these and other high level utilities for SDK.

@heitorlessa heitorlessa transferred this issue from aws-powertools/powertools-lambda-python Jul 26, 2021
@heitorlessa heitorlessa transferred this issue from aws-powertools/powertools-lambda Apr 28, 2022
@heitorlessa heitorlessa added need-customer-feedback Requires more customers feedback before making or revisiting a decision and removed Proposed labels May 20, 2022
@heitorlessa heitorlessa added the feature-request feature request label Jun 13, 2022
@sthulb sthulb moved this from Triage to Ideas in Powertools for AWS Lambda (Python) Jun 19, 2023
@anafalcao
Collaborator

Hey everyone!
Closing this issue as it's been open for a while now, and we didn't have much customer feedback.
Please open a new one if it's still an issue.

@anafalcao anafalcao closed this as not planned Won't fix, can't repro, duplicate, stale Jan 22, 2025
@github-project-automation github-project-automation bot moved this from Ideas to Coming soon in Powertools for AWS Lambda (Python) Jan 22, 2025
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

@dreamorosi dreamorosi moved this from Coming soon to Closed in Powertools for AWS Lambda (Python) Jan 22, 2025
@dreamorosi dreamorosi added rejected and removed need-customer-feedback Requires more customers feedback before making or revisiting a decision labels Jan 22, 2025