saving progress

dlm6693 · Aug 17, 2023 · 3cff200 · 3cff200
1 parent 3d7e551
commit 3cff200
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 42 deletions.
diff --git a/botocore/credentials.py b/botocore/credentials.py
@@ -56,7 +56,7 @@
 
 logger = logging.getLogger(__name__)
 ReadOnlyCredentials = namedtuple(
-    'ReadOnlyCredentials', ['access_key', 'secret_key', 'token']
+    'ReadOnlyCredentials', ['access_key', 'secret_key', 'token', 'account_id']
 )
 
 _DEFAULT_MANDATORY_REFRESH_TIMEOUT = 10 * 60  # 10 min
@@ -337,7 +337,7 @@ def _normalize(self):
 
     def get_frozen_credentials(self):
         return ReadOnlyCredentials(
-            self.access_key, self.secret_key, self.token
+            self.access_key, self.secret_key, self.token, self.account_id
         )
 
 
@@ -384,7 +384,7 @@ def __init__(
         self._refresh_lock = threading.Lock()
         self.method = method
         self._frozen_credentials = ReadOnlyCredentials(
-            access_key, secret_key, token
+            access_key, secret_key, token, account_id
         )
         self._normalize()
 
@@ -553,7 +553,7 @@ def _protected_refresh(self, is_mandatory):
             return
         self._set_from_data(metadata)
         self._frozen_credentials = ReadOnlyCredentials(
-            self._access_key, self._secret_key, self._token
+            self._access_key, self._secret_key, self._token, self._account_id
         )
         if self._is_expired():
             # We successfully refreshed credentials but for whatever
@@ -680,6 +680,9 @@ def _make_file_safe(self, filename):
 
     def _get_credentials(self):
         raise NotImplementedError('_get_credentials()')
+
+    def _resolve_account_id(self, response=None):
+        raise NotImplementedError('_resolve_account_id()')
 
     def fetch_credentials(self):
         return self._get_cached_credentials()
@@ -699,12 +702,13 @@ def _get_cached_credentials(self):
 
         creds = response['Credentials']
         expiration = _serialize_if_needed(creds['Expiration'], iso=True)
+        account_id = self._resolve_account_id(response)
         return {
             'access_key': creds['AccessKeyId'],
             'secret_key': creds['SecretAccessKey'],
             'token': creds['SessionToken'],
             'expiry_time': expiration,
-            'account_id': response['AccountId'],
+            'account_id': account_id,
         }
 
     def _load_from_cache(self):
@@ -780,8 +784,8 @@ def _create_cache_key(self):
         argument_hash = sha1(args.encode('utf-8')).hexdigest()
         return self._make_file_safe(argument_hash)
 
-    def _generate_account_id(self, resp):
-        user_arn = resp['AssumedRoleUser']['Arn']
+    def _resolve_account_id(self, response):
+        user_arn = response['AssumedRoleUser']['Arn']
         return ArnParser().parse_arn(user_arn)['account']
 
 
@@ -844,9 +848,7 @@ def _get_credentials(self):
         """Get credentials by calling assume role."""
         kwargs = self._assume_role_kwargs()
         client = self._create_client()
-        resp = client.assume_role(**kwargs)
-        resp['AccountId'] = self._generate_account_id(resp)
-        return resp
+        return client.assume_role(**kwargs)
 
     def _assume_role_kwargs(self):
         """Get the arguments for assume role based on current configuration."""
@@ -933,9 +935,7 @@ def _get_credentials(self):
         # the token, explicitly configure the client to not sign requests.
         config = Config(signature_version=UNSIGNED)
         client = self._client_creator('sts', config=config)
-        resp = client.assume_role_with_web_identity(**kwargs)
-        resp['AccountId'] = self._generate_account_id(resp)
-        return resp
+        return client.assume_role_with_web_identity(**kwargs)
 
     def _assume_role_kwargs(self):
         """Get the arguments for assume role based on current configuration."""
@@ -1018,7 +1018,7 @@ def load(self):
             access_key=creds_dict['access_key'],
             secret_key=creds_dict['secret_key'],
             token=creds_dict.get('token'),
-            account_id=creds_dict.get('account_id'),
+            account_id=creds_dict['account_id'],
             method=self.METHOD,
         )
 
@@ -1036,6 +1036,7 @@ def _retrieve_credentials_using(self, credential_process):
             )
         parsed = botocore.compat.json.loads(stdout.decode('utf-8'))
         version = parsed.get('Version', '<Version key not provided>')
+        account_id = self._resolve_account_id(parsed)
         if version != 1:
             raise CredentialRetrievalError(
                 provider=self.METHOD,
@@ -1050,22 +1051,31 @@ def _retrieve_credentials_using(self, credential_process):
                 'secret_key': parsed['SecretAccessKey'],
                 'token': parsed.get('SessionToken'),
                 'expiry_time': parsed.get('Expiration'),
-                'account_id': parsed.get('AccountId'),
+                'account_id': account_id,
             }
         except KeyError as e:
             raise CredentialRetrievalError(
                 provider=self.METHOD,
                 error_msg=f"Missing required key in response: {e}",
             )
+
+    def _resolve_account_id(self, parsed_response):
+        account_id = parsed_response.get('AccountId')
+        if account_id:
+            return account_id
+        return self._profile_config.get('aws_account_id')
 
     @property
-    def _credential_process(self):
+    def _profile_config(self):
         if self._loaded_config is None:
             self._loaded_config = self._load_config()
-        profile_config = self._loaded_config.get('profiles', {}).get(
+        return self._loaded_config.get('profiles', {}).get(
             self._profile_name, {}
         )
-        return profile_config.get('credential_process')
+
+    @property
+    def _credential_process(self):
+        return self.profile_config.get('credential_process')
 
 
 class InstanceMetadataProvider(CredentialProvider):
@@ -1278,6 +1288,7 @@ class SharedCredentialProvider(CredentialProvider):
     # aws_security_token, but the SDKs are standardizing on aws_session_token
     # so we support both.
     TOKENS = ['aws_security_token', 'aws_session_token']
+    ACCOUNT_ID = 'aws_account_id'
 
     def __init__(self, creds_filename, profile_name=None, ini_parser=None):
         self._creds_filename = creds_filename
@@ -1304,8 +1315,9 @@ def load(self):
                     config, self.ACCESS_KEY, self.SECRET_KEY
                 )
                 token = self._get_session_token(config)
+                account_id = config.get(self.ACCOUNT_ID)
                 return Credentials(
-                    access_key, secret_key, token, method=self.METHOD
+                    access_key, secret_key, token, account_id, method=self.METHOD
                 )
 
     def _get_session_token(self, config):

diff --git a/botocore/session.py b/botocore/session.py
@@ -840,6 +840,7 @@ def create_client(
         aws_access_key_id=None,
         aws_secret_access_key=None,
         aws_session_token=None,
+        aws_account_id=None,
         config=None,
     ):
         """Create a botocore client.
@@ -945,6 +946,7 @@ def create_client(
                 access_key=aws_access_key_id,
                 secret_key=aws_secret_access_key,
                 token=aws_session_token,
+                account_id=aws_account_id,
             )
         elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key):
             raise PartialCredentialsError(

diff --git a/requirements-dev-lock.txt b/requirements-dev-lock.txt
@@ -1,6 +1,6 @@
 #
-# This file is autogenerated by pip-compile with python 3.7
-# To update, run:
+# This file is autogenerated by pip-compile with Python 3.7
+# by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements-dev-lock.txt requirements-dev.txt
 #
@@ -169,3 +169,9 @@ zipp==3.8.0 \
     --hash=sha256:56bf8aadb83c24db6c4b577e13de374ccfb67da2078beba1d037c17980bf43ad \
     --hash=sha256:c4f6e5bbf48e74f7a38e7cc5b0480ff42b0ae5178957d564d18932525d5cf099
     # via importlib-metadata
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==67.8.0 \
+    --hash=sha256:5df61bf30bb10c6f756eb19e7c9f3b473051f48db77fddbe06ff2ca307df9a6f \
+    --hash=sha256:62642358adc77ffa87233bc4d2354c4b2682d214048f500964dbe760ccedf102
+    # via -r requirements-dev.txt
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -9,3 +9,4 @@ pytest-cov==2.12.1
 pytest-xdist==2.4.0
 atomicwrites>=1.0 # Windows requirement
 colorama>0.3.0 # Windows requirement
+setuptools==67.8.0