Add temporary credentials #226
Closed
jamesls added a commit to jamesls/aws-cli that referenced this pull request Nov 7, 2014

This builds on the work of several existing pull requests combining what I believe is the combination of all the suggested changes including:

* Use role_arn to trigger assume role behavior. Do not require an explicit session to be created and ended (aws#667).
* Cache the temporary credentials. If the credentials are not expired then we should reuse them instead of making the assume role call every time (aws#656 and boto/botocore#226).

I think a strong case can be made to move this to botocore. However, the file caching makes me somewhat hesitant to move this into botocore (but I think the AssumeRoleProvider without the caching could be added to botocore). I'd like to evaluate this in the future but for now, I don't think it's unreasonable to leave this in the AWS CLI for the time being. At any rate, this is a straightforward and compatible move if we decide to do so.

Also, the ability to open a browser with the currently scoped session has not been ported over. I'd like to address that in a separate pull request.
jamesls added a commit to jamesls/aws-cli that referenced this pull request Nov 8, 2014
Superseded by jamesls/aws-cli@22932e5
This PR adds the low-level capability of fetching and refreshing temporary credentials. Two new methods are added to the `Session` object:

* `create_temporary_credentials` is called to create a new set of temporary credentials. You pass in information about the service, operation, and kwargs you want to call to actually fetch the credentials. The call is made and the temporary credentials are cached locally. All subsequent calls to operations will use the cached temporary credentials. If the credentials are within 15 minutes of expiration, they will be refreshed automatically.
* `delete_temporary_credentials` is called to delete the locally cached temporary credentials. Once the temporary credentials are deleted, the normal credential search path will be used to find the correct credentials to use for subsequent operations.

There will be a related PR in AWS CLI to add this capability as a new command.
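
The cache, refresh and delete lifecycle from the PR description above, modelled as an added example that is not botocore's code. Only the two method names and the 15-minute window come from the page; the class name `TemporaryCredentialCache`, `get_credentials`, the injected `fetch`/`fallback`/`clock` callables (standing in for the service/operation/kwargs call and the normal search path) and the `demo` scenario are assumptions.

```python
from datetime import datetime, timedelta, timezone

REFRESH_WINDOW = timedelta(minutes=15)  # refresh threshold stated in the PR description


class TemporaryCredentialCache:
    """Hypothetical model of the described behaviour; not botocore's Session."""

    def __init__(self, fallback, clock=lambda: datetime.now(timezone.utc)):
        self.fallback = fallback  # callable standing in for the normal search path
        self.clock = clock        # injectable clock so expiry can be exercised offline
        self.fetch = self.cached = None

    def create_temporary_credentials(self, fetch):
        self.fetch = fetch        # callable that makes the credential-fetching call
        self.refresh()

    def delete_temporary_credentials(self):
        self.fetch = self.cached = None

    def refresh(self):
        creds = self.fetch()
        if creds["expiration"] <= self.clock():  # never cache unusable credentials
            raise ValueError("fetched credentials are already expired")
        self.cached = creds

    def get_credentials(self):
        if self.cached is None:
            return self.fallback()
        if self.cached["expiration"] - self.clock() <= REFRESH_WINDOW:
            self.refresh()
        return self.cached


def demo():
    """Constructed scenario: 1-hour credentials read at +0, +44 and +46 minutes."""
    start = datetime(2014, 11, 7, 12, 0, tzinfo=timezone.utc)
    now, issued = [start], []
    def fake_fetch():  # constructed stand-in for the real service call
        issued.append(f"TEMP-KEY-{len(issued) + 1}")
        return {"access_key": issued[-1], "expiration": now[0] + timedelta(hours=1)}

    cache = TemporaryCredentialCache(lambda: {"access_key": "LONG-TERM"}, lambda: now[0])
    seen = [cache.get_credentials()["access_key"]]  # before create: normal search path
    cache.create_temporary_credentials(fake_fetch)
    for minutes in (0, 44, 46):
        now[0] = start + timedelta(minutes=minutes)
        seen.append(cache.get_credentials()["access_key"])
    cache.delete_temporary_credentials()
    return seen + [cache.get_credentials()["access_key"]]  # after delete: fallback again
```

At +44 minutes the cached key is still served (16 minutes remain); at +46 minutes the read triggers a refresh and a new key is issued.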