boto-source-profile-mfa
AWS boto helper library for reusing MFA tokens in profiles with the same source profile.
Why
We access customer accounts using "assume role" profiles, with roles that require MFA tokens. Our AWS configuration looks like this:
[profile claranet]
aws_access_key_id = ...
aws_secret_access_key = ...
[profile customer1]
external_id = ...
mfa_serial = ...
role_arn = ...
source_profile = claranet
[profile customer2]
external_id = ...
mfa_serial = ...
role_arn = ...
source_profile = claranet
[profile customer3]
external_id = ...
mfa_serial = ...
role_arn = ...
source_profile = claranet
With standard awscli and boto tooling, using each customer profile triggers an MFA prompt. There is caching for each profile, so you are not prompted for an MFA token for the same profile multiple times, but using 3 customer profiles will trigger 3 MFA prompts.
This library provides a way to have only 1 MFA prompt.
How
Standard awscli and boto tooling effectively does:
- Create session for source profile
- Assume role in customer profile with MFA
- Cache result
This library effectively does:
- Create session in source profile
- Get session token with MFA
- Cache result
- Assume role into customer profile
Setup
pip install boto_source_profile_mfa
Usage
Getting a boto3 session in Python:
from boto_source_profile_mfa import get_session
session = get_session('customer1')
s3 = session.client('s3')
print(s3.list_buckets())Set environment variables in Bash:
profile=customer1
# with exit code, better in scripts:
vars=$(awsp $profile) && export $vars
# without exit code, easier to type:
export eval $(awsp $profile)
