add way für mfa temp session
This commit is contained in:
parent
77d629fcbc
commit
f49234d1f4
3 changed files with 51 additions and 5 deletions
2
build.py
2
build.py
|
@ -27,7 +27,7 @@ use_plugin("python.distutils")
|
||||||
default_task = "publish"
|
default_task = "publish"
|
||||||
|
|
||||||
name = "ddadevops"
|
name = "ddadevops"
|
||||||
version = "0.4.0.dev13"
|
version = "0.4.0.dev15"
|
||||||
summary = "tools to support builds combining gopass, terraform, dda-pallet, aws & hetzner-cloud"
|
summary = "tools to support builds combining gopass, terraform, dda-pallet, aws & hetzner-cloud"
|
||||||
description = __doc__
|
description = __doc__
|
||||||
authors = [Author("meissa GmbH", "buero@meissa-gmbh.de")]
|
authors = [Author("meissa GmbH", "buero@meissa-gmbh.de")]
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
from python_terraform import *
|
from python_terraform import *
|
||||||
|
from boto3 import *
|
||||||
from .credential import gopass_credential_from_env_path
|
from .credential import gopass_credential_from_env_path
|
||||||
|
from .python_util import execute
|
||||||
from .devops_terraform_build import DevopsTerraformBuild
|
from .devops_terraform_build import DevopsTerraformBuild
|
||||||
|
|
||||||
|
|
||||||
|
@ -38,3 +40,47 @@ class AwsMixin(DevopsTerraformBuild):
|
||||||
tf = self.init_client()
|
tf = self.init_client()
|
||||||
tf.plan(capture_output=False, var=self.project_vars(),
|
tf.plan(capture_output=False, var=self.project_vars(),
|
||||||
var_file=self.backend_config())
|
var_file=self.backend_config())
|
||||||
|
|
||||||
|
def get_username_from_account(self, p_account_name):
|
||||||
|
login_id = execute('cat ~/.aws/accounts | grep -A 2 "\[' + p_account_name +
|
||||||
|
'\]" | grep username | awk -F= \'{print $2}\'', shell=True)
|
||||||
|
return login_id
|
||||||
|
|
||||||
|
def get_account_id_from_account(self, p_account_name):
|
||||||
|
account_id = execute('cat ~/.aws/accounts | grep -A 2 "\[' + p_account_name +
|
||||||
|
'\]" | grep account | awk -F= \'{print $2}\'', shell=True)
|
||||||
|
return account_id
|
||||||
|
|
||||||
|
def get_mfa(self, mfa_path='aws'):
|
||||||
|
mfa_token = execute('mfa otp ' + mfa_path, shell=True)
|
||||||
|
return mfa_token
|
||||||
|
|
||||||
|
def write_aws_config(self, to_profile, key, secret):
|
||||||
|
execute('aws configure --profile ' + to_profile +
|
||||||
|
' set ' + key + ' ' + secret, shell=True)
|
||||||
|
|
||||||
|
def get_mfa_session(self, to_account_suffix='dev', role='kauf_developer',
|
||||||
|
toke=None):
|
||||||
|
prefix = 'breuninger-'
|
||||||
|
from_account_name = 'breuninger-iam'
|
||||||
|
from_account_id = self.get_account_id_from_account(from_account_name)
|
||||||
|
to_account_name = prefix + to_account_suffix
|
||||||
|
to_account_id = self.get_account_id_from_account(to_account_name)
|
||||||
|
login_id = self.get_username_from_account(from_account_name)
|
||||||
|
mfa_token = self.get_mfa()
|
||||||
|
ses = Session(profile_name=from_account_name)
|
||||||
|
sts_client = ses.client('sts')
|
||||||
|
response = sts_client.assume_role(
|
||||||
|
RoleArn='arn:aws:iam::' + to_account_id + ':role/' + role,
|
||||||
|
RoleSessionName=to_account_id + '-' + to_account_suffix + '-' + role,
|
||||||
|
SerialNumber='arn:aws:iam::' + from_account_id + ':mfa/' + login_id,
|
||||||
|
TokenCode=mfa_token
|
||||||
|
)
|
||||||
|
|
||||||
|
self.write_aws_config(to_account_name, 'aws_access_key_id',
|
||||||
|
response['Credentials']['AccessKeyId'])
|
||||||
|
self.write_aws_config(to_account_name, 'aws_secret_access_key',
|
||||||
|
response['Credentials']['SecretAccessKey'])
|
||||||
|
self.write_aws_config(to_account_name, 'aws_session_token',
|
||||||
|
response['Credentials']['SessionToken'])
|
||||||
|
print('got token')
|
||||||
|
|
|
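Review bot: `get_username_from_account` and `get_account_id_from_account` splice `p_account_name` unescaped into a string that `execute(..., shell=True)` hands to the shell, and `write_aws_config` does the same with `to_profile`, `key` and `secret`, so any shell metacharacter in those values alters the command and the freshly issued temporary credentials also end up on a visible process command line. The grep/awk pipeline suggests `~/.aws/accounts` is INI-shaped (`[name]` sections with `username=` and `account=` lines — please confirm), in which case `configparser` (imported at module level together with `os`) reads it with no shell involved, as sketched below, and the credentials could be written to the AWS config file the same way instead of through `aws configure`. The `'\['` in the non-raw string literals is additionally an invalid escape sequence that newer interpreters warn about; raw strings or the rewrite avoid it. The `toke=None` parameter of `get_mfa_session` is never read (`mfa_token = self.get_mfa()` is always called) and looks like a misspelled `token` that was meant to be honoured. `from boto3 import *` in the first hunk could be narrowed to `from boto3 import Session`, the only boto3 name the new code uses; `AwsMixin` itself starts before the hunk.
```python
    def get_username_from_account(self, p_account_name):
        return self._account_field(p_account_name, 'username')

    def get_account_id_from_account(self, p_account_name):
        return self._account_field(p_account_name, 'account')

    def _account_field(self, p_account_name, field):
        # ~/.aws/accounts looks INI-shaped ([name] sections, key=value lines) — confirm
        accounts = configparser.ConfigParser()
        accounts.read(os.path.expanduser('~/.aws/accounts'))
        return accounts[p_account_name][field]

    # … unchanged: get_mfa, write_aws_config, get_mfa_session …
```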
@ -1,12 +1,12 @@
|
||||||
from subprocess import check_output
|
from subprocess import check_output
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
def execute(cmd):
|
def execute(cmd, shell=False):
|
||||||
if sys.version_info.major == 3:
|
if sys.version_info.major == 3:
|
||||||
output = check_output(cmd, encoding='UTF-8')
|
output = check_output(cmd, encoding='UTF-8', shell=shell)
|
||||||
else:
|
else:
|
||||||
output = check_output(cmd)
|
output = check_output(cmd, shell=shell)
|
||||||
return output
|
return output.rstrip()
|
||||||
|
|
||||||
def filter_none(list):
|
def filter_none(list):
|
||||||
return [x for x in list if x is not None]
|
return [x for x in list if x is not None]
|
||||||
|
|
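Review bot: `execute` gains a `shell` flag but no docstring explaining what it changes: with `shell=True` `cmd` is a single string that `check_output` hands to the system shell, so callers must not build it from values they do not control, while with the default `shell=False` `cmd` is the argument list as before. A docstring such as `"""Run cmd and return its stdout with trailing whitespace removed; with shell=True, cmd is one shell command string and must not contain untrusted input."""` would carry that contract. Note also that `return output.rstrip()` now strips every trailing whitespace character for all existing callers, not only the final newline; `output.rstrip('\n')` is the narrower change if trailing spaces or tabs in command output can ever matter.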