boto3 sessions and aws_session_token management


Problem description


I am developing python software which deals with AWS SQS queues. It uses boto3, mostly boto3.session.Session.

I have seen here that we can pass an aws_session_token to the Session constructor.

When running my code outside of Amazon, I need to periodically refresh this aws_session_token since it is only valid for an hour. So I need to reinstantiate a boto3.Session on my own.

I am just wondering how things work inside AWS. Do I need to manually refresh my sessions by getting a new aws_session_token through the environment? Or is my session valid "for ever"/is it handled internally so I don't have to refresh my AWS sessions?

The documentation seems unclear to me.

Solution

Short answer:

AWS generated tokens do not last forever, and same goes for any boto3 session created with generated tokens. But you can set a lengthy TTL on your tokens (up to 36 hours) as long as your tokens weren't generated with the account root user. This gives you a lot of time to do what you need to do with your Python script.

AWS has several ways of handling temporary and permanent access to your account. Generally, you'll want to rely on temporary credentials, as they are safer to use and align more with best practices. Boto3 uses a prioritized list of where it scans for credentials, described here.

Long, rambling answer:

I write a lot of automation code for dozens of AWS accounts, so I've dealt with this stuff a lot.

This assumes you're developing in Linux. Windows is very similar, but has some differences.

There are (at least) three methods to handle remote access to your AWS account:

  1. Maintain a profile in your ~/.aws/credentials file which contains your AWS IAM user access keys, and run your Python script using that profile.

    • All your Python script has to do is create a boto3.session.Session object with no parameters. When you don't provide tokens or a profile name for the session instantiation, boto3 automatically looks for credentials by scanning through the credentials priority list described in the link above.

    • I don't recommend this at all, but it works and gives you an idea of how AWS profiles are used. This is permanent access using your IAM user's API keys, which never expire. While you can use these keys for any action that your IAM user has been granted permission, you shouldn't use them for anything other than assuming specialized roles to do all other work.

  2. Assume a role using the AWS CLI from the command line, load the tokens into environment variables, and then run your Python script.

    • Advantages:
      • Easily automated.
      • Can set the token TTL easily.
      • The tokens can be loaded into environment variables and become instantly available to your Python scripts.
    • Disadvantages:
      • Only practical if your Python script is interacting with one AWS account.
      • If your Python script runs longer than the token TTL (unlikely, but not impossible), then your script will hit an AccessDenied error and stop.
  3. Run the Python script and have it handle role assumption and token juggling.

    • Advantages:
      • Allows you to juggle access to multiple accounts in one place.
      • Can set the token TTL easily.
      • If tokens expire, you can catch the AccessDenied exception, refresh the tokens, and keep going.
    • Disadvantages:
      • Involves maintaining the Python code which gets the access tokens and creates boto sessions with them. Granted, it's not that much code, but it's still code, which means maintenance and clutter.

I generally prefer method 2 and strongly discourage method 1. Method 3 is situational.

Method 1:
From the command line, set your AWS_PROFILE variable to your profile name and run the script. Everything done in the script will use your AWS profile (IAM user access keys).

AWS_PROFILE=<YOUR_CREDENTIALS_PROFILE_NAME> python <PATH_TO_SCRIPT>

Method 2:
From the command line, use your AWS profile to assume a role in the account, and then store the generated tokens in environment variables. Now when you execute the script, it will use those tokens automatically:

credentials=`AWS_PROFILE=<YOUR_AWS_PROFILE_NAME> aws sts assume-role --role-arn <YOUR_AWS_ROLE_NAME> --role-session-name <SOME_SESSION_NAME> --query 'Credentials.{AKI:AccessKeyId,SAK:SecretAccessKey,ST:SessionToken}' --output text`

export AWS_ACCESS_KEY_ID=`echo ${credentials} | awk '{print $1}'`
export AWS_SECRET_ACCESS_KEY=`echo ${credentials} | awk '{print $2}'`
export AWS_SECURITY_TOKEN=`echo ${credentials} | awk '{print $3}'`
export AWS_DEFAULT_REGION=<AWS_REGION>

python <path_to_your_python_script>

Note: since your tokens are loaded into environment variables, AWS_PROFILE should NOT be set when you run your script. All AWS SDKs automatically look for credential tokens in those environment variables. You can read more about them here.

Method 3:
In your Python code, generate the access tokens and then create a session with those tokens.

import boto3

role_info = {
    'RoleArn': 'arn:aws:iam::<AWS_ACCOUNT_NUMBER>:role/<AWS_ROLE_NAME>',
    'RoleSessionName': '<SOME_SESSION_NAME>'
}

client = boto3.client('sts')
credentials = client.assume_role(**role_info)

session = boto3.session.Session(
    aws_access_key_id=credentials['Credentials']['AccessKeyId'],
    aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
    aws_session_token=credentials['Credentials']['SessionToken']
)

Run your script the same as Method 1, except this time your AWS_PROFILE is used to assume the role and any subsequent work is performed through the role since the session is created with the assumed role.

AWS_PROFILE=<YOUR_CREDENTIALS_PROFILE_NAME> python <PATH_TO_SCRIPT>

Hope this helps!
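The answer's Method 3 creates one session from one AssumeRole call, and its "Disadvantages" note the refresh logic you then have to own. The following helper is an added example (not code from the answer or from boto3) showing how that refresh can be handled both proactively, by re-assuming the role a few minutes before the expiry STS reports, and reactively, by retrying once when AWS rejects a token as expired. The names RoleSessionFactory, assume_role_fn, clock, call_with_refresh and the EXPIRED_TOKEN_CODES set are chosen for this example; the STS call is injectable so the expiry logic runs offline, and boto3 is only imported when the real STS or Session path is used.

```python
"""Refresh-aware assume-role helper (added example; names here are invented for it)."""
from __future__ import annotations

import datetime as dt
from typing import Any, Callable, Dict, Optional

# Shape of the dict STS returns under resp["Credentials"].
Credentials = Dict[str, Any]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration

# Error codes botocore surfaces when a session token has lapsed (reactive path).
EXPIRED_TOKEN_CODES = {"ExpiredToken", "ExpiredTokenException", "RequestExpired"}


def boto3_assume_role(role_arn: str, session_name: str, duration_seconds: int) -> Credentials:
    """Default fetcher: STS AssumeRole via boto3. Imported lazily so the expiry logic
    below can be exercised without network access (assumes boto3 is installed here)."""
    import boto3

    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration_seconds
    )
    return resp["Credentials"]  # Expiration arrives as a timezone-aware datetime


def _utcnow() -> dt.datetime:
    return dt.datetime.now(dt.timezone.utc)


class RoleSessionFactory:
    """Hands out role credentials / boto3 Sessions, re-assuming the role
    `refresh_margin` before the expiry STS reported (Method 3, made long-running)."""

    def __init__(
        self,
        role_arn: str,
        session_name: str,
        duration_seconds: int = 3600,
        refresh_margin: dt.timedelta = dt.timedelta(minutes=5),
        assume_role_fn: Callable[[str, str, int], Credentials] = boto3_assume_role,
        clock: Callable[[], dt.datetime] = _utcnow,
    ) -> None:
        self.role_arn = role_arn
        self.session_name = session_name
        self.duration_seconds = duration_seconds
        self.refresh_margin = refresh_margin
        self._assume_role = assume_role_fn  # injectable for offline tests
        self._clock = clock                 # injectable for deterministic tests
        self._creds: Optional[Credentials] = None
        self.refresh_count = 0              # how often the role was (re-)assumed

    def needs_refresh(self) -> bool:
        """True before the first call and once we are inside the safety margin."""
        if self._creds is None:
            return True
        return self._clock() >= self._creds["Expiration"] - self.refresh_margin

    def credentials(self, force: bool = False) -> Credentials:
        """Return current credentials, assuming the role again if they are (nearly) expired."""
        if force or self.needs_refresh():
            self._creds = self._assume_role(self.role_arn, self.session_name, self.duration_seconds)
            self.refresh_count += 1
        return self._creds

    def session(self):
        """A boto3.session.Session built from the current credentials (requires boto3)."""
        import boto3

        c = self.credentials()
        return boto3.session.Session(
            aws_access_key_id=c["AccessKeyId"],
            aws_secret_access_key=c["SecretAccessKey"],
            aws_session_token=c["SessionToken"],
        )


def is_expired_token_error(exc: BaseException) -> bool:
    """True for a botocore ClientError whose Error.Code says the token expired."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code") in EXPIRED_TOKEN_CODES


def call_with_refresh(factory: RoleSessionFactory, work: Callable[[Credentials], Any]) -> Any:
    """Run work(credentials); if AWS rejects the token as expired, re-assume once and retry."""
    try:
        return work(factory.credentials())
    except Exception as exc:
        if not is_expired_token_error(exc):
            raise
        return work(factory.credentials(force=True))
```

In practice you would build the factory once at startup and call `factory.session()` (or `call_with_refresh`) at each unit of work rather than caching one Session for the life of the process; the 5-minute margin avoids starting a long API call on a token that is seconds from expiry, and the reactive retry covers clock skew or a process that slept past the margin. The refresh_count attribute is there so the refresh behaviour can be asserted on in tests and logged in production.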
