boto3 会话和 aws_session_token 管理 [英] boto3 sessions and aws_session_token management

问题描述

我正在开发处理 AWS SQS 队列的 Python 软件.它使用boto3，主要是boto3.session.Session.

我在这里看到我们可以通过aws_session_token 到 Session 构造函数.

在 Amazon 之外运行我的代码时，我需要定期刷新此 aws_session_token，因为它仅在一个小时内有效.所以我需要自己重新实例化一个 boto3.Session.

我只是想知道 AWS 内部是如何运作的.我是否需要通过环境获取新的 aws_session_token 来手动刷新我的会话?或者我的会话是否永远"有效/是否在内部处理以便我不必刷新我的 AWS 会话?

文档对我来说似乎不清楚.

解决方案

简答:

AWS 生成的令牌不会永远持续下去，使用生成的令牌创建的任何 boto3 会话也是如此.但是你可以在你的令牌上设置一个很长的 TTL(最多 36 小时)，只要您的令牌不是由帐户 root 用户生成的.这为您提供了大量时间来完成您需要对 Python 脚本执行的操作.

AWS 有多种方式来处理对您账户的临时和永久访问.通常，您会希望依靠临时凭证，因为它们使用起来更安全并且更符合最佳实践.Boto3 使用一个优先列表，列出它在此处中描述的凭据扫描位置>

冗长而杂乱的答案:

我为数十个 AWS 账户编写了大量自动化代码，因此我处理了很多这些东西.

这假设您在 Linux 中进行开发.Windows 非常相似，但也有一些不同.

有(至少)三种方法来处理对您的 AWS 账户的远程访问:

1. 在包含您的 AWS IAM 用户访问密钥的 ~/.aws/credentials 文件中维护一个配置文件，并使用该配置文件运行您的 Python 脚本.

   • 您的 Python 脚本所要做的就是创建一个没有参数的 boto3.session.Session 对象.当您没有为会话实例提供令牌或配置文件名称时，boto3 会通过扫描上述链接中描述的凭据优先级列表来自动查找凭据.

   • 我根本不推荐这样做，但它确实有效并且让您了解如何使用 AWS 配置文件.这是使用您的 IAM 用户的 API 密钥的永久访问，该密钥永不过期.虽然您可以将这些密钥用于您的 IAM 用户已获得许可的任何操作，但您不应将它们用于除承担专门角色以执行所有其他工作之外的任何其他用途.

2. 从命令行使用 AWS CLI 担任角色，将令牌加载到环境变量中，然后运行您的 Python 脚本.

   • 优点:
     • 轻松实现自动化.
     • 可以轻松设置令牌 TTL.
     • 令牌可以加载到环境变量中并立即变为可用于您的 Python 脚本.
   • 缺点:
     • 仅当您的 Python 脚本与一个 AWS 账户交互时才实用.
     • 如果您的 Python 脚本运行时间超过令牌 TTL(不太可能，但并非不可能)，那么您的脚本将遇到 AccessDenied 错误并停止.

3. 运行 Python 脚本并让它处理角色假设和令牌杂耍.

   • 优点:
     • 允许您在一个地方同时访问多个帐户.
     • 可以轻松设置令牌 TTL.
     • 如果令牌过期，您可以捕获 AccessDened 异常，刷新令牌，然后继续.
   • 缺点:
     • 涉及维护 Python 代码，该代码获取访问令牌并与它们创建 boto 会话.当然，这不是那么多代码，但它仍然是代码，这意味着维护和混乱.

我通常更喜欢方法 2，强烈反对方法 1.方法 3 视情况而定.

方法 1:
在命令行中，将您的 AWS_PROFILE 变量设置为您的配置文件名称并运行脚本.脚本中使用您的 AWS 配置文件(IAM 用户访问密钥)完成的所有操作.

AWS_PROFILE=蟒蛇<PATH_TO_SCRIPT>

方法 2:
在命令行中，使用您的 AWS 配置文件代入账户中的角色，然后将生成的令牌存储在环境变量中.现在，当您执行脚本时，它会自动使用这些令牌:

credentials=`AWS_PROFILE=aws sts 假设角色 --role-arn --role-session-name --query 'Credentials.{AKI:AccessKeyId,SAK:SecretAccessKey,ST:SessionToken}' --output text`export AWS_ACCESS_KEY_ID=`echo ${credentials} |awk '{print $1}'`export AWS_SECRET_ACCESS_KEY=`echo ${credentials} |awk '{print $2}'`export AWS_SECURITY_TOKEN=`echo ${credentials} |awk '{print $3}'`导出 AWS_DEFAULT_REGION=python <path_to_your_python_script>

注意:由于您的令牌已加载到环境变量中，因此在运行脚本时不应设置 AWS_PROFILE.所有 AWS 开发工具包都会自动在这些环境变量中查找凭证令牌.您可以阅读有关它们的更多信息 这里.

方法 3:
在您的 Python 代码中，生成访问令牌，然后使用这些令牌创建会话.

import boto3角色信息 = {'RoleArn': 'arn:aws:iam:::role/','RoleSessionName': ''}客户端 = boto3.client('sts')凭证 = client.assume_role(**role_info)session = boto3.session.Session(aws_access_key_id=credentials['Credentials']['AccessKeyId'],aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],aws_session_token=credentials['Credentials']['SessionToken'])

按照与方法 1 相同的方式运行您的脚本，除了这次使用您的 AWS_PROFILE 代入该角色，并且任何后续工作都通过该角色执行，因为会话是使用代入的角色创建的.

AWS_PROFILE=蟒蛇<PATH_TO_SCRIPT>

希望这有帮助！

I am developing python software which deals with AWS SQS queues. It uses boto3, mostly boto3.session.Session.

I have seen here that we can pass an aws_session_token to the Session constructor.

When running my code outside of Amazon, I need to periodically refresh this aws_session_token since it is only valid for an hour. So I need to reinstantiate a boto3.Session on my own.

I am just wondering how things work inside AWS. Do I need to manually refresh my sessions by getting a new aws_session_token through the environment? Or is my session valid "for ever"/is it handled internally so I don't have to refresh my AWS sessions?

The documentation seems unclear to me.

解决方案

Short answer:

AWS generated tokens do not last forever, and same goes for any boto3 session created with generated tokens. But you can set a lengthy TTL on your tokens (up to 36 hours) as long as your tokens weren't generated with the account root user. This gives you a lot of time to do what you need to do with your Python script.

AWS has several ways of handling temporary and permanent access to your account. Generally, you'll want to rely on temporary credentials, as they are safer to use and align more with best practices. Boto3 uses a prioritized list of where it scans for credentials described here

Long, rambling answer:

I write a lot of automation code for dozens of AWS accounts, so I've dealt with this stuff a lot.

This assumes you're developing in Linux. Windows is very similar, but has some differences.

There are (at least) three methods to handle remote access to your AWS account:

1. Maintain a profile in your ~/.aws/credentials file which contains your AWS IAM user access keys, and run your Python script using that profile.

   • All your Python script has to do is create a boto3.session.Session object with no parameters. When you don't provide tokens or a profile name for the session instanstiation, boto3 automatically looks for credentials by scanning through the credentials priority list described in the link above.

   • I don't recommend this at all, but it works and give you an idea of how AWS profiles are used. This is permanent access using your IAM user's API keys, which never expire. While you can use these keys for any action that your IAM user has been granted permission, you shouldn't use them for anything other than assuming specialized roles to do all other work.

2. Assume a role using the AWS CLI from the command line, load the tokens into environment variables, and then run your Python script.

   • Advantages:
     • Easily automated.
     • Can set the token TTL easily.
     • The tokens can be loaded into environment variables and become instantly available to your Python scripts.
   • Disadvantages:
     • Only practical if your Python script is interacting with one AWS account.
     • If your Python script runs longer than the token TTL (unlikely, but not impossible), then your script will hit an AccessDenied error and stop.

3. Run the Python script and have it handle role assumption and token juggling.

   • Advantages:
     • Allows your to juggle access to multiple account in one place.
     • Can set the token TTL easily.
     • If tokens expire, you can catch the AccessDened exception, refresh the tokens, and keep going.
   • Disadvantages:
     • Involves maintaining the Python code which gets the access tokens and creates boto sessions with them. Granted, it's not that much code, but its still code, which means maintenance and clutter.

I generally prefer method 2 and strongly discourage method 1. Method 3 is situational.

Method 1:
From the command line, set your AWS_PROFILE variable to your profile name and run the script. Everything done in the script with use your AWS profile (IAM user access keys).

AWS_PROFILE=<YOUR_CREDENTIALS_PROFILE_NAME> python <PATH_TO_SCRIPT>

Method 2:
From the command line, use your AWS profile to assume a role in the account, and then store the generated tokens in environment variables. Now when you execute the script, it will use those tokens automatically:

credentials=`AWS_PROFILE=<YOUR_AWS_PROFILE_NAME> aws sts assume-role --role-arn <YOUR_AWS_ROLE_NAME> --role-session-name <SOME_SESSION_NAME> --query 'Credentials.{AKI:AccessKeyId,SAK:SecretAccessKey,ST:SessionToken}' --output text`

export AWS_ACCESS_KEY_ID=`echo ${credentials} | awk '{print $1}'`
export AWS_SECRET_ACCESS_KEY=`echo ${credentials} | awk '{print $2}'`
export AWS_SECURITY_TOKEN=`echo ${credentials} | awk '{print $3}'`
export AWS_DEFAULT_REGION=<AWS_REGION>

python <path_to_your_python_script>

Note: since your tokens are loaded into environment variables, AWS_PROFILE should NOT be set when you run your script. All AWS SDKs automatically look for credential tokens in those environment variables. You can read more about them here.

Method 3:
In your Python code, generate the access tokens and then create a session with those tokens.

import boto3

role_info = {
    'RoleArn': 'arn:aws:iam::<AWS_ACCOUNT_NUMBER>:role/<AWS_ROLE_NAME>',
    'RoleSessionName': '<SOME_SESSION_NAME>'
}

client = boto3.client('sts')
credentials = client.assume_role(**role_info)

session = boto3.session.Session(
    aws_access_key_id=credentials['Credentials']['AccessKeyId'],
    aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
    aws_session_token=credentials['Credentials']['SessionToken']
)

Run your script the same as Method 1, except this time your AWS_PROFILE is used to assume the role and any subsequent work is performed through the role since the session is created with the assumed role.

AWS_PROFILE=<YOUR_CREDENTIALS_PROFILE_NAME> python <PATH_TO_SCRIPT>

Hope this helps!

这篇关于boto3 会话和 aws_session_token 管理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！