Manage AWS MFA security credentials

Detailed description of the aws-mfa-spok Python project


aws-mfa: Manage AWS security credentials easily when using Multi-Factor Authentication (MFA)

aws-mfa makes it easy to manage AWS SDK security credentials when Multi-Factor Authentication (MFA) is enforced on an AWS account. It automates the process of obtaining temporary credentials from the AWS Security Token Service (STS) and updating the AWS credentials file (located at ~/.aws/credentials). The traditional way of handling MFA-based credentials requires users to write their own custom scripts or wrappers to obtain temporary credentials from STS, and often to update the AWS credentials file by hand.

The concept behind aws-mfa is that there are two kinds of credentials:

  • long-term - your typical AWS access keys, consisting of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

  • short-term - a set of temporary credentials generated by AWS STS from your long-term credentials together with your MFA device's serial number (hardware device serial number or virtual device ARN) and a one-time token code. The short-term credentials are the ones the AWS SDK actively uses.

If you have not yet enabled multi-factor authentication for AWS API access, see the AWS article. Note that aws-mfa only fetches MFA-backed session credentials; enforcing MFA is done on the IAM side, typically with a policy condition on aws:MultiFactorAuthPresent, so that the long-term keys on their own cannot call the protected APIs.

Installation:

Option 1

$ pip install aws-mfa

Option 2

1. Clone this repo
2. $ python setup.py install

Credentials file setup

In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections denoted by a pair of square brackets: []. The [default] section stores the default credentials. You can store multiple sets of credentials under different profile names. If no profile is specified, the [default] section is always used.

By default, the long-term credential section is identified by the convention [<profile_name>-long-term], and the short-term credentials by the usual convention [<profile_name>]. The following shows how to set up a credentials file for use with aws-mfa using the default credentials:

[default-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY

After running aws-mfa, your credentials file will read:

[default-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY
[default]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>

Two things to check in practice: aws_security_token is the older boto key name, while the AWS CLI and current SDKs read the session token from aws_session_token, so confirm which key the version you installed writes and which your tooling expects; and since the long-term keys sit in plaintext next to the short-term ones, keep the file readable only by you (mode 0600).

Similarly, if you use a credentials profile named development, your credentials file will look like this:

[development-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY

After running aws-mfa, your credentials file will read:

[development-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY
[development]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>

The suffixes can be customized with the --long-term-suffix and --short-term-suffix command line arguments. For example, in a multi-account scenario you might have one AWS account that manages the IAM users for your organization, and other AWS accounts for the development, staging and production environments.

After running aws-mfa once for each environment with a different value for --short-term-suffix, your credentials file will read:

[myorganization-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY
[myorganization-development]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>
[myorganization-staging]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>
[myorganization-production]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>

This lets you work with multiple environments without having to run aws-mfa every time you switch environments.

If you do not like the long-term suffix, it can be omitted by passing the value none to the --long-term-suffix command line argument. After running aws-mfa once for each environment with a different --short-term-suffix, your credentials file will read:

[myorganization]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY
[myorganization-development]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>
[myorganization-staging]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>
[myorganization-production]
aws_access_key_id=<POPULATED_BY_AWS-MFA>
aws_secret_access_key=<POPULATED_BY_AWS-MFA>
aws_security_token=<POPULATED_BY_AWS-MFA>

Usage

--device arn:aws:iam::123456788990:mfa/dudeman
                        The MFA Device ARN. This value can also be provided
                        via the environment variable 'MFA_DEVICE' or the
                        ~/.aws/credentials variable 'aws_mfa_device'.
--duration DURATION     The duration, in seconds, that the temporary
                        credentials should remain valid. Minimum value: 900
                        (15 minutes). Maximum: 129600 (36 hours). Defaults to
                        43200 (12 hours), or 3600 (one hour) when using
                        '--assume-role'. This value can also be provided via
                        the environment variable 'MFA_STS_DURATION'.
--profile PROFILE       If using profiles, specify the name here. The default
                        profile name is 'default'. The value can also be
                        provided via the environment variable 'AWS_PROFILE'.
--long-term-suffix LONG_TERM_SUFFIX
                        To identify the long term credential section by
                        [<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
                        identify the long term credential section by
                        [<profile_name>]. Omit to identify the long term 
                        credential section by [<profile_name>-long-term].
--short-term-suffix SHORT_TERM_SUFFIX
                        To identify the short term credential section by
                        [<profile_name>-SHORT_TERM_SUFFIX]. Omit or use 'none'
                        to identify the short term credential section by
                        [<profile_name>].
--assume-role arn:aws:iam::123456788990:role/RoleName
                        The ARN of the AWS IAM Role you would like to assume,
                        if specified. This value can also be provided via the
                        environment variable 'MFA_ASSUME_ROLE'
--role-session-name ROLE_SESSION_NAME
                        Friendly session name required when using --assume-
                        role. By default, this is your local username.

Argument precedence: command line arguments take precedence over environment variables.

Usage examples

Run aws-mfa before running any scripts that use the AWS SDK.

Using command line arguments:

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

Using environment variables:

export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
$> aws-mfa --duration 1800
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00
export MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman
export MFA_STS_DURATION=1800
$> aws-mfa
INFO - Using profile: default
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00

Output of running aws-mfa while the credentials are still valid:

$> aws-mfa
INFO - Using profile: default
INFO - Your credentials are still valid for 1541.791134 seconds they will expire at 2015-12-21 23:07:09

Using profiles (profiles let you refer to different sets of credentials, for example for different users or different regions):

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00

Using a profile set via the AWS_PROFILE environment variable:

$> export AWS_PROFILE=development
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman
INFO - Using profile: development
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666
INFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00

Assuming a role (PR 16):

Assume role: assuming the role specified in the long-term section's configuration:

[default-long-term]
aws_access_key_id=YOUR_LONGTERM_KEY_ID
aws_secret_access_key=YOUR_LONGTERM_ACCESS_KEY
assume_role=arn:aws:iam::123456788990:role/some-role
$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --role-session-name some-role-session

Assuming a role using a profile:

$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session
INFO - Validating credentials for profile: development with assumed role arn:aws:iam::123456788990:role/some-role
INFO - Obtaining credentials for a new role or profile.
Enter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456
INFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00

Assuming a role in multiple accounts, so that both accounts (e.g. production and staging) can be used at the same time:

$> aws-mfa --profile myorganization --assume-role arn:aws:iam::222222222222:role/Administrator --short-term-suffix production --long-term-suffix none --role-session-name production
INFO - Validating credentials for profile: myorganization-production with assumed role arn:aws:iam::222222222222:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00

$> aws-mfa --profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging
INFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator
INFO - Your credentials have expired, renewing.
Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:44+00:00

$> aws s3api list-objects --bucket my-production-bucket --profile myorganization-production

$> aws s3api list-objects --bucket my-staging-bucket --profile myorganization-staging
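The whole flow this page describes, as an added example that is not part of aws-mfa's own code: the section-naming convention from the credentials file setup (including --long-term-suffix none), the exchange of long-term keys plus a one-time MFA code for short-term credentials through STS GetSessionToken or, with --assume-role, AssumeRole, and the "still valid" check seen in the usage output. Everything named here is this example's own: the STS client is injected so that a constructed stub (StubSTS) with the same method names as boto3's client can stand in and the code runs offline; the short-term section additionally records an expiration key, whose name is chosen here rather than taken from aws-mfa; the default role session name is a fixed string where aws-mfa uses your local username; and SAMPLE and DEMO_NOW are constructed inputs. The session token is written under both aws_security_token (as shown on this page) and aws_session_token (what the AWS CLI and current SDKs read).

```python
"""Added example, not aws-mfa's own code: the long-term -> short-term exchange from the
README as a few offline-testable functions. Assumptions: the STS client is injected (a
stub with boto3's method names stands in), and an 'expiration' key is recorded here."""
import configparser
import datetime as dt
import sys


def section_names(profile, long_term_suffix=None, short_term_suffix=None):
    """README convention: long-term in [<profile>-long-term] (just [<profile>] for
    'none'), short-term in [<profile>-<suffix>] (just [<profile>] when omitted/'none')."""
    def join(suffix, default):
        suffix = default if suffix is None else suffix
        return profile if suffix == "none" else f"{profile}-{suffix}"
    return join(long_term_suffix, "long-term"), join(short_term_suffix, "none")


def seconds_left(config, section, now=None):
    """Seconds until the section's credentials expire; None if never written."""
    if not config.has_option(section, "expiration"):
        return None
    now = now or dt.datetime.now(dt.timezone.utc)
    return (dt.datetime.fromisoformat(config.get(section, "expiration")) - now).total_seconds()


def make_sts_client(config, long_name):
    """Real boto3 client signed with the long-term keys (the offline demo uses StubSTS)."""
    import boto3  # lazy import so the rest of the example runs without boto3 installed
    return boto3.client("sts", aws_access_key_id=config.get(long_name, "aws_access_key_id"),
                        aws_secret_access_key=config.get(long_name, "aws_secret_access_key"))


def refresh_short_term(config, sts, profile, device_arn, token_code, duration=43200,
                       long_term_suffix=None, short_term_suffix=None,
                       role_arn=None, role_session_name="aws-mfa"):
    """Exchange long-term keys + one-time MFA code for temporary credentials, write
    them into the short-term section, and return the expiry datetime."""
    long_name, short_name = section_names(profile, long_term_suffix, short_term_suffix)
    if long_name == short_name:  # e.g. --long-term-suffix none without a short-term suffix
        raise ValueError("short-term section would overwrite the long-term keys; set a suffix")
    if not config.has_section(long_name):
        raise KeyError(f"no [{long_name}] section holding long-term credentials")
    if not 900 <= duration <= 129600:  # bounds STS enforces for GetSessionToken
        raise ValueError("duration must be between 900 and 129600 seconds")
    if role_arn:  # --assume-role: the MFA code is presented to AssumeRole directly
        resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=role_session_name,
                               SerialNumber=device_arn, TokenCode=token_code,
                               DurationSeconds=duration)
    else:
        resp = sts.get_session_token(DurationSeconds=duration, SerialNumber=device_arn,
                                     TokenCode=token_code)
    creds = resp["Credentials"]
    if not config.has_section(short_name):
        config.add_section(short_name)
    config.set(short_name, "aws_access_key_id", creds["AccessKeyId"])
    config.set(short_name, "aws_secret_access_key", creds["SecretAccessKey"])
    config.set(short_name, "aws_security_token", creds["SessionToken"])  # key shown in the README
    config.set(short_name, "aws_session_token", creds["SessionToken"])   # key the AWS CLI/SDKs read
    config.set(short_name, "expiration", creds["Expiration"].isoformat())
    return creds["Expiration"]


class StubSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline."""
    def __init__(self, now):
        self.now, self.calls = now, []
    def _reply(self, name, kw):
        self.calls.append((name, kw))
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token",
                                "Expiration": self.now + dt.timedelta(seconds=kw["DurationSeconds"])}}
    def get_session_token(self, **kw):
        return self._reply("get_session_token", kw)
    def assume_role(self, **kw):
        return self._reply("assume_role", kw)


# Constructed credentials file in the README's --long-term-suffix none layout.
SAMPLE = """\
[myorganization]
aws_access_key_id=AKIAEXAMPLELONGTERM
aws_secret_access_key=example-long-term-secret
"""
DEMO_NOW = dt.datetime(2017, 7, 10, 6, 16, 43, tzinfo=dt.timezone.utc)


def demo(now=DEMO_NOW):
    """Replay the multi-account example: one long-term section feeding two assumed-role
    short-term sections. Returns (config, stub_sts)."""
    config = configparser.ConfigParser()
    config.read_string(SAMPLE)
    sts = StubSTS(now)
    for env, account in (("production", "222222222222"), ("staging", "333333333333")):
        refresh_short_term(config, sts, "myorganization", "arn:aws:iam::111111111111:mfa/me",
                           "123456", duration=3600, long_term_suffix="none", short_term_suffix=env,
                           role_arn=f"arn:aws:iam::{account}:role/Administrator", role_session_name=env)
    return config, sts


if __name__ == "__main__":
    demo()[0].write(sys.stdout)  # print the populated file rather than touching ~/.aws/credentials
```

Running the block prints a file in the same shape as the multi-account listing above. Against a real account you would build the client with make_sts_client (it signs with the long-term keys, which is why those keys only need permission to call STS) and write the result to ~/.aws/credentials with mode 0600. The collision check is worth keeping: with --long-term-suffix none and no short-term suffix both names resolve to [<profile_name>], and a naive writer would replace the long-term keys with credentials that expire.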

使用ApacheCXF和Eclipse的web服务中的java JNI问题   java如何在模式中正确声明扩展?   java Mapstruct从源对象的一组字段中准备一个列表,并将其设置为目标对象   Java:Infinite循环hasnetint()   面向对象Java装饰图案比萨面层   oop Java将常用方法放入超类   Java程序不断崩溃   使用扫描仪写入文本文件时出现java异常错误   java如何打印没有尾随逗号的地图?   使用java在中缀到后缀应用程序中获得错误输出   Java正则表达式拆分运算符的数学表达式,不包括括号中的运算符   java如何从KeyClope获取用户详细信息(不是登录用户,而是通过id获取任何用户)   java如何通过选择微调器启用或禁用editText   java jasypt有多安全?   java上传图像失败   java JDBC批量更新有什么帮助?   java如何在添加新视频文件时获取通知   java将值Bean传递给类,然后将类传递给JSP   java Primefaces Datatable在触发操作时提供空指针异常   Java:在可调整大小的组件中调整旋转形状的大小