Option to use a different aws profile than default
venkivijay opened this issue · comments
As far as I explored, there is no way to set different profile than the default one in ~/.aws
. It is expected for different profiles to be supported since Chaos Toolkit Extension for AWS uses the same approach.
def aws_client(
resource_name: str, configuration: Configuration = None, secrets: Secrets = None
):
"""
Create a boto3 client for the given resource.
You may pass the `aws_region` key in the `configuration` object to
be explicit about which region you want to use.
You may pass `aws_profile_name` value to the `configuration` object so that
we load the appropriate profile to converse with the AWS services. In that
case, make sure your local `~/aws/credentials` config is properly setup, as
per https://boto3.readthedocs.io/en/latest/guide/configuration.html#aws-config-file
Also, if you want to assume a role, you should setup that file as per
https://boto3.readthedocs.io/en/latest/guide/configuration.html#assume-role-provider
as we do not read those settings from the `secrets` object.
""" # noqa: E501
configuration = configuration or {}
aws_profile_name = configuration.get("aws_profile_name")
aws_assume_role_arn = configuration.get("aws_assume_role_arn")
params = get_credentials(secrets)
region = configuration.get("aws_region")
if not region:
logger.debug(
"The configuration key `aws_region` is not set, looking in the "
"environment instead for `AWS_REGION` or `AWS_DEFAULT_REGION`"
)
region = os.getenv("AWS_REGION", os.getenv("AWS_DEFAULT_REGION"))
if not region:
raise InterruptExecution("AWS requires a region to be set!")
if region:
logger.debug(f"Using AWS region '{region}'")
params["region_name"] = region
if boto3.DEFAULT_SESSION is None:
# we must create our own session so that we can populate the profile
# name when it is provided. Only create the default session once.
boto3.setup_default_session(profile_name=aws_profile_name, **params)
if not aws_assume_role_arn:
logger.debug(
"Client will be using profile '{}' from boto3 session".format(
aws_profile_name or "default"
)
)
return boto3.client(resource_name, **params)
else:
logger.debug(
"Fetching credentials dynamically assuming role '{}'".format(
aws_assume_role_arn
)
)
aws_assume_role_session_name = configuration.get("aws_assume_role_session_name")
if not aws_assume_role_session_name:
aws_assume_role_session_name = "ChaosToolkit"
logger.debug(
"You are missing the `aws_assume_role_session_name` "
"configuration key. A unique one was generated: '{}'".format(
aws_assume_role_session_name
)
)
client = boto3.client("sts", **params)
params = {
"RoleArn": aws_assume_role_arn,
"RoleSessionName": aws_assume_role_session_name,
}
response = client.assume_role(**params)
creds = response["Credentials"]
logger.debug(
"Temporary credentials will expire on {}".format(
creds["Expiration"].isoformat()
)
)
params = {
"aws_access_key_id": creds["AccessKeyId"],
"aws_secret_access_key": creds["SecretAccessKey"],
"aws_session_token": creds["SessionToken"],
}
if region:
params["region_name"] = region
return boto3.client(resource_name, **params)
@venkivijay thanks for the feature request! Will add support for custom AWS profiles
This is now supported in v0.1.10: https://pypi.org/project/aws-az-failure-chaostoolkit/0.1.10/