trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.

Home Page: https://awsu.me

License: MIT License

Shell 3.74% Batchfile 1.87% PowerShell 2.38% Python 91.71% JavaScript 0.31%

awsume's People

Contributors

aarongorka, awarzon, azurelogic, bob-crutchley, charlesguse, dependabot[bot], dialt0ne, hauboldj, kreece27, lazzurs, lhendrick-t10, lucaszielke, lukehendrick, mbarneyjr, mtskillman, next-victordavidmendez, parkeyparker, robinro, ryansb, shortjared, snyk-bot, sriesenberg-reply, tantalon, timboo89, tmclaugh, twz123, v-mendez, valdisrigdon, xeger, znd4

awsume's Issues

awsume -l throws error when trying to install on Jenkins

Traceback (most recent call last):
  File "/var/lib/jenkins/.local/bin/awsumepy", line 11, in <module>
    load_entry_point('awsume==3.2.9', 'console_scripts', 'awsumepy')()
  File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1702, in main
    awsume.run(command_line_arguments)
  File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1666, in run
    mix_role_and_source_profiles(profiles)
  File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 291, in mix_role_and_source_profiles
    merge_role_and_source_profile(profiles[profile], profiles[source_profile_name])
  File "/var/lib/jenkins/.local/lib/python2.7/site-packages/awsume/awsumepy.py", line 262, in merge_role_and_source_profile
    role_profile['aws_access_key_id'] = source_profile['aws_access_key_id']
KeyError: 'aws_access_key_id'

Not sure why it isn't able to find the "aws_access_key_id" key in role_profile. The credentials and config files are fine and aws-cli works on the box.

"aws --profile" does not work

Hello,

I know we can switch profiles with awsume profile_name, but in scripts we want to be able to use the good old aws --profile profile_name command_name too, because we're working with more than one account within the same script.

.aws/config:
[default]
region = eu-west-1
output = json
mfa_serial = arn:aws:iam::111111111:mfa/username

[profile secondary]
role_arn = arn:aws:iam::222222222222:role/rolename
aws_account_id = 222222222222
region = eu-west-1
output = json
source_profile = default

# awsume
Enter MFA token: 825229
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44

# aws sts get-caller-identity
{
    "UserId": "AIDAR355SJBCL57WUCIW3",
    "Account": "111111111",
    "Arn": "arn:aws:iam::111111111:user/username"
}

# awsume secondary
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44
AWSume: Role profile credentials will expire at: 2019-08-01 09:11:33

# aws sts get-caller-identity
{
    "UserId": "AROASJBNLJ5FKMQGYZIFP:awsume-session-secondary",
    "Account": "222222222222",
    "Arn": "arn:aws:sts::222222222222:assumed-role/rolename/awsume-session-secondary"
}

# awsume
AWSume: User profile credentials will expire at: 2019-08-01 20:10:44

# aws --profile secondary sts get-caller-identity
An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Is there a workaround? Using awsume profilename in a script is a bit awkward, and I'm afraid we'll have a mess with aws-related system variables.

Thank you.

awsume does not work after upgrading from 3.2.8 to 4.1.9

After upgrading awsume from 3.2.8 to 4.1.9 my colleague and I get an error message when calling "awsume terraform":
Awsume error: Invalid profile terraform Missing keys aws_access_key_id, aws_secret_access_key
Our configuration is standard, we think:

~/.aws/config:

[default]
region = eu-central-1
output = json

[profile terraform]
region = eu-central-1
output = json
mfa_serial = arn:aws:iam:::mfa/scht

[profile DQCustOpsAdmin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminOrganization
source_profile = default
mfa_serial = arn:aws:iam:::mfa/scht

[profile prod-admin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminUserRole
source_profile = terraform

[profile staging-admin]
region = eu-central-1
output = json
role_arn = arn:aws:iam:::role/AdminUserRole
source_profile = terraform

with 2 different account numbers.

~/.aws/credentials:

[default]
aws_access_key_id =
aws_secret_access_key =

[profile terraform]
aws_secret_access_key =
aws_access_key_id =

with 2 different sets of keys.

~/.awsume/config.yaml:

{colors: true, fuzzy-match: false, role-duration: 0}

All this was working for months with awsume 3.2.8.
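A pre-flight check for the shared-file layout shown in this report, added here as an example (it is not awsume's code): it merges the config and credentials files using the AWS CLI's section naming, where the credentials file uses the bare profile name without the `profile ` prefix, and flags role profiles whose source profile ends up without static keys. The function names, finding codes and sample file contents are constructed, and only static keys are considered as a credential source.

```python
import configparser

KEY_FIELDS = ("aws_access_key_id", "aws_secret_access_key")

# Constructed sample files (placeholder account ids and keys).
SAMPLE_CONFIG = """\
[default]
region = eu-central-1

[profile terraform]
region = eu-central-1
mfa_serial = arn:aws:iam::111111111111:mfa/example

[profile prod-admin]
role_arn = arn:aws:iam::222222222222:role/AdminUserRole
source_profile = terraform

[profile orphan]
role_arn = arn:aws:iam::222222222222:role/AdminUserRole
source_profile = missing
"""

SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLEKEYIDDEFAULT
aws_secret_access_key = example-secret-default

[profile terraform]
aws_access_key_id = EXAMPLEKEYIDTERRAFORM
aws_secret_access_key = example-secret-terraform
"""


def _parse(text):
    # RawConfigParser: no '%' interpolation, which secret values may contain.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: settings}; return (profiles, findings)."""
    profiles, findings = {}, []
    config = _parse(config_text)
    for section in config.sections():
        if section == "default":
            name = "default"
        elif section.startswith("profile "):
            name = section[len("profile "):].strip()
        else:
            continue  # not a profile section
        profiles.setdefault(name, {}).update(config.items(section))
    credentials = _parse(credentials_text)
    for section in credentials.sections():
        if section.startswith("profile "):
            # The credentials file names sections by bare profile name, so keys
            # under "[profile x]" are not attached to profile "x".
            findings.append(("credentials-profile-prefix", section))
            continue
        profiles.setdefault(section, {}).update(credentials.items(section))
    return profiles, findings


def check_source_chain(profiles, name):
    """Follow source_profile links from a role profile; return a finding code or None."""
    seen = [name]
    current = profiles[name]
    while "role_arn" in current and "source_profile" in current:
        source = current["source_profile"]
        if source == seen[-1]:
            break  # self-reference: the keys must sit in this same profile
        if source in seen:
            return "source-loop"
        if source not in profiles:
            return "missing-source"
        seen.append(source)
        current = profiles[source]
    # Assumption: only static keys count; credential_process or SSO are not modelled.
    if not all(current.get(field) for field in KEY_FIELDS):
        return "source-without-keys"
    return None


def lint(config_text, credentials_text):
    """Return a list of (finding_code, profile_or_section_name) tuples."""
    profiles, findings = load_profiles(config_text, credentials_text)
    for name in sorted(profiles):
        settings = profiles[name]
        if "role_arn" in settings and "source_profile" in settings:
            code = check_source_chain(profiles, name)
            if code:
                findings.append((code, name))
    return findings


if __name__ == "__main__":
    for code, name in lint(SAMPLE_CONFIG, SAMPLE_CREDENTIALS):
        print(code, name)
```
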

Overbearing proxy server and details of hostname(s)

Hi there, I'm working on a client site with a very restrictive proxy server setup.

It's a cluster of poorly-configured BlueCoat instances and they are interfering with our traffic to AWS, and sometimes blocking the requests.

I've tried divining this with the --debug option but it doesn't show me the URL(s) of the host(s) at AWS that it's attempting to contact, in order to do MFA/STS/role switch things.

Is there a short list of these URLs available somewhere, for proxy whitelisting?

awsume --list throws error

$ awsume -l
Traceback (most recent call last):
  File "/usr/local/bin/awsumepy", line 11, in <module>
    load_entry_point('awsume==3.2.8', 'console_scripts', 'awsumepy')()
  File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1668, in main
    awsume.run(command_line_arguments)
  File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 1632, in run
    mix_role_and_source_profiles(profiles)
  File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 284, in mix_role_and_source_profiles
    merge_role_and_source_profile(profiles[profile], profiles[source_profile_name])
  File "/usr/local/lib/python2.7/site-packages/awsume/awsumepy.py", line 259, in merge_role_and_source_profile
    role_profile['aws_access_key_id'] = source_profile['aws_access_key_id']
KeyError: 'aws_access_key_id'

everything else works just fine. super weird.

awsume profile does not assume profile, it defaults to default aws cli

  1. MACOS 10.14.4
  2. bash profile updated with awsume='. awsume'
  3. When running awsume the profile defaults to the 'do-nothing' profile

Example:
bash-3.2$ awsume poc-admin
AWSume: User profile credentials will expire at: 2019-07-09 03:56:55
AWSume: Role profile credentials will expire at: 2019-07-08 17:04:42

However, I cannot run any CLI commands on the assumed profile. I can execute a command with --profile <profile_name> and that works fine, but awsume does not assume the profile; it stays on the default 'do-nothing' profile.

Saml assertion parsing not working with adfs due to namespaces

I'm trying to create a SAML plugin with ADFS, and here's what the SAML response looks like:

<samlp:Response ID="..." Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
                Destination="https://signin.aws.amazon.com/saml"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="..." IssueInstant="2019-12-05T12:52:34.802Z" Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://example.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <Subject>....</Subject>
        <Conditions NotBefore="2019-12-05T12:52:34.568Z" NotOnOrAfter="2019-12-05T13:52:34.568Z">....</Conditions>
        <AttributeStatement>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>neshat</AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
                <AttributeValue>
                    arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
                </AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
                <AttributeValue>43200</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2019-12-05T12:35:27.355Z" SessionIndex="...">....</AuthnStatement>
    </Assertion>
</samlp:Response>

As you can see, the Attribute element that our code looks for, and its parent, don't have any explicit namespace in my example.

The best way to do this is to ignore the namespaces, but, well, xml2dict doesn't have that feature. Someone made a PR, but that project hasn't had any activity since September, so I don't think it'd be merged anytime soon.
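An added example, not part of the original issue or awsume's code: matching SAML elements by namespace URI rather than by prefix finds Attribute in both the ADFS form above (default namespace) and a prefixed form. It uses the standard library's ElementTree instead of the dictionary-based parser mentioned in the post; the function names and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace URI, as declared in the response shown in the post.
ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample 1: ADFS style, default namespace declared on <Assertion>.
ADFS_STYLE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>
          arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
        </AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>
"""

# Constructed sample 2: same namespace bound to an explicit prefix, ARNs in the other order.
PREFIXED_STYLE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Assertion Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::123456789012:role/saml/ADFS/Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>
"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} for every Attribute in the assertion namespace.

    This only extracts values; it does not verify the assertion's signature.
    """
    # SAML messages never need a DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in a SAML response")
    root = ET.fromstring(xml_text.strip())
    attributes = {}
    # ElementTree names elements as "{namespace-uri}local-name", so the prefix
    # chosen by the identity provider (or the lack of one) does not matter.
    for attribute in root.iter("{%s}Attribute" % ASSERTION_NS):
        values = [
            (value.text or "").strip()
            for value in attribute.findall("{%s}AttributeValue" % ASSERTION_NS)
        ]
        attributes.setdefault(attribute.get("Name"), []).extend(values)
    return attributes


def role_pairs(xml_text):
    """Return [(role_arn, provider_arn)] from the Role attribute, accepting either order."""
    pairs = []
    for value in assertion_attributes(xml_text).get(ROLE_ATTRIBUTE, []):
        parts = [part.strip() for part in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) == 2 and role and provider:
            pairs.append((role, provider))
    return pairs


if __name__ == "__main__":
    for sample in (ADFS_STYLE, PREFIXED_STYLE):
        print(role_pairs(sample))
```
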

LIGHTCYAN doesn't seem to exist

Hi, I had trouble recently with the fact that Fore.LIGHTCYAN_EX didn't exist. Perhaps you could pick another color. I'm not sure where it went. I just substituted BLUE, and everything worked fine.

MacOS Mojave Export commands not writing data

On the latest MacOS, when I run awsume -s I can see the list of export commands; however, when I try echo $AWS_REGION (or any other), they don't return any value, and the aws s3 ls command isn't returning the correct result. However, when I copy and paste the export AWS commands (from the -s command), I get everything working correctly.

`awsume -r` should reload credentials that were previously acquired with `awsume -a` flag

awsume -r <role> reloads credentials, but awsume -r expects a profile name.

I think awsume -r without a role name should reload ALL profiles that were previously executed with awsume -a <role_name>. This way I don't have to remember which profiles I had previously configured to automatically refresh.

Moreover, I think awsume -r <rolename> should act like awsume -a <rolename>; awsume -r <rolename> if awsume -a was not run previously.

Great program! I love it and use it daily for my consulting work. Keep up the good work.

No such file or directory

Hello,

I have a few profiles configured, two of which are called platform-production-admin and shared-services-admin.

Earlier today I ran . awsume shared-services-admin -a (no issues).

A few hours later (in the same terminal window) I've typed
. awsume platform-production-admin -a
and I see this output:

$ . awsume platform-production-admin -a
Session token will expire at 2019-09-27 23:32:44
Role credentials will expire 2019-09-27 14:57:00
[3] 2930
$ Traceback (most recent call last):
  File "/usr/local/bin/autoawsume", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 26, in main
    subprocess.run(auto_profile.get('awsumepy_command').split(' '), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 472, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 775, in __init__
    restore_signals, start_new_session)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 1522, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'shared-services-admin': 'shared-services-admin'

The traceback is automatically output into the terminal after hitting enter on the . awsume platform-production-admin -a command.

How can I stop this from happening?

If it helps at all I'm on macOS 10.14.5, I installed Python via Homebrew and awsume via pip

Installation can corrupt .bashrc

When I pip installed awsume as expected it modified my .bashrc, however it corrupted the file as there was no newline at eof. In my case the fault is likely the previous tool that modified it but it is a common enough edge case that it should be addressed.

ps. Loving the tool, will be getting the whole team on it once this issue is fixed!

.aws/config only updates when the default profile is at the top

After installing awsume for the first time, auto-refresh credentials are only generated if the config file has the [default] profile at the beginning. For example:

awsume [name_of_profile] -a

This will fail silently when the aws config file looks something like this:

[name of profile]
...
[default]
...

But it will succeed when the two are reversed:

[default]
...
[name_of_profile]
...

awsume fails to export the SessionToken value to the shell environment

I am running 'awsume' using a shared credentials file. The config file contains profiles using a source profile in the credentials file. The source profile contains both key attributes as well as a session token, as it's created from a federated credential. I never have credentials stored in [default].

Issue: The session token is never exported to the shell environment.

Example: config file

[default]
region = us-east-1

[profile internal-admin]
role_arn = arn:aws:iam::<your aws account id>:role/admin-role
source_profile = joel
region = us-east-1

Example: credentials file

[default]

[joel]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token     = FQoGZXIvYXdzEK3//////////w==

OS: Mac High Sierra
Shell: bash / zsh

ValueError: astimezone() cannot be applied to a naive datetime

Freshly installed awsume on MacOS Mojave.

Python version: 3.5.7
AWSume version: 4.0.4 (incidentally, I don't see this release under the Releases)

I get an error when I try to assume a role - It seems to succeed, but in the info message that prints out the session expiration, the script errors out:

$ awsume my-profile
Enter MFA token: xxxxxxxxx
Traceback (most recent call last):
  File "/usr/local/opt/pyenv/versions/3.5.7/bin/awsumepy", line 12, in <module>
    sys.exit(main())
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/main.py", line 36, in main
    run_awsume(sys.argv)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/main.py", line 25, in run_awsume
    awsume.run(argument_list)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/app.py", line 231, in run
    credentials = self.get_credentials(args, profiles)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/app.py", line 187, in get_credentials
    credentials = self.plugin_manager.hook.get_credentials(config=self.config, arguments=args, profiles=profiles)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/hooks.py", line 289, in __call__
    return self._hookexec(self, self.get_hookimpls(), kwargs)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/manager.py", line 87, in _hookexec
    return self._inner_hookexec(hook, methods, kwargs)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/manager.py", line 81, in <lambda>
    firstresult=hook.spec.opts.get("firstresult") if hook.spec else False,
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 208, in _multicall
    return outcome.get_result()
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 80, in get_result
    raise ex[1].with_traceback(ex[2])
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/pluggy/callers.py", line 187, in _multicall
    res = hook_impl.function(*args)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/default_plugins.py", line 389, in get_credentials
    ignore_cache=arguments.force_refresh,
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/lib/aws.py", line 90, in get_session_token
    safe_print('Session token will expire at {}'.format(parse_time(user_session['Expiration'])), colorama.Fore.GREEN)
  File "/usr/local/opt/pyenv/versions/3.5.7/lib/python3.5/site-packages/awsume/awsumepy/lib/aws.py", line 15, in parse_time
    return date_time.astimezone(dateutil.tz.tzlocal()).strftime('%Y-%m-%d %H:%M:%S')
ValueError: astimezone() cannot be applied to a naive datetime

I will note that if I remove the offending call to astimezone() from parse_time():

def parse_time(date_time: datetime):
  return date_time.strftime('%Y-%m-%d %H:%M:%S')

it works as expected. But we do note that there are several places in the code that already call this, and when I try to remove those calls but leave it in parse_time(), the error remains.

I'm not super familiar with the dateutil and datetime libraries, but it seems that because astimezone() is already called in the client code, there is no need to call it again in parse_time().

Environment variables are not exported when using fish shell

I've looked a bit at the code in shell_scripts/awsume.fish and it looks like the behavior described would export environment variables.

Could it be that awsume.fish does not get executed in my shell when I run awsume? A subshell running another shell (i.e. bash) would not export variables into fish due to the nature of set.

I could also be going about this completely wrong and fish simply needs special setup and I missed this in the documentation somewhere. But regardless I think it should work out of the box in any supported shell.

Asking MFA code for arn:aws:iam::101549811061:mfa

Hi,

I have successfully installed awsume and also configured the config & credentials files using the CLI.

But when I run:
. awsume profile_name

It's asking me Enter MFA code & Enter MFA code for arn:aws:iam::101549811061:mfa/

I got the MFA code for the first one, but I'm blank on what to do with the second MFA code.

Can anyone help me with what I have done wrong here?

Autoawsume throws during credential refresh

In 4.1.6 refreshing fails with the following error trace

Traceback (most recent call last):
  File "/usr/local/bin/autoawsume", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 32, in main
    session = awsumepy.awsume(*auto_profile.get('awsumepy_command').split(' '))
  File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/awsume.py", line 16, in awsume
    return app.run([profile_name] + cli_arguments)
  File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/app.py", line 247, in run
    credentials = self.get_credentials(args, profiles)
  File "/usr/local/lib/python3.7/site-packages/awsume/awsumepy/app.py", line 186, in get_credentials
    credentials = json.loads(json_input)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Can't install on OSX High Sierra - (problem with six)

$ sudo easy_install pip
Searching for pip
Best match: pip 9.0.3
Processing pip-9.0.3-py2.7.egg
pip 9.0.3 is already the active version in easy-install.pth
Installing pip script to /usr/local/bin
Installing pip2.7 script to /usr/local/bin
Installing pip2 script to /usr/local/bin

Using /Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
$ pip install awsume
Collecting awsume
Using cached awsume-3.0.10.tar.gz
Collecting boto3 (from awsume)
Using cached boto3-1.6.20-py2.py3-none-any.whl
Collecting psutil (from awsume)
Using cached psutil-5.4.3.tar.gz
Collecting yapsy (from awsume)
Using cached Yapsy-1.11.223.tar.gz
Collecting future (from awsume)
Using cached future-0.16.0.tar.gz
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /Library/Python/2.7/site-packages (from boto3->awsume)
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3->awsume)
Using cached s3transfer-0.1.13-py2.py3-none-any.whl
Collecting botocore<1.10.0,>=1.9.20 (from boto3->awsume)
Using cached botocore-1.9.20-py2.py3-none-any.whl
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /Library/Python/2.7/site-packages (from s3transfer<0.2.0,>=0.1.10->boto3->awsume)
Collecting python-dateutil<2.7.0,>=2.1 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached python_dateutil-2.6.1-py2.py3-none-any.whl
Collecting docutils>=0.10 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached docutils-0.14-py2-none-any.whl
Collecting six>=1.5 (from python-dateutil<2.7.0,>=2.1->botocore<1.10.0,>=1.9.20->boto3->awsume)
Using cached six-1.11.0-py2.py3-none-any.whl
Installing collected packages: six, python-dateutil, docutils, botocore, s3transfer, boto3, psutil, yapsy, future, awsume
Found existing installation: six 1.4.1
DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling six-1.4.1:
Exception:
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_set.py", line 778, in install
requirement.uninstall(auto_confirm=True)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_install.py", line 754, in uninstall
paths_to_remove.remove(auto_confirm)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_uninstall.py", line 115, in remove
renames(path, new_path)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/utils/init.py", line 267, in renames
shutil.move(old, new)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 302, in move
copy2(src, real_dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 131, in copy2
copystat(src, dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 103, in copystat
os.chflags(dst, st.st_flags)
OSError: [Errno 1] Operation not permitted: '/var/folders/l_/vnj7g_9n6pz4s9r5xclyl10cdbfp4x/T/pip-xARziy-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
$ sudo pip install awsume
The directory '/Users/jburns/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/jburns/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting awsume
Downloading awsume-3.0.10.tar.gz
Collecting boto3 (from awsume)
Downloading boto3-1.6.20-py2.py3-none-any.whl (128kB)
100% |████████████████████████████████| 133kB 2.2MB/s
Collecting psutil (from awsume)
Downloading psutil-5.4.3.tar.gz (412kB)
100% |████████████████████████████████| 419kB 2.5MB/s
Collecting yapsy (from awsume)
Downloading Yapsy-1.11.223.tar.gz (80kB)
100% |████████████████████████████████| 81kB 7.7MB/s
Collecting future (from awsume)
Downloading future-0.16.0.tar.gz (824kB)
100% |████████████████████████████████| 829kB 1.4MB/s
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /Library/Python/2.7/site-packages (from boto3->awsume)
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3->awsume)
Downloading s3transfer-0.1.13-py2.py3-none-any.whl (59kB)
100% |████████████████████████████████| 61kB 5.0MB/s
Collecting botocore<1.10.0,>=1.9.20 (from boto3->awsume)
Downloading botocore-1.9.20-py2.py3-none-any.whl (4.1MB)
100% |████████████████████████████████| 4.1MB 334kB/s
Requirement already satisfied: futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" in /Library/Python/2.7/site-packages (from s3transfer<0.2.0,>=0.1.10->boto3->awsume)
Collecting python-dateutil<2.7.0,>=2.1 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading python_dateutil-2.6.1-py2.py3-none-any.whl (194kB)
100% |████████████████████████████████| 194kB 5.2MB/s
Collecting docutils>=0.10 (from botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading docutils-0.14-py2-none-any.whl (543kB)
100% |████████████████████████████████| 552kB 2.4MB/s
Collecting six>=1.5 (from python-dateutil<2.7.0,>=2.1->botocore<1.10.0,>=1.9.20->boto3->awsume)
Downloading six-1.11.0-py2.py3-none-any.whl
Installing collected packages: six, python-dateutil, docutils, botocore, s3transfer, boto3, psutil, yapsy, future, awsume
Found existing installation: six 1.4.1
DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling six-1.4.1:
Exception:
Traceback (most recent call last):
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_set.py", line 778, in install
requirement.uninstall(auto_confirm=True)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_install.py", line 754, in uninstall
paths_to_remove.remove(auto_confirm)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/req/req_uninstall.py", line 115, in remove
renames(path, new_path)
File "/Library/Python/2.7/site-packages/pip-9.0.3-py2.7.egg/pip/utils/init.py", line 267, in renames
shutil.move(old, new)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 302, in move
copy2(src, real_dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 131, in copy2
copystat(src, dst)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/shutil.py", line 103, in copystat
os.chflags(dst, st.st_flags)
OSError: [Errno 1] Operation not permitted: '/tmp/pip-S6cVNR-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'

Adding alias to pyenv .bashrc causes problems

Hi, I installed awsume into a virtualenv and it caused an unexpected problem.
I have installed my own fork of pyenv which does not need to use pyenv which pyenv/pyenv#1185

and awsume added this line to my .bashrc
alias awsume=". \$(pyenv which awsume)"
But since I installed awsume into a venv not created by pyenv virtualenv, I do not have any shims, and calling awsume calls the alias, which overrides what is supposed to be called by path.
When the alias is called ($ awsume), the result is this:

pyenv: awsume: command not found
-bash: .: filename argument required
.: usage: . filename [arguments]

the same output is given if called from venv (venv) $ awsume results in

pyenv: awsume: command not found
-bash: .: filename argument required
.: usage: . filename [arguments]

to find out what was happening I ran type -a awsume

awsume is aliased to `. $(pyenv which awsume)'
awsume is /Users/username/.virtualenvs/venv/bin/awsume

after removing the alias from my .bashrc everything was fine again.

should check mfa_serial from source profile

It would be convenient if awsume would also read the source profile in order to get the mfa_serial, so we could define it once for an account in the source profile.
Currently we have to duplicate the serial in many [profile] sections.

Awsume is removing my credentials!

My colleagues and I are using version 4.1.9 (determined by awsume --version). We're all experiencing our AWS credentials being removed.

Specifically, we have an identity profile setup that looks like this (in ~/.aws/config):

[profile identity]
region=eu-west-1
duration_seconds = 43200

and then additional profiles that look like this:

[profile platform-admin]
source_profile=identity
role_arn=arn:aws:iam::9999999999:role/AdminAccess
mfa_serial=arn:aws:iam::11111111111:mfa/alex
region=eu-west-1

We then run awsume like so . awsume platform-admin -a.

However, we're all experiencing the identity profile credentials being removed by awsume presumably when the awsume temporary credentials are expiring

Set AWS_REGION as defined in `~/.aws/config` configuration file

awsume unsets AWS_REGION, but tools like ec2.py (from Ansible) require the region to be set. I often prefer the environment variable AWS_REGION to --region specified on the command line.

Since awsume knows the Region (awsume -l prints it) can it set AWS_REGION environment variable?

U2F Support

Since AWS Console now supports U2F, it would be good to have that with AWSUME, if at all possible.

TypeError: datetime.datetime(2018, 3, 19, 12, 52, 54, tzinfo=tzutc()) is not JSON serializable

Getting this error with 3.0.9 in WSL environment (opensuse)

felipe@DESKTOP-TCPCKB9:~/Downloads$ awsume -a velocity-ipaas-nonprod
AWSume: User profile credentials will expire at: 2018-03-19 12:52:54+00:00
AWSume: Role profile credentials will expire at: 2018-03-19 11:52:55
Traceback (most recent call last):
  File "/usr/bin/awsumepy", line 11, in <module>
    load_entry_point('awsume==3.0.9', 'console_scripts', 'awsumepy')()
  File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 1415, in main
    awsume.run(command_line_arguments)
  File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 1383, in run
    func(self, arguments, profiles, user_session, role_session)
  File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 862, in get_role_session_callback
    start_auto_awsume(args, app, profiles, AWS_CREDENTIALS_FILE, user_session, role_session)
  File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 892, in start_auto_awsume
    write_auto_awsume_session(args.target_profile_name, auto_profile, credentials_file_path)
  File "/usr/lib/python2.7/site-packages/awsume/awsumepy.py", line 958, in write_auto_awsume_session
    LOG.debug('AutoAwsume profile: %s', json.dumps(auto_profile, indent=2))
  File "/usr/lib64/python2.7/json/__init__.py", line 251, in dumps
    sort_keys=sort_keys, **kw).encode(obj)
  File "/usr/lib64/python2.7/json/encoder.py", line 209, in encode
    chunks = list(chunks)
  File "/usr/lib64/python2.7/json/encoder.py", line 434, in _iterencode
    for chunk in _iterencode_dict(o, _current_indent_level):
  File "/usr/lib64/python2.7/json/encoder.py", line 408, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib64/python2.7/json/encoder.py", line 442, in _iterencode
    o = _default(o)
  File "/usr/lib64/python2.7/json/encoder.py", line 184, in default
    raise TypeError(repr(o) + " is not JSON serializable")
TypeError: datetime.datetime(2018, 3, 19, 12, 52, 54, tzinfo=tzutc()) is not JSON serializable

awsume -l shows region as None when the Region has in fact been set

aws configure --profile myuser set region ap-southeast-2

This sets the region.

aws configure --profile myuser get region returns ap-southeast-2 as expected.

awsume -l does not show it.

=====================AWS Profiles=====================
PROFILE             TYPE  SOURCE  MFA?  REGION
default             User  None    No    ap-southeast-2
myuser              User  None    No    None

The default appears correctly, as expected.

Variables are not exported with pyenv

I am using pyenv as my version manager. When executing awsume it will print out

$ awsume -s my-profile
User profile credentials will expire: 2018-02-02 22:25:56
Role profile credentials will expire: 2018-02-02 20:12:17+01:00
export AWS_SECRET_ACCESS_KEY=ACCESSKEY
export AWS_ACCESS_KEY_ID=KEYID
export AWS_SESSION_TOKEN=SOMESESSIONTOKEN
export AWS_SECURITY_TOKEN=SOMETOKEN
export AWS_REGION=eu-central-1
export AWS_DEFAULT_REGION=eu-central-1
export AWSUME_PROFILE=my-profile

However, when I call awsume my-profile and then try to print out one of the variables, they are empty.
Using $(awsume -s my-profile) instead makes it work.
I suppose this has something to do with the way pyenv handles executables. The relevant line is

exec "/home/me/.pyenv/libexec/pyenv" exec "$program" "$@"

which as far as I understand starts a subshell and prevents the variables from being exported.

Is there a way to make awsume work with pyenv or am I doing something wrong?

Provide a way to display current role in command prompt

Awesome piece of software, loving it!

It would be great if there was a way to query awsume for the current profile, so that this information could be used elsewhere (e.g. to display the current role in the shell command prompt).

Or is this already possible and I'm missing it from the documentation?

Cannot call GetSessionToken with session credentials

I am using awsume with multiple profiles. Some of them need MFA, some do not. Also, I am using awsume within virtualenv.

awsume Version:

pip show awsume
Name: awsume
Version: 2.1.5
Summary: Utility for easily assuming AWS IAM roles from the command line, now in Python!
Home-page: https://github.com/trek10inc/awsume
Author: Trek10, Inc
Author-email: [email protected]
License: MIT
Location: /Users/saruman/virtualenv/aws/lib/python3.6/site-packages
Requires: future, yapsy, python-dateutil, psutil, boto3

I am getting errors when trying to assume a role which does not need MFA. For Roles using MFA no problem occurs.

This is what I get when using a non-MFA profile:

awsume no-mfa-profile
Traceback (most recent call last):
  File "/Users/saruman/virtualenv/aws/bin/awsumepy", line 11, in <module>
    sys.exit(main())
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 1127, in main
    awsumeApp.run()
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 1093, in run
    awsumeUserSession = func(configProfile, credentialsProfile, awsumeUserSession, AWS_CACHE_DIRECTORY, commandLineArguments, out_data)
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 340, in get_user_credentials
    awsUserSession = get_session_token_credentials(userClient, configSection)
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/awsume/awsumepy.py", line 523, in get_session_token_credentials
    return getSessionTokenClient.get_session_token()
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/saruman/virtualenv/aws/lib/python3.6/site-packages/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

Before running the awsume command no AWS Environments (Credentials, Tokens) have been set.

(aws) saruman@Saruman:~ $ printenv | grep AWS
(aws) saruman@Saruman:~ $ 

This is my config:

~/.aws/credentials

[john]
aws_access_key_id = XXX
aws_secret_access_key = XXXXX

[bill]
aws_access_key_id = XXX
aws_secret_access_key = XXXXX

~/.aws/config

[profile no-mfa-profile]
output = json
region = eu-central-1
role_arn = arn:aws:iam::XXX:role/RoleName
source_profile = john

[profile mfa-profile]
output = json
region = eu-central-1
role_arn = arn:aws:iam::XXX:role/RoleName
mfa_serial = arn:aws:iam::XXX:mfa/UserName
source_profile = bill

The MFA ones work all the time. The ones without MFA fail. Using the profiles with AWS-CLI works as expected:

aws s3 ls --profile no-mfa-profile

Does somebody have any idea what I'm doing wrong? Thanks.

when region not set for profile, awsume should set the default region

Most of my roles/users in .aws/config do not have region set. I expect awsume to fall back to the [default] region and set the AWS_REGION env var appropriately.

Instead, the AWS_REGION remains unset.

=========================AWS Profiles========================
PROFILE                 TYPE  SOURCE     MFA?  REGION
ca-master               User  None       No    ap-southeast-2
default                 User  None       No    ap-southeast-2
itoc                    User  None       Yes   None
itoc-preprod            Role  ca-master  Yes   ap-southeast-2
mycli                   User  None       No    ap-southeast-2
myuser                  User  None       No    ap-southeast-2
osssio-audit            Role  itoc       Yes   None
osssio-consbilling      Role  itoc       Yes   None
osssio-dev              Role  itoc       Yes   ap-southeast-2
osssio-ops              Role  itoc       Yes   None
osssio-prod             Role  itoc       Yes   None
osssio-qldonline        Role  itoc       Yes   None
osssio-sandpit          Role  itoc       Yes   None
osssio-staging          Role  itoc       Yes   ap-southeast-2
osssio-test             Role  itoc       Yes   ap-southeast-2
seeingmachines-preprod  Role  ca-master  Yes   ap-southeast-2
seeingmachines-prod     Role  ca-master  Yes   ap-southeast-2

awsume doesn't work with Hong Kong ap-east-1 region

Hello!
I use awsume 3.2.9, and when I try to call tools like awscli and terraform after awsume has exported the env variables, everything works pretty well except for the ap-east-1 region:

awscli:

aws --version
aws-cli/1.16.190 Python/3.7.4 Darwin/17.7.0 botocore/1.12.180

awsume production

aws s3 ls s3://some-bucket-in-hong-kong-region/

An error occurred (IllegalLocationConstraintException) when calling the ListObjectsV2 operation: The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.

aws s3 ls --region ap-east-1 s3://some-bucket-in-hong-kong-region/

An error occurred (InvalidToken) when calling the ListObjectsV2 operation: The provided token is malformed or otherwise invalid.

terraform:

awsume production
terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


Error: Error refreshing state: 1 error(s) occurred:

* provider.aws.ap-east-1: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
	status code: 403, request id: f366241f-a3eb-11e9-84a3-6d3d417c2079

Request: allow MFA token from input args

It would be very useful if the mfa key could optionally be supplied as an input parameter to awsume instead of relying on the input prompt.

Having such a feature would make it much easier to wrap custom functionality around awsume to allow mfa to be inserted by additional means on invocation, instead of creating an interrupting workflow.

Awsume/Awsumepy for IAM role is not working properly!

Hey guys,
I'm not sure where to send the issue, but in June I downloaded your "awsume" utility so I would be able to assume an IAM role easily through CMD, and it was working fine.
Recently, I got a new machine and I downloaded your tools, but it seems it's not working anymore.
My new machine is Windows 10 and I believe that you guys updated the utility, so I'm not sure if I'm missing something or there's something wrong.

I created the same profiles I had on my old machine and I was trying to assume one of them through the following command:
awsume AEProfile
After that, it asks me for the MFA code, which I enter, but then it seems like it just keeps assuming the source profile and not the role. (Plus, I noticed that after I entered the MFA code, two sentences were shown: "User profile credentials will expire" and "Role Profile credentials will expire".)

The thing is, the expiration date/time for the role is the same date/time I ran the command at. Please find the attachment.

Then, to verify which profile is being used, I ran the following command:
aws sts get-caller-identity but it keeps giving me the source profile and not the role!

Regards,
Ahmad

awsume fails to install on linux when powershell is installed.

When attempting to install awsume on Ubuntu 18.10 with powershell installed, the pip install command hangs while installing the awsume package. No output is shown, and the pip command has to be killed manually (Ctrl+C & Ctrl+Z are even captured and ineffective!). Without powershell installed, things work fine.

It'd be nice if there was a way to disable the shell profile hooks during install, perhaps by environment variable. I have to manually remove them every time, since they conflict with my own shell setup that manages awsume differently.

pip install stalls ; fails to awsume a role

On Windows 7, when installing using pip install awsume, the install would hang and never finish. After this, it would recognize the command awsume <profile> but would not reflect the change if you do aws sts get-caller-identity. After looking, I found that .profile was missing in C:\Users<username>. After creating the file and adding alias awsume=". awsume", it now appears to be working correctly.

Error installing awsume

Hi there,

Thanks for the great project!

Trying to install awsume on a new PC and it fails to install with two different errors. One is probably the root cause but not sure which.

The log from pip is attached:

awsume.log

I can see two errors (one about Visual C++ 14.0 and one about failing to run some inline Python).

2019-12-05T13:39:04,744     building 'Levenshtein._levenshtein' extension
2019-12-05T13:39:04,818     error: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/

and

2019-12-05T13:39:05,005 Removed build tracker 'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-req-tracker-yyh6_9_4'
2019-12-05T13:39:05,005 ERROR: Command errored out with exit status 1: 'c:\users\mikeq\appdata\local\programs\python\python38-32\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-install-bq7au0w1\\python-levenshtein\\setup.py'"'"'; __file__='"'"'C:\\Users\\mikeq\\AppData\\Local\\Temp\\pip-install-bq7au0w1\\python-levenshtein\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\mikeq\AppData\Local\Temp\pip-record-6209qpap\install-record.txt' --single-version-externally-managed --compile Check the logs for full command output.

I have tried

  • Updating pip
  • Upgrading to the latest setuptools
  • Installing Microsoft Visual Tools as the first error suggests

Any help appreciated.

Mike.

awsume <role_name> doesn't assume role

Hi,
I am trying to use awsume to assume a role, but it doesn't switch role when I input awsume <role_name>.
As a workaround, I have to input awsume <role_name> -s and then paste the output again.

Can you please help me with what I am doing wrong?

Thanks

awsume -l (account listing) improvements

awsume -l goes to stderr, which is a little annoying when I want to grep. It forces the command to be awsume -l 2>&1 | grep acct-name.

Also, any chance we could get account numbers added to the listing?

Invalid type for parameter DurationSeconds, value: 43200, type: <class 'str'>, valid types: <class 'int'>

Hi!

My ~/.aws/config looks like this:

[profile p1]
region = eu-west-1
role_arn = arn:aws:iam::111111111111:role/XXX
source_profile = p0
mfa_serial = arn:aws:iam::222222222222:mfa/xxx
duration_seconds = 43200
role_duration = 43200

When I run awsume, I get:

$ awsume p1
Enter MFA token:
Parameter validation failed:
Invalid type for parameter DurationSeconds, value: 43200, type: <class 'str'>, valid types: <class 'int'>

If I remove duration_seconds from ~/.aws/config it works.

I use the following version installed via pip on macOS 10.14.6:

$ awsume -v
4.1.2
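The type error reported above comes from passing a config-file string straight through as DurationSeconds. The following is an added example, not awsume's own code, of reading a profile with the standard library, coercing and range-checking duration_seconds, and (as requested in the earlier region issue) falling back to the [default] region. The sample config, the function names and the "example-session" name are constructed for illustration.

```python
import configparser

# Constructed sample, modelled on the ~/.aws/config snippets quoted in the issues.
SAMPLE_CONFIG = """\
[default]
region = ap-southeast-2

[profile p1]
region = eu-west-1
role_arn = arn:aws:iam::111111111111:role/XXX
mfa_serial = arn:aws:iam::222222222222:mfa/xxx
duration_seconds = 43200

[profile no-region]
role_arn = arn:aws:iam::111111111111:role/YYY
duration_seconds = 12h
"""

# STS AssumeRole accepts 900 seconds up to the role's maximum session
# duration, which can be at most 43200 seconds (12 hours).
MIN_DURATION, MAX_DURATION = 900, 43200


def load_profile(config_text, name):
    """Return one profile as a dict, inheriting region from [default]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = name if name == "default" else "profile " + name
    if not parser.has_section(section):
        raise KeyError("no such profile: " + name)
    profile = dict(parser[section])
    if "region" not in profile and parser.has_option("default", "region"):
        profile["region"] = parser.get("default", "region")
    return profile


def assume_role_kwargs(profile, session_name="example-session"):
    """Build typed keyword arguments for an STS AssumeRole call."""
    kwargs = {"RoleArn": profile["role_arn"], "RoleSessionName": session_name}
    if "mfa_serial" in profile:
        kwargs["SerialNumber"] = profile["mfa_serial"]
    raw = profile.get("duration_seconds")
    if raw is not None:
        try:
            seconds = int(raw.strip())  # configparser always returns str
        except ValueError:
            raise ValueError("duration_seconds is not an integer: %r" % raw)
        if not MIN_DURATION <= seconds <= MAX_DURATION:
            raise ValueError("duration_seconds out of range: %d" % seconds)
        kwargs["DurationSeconds"] = seconds
    return kwargs
```

Rejecting a malformed or out-of-range duration before the API call gives a clear local error instead of a botocore parameter validation failure after the MFA prompt.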

Unset variable feature

A common issue I have is I need to unset all existing shell environment variables that a previous run of . awsume -s PROFILE set.

Would be nice if you could run awsume -u and it would dump something such as:

$ awsume -u
unset AWS_SECRET_ACCESS_KEY
unset AWS_ACCESS_KEY_ID
etc...

Date comparison error

I've just updated to the latest awsume available on pip (4.1.6) and I'm seeing this error:

$ awsume platform-production-admin -a
Session token will expire at 2019-10-01 22:38:18
Role credentials will expire 2019-10-01 16:07:34
[3] 52308

Traceback (most recent call last):
  File "/usr/local/bin/autoawsume", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/awsume/autoawsume/main.py", line 41, in main
    earliest_expiration = min(expirations)
TypeError: can't compare offset-naive and offset-aware datetimes
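Both this traceback and the earlier "is not JSON serializable" one come from credential expiry datetimes that mix naive and timezone-aware values. The following is an added example, not awsume's code, that normalizes expirations to aware UTC before comparing or logging them. Treating naive values as UTC is an assumption (the page does not say which zone awsume's naive values are in), and the function names and sample profile are constructed.

```python
import json
from datetime import datetime, timezone


def to_aware_utc(value, assume_tz=timezone.utc):
    """Return value as a timezone-aware UTC datetime.

    Naive values are interpreted in assume_tz; UTC is an assumption here.
    """
    if value.tzinfo is None or value.tzinfo.utcoffset(value) is None:
        value = value.replace(tzinfo=assume_tz)
    return value.astimezone(timezone.utc)


def earliest_expiration(expirations):
    """min() over mixed naive/aware datetimes without raising TypeError."""
    return min(to_aware_utc(e) for e in expirations)


def dump_profile(profile):
    """json.dumps that renders datetimes as ISO 8601 UTC strings."""
    def encode(obj):
        if isinstance(obj, datetime):
            return to_aware_utc(obj).isoformat()
        raise TypeError("%r is not JSON serializable" % (obj,))
    return json.dumps(profile, indent=2, sort_keys=True, default=encode)


# Constructed sample: one naive and one aware expiration, as in the reports.
SESSION_EXPIRES = datetime(2019, 10, 1, 22, 38, 18)
ROLE_EXPIRES = datetime(2019, 10, 1, 16, 7, 34, tzinfo=timezone.utc)


def mixed_min_fails():
    """Reproduce the reported failure on the raw values."""
    try:
        min([SESSION_EXPIRES, ROLE_EXPIRES])
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(mixed_min_fails())
    print(earliest_expiration([SESSION_EXPIRES, ROLE_EXPIRES]))
    # Only non-secret fields are logged in this sample profile.
    print(dump_profile({"profile": "example", "expiration": ROLE_EXPIRES}))
```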
