Support role assumption & MFA prompts from profile without AWS_SESSION... env vars #34

Open
cobbr2 opened this issue Dec 6, 2018 · 4 comments
Labels
enhancement New feature or request P3 Low priority

Comments

cobbr2 commented Dec 6, 2018

In our environment, we often rely on profiles without the AWS_SESSION... environment variables, which is apparently the "new way" of doing temporary tokens in AWS-land.

So boto3 tries to prompt for my MFA, at which point athenacli gets a bit confused: it appears that athenacli and boto3 are competing for control of the terminal. I get prompted several times, and get some really lovely stack traces:

Enter MFA code for arn:aws:iam::xxxxxxxxxxxxxxx:mfa/rick.cobb: Failed to execute query.
Traceback (most recent call last):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/athenacli/sqlexecute.py", line 78, in run
    for result in special.execute(cur, sql):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/athenacli/packages/special/main.py", line 58, in execute
    raise CommandNotFound
athenacli.packages.special.main.CommandNotFound

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/pyathena/common.py", line 166, in _execute
    **request)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/pyathena/util.py", line 44, in retry_api_call
    return retry(func, *args, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 358, in call
    do = self.iter(retry_state=retry_state)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 319, in iter
    return fut.result()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/concurrent/futures/_base.py", line 425, in result
    return self.__get_result()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 361, in call
    result = fn(*args, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 610, in _make_api_call
    operation_model, request_dict)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 149, in sign
    auth = self.get_auth_instance(**kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 229, in get_auth_instance
    frozen_credentials = self._credentials.get_frozen_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 518, in get_frozen_credentials
    self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 413, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 429, in _protected_refresh
    metadata = self._refresh_using()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 566, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 697, in _get_credentials
    client = self._create_client()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 716, in _create_client
    frozen_credentials = self._source_credentials.get_frozen_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 518, in get_frozen_credentials
    self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 413, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 429, in _protected_refresh
    metadata = self._refresh_using()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 177, in __call__
    return self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 566, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 696, in _get_credentials
    kwargs = self._assume_role_kwargs()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 707, in _assume_role_kwargs
    token_code = self._mfa_prompter(prompt)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/getpass.py", line 77, in unix_getpass
    passwd = _raw_input(prompt, stream, input=input)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/getpass.py", line 148, in _raw_input
    raise EOFError

I'm currently working around this using a new feature of our development tools where we set the AWS_SESSION... env vars, which is fine, but it'd be nice to support the newer profile stuff.

@cobbr2 cobbr2 changed the title Support role assumption & MFA prompts Support role assumption & MFA prompts from profile without AWS_SESSION... env vars Dec 6, 2018
@zzl0 zzl0 added enhancement New feature or request P2 Medium priority labels Dec 7, 2018
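
The traceback above ends with botocore's `_assume_role_kwargs` calling the MFA prompter from inside a chained credential refresh. As an added example (not part of the original issue, and not athenacli or botocore code), this standard-library check walks a profile's `source_profile` chain in an AWS config file and lists the `mfa_serial` devices that would trigger a prompt, so a CLI can know before it takes over the terminal. The function names and the sample config are assumptions constructed for illustration.

```python
import configparser

# Constructed sample of ~/.aws/config; account ids and names are made up.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile base]
region = us-east-1

[profile analyst]
role_arn = arn:aws:iam::111111111111:role/analyst
source_profile = base
mfa_serial = arn:aws:iam::111111111111:mfa/example.user

[profile athena]
role_arn = arn:aws:iam::222222222222:role/athena-query
source_profile = analyst
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        # The config file names sections "profile NAME", except "default".
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name.strip()] = dict(parser[section])
    return profiles

def mfa_prompts(profiles, name):
    """Return the mfa_serial values that resolving `name` would prompt for,
    ordered from the innermost source profile out to `name` itself."""
    serials, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError("source_profile cycle at %r" % name)
        if name not in profiles:
            raise KeyError("profile %r not found" % name)
        seen.add(name)
        profile = profiles[name]
        # The MFA prompt happens while building the assume-role request,
        # so only profiles with a role_arn count.
        if "role_arn" in profile and "mfa_serial" in profile:
            serials.append(profile["mfa_serial"])
        name = profile.get("source_profile") if "role_arn" in profile else None
    return serials[::-1]
```

Here `athena` has no `mfa_serial` of its own but still needs a code, because its source profile `analyst` does; this matches the nested refresh visible in the traceback.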
Contributor

zzl0 commented Dec 7, 2018

@cobbr2 Thanks for your feedback.

@zzl0 zzl0 added P3 Low priority and removed P2 Medium priority labels Dec 9, 2018
@tkang007

Hello,
When using assume role, the AWS profile is prepared with AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN and some more properties in the AWS credential files.

Is there any way to use an AWS profile (not through the athenaclirc file) on the athenacli command line to apply the AWS profile's properties?

Thanks.

Contributor

zzl0 commented May 9, 2020

@tkang007 Yes, you can specify the AWS profile on the command line: https://github.com/dbcli/athenacli/blob/master/athenacli/main.py#L613

Contributor

zzl0 commented May 9, 2020

@tkang007 I haven't used AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN; I will be happy to review the PR for this.

If you are interested in this, please refer to this PR #51
