Added usage of aws session token to use temporary credentials. #250
What is the use case for this? I'm trying to understand how useful it would be to add it.
tests/test_settings.py
Outdated
settings.AWS_SESSION_TOKEN = "FwoGZXIvYXdzED8aDAILqEtZvcDCx+KsFCK1AUwcLbm4d+mAlRWYN+r1adKoIfwe/T117KNcql" \ | ||
"fbFFc6lgM1BQk9RepOZOyhNnx1ji12BMnA+Sc/9H1gi/QRt51U0EQVhcT7i9YZbipzrYMLpvxe0dwXwC7MTy7NQRkEMhpyXWgFw4Wz+" \ | ||
"pHdZTFI4DOEhjf/t1FcuV2jX0oS0Eqqck2YB6yY03FpQRFVFIKUFcyvt9kMP9F77iHkgnEWBxOVcfSxBHfgQDTCHCecMNDN02/u628o" \ | ||
"xK6elAYyLZu54kuwLAbe3hD2++FpbjCSF88DFWESks8o2PP489XCCCJrX/SnurGNfeWifA==" |
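Review bot: the literal assigned to settings.AWS_SESSION_TOKEN in tests/test_settings.py has the length and encoding of a real STS session token, so neither a reader nor a secret scanner can tell whether a live credential was committed. Replace it with a short, obviously fake string, and if the value was copied from an actual AssumeRole response, treat it as disclosed even though it is short-lived.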
For testing, a shorter, fake value would be sufficient instead of these very long strings.
Updated, made the string shorter.
Use case, for example: I want to use django-ses with temporary credentials that I got from an AssumeRole operation, and I can't do this, because the boto3.client call doesn't accept the session token that is required for using temporary credentials (to use temporary credentials you must provide aws_access_key_id, aws_secret_access_key and aws_session_token to boto3). This fork allows using temporary credentials.
OK the use case makes sense. Could you update the README to document this usage as well?
I published this on PyPI as 3.1.0, but for some reason it's not picking it up. Maybe they have some issues. You can check later, if you want. Thanks for your contribution!
Correct me if I'm wrong, but this PR seems to only get halfway-there in terms of supporting temporary credentials. As the name suggests, these credentials have short lifespans and therefore need to be refreshed continually to work. This PR exposes some configs which Django reads once when the server starts. The credentials will inevitably expire, and then this package will no longer be able to open a connection. I don't necessarily think that django-ses should be responsible for refreshing credentials. I do think there should be some way of updating SESBackend's Currently, the only option I see available is to write a custom
The first is expressly warned against by Django, and the second is not ideal because we are overriding private variables (although it is the better of the two options). Perhaps there should be some exposed way of doing this?
I'm not 100% sure that you are right, but it sounds right :) And so if you want to PR an approach that is more elegant than option 2, I'd take a look at it. I'm not actively using this on a project now, so it's tricky for me to test it, and I would trust that you'd be able to test it in a real environment for a bit before we merge it.
@pcraciunoiu After looking at the way django-storages handles this, it seems they expose an AWS_S3_SESSION_PROFILE config. AWS profiles support temporary credentials out of the box, so my instinct is to think that doing something similar to django-storages would be the best. That is, provide an alternative means of authenticating via AWS_SES_SESSION_PROFILE. I'm not a boto/AWS expert in general, but I'd be happy to take a crack at this.
@colehorvitz that sounds reasonable to me. I see it in use here, and it should be fairly straightforward. I'm not an expert either, and there seem to be many ways to specify credentials!
Allows using temporary AWS credentials with a session token.
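The expiry concern raised in the thread, as an added example that is not django-ses code: instead of reading the three values once at startup, the keyword arguments for `boto3.client` are rebuilt from a cache that renews the temporary credentials shortly before they expire. `TemporaryCredentialCache`, `make_fake_fetcher`, `REFRESH_SKEW` and the shape of the `fetch` result are hypothetical; only the three keyword names come from the discussion above.

```python
from datetime import datetime, timedelta, timezone

REFRESH_SKEW = timedelta(minutes=5)  # assumption: renew this long before expiry


class TemporaryCredentialCache:
    """Caches one set of temporary credentials and renews it before expiry.

    `fetch` is a hypothetical callable (for example a wrapper around an
    AssumeRole call) returning a dict with access_key, secret_key, token
    and a timezone-aware `expiration` datetime.
    """

    def __init__(self, fetch, now=lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._now = now
        self._current = None

    def client_kwargs(self):
        """Keyword arguments to pass to boto3.client for each new connection."""
        cur = self._current
        if cur is None or self._now() >= cur["expiration"] - REFRESH_SKEW:
            cur = self._fetch()
            if cur["expiration"] <= self._now():
                raise RuntimeError("fetched credentials are already expired")
            self._current = cur
        return {
            "aws_access_key_id": cur["access_key"],
            "aws_secret_access_key": cur["secret_key"],
            "aws_session_token": cur["token"],
        }


def make_fake_fetcher(clock, lifetime=timedelta(hours=1)):
    """Constructed stand-in for a token service; all values are fake."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        n = calls["n"]
        return {"access_key": f"FAKE-KEY-{n}", "secret_key": f"fake-secret-{n}",
                "token": f"fake-session-token-{n}",
                "expiration": clock() + lifetime}

    return fetch, calls
```

A static `AWS_SESSION_TOKEN` setting corresponds to calling `fetch` exactly once; the cache shows what changes when the same kwargs are requested again after the lifetime has nearly elapsed.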