diff --git a/S3/Config.py b/S3/Config.py index c99b9f206..6242fb347 100644 --- a/S3/Config.py +++ b/S3/Config.py @@ -15,6 +15,9 @@ import io import sys import json +import time +import urllib.parse +import xml.etree.cElementTree from . import Progress from .SortedDict import SortedDict try: @@ -268,23 +271,48 @@ def role_config(self): Get credentials from IAM authentication """ try: - conn = httplib.HTTPConnection(host='169.254.169.254', timeout = 2) - conn.request('GET', "/latest/meta-data/iam/security-credentials/") - resp = conn.getresponse() - files = resp.read() - if resp.status == 200 and len(files)>1: - conn.request('GET', "/latest/meta-data/iam/security-credentials/%s" % files.decode('utf-8')) - resp=conn.getresponse() - if resp.status == 200: - resp_content = config_unicodise(resp.read()) - creds=json.loads(resp_content) - Config().update_option('access_key', config_unicodise(creds['AccessKeyId'])) - Config().update_option('secret_key', config_unicodise(creds['SecretAccessKey'])) - Config().update_option('access_token', config_unicodise(creds['Token'])) + role_arn = os.environ.get('AWS_ROLE_ARN') + web_identity_token_file = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE') + role_session_name = 'role-session-%s' % (int(time.time())) + if web_identity_token_file: + with open(web_identity_token_file) as f: + web_identity_token = f.read() + params = { + "Action": "AssumeRoleWithWebIdentity", + "Version": "2011-06-15", + "RoleArn": role_arn, + "RoleSessionName": role_session_name, + "WebIdentityToken": web_identity_token + } + conn = httplib.HTTPSConnection(host='sts.amazonaws.com', timeout = 2) + conn.request('POST', '/?' + urllib.parse.urlencode(params)) + resp = conn.getresponse() + files = resp.read() + if resp.status == 200 and len(files)>1: + creds = parse_xml_to_dict(files) + Config().update_option('access_key', creds['AssumeRoleWithWebIdentityResult']['Credentials']['AccessKeyId']) + Config().update_option('secret_key', creds['AssumeRoleWithWebIdentityResult']['Credentials']['SecretAccessKey']) + Config().update_option('access_token', creds['AssumeRoleWithWebIdentityResult']['Credentials']['SessionToken']) else: raise IOError else: - raise IOError + conn = httplib.HTTPConnection(host='169.254.169.254', timeout = 2) + conn.request('GET', "/latest/meta-data/iam/security-credentials/") + resp = conn.getresponse() + files = resp.read() + if resp.status == 200 and len(files)>1: + conn.request('GET', "/latest/meta-data/iam/security-credentials/%s" % files.decode('utf-8')) + resp=conn.getresponse() + if resp.status == 200: + resp_content = config_unicodise(resp.read()) + creds=json.loads(resp_content) + Config().update_option('access_key', config_unicodise(creds['AccessKeyId'])) + Config().update_option('secret_key', config_unicodise(creds['SecretAccessKey'])) + Config().update_option('access_token', config_unicodise(creds['Token'])) + else: + raise IOError + else: + raise IOError except: raise