IAM Roles Anywhere Session

This package provides an easy way to create a refreshable boto3 Session with IAM Roles Anywhere, without defining an AWS profile with relevant configuration for IAM roles anywhere.

This package implements the algorithm described here: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html.

Requirements

• Python 3.8 or later
• Creation and configuration of a trust anchor. See documentation
• Valid X.509 certificate, private key, and optionally a certificate chain file associated with your trust anchor

Install

• From PyPi

bash pip install iam-rolesanywhere-session

• From source

bash git clone https://github.com/awslabs/iam-roles-anywhere-session.git cd iam-roles-anywhere-session python3 -m pip install ./

Configuration

For this package to work you will need to have at your disposal your certificate and private_key file in a PEM format.

IAMRoleAnywhereSession will take multiple arguments:

| Name | Description | Type | Default value | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------- | | profilearn | The Amazon Resource Name (ARN) of the profile. | string | None | | rolearn | The Amazon Resource Name (ARN) of the role to assume. | string | None | | trustanchorarn | The Amazon Resource Name (ARN) of the trust anchor. | string | None | | certificate | The x509 certificate file, in PEM format. | path or bytes | None | | privatekey | The certificate private key file, in PEM Format. | path or bytes | None | | privatekeypassphrase | The passphrase use to decrypt private key file. | string | None | | region | The name of the region where you configured IAM Roles Anywhere. | string | us-east-1 | | sessionduration | The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to 3600 seconds (1 hour). | int | 3600 | | servicename | An identifier for the service, used to build the botosession. | string | rolesanywhere | | endpoint | Roles Anywhere API endpoint to use | string | '{servicename}.{regionname}.amazonaws.com' | | verify | Whether to validate SSL certificates, or the path to a trusted certificate authority | bool or str | None | | proxies | Proxy endpoint(s) for use behind private networks with a proxy. | dict | {} | | proxiesconfig | A dictionary of additional proxy configurations. | dict | {} |

python from iam_rolesanywhere_session import IAMRolesAnywhereSession roles_anywhere_session = IAMRolesAnywhereSession( profile_arn="arn:aws:rolesanywhere:eu-central-1:************:profile/a6294488-77cf-4d4a-8c5c-40b96690bbf0", role_arn="arn:aws:iam::************:role/IAMRolesAnywhere-01", trust_anchor_arn="arn:aws:rolesanywhere:eu-central-1::************::trust-anchor/4579702c-9abb-47c2-88b2-c734e0b29539", certificate='certificate.pem', private_key='privkey.pem', region="eu-central-1" ).get_session() s3 = roles_anywhere_session.client("s3") print(s3.list_buckets())

Documentation

You can find here the complete documentation with additional usage and module reference.

Contributing

Contributions are very welcome. To learn more, see the Contributor Guide.

License

Distributed under the terms of the Apache 2