Add concept of "assume role credentials provider" from other AWS SDK implementations
Description
I believe Boto should support programmatic configuration of an “assume role credentials provider.” In other words, it should support a syntax similar to:
```python
boto3.client('s3', config=Config(
    role_arn='arn:aws:iam::123456789012:role/S3Access',
    role_session_name='xxx'
))
```
With this configuration in place, the client would:
- Make requests using credentials obtained via sts -> AssumeRole
- Transparently refresh the credentials when they expire
Rationale
I believe this should be supported because it’s already implemented in all other major AWS SDKs. Of the SDKs listed at https://aws.amazon.com/tools/, I’m seeing 6 that can do this and 2 that can’t (Python & PHP).
I want to stress that I’m not requesting this feature because it would be a good addition (although I do 😄 ), but rather, because I see it as a gap in Boto compared to all other SDKs. I think it’s reasonable to assume most developers with a background in other language SDKs would expect this to be supported.
Also worth noting: Boto does support this under the hood, as shown here, however it’s not programmatically configurable like with other SDKs (as far as I can tell).
Examples in other languages
I tried to link to official AWS documentation where possible. For the ones I couldn’t find, I paraphrased examples provided by the wonderful people of GitHub.
Go
```go
// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN.
stsSvc := sts.NewFromConfig(cfg)
creds := stscreds.NewAssumeRoleProvider(stsSvc, "myRoleArn")
cfg.Credentials = aws.NewCredentialsCache(creds)

// Create service client value configured for credentials
// from assumed role.
svc := s3.NewFromConfig(cfg)
```
Java
```java
Region region = Region.of(awsRegion);
StsClient stsClient = StsClient.builder().region(region).build();
AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
        .roleArn(roleArn)
        .roleSessionName(roleSessionName)
        .build();
StsAssumeRoleCredentialsProvider stsARCP = StsAssumeRoleCredentialsProvider.builder()
        .stsClient(stsClient)
        .refreshRequest(assumeRoleRequest)
        .asyncCredentialUpdateEnabled(true)
        .build();
KinesisAsyncClient kinesisClient = KinesisClientUtil
        .createKinesisAsyncClient(KinesisAsyncClient.builder()
                .credentialsProvider(stsARCP)
                .region(region));
```
JavaScript
```javascript
AWS.config.credentials = new AWS.ChainableTemporaryCredentials({
  params: {
    RoleArn: 'arn:aws:iam::1234567890:role/TemporaryCredentials'
  }
});
```
Ruby
```ruby
role_credentials = Aws::AssumeRoleCredentials.new(
  client: Aws::STS::Client.new,
  role_arn: "linked::account::arn",
  role_session_name: "session-name"
)
s3 = Aws::S3::Client.new(credentials: role_credentials)
```
.NET
```csharp
AWSCredentials sourceCredentials = FallbackCredentialsFactory
    .GetCredentials( fallbackToAnonymous: false );
// AssumeRoleAWSCredentials wraps the source credentials and refreshes the
// assumed-role credentials itself when they expire.
AWSCredentials credentials = new AssumeRoleAWSCredentials(
    sourceCredentials,
    roleArn: config.RoleArn,
    roleSessionName: $"dotnet-dynamodb-lock"
);
AmazonDynamoDBConfig dbConfig = new AmazonDynamoDBConfig {
    MaxErrorRetry = 10,
    RetryMode = RequestRetryMode.Standard,
    Timeout = TimeSpan.FromSeconds( 10 )
};
IAmazonDynamoDB db = new AmazonDynamoDBClient( credentials, dbConfig );
```
C++
```cpp
credentials_provider_ =
    tdb::make_shared<Aws::Auth::STSAssumeRoleCredentialsProvider>(
        HERE(),
        role_arn,
        session_name,
        external_id,
        load_frequency,
        nullptr);
client_ = tdb::make_shared<Aws::S3::S3Client>(
    HERE(),
    credentials_provider_,
    *client_config_,
    Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never,
    use_virtual_addressing_);
```
Issue Analytics
- Created 2 years ago
- Reactions:2
- Comments:7 (2 by maintainers)
Top GitHub Comments
@lightningboltemoji, Appreciate the thorough review, and I apologize for misstating! I’ll bring up the proposals in https://github.com/boto/botocore/issues/761 for review again.
@kdaily Thank you for the reply. Sorry to be pedantic, but I do want to respond to this -
This contradicts the official documentation (below) for all of the examples I provided. Every example is for configured-in-code, automatically-refreshing credentials. Boto does not support this, although I certainly agree it supports similar functionality, as you referenced.
- Go
- Java
- JavaScript
- Ruby
- .NET
- C++