AFP CLI
Overview
The AFP CLI is the command line interface to access the AWS Federation Proxy (AFP).
Its main use case is starting a new shell where your temporary AWS credentials have been exported into the environment.
Installation
The tool is hosted on PyPi and can be installed using the usual Python specific mechanisms, e.g.:
$ pip install afp-cliConfiguration
The afp command can be configured through yaml files in
the following directories:
/etc/afp-cli/*.yaml(global configuration)$HOME/.afp-cli/*.yaml(per-user configuration)
The yaml files are read in lexical order and merged via yamlreader. The following configuration options are supported:
api_url: <api-url>Defaults to lookup a FQDN of a host namedafpvia DNS and construct the server url from it:https://{FQDN}/afp-api/latestThe specified url must contain full server url (not just the FQDN). This option always takes precedence overserverserver: <server>The AFP server to use. No default value. If not overridden byapi_url(see above),api_urlwill becomehttp://<server>//afp-api/latestuser: <username>Defaults to the currently logged in user-namepassword-provider: <provider>Viable options are:prompt(default) to prompt for the password during every interaction with the AFP server orkeyringto use the Pythonkeyringmodule. For more info about using thekeyringmodule, see below.
Example:
user: myuser
api_url: https://afp-server.my.domain/afp-api/latest
password-provider: keyringUsage
Get Help Text
$ afp [-h | --help]List Available Account Names and Roles
For the currently logged-in user:
$ afpThe same for another user:
$ afp --user=usernameOutput format:
<accountname> <role1>,<role2>,...,<roleN>
Example output:
abc_account some_role_in_abc_account xyz_account some_role_in_yxz_account,another_role_in_xyz
Obtain AWS Credentials
This starts a subshell in which the credentials have been exported into the
environment. Use the exit command or press CTRL+D to terminate the
subshell.
Use credentials for currently logged in user and specified account and role:
$ afp accountname rolenameUse credentials for the currently logged in user for the first role:
$ afp accountnameAs above, but specifying a different user:
$ afp --user=username accountname rolenameSpecify the URL of the AFP server, overriding any config file:
$ afp --api-url=https://afp-server.my.domain/afp-api/latestShow and Export
In case you don't want to start a subshell or are using something other than
bash, you can use --show or --export to display the credentials. You
can use the usual UNIX tools to add/remove them from your environment.
--show will just show them and --export will show them in a format
suitable for an export into your environment, i.e. prefixed with export for
UNIX and set for Windows.
$ afp --show <myaccount> [<myrole>]
Password for myuser:
AWS_VALID_SECONDS='600'
AWS_SESSION_TOKEN='XXX'
AWS_SECURITY_TOKEN='XXX'
AWS_SECRET_ACCESS_KEY='XXX'
AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
AWS_ACCESS_KEY_ID='XXX'$ afp --export <myaccount> [<myrole>]
Password for myuser:
export AWS_VALID_SECONDS='600'
export AWS_SESSION_TOKEN='XXX'
export AWS_SECURITY_TOKEN='XXX'
export AWS_SECRET_ACCESS_KEY='XXX'
export AWS_EXPIRATION_DATE='1970-01-01T01:00:00Z'
export AWS_ACCESS_KEY_ID='XXX'The following examples work in zsh, to add and remove them from your environment:
Adding credentials:
$ eval $(afp --export <accountname>)Removing them again:
$ env | grep AWS | cut -f 1 -d'=' | while read line ; do ; unset $line ; done ;Write to AWS Credentials File
The AWS tools read credentials specified with aws configure from a local
file named credentials in a folder named .aws in your home directory.
The afp-cli tool can write your temporary credentials to this file.
$ afp --write <myaccount> [<myrole>]Configuration Settings and Precedence
Please read the section on Configuration Settings and Precedence from the AWS documentation.
Interface with the System Keyring
Starting with version 1.3.0, experimental support for the Python keyring
module has been implemented. This has
been tested with the Gnome Keyring and Max OS X Keychain but supposedly also
works with Windows Credential Vault. You can configure this feature using the
config file as shown above or with a command-line switch.
Example command-line:
$ afp --password-provider keyring
No password found in keychain, please enter it now to store it.
Password for user:You will be prompted for your password the first time. Note
that if you fail to enter the password correctly, the incorrect version will be
stored. Note further that if you are using the Gnome-Keychain you can use the
tool seahorse to update and delete saved passwords, in this case for the
service afp.
Keyring on MacOS X
On some MacOS systems, storing the password works fine, but fetching it fails with Can't fetch password from system. This is due to a change in the 'keyring' module, introduced in version 9.0. As a workaround, downgrade to the previous version with pip install keyring==8.7
Keyring with Gnome-Keychain
There is an intricate caveat when using the keyring module with
Gnome-Keychain. But before discussing this, it is important to mention that
the keyring module uses another module, namely secretstorage under the
hood.
In order for the keyring module to correctly use the Gnome Keychain the
Python module PyGObject aka gi
is required. As stated on the project website: "PyGObject is a Python extension
module that gives clean and consistent access to the entire GNOME software
platform through the use of GObject Introspection." Now, unfortunately, even
though this project is available on PyPi it can not be installed from there
using pip due to issues with the build system. It is however available as a
system package for Ubuntu distributions as python-gi.
Long story short, in order to use the keyring module from afp-cli you need to have
the gi module available to your Python interpreter. You can achieve this,
for example, by doing a global install of afp-cli using something like
sudo pip install afp-cli or install it into a virtual environment that uses
the system site packages because it has been created with the
--system-site-packages flag. In case the gi module is not available and
you try to use the keyring module anyway, afp-cli will exit with an
appropriate error message. Lastly, if in doubt, you can use the --debug
switch to check at runtime which backend was selected.
License
Copyright 2015,2016 Immobilien Scout GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
See Also
See Hologram for another solution that brings temporary AWS credentials onto developer desktops.