Convenience function for STS Assume Role to return new session or client or resource
If a user wants to call STS Assume Role and then do a boto call with those new credentials, there's a bit of boilerplate code.
I would like a nicer way to do this. Yes it's only saving a few lines of code, but the same is true of all boto3.resource() vs boto3.client().
Usage today
import boto3

response = boto3.client('sts').assume_role(
    RoleArn=role,
    RoleSessionName=sesh,
    DurationSeconds=900  # minimum allowed
)
session = boto3.Session(
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken']
)
s3 = session.resource('s3')
s3.Object(bucket, path).put(...)
Desired Usage
Client
client = boto3.resource('sts').assume_role(...).client('sqs')
Resource
table = boto3.resource('sts').assume_role(...).resource('dynamodb').Table()
Context Manager
with boto3.resource('sts').assume_role(...):
    # default session is now assumed session
    s3 = session.resource('s3')
    client = boto3.client('dynamodb')
Hi @mdavis-xyz,
Thanks for the feature request! I think this is a good idea— I'll review with the team to get their thoughts.
This idea is good; assuming a role in Boto is very common, and currently this requires repeating the same extra boilerplate and renewal management. This can easily be improved.
I propose this interface:
session = boto3.Session(role_arn=role, session_name=sesh, session_duration_seconds=900)
s3 = session.resource('s3')
OR:
session = boto3.Session(assume_role=dict(
    RoleArn=role,
    RoleSessionName=sesh,
    DurationSeconds=900
))
s3 = session.resource('s3')
So, the idea is to use the boto3.Session object directly. This allows using the Session object as normal and keeps all the other code identical.
The session should automatically assume the role if role_arn/assume_role is specified. Other arguments from sts.assume_role are identical.
The assume_role dict argument may be more flexible, and may support options to use sts.assume_role_with_saml and sts.assume_role_with_web_identity.
The Session object may also provide a session_renew= boolean argument; if set to True, the assumed session is renewed automatically on expiration.
Is this change still possible given the recent scope reduction of boto3 by the maintainers, to stop working on higher level abstractions and helpful utilities?
Hi, thanks for this feature request. After speaking with the team, this is not something we plan to do in the near future. Closing as not planned.
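A small wrapper along the lines requested in this thread, as an added example that is not part of boto3 and not code from any comment above: it caches the AssumeRole result and calls STS again shortly before the credentials expire. The class name `AssumedRole`, its parameters and the five-minute refresh margin are assumptions made for illustration.

```python
import datetime as dt

REFRESH_MARGIN = dt.timedelta(minutes=5)  # assumed margin: renew this early


class AssumedRole:
    """Hypothetical helper: cache AssumeRole credentials, renew before expiry."""

    def __init__(self, role_arn, session_name, duration=900,
                 sts_client=None, session_factory=None, now=None):
        if sts_client is None or session_factory is None:
            import boto3  # lazy import, so injected fakes work without boto3
            sts_client = sts_client or boto3.client("sts")
            session_factory = session_factory or boto3.Session
        self._sts = sts_client
        self._factory = session_factory
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc))
        # RoleSessionName is recorded in CloudTrail, so make it identify the caller.
        self._params = dict(RoleArn=role_arn, RoleSessionName=session_name,
                            DurationSeconds=duration)
        self._creds = None

    def _credentials(self):
        """Return cached credentials, calling STS again when close to expiry."""
        c = self._creds
        # boto3 returns Expiration as a timezone-aware datetime.
        if c is None or c["Expiration"] - self._now() < REFRESH_MARGIN:
            c = self._creds = self._sts.assume_role(**self._params)["Credentials"]
        return c

    def session(self):
        """Build a session from the current temporary credentials."""
        c = self._credentials()
        return self._factory(
            aws_access_key_id=c["AccessKeyId"],
            aws_secret_access_key=c["SecretAccessKey"],
            aws_session_token=c["SessionToken"],
        )

    def client(self, service, **kwargs):
        return self.session().client(service, **kwargs)

    def resource(self, service, **kwargs):
        return self.session().resource(service, **kwargs)
```

A client or resource built from a returned session keeps the temporary keys it was created with, so long-running code should call `client()` or `resource()` again rather than hold one past the credential lifetime.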