altimeter.aws.auth package

Submodules

altimeter.aws.auth.accessor module

An Accessor consists of a list of MultiHopAccessors. It provides a method get_session which will iterate through the MultiHopAccessors until a session can be obtained to a target account.

class Accessor(**data)

Bases: altimeter.core.base_model.BaseImmutableModel

An Accessor consists of a list of MultiHopAccessors. It provides a method get_session which will iterate through the MultiHopAccessors until a session can be obtained to a target account. If an Accessor has no MultiHopAccessors it simply uses the local session to attempt to access the account. If the session does not match the requested target account id, ValueError is thrown.

Parameters
  • multi_hop_accessors – List of MultiHopAccessors

  • credentials_cache – AWSCredentialsCache

cache_creds: bool
credentials_cache: altimeter.aws.auth.cache.AWSCredentialsCache
classmethod from_file(filepath, cache_creds=True)

Create an Accessor from json content in a file

Parameters

filepath (Path) – Path to json accessor definition

Return type

Accessor

Returns

Accessor

get_session(account_id, region_name=None)

Get a boto3 session for a given account.

Parameters
  • account_id (str) – target account id

  • region_name (Optional[str]) – session region name

Return type

Session

Returns

boto3.Session object

multi_hop_accessors: List[altimeter.aws.auth.multi_hop_accessor.MultiHopAccessor]

altimeter.aws.auth.cache module

Classes for caching AWS credentials

class AWSCredentials(**data)

Bases: altimeter.core.base_model.BaseImmutableModel

Represents a set of AWS Credentials

Parameters
  • access_key_id – AWS access key id

  • secret_access_key – AWS secret access key

  • session_token – AWS session token

  • expiration – Session expiration as an epoch timestamp int

access_key_id: str
expiration: int
get_session(region_name=None)

Build a boto3.Session using these credentials

Return type

Session

is_expired()

Determine if this cache value is within 60 seconds of expiry

Return type

bool

Returns

True if this session value is expired, else False.

secret_access_key: str
session_token: str
class AWSCredentialsCache(**data)

Bases: altimeter.core.base_model.BaseImmutableModel

An AWSCredentialsCache is a cache for AWSCredentials.

static build_cache_key(account_id, role_name, role_session_name)
Return type

str

cache: Dict[str, altimeter.aws.auth.cache.AWSCredentials]
get(account_id, role_name, role_session_name, region_name=None)

Get a boto3 Session from AWSCredentials in the cache. Return None if no matching AWSCredentials were found.

Parameters
  • account_id (str) – session account id

  • role_name (str) – session role name

  • role_session_name (str) – session role session name

  • region_name (Optional[str]) – session region_name

Return type

Optional[Session]

Returns

boto3.Session from credentials if cached, else None.

put(credentials, account_id, role_name, role_session_name)

Put an AWSCredentials object into the cache.

Parameters
  • credentials (AWSCredentials) – credentials to cache

  • account_id (str) – session account id

  • role_name (str) – session role name

  • role_session_name (str) – session role session name

Return type

None
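The 60-second expiry margin and the three-part cache key described above can be modelled with the standard library alone. This is an added example, not Altimeter's code: the `Creds` and `CredsCache` names, the key format, the strict `<` boundary and the evict-on-read behaviour are assumptions of the example.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

EXPIRY_MARGIN_SECONDS = 60  # documented: "within 60 seconds of expiry"


@dataclass(frozen=True)
class Creds:
    """Stand-in for AWSCredentials; callers pass constructed values, not real keys."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: int  # epoch seconds

    def is_expired(self, now: Optional[float] = None) -> bool:
        # Treat credentials as expired before the real deadline so that a
        # session handed out now cannot lapse in the middle of an API call.
        now = time.time() if now is None else now
        return self.expiration - now < EXPIRY_MARGIN_SECONDS


def build_cache_key(account_id: str, role_name: str, role_session_name: str) -> str:
    # Key format is an assumption; the point is that all three values take
    # part, so credentials for one role or session name never serve another.
    return f"{account_id}:{role_name}:{role_session_name}"


@dataclass
class CredsCache:
    cache: Dict[str, Creds] = field(default_factory=dict)

    def put(self, creds: Creds, account_id: str, role_name: str,
            role_session_name: str) -> None:
        self.cache[build_cache_key(account_id, role_name, role_session_name)] = creds

    def get(self, account_id: str, role_name: str, role_session_name: str,
            now: Optional[float] = None) -> Optional[Creds]:
        key = build_cache_key(account_id, role_name, role_session_name)
        creds = self.cache.get(key)
        if creds is None:
            return None
        if creds.is_expired(now):
            # Evict so stale secrets do not linger in memory or in a dumped cache.
            del self.cache[key]
            return None
        return creds
```
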

altimeter.aws.auth.exceptions module

Exceptions for access related errors.

exception AccountAuthException

Bases: altimeter.core.exceptions.AltimeterException

Exception indicating that auth could not be obtained for an account.

altimeter.aws.auth.multi_hop_accessor module

A MultiHopAccessor contains a list of AccessSteps defining how to gain access to an account via role assumption(s).

class AccessStep(**data)

Bases: altimeter.core.base_model.BaseImmutableModel

Represents a single access step to get to an account.

Parameters
  • role_name – role name for this step

  • account_id – account_id for this step. If empty this step is assumed to be the last in a chain of multiple AccessSteps

  • external_id – external_id to use for access (if needed).

account_id: Optional[str]
external_id: Optional[str]
role_name: str
classmethod substitute_external_id_from_env(external_id)
Return type

Optional[str]

class MultiHopAccessor(**data)

Bases: altimeter.core.base_model.BaseImmutableModel

A MultiHopAccessor contains a list of AccessSteps defining how to gain access to an account via role assumption(s).

Parameters
  • role_session_name – role session name to use for session creation.

  • access_steps – list of AccessSteps defining how to access a final destination account.

access_steps: List[altimeter.aws.auth.multi_hop_accessor.AccessStep]
get_session(account_id, region_name=None, credentials_cache=None)

Get a session for an account_id by iterating through the AccessSteps of this MultiHopAccessor.

Parameters
  • account_id (str) – account to access

  • region_name (Optional[str]) – region to use during session creation.

Return type

Session

Returns

boto3 Session for accessing account_id

role_session_name: str
classmethod valid_access_steps(access_steps)
Return type

List[AccessStep]
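The chain resolution and accessor fallback described in this module and in `Accessor`, modelled as an added example that is not Altimeter's code. The tuple layout, the function names, the injected `assume` callable (standing in for STS AssumeRole) and the final-account check are assumptions; only the multi-hop path is covered, not the local-session case.

```python
from typing import Callable, List, Optional, Tuple

# One hop: (account_id or None, role_name, external_id or None)
Step = Tuple[Optional[str], str, Optional[str]]


def validate_steps(steps: List[Step]) -> List[Step]:
    """Only the final step may omit account_id (empty means "the target")."""
    if not steps:
        raise ValueError("at least one access step is required")
    if any(not account_id for account_id, _, _ in steps[:-1]):
        raise ValueError("non-final access step is missing account_id")
    return steps


def resolve_chain(steps: List[Step], target: str) -> List[Tuple[str, Optional[str]]]:
    """Return (role_arn, external_id) per hop; the last hop must land in target."""
    final_account = validate_steps(steps)[-1][0] or target
    if final_account != target:  # this example's check, not a documented rule
        raise ValueError(f"chain ends in {final_account}, not {target}")
    return [(f"arn:aws:iam::{acct or target}:role/{role}", ext)
            for acct, role, ext in steps]


def get_session(accessors: List[List[Step]], target: str, assume: Callable):
    """Try each chain in order; assume(creds, arn, ext) stands in for STS AssumeRole."""
    errors = []
    for steps in accessors:
        try:
            creds = None  # None means "start from the local credentials"
            for arn, ext in resolve_chain(steps, target):
                creds = assume(creds, arn, ext)
            return creds
        except (ValueError, PermissionError) as exc:
            errors.append(str(exc))  # keep the reason; do not fail silently
    raise PermissionError(f"no accessor reached {target}: {errors}")


if __name__ == "__main__":
    # Constructed account ids and role names, for illustration only.
    def fake_assume(creds, arn, ext):
        if arn.endswith(":role/denied"):
            raise PermissionError(f"AccessDenied: {arn}")
        return f"session({arn})"

    chains = [[("111111111111", "denied", None), (None, "audit", None)],
              [("222222222222", "hub", "ext-1"), (None, "audit", None)]]
    print(get_session(chains, "333333333333", fake_assume))
```
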

Module contents