
--access-key=xxx and --secret-key=yyy options #2

Closed
simonw opened this issue Nov 2, 2021 · 6 comments
Labels
enhancement New feature or request

Comments


simonw commented Nov 2, 2021

These will be used by all of the commands, as an optional alternative to the boto3 default (see #1 (comment)).

@simonw simonw added the enhancement New feature or request label Nov 2, 2021
@simonw simonw changed the title from "--access-key=xxx and --access-secret=yyy options" to "--access-key=xxx and --secret-key=yyy options" Nov 2, 2021

simonw commented Nov 2, 2021

Example code is here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#passing-credentials-as-parameters

import boto3

# Explicit credentials passed as parameters override boto3's default
# credential chain (environment variables, ~/.aws/credentials, instance role).
# aws_session_token is only needed for temporary (STS) credentials.
client = boto3.client(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)

Since access_key_id and secret_access_key are a bit verbose (and the _id suffix always confuses me) I'm going with --access-key and --secret-key instead.

simonw added a commit that referenced this issue Nov 3, 2021
Relates to the not-yet-implemented #2.

simonw commented Nov 3, 2021

Being able to configure the endpoint_url would be useful too - that way this could be used against compatible systems such as Wasabi.


simonw commented Nov 3, 2021

I'm going to add four common options:

  • --access-key
  • --secret-key
  • --session-token
  • --endpoint-url
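How these four options can be plumbed into boto3.client() so that omitting them falls back to boto3's default credential chain, as an added example that is not the s3-credentials project's own code (the real tool uses Click; this uses stdlib argparse, and the endpoint URL in the test is a constructed placeholder):

```python
import argparse
from typing import Optional

# Added example, not s3-credentials' own implementation. Only options the
# user actually supplied are forwarded to boto3, so leaving them out keeps
# the default chain (env vars, ~/.aws/credentials, instance role) in play.
# Note that secrets given on the command line end up in shell history and
# process listings; the default chain avoids that exposure.

def add_common_options(parser: argparse.ArgumentParser) -> argparse.ArgumentParser:
    """Attach the four common options from this issue to a parser."""
    parser.add_argument("--access-key", help="AWS access key ID")
    parser.add_argument("--secret-key", help="AWS secret access key")
    parser.add_argument("--session-token", help="AWS session token")
    parser.add_argument("--endpoint-url", help="Custom endpoint URL")
    return parser

def boto3_kwargs(access_key=None, secret_key=None,
                 session_token=None, endpoint_url=None) -> dict:
    """Map option values onto boto3.client() keyword arguments."""
    # The key pair only makes sense together; botocore would otherwise raise
    # PartialCredentialsError at request time, so fail early and clearly.
    if bool(access_key) != bool(secret_key):
        raise ValueError("--access-key and --secret-key must be supplied together")
    kwargs = {}
    if access_key:
        kwargs["aws_access_key_id"] = access_key
        kwargs["aws_secret_access_key"] = secret_key
    if session_token:
        if not access_key:
            raise ValueError("--session-token requires --access-key and --secret-key")
        kwargs["aws_session_token"] = session_token
    if endpoint_url:  # e.g. an S3-compatible service such as Wasabi
        kwargs["endpoint_url"] = endpoint_url
    return kwargs

def kwargs_from_argv(argv) -> dict:
    """Parse argv with the common options and return boto3 kwargs."""
    parser = add_common_options(argparse.ArgumentParser(prog="s3-credentials"))
    args = parser.parse_args(argv)
    return boto3_kwargs(args.access_key, args.secret_key,
                        args.session_token, args.endpoint_url)

def check_options(argv) -> Optional[str]:
    """Return the validation error message for argv, or None if consistent."""
    try:
        kwargs_from_argv(argv)
    except ValueError as exc:
        return str(exc)
    return None

def make_client(service: str, argv):
    """Build a boto3 client; boto3 is imported lazily so this module loads without it."""
    import boto3
    return boto3.client(service, **kwargs_from_argv(argv))
```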


simonw commented Nov 3, 2021

Quick test, using credentials created for a --read-only user:

% s3-credentials create static.niche-museums.com --read-only
Created user: s3.read-only.static.niche-museums.com with permissions boundary: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Attached policy s3.read-only.static.niche-museums.com to user s3.read-only.static.niche-museums.com
Created access key for user: s3.read-only.static.niche-museums.com
{
    "UserName": "s3.read-only.static.niche-museums.com",
    "AccessKeyId": "AKIAWXFXAIOZOPREKLM6",
    "Status": "Active",
    "SecretAccessKey": "...",
    "CreateDate": "2021-11-03 18:53:05+00:00"
}
% s3-credentials whoami --access-key AKIAWXFXAIOZOPREKLM6 --secret-key ...
Traceback (most recent call last):
  ...
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::462092780466:user/s3.read-only.static.niche-museums.com is not authorized to perform: iam:GetUser on resource: user s3.read-only.static.niche-museums.com
% s3-credentials delete-user s3.read-only.static.niche-museums.com
User: s3.read-only.static.niche-museums.com
  Deleted policy: s3.read-only.static.niche-museums.com
  Deleted access key: AKIAWXFXAIOZOPREKLM6
  Deleted user
% s3-credentials whoami --access-key AKIAWXFXAIOZOPREKLM6 --secret-key ...
Traceback (most recent call last):
  ...
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the GetUser operation: The security token included in the request is invalid.

This looks good to me.


simonw commented Nov 3, 2021

Help text looks like this now:

% s3-credentials create --help
Usage: s3-credentials create [OPTIONS] BUCKETS...

  Create and return new AWS credentials for specified S3 buckets

Options:
  --username TEXT                 Username to create or existing user to use
  -c, --create-bucket             Create buckets if they do not already exist
  --read-only                     Only allow reading from the bucket
  --write-only                    Only allow writing to the bucket
  --policy POLICY                 Path to a policy.json file, or literal JSON
                                  string - $!BUCKET_NAME!$ will be replaced
                                  with the name of the bucket
  --bucket-region TEXT            Region in which to create buckets
  --silent                        Don't show performed steps
  --user-permissions-boundary TEXT
                                  Custom permissions boundary to use for
                                  created users, or 'none' to create without.
                                  Defaults to limiting to S3 based on --read-
                                  only and --write-only options.
  --access-key TEXT               AWS access key ID
  --secret-key TEXT               AWS secret access key
  --session-token TEXT            AWS session token
  --endpoint-url TEXT             Custom endpoint URL
  --help                          Show this message and exit.
% s3-credentials whoami --help
Usage: s3-credentials whoami [OPTIONS]

  Identify currently authenticated user

Options:
  --access-key TEXT     AWS access key ID
  --secret-key TEXT     AWS secret access key
  --session-token TEXT  AWS session token
  --endpoint-url TEXT   Custom endpoint URL
  --help                Show this message and exit.

@simonw simonw closed this as completed in 41bcc8c Nov 3, 2021
simonw added a commit that referenced this issue Nov 4, 2021