boto3-refresh-session 1.3.11__py3-none-any.whl → 7.0.1__py3-none-any.whl

boto3_refresh_session/custom.py

@@ -1,108 +0,0 @@
-from __future__ import annotations
-
-__all__ = ["CustomRefreshableSession"]
-
-from typing import Any, Callable
-
-from .exceptions import BRSError
-from .session import BaseRefreshableSession
-
-
-class CustomRefreshableSession(BaseRefreshableSession, method="custom"):
-    """A :class:`boto3.session.Session` object that automatically refreshes temporary credentials
-    returned by a custom credential getter provided by the user. Useful for users with highly
-    sophisticated or idiosyncratic authentication flows.
-
-    Parameters
-    ----------
-    custom_credentials_method: Callable
-        Required. Accepts a callable object that returns temporary AWS security credentials. That
-        object must return a dictionary containing 'access_key', 'secret_key', 'token', and
-        'expiry_time' when called.
-    custom_credentials_method_args : dict[str, Any], optional
-        Optional keyword arguments for the function passed to the ``custom_credentials_method``
-        parameter.
-    defer_refresh : bool, optional
-        If ``True`` then temporary credentials are not automatically refreshed until
-        they are explicitly needed. If ``False`` then temporary credentials refresh
-        immediately upon expiration. It is highly recommended that you use ``True``.
-        Default is ``True``.
-
-    Other Parameters
-    ----------------
-    kwargs : dict
-        Optional keyword arguments for the :class:`boto3.session.Session` object.
-
-    Examples
-    --------
-    Write (or import) the callable object for obtaining temporary AWS security credentials.
-
-    >>> def your_custom_credential_getter(your_param, another_param):
-    >>>     ...
-    >>>     return {
-    >>>         'access_key': ...,
-    >>>         'secret_key': ...,
-    >>>         'token': ...,
-    >>>         'expiry_time': ...,
-    >>>     }
-
-    Pass that callable object to ``RefreshableSession``.
-
-    >>> sess = RefreshableSession(
-    >>>     method='custom',
-    >>>     custom_credentials_method=your_custom_credential_getter,
-    >>>     custom_credentials_method_args=...,
-    >>> )
-    """
-
-    def __init__(
-        self,
-        custom_credentials_method: Callable,
-        custom_credentials_method_args: dict[str, Any] | None = None,
-        defer_refresh: bool | None = None,
-        **kwargs,
-    ):
-        super().__init__(**kwargs)
-
-        self._custom_get_credentials = custom_credentials_method
-        self._custom_get_credentials_args = (
-            custom_credentials_method_args
-            if custom_credentials_method_args is not None
-            else {}
-        )
-
-        self._refresh_using(
-            credentials_method=self._get_credentials,
-            defer_refresh=defer_refresh is not False,
-            refresh_method="custom",
-        )
-
-    def _get_credentials(self) -> dict[str, str]:
-        credentials = self._custom_get_credentials(
-            **self._custom_get_credentials_args
-        )
-        required_keys = {"access_key", "secret_key", "token", "expiry_time"}
-
-        if missing := required_keys - credentials.keys():
-            raise BRSError(
-                f"The dict returned by custom_credentials_method is missing these key-value pairs: "
-                f"{', '.join(repr(param) for param in missing)}. "
-            )
-
-        return credentials
-
-    def get_identity(self) -> dict[str, str]:
-        """Returns metadata about the custom credential getter.
-
-        Returns
-        -------
-        dict[str, str]
-            Dict containing information about the custom credential getter.
-        """
-
-        source = getattr(
-            self._custom_get_credentials,
-            "__name__",
-            repr(self._custom_get_credentials),
-        )
-        return {"method": "custom", "source": repr(source)}

boto3_refresh_session/ecs.py

@@ -1,109 +0,0 @@
-from __future__ import annotations
-
-__all__ = ["ECSRefreshableSession"]
-
-import os
-
-import requests
-
-from .exceptions import BRSError
-from .session import BaseRefreshableSession
-
-_ECS_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
-_ECS_CREDENTIALS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
-_ECS_AUTHORIZATION_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
-_DEFAULT_ENDPOINT_BASE = "http://169.254.170.2"
-
-
-class ECSRefreshableSession(BaseRefreshableSession, method="ecs"):
-    """A boto3 session that automatically refreshes temporary AWS credentials
-    from the ECS container credentials metadata endpoint.
-
-    Parameters
-    ----------
-    defer_refresh : bool, optional
-        If ``True`` then temporary credentials are not automatically refreshed until
-        they are explicitly needed. If ``False`` then temporary credentials refresh
-        immediately upon expiration. It is highly recommended that you use ``True``.
-        Default is ``True``.
-
-    Other Parameters
-    ----------------
-    kwargs : dict
-        Optional keyword arguments passed to :class:`boto3.session.Session`.
-    """
-
-    def __init__(self, defer_refresh: bool | None = None, **kwargs):
-        super().__init__(**kwargs)
-
-        self._endpoint = self._resolve_endpoint()
-        self._headers = self._build_headers()
-        self._http = self._init_http_session()
-
-        self._refresh_using(
-            credentials_method=self._get_credentials,
-            defer_refresh=defer_refresh is not False,
-            refresh_method="ecs-container-metadata",
-        )
-
-    def _resolve_endpoint(self) -> str:
-        uri = os.environ.get(_ECS_CREDENTIALS_FULL_URI) or os.environ.get(
-            _ECS_CREDENTIALS_RELATIVE_URI
-        )
-        if not uri:
-            raise BRSError(
-                "Neither AWS_CONTAINER_CREDENTIALS_FULL_URI nor "
-                "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. "
-                "Are you running inside an ECS container?"
-            )
-        if uri.startswith("http://") or uri.startswith("https://"):
-            return uri
-        return f"{_DEFAULT_ENDPOINT_BASE}{uri}"
-
-    def _build_headers(self) -> dict[str, str]:
-        token = os.environ.get(_ECS_AUTHORIZATION_TOKEN)
-        if token:
-            return {"Authorization": f"Bearer {token}"}
-        return {}
-
-    def _init_http_session(self) -> requests.Session:
-        session = requests.Session()
-        session.headers.update(self._headers)
-        return session
-
-    def _get_credentials(self) -> dict[str, str]:
-        try:
-            response = self._http.get(self._endpoint, timeout=3)
-            response.raise_for_status()
-        except requests.RequestException as exc:
-            raise BRSError(
-                f"Failed to retrieve ECS credentials from {self._endpoint}"
-            ) from exc
-
-        credentials = response.json()
-        required = {
-            "AccessKeyId",
-            "SecretAccessKey",
-            "SessionToken",
-            "Expiration",
-        }
-        if not required.issubset(credentials):
-            raise BRSError(f"Incomplete credentials received: {credentials}")
-        return {
-            "access_key": credentials.get("AccessKeyId"),
-            "secret_key": credentials.get("SecretAccessKey"),
-            "token": credentials.get("SessionToken"),
-            "expiry_time": credentials.get("Expiration"),  # already ISO8601
-        }
-
-    @staticmethod
-    def get_identity() -> dict[str, str]:
-        """Returns metadata about ECS.
-
-        Returns
-        -------
-        dict[str, str]
-            Dict containing metadata about ECS.
-        """
-
-        return {"method": "ecs", "source": "ecs-container-metadata"}

boto3_refresh_session/sts.py

@@ -1,85 +0,0 @@
-from __future__ import annotations
-
-__all__ = ["STSRefreshableSession"]
-
-from typing import Any
-
-from .exceptions import BRSWarning
-from .session import BaseRefreshableSession
-
-
-class STSRefreshableSession(BaseRefreshableSession, method="sts"):
-    """A :class:`boto3.session.Session` object that automatically refreshes temporary AWS
-    credentials using an IAM role that is assumed via STS.
-
-    Parameters
-    ----------
-    assume_role_kwargs : dict
-        Required keyword arguments for :meth:`STS.Client.assume_role` (i.e. boto3 STS client).
-    defer_refresh : bool, optional
-        If ``True`` then temporary credentials are not automatically refreshed until
-        they are explicitly needed. If ``False`` then temporary credentials refresh
-        immediately upon expiration. It is highly recommended that you use ``True``.
-        Default is ``True``.
-    sts_client_kwargs : dict, optional
-        Optional keyword arguments for the :class:`STS.Client` object. Do not provide
-        values for ``service_name`` as they are unnecessary. Default is None.
-
-    Other Parameters
-    ----------------
-    kwargs : dict
-        Optional keyword arguments for the :class:`boto3.session.Session` object.
-    """
-
-    def __init__(
-        self,
-        assume_role_kwargs: dict,
-        defer_refresh: bool | None = None,
-        sts_client_kwargs: dict | None = None,
-        **kwargs,
-    ):
-        super().__init__(**kwargs)
-        defer_refresh = defer_refresh is not False
-        self.assume_role_kwargs = assume_role_kwargs
-
-        if sts_client_kwargs is not None:
-            # overwriting 'service_name' in case it appears in sts_client_kwargs
-            if "service_name" in sts_client_kwargs:
-                BRSWarning(
-                    "'sts_client_kwargs' cannot contain values for 'service_name'. Reverting to service_name = 'sts'."
-                )
-                del sts_client_kwargs["service_name"]
-            self._sts_client = self.client(
-                service_name="sts", **sts_client_kwargs
-            )
-        else:
-            self._sts_client = self.client(service_name="sts")
-
-        # mounting refreshable credentials
-        self._refresh_using(
-            credentials_method=self._get_credentials,
-            defer_refresh=defer_refresh,
-            refresh_method="sts-assume-role",
-        )
-
-    def _get_credentials(self) -> dict[str, str]:
-        temporary_credentials = self._sts_client.assume_role(
-            **self.assume_role_kwargs
-        )["Credentials"]
-        return {
-            "access_key": temporary_credentials.get("AccessKeyId"),
-            "secret_key": temporary_credentials.get("SecretAccessKey"),
-            "token": temporary_credentials.get("SessionToken"),
-            "expiry_time": temporary_credentials.get("Expiration").isoformat(),
-        }
-
-    def get_identity(self) -> dict[str, Any]:
-        """Returns metadata about the identity assumed.
-
-        Returns
-        -------
-        dict[str, Any]
-            Dict containing caller identity according to AWS STS.
-        """
-
-        return self._sts_client.get_caller_identity()

boto3_refresh_session-1.3.11.dist-info/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2025 Mike Letts
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

boto3_refresh_session-1.3.11.dist-info/METADATA

@@ -1,178 +0,0 @@
-Metadata-Version: 2.3
-Name: boto3-refresh-session
-Version: 1.3.11
-Summary: A simple Python package for refreshing the temporary security credentials in a boto3.session.Session object automatically.
-License: MIT
-Keywords: boto3,botocore,aws
-Author: Mike Letts
-Author-email: lettsmt@gmail.com
-Maintainer: Michael Letts
-Maintainer-email: lettsmt@gmail.com
-Requires-Python: >=3.10
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Requires-Dist: boto3
-Requires-Dist: botocore
-Project-URL: Documentation, https://michaelthomasletts.github.io/boto3-refresh-session/index.html
-Project-URL: Repository, https://github.com/michaelthomasletts/boto3-refresh-session
-Description-Content-Type: text/markdown
-
-<div align="center">
-  <img src="https://raw.githubusercontent.com/michaelthomasletts/boto3-refresh-session/refs/heads/main/doc/brs.png" />
-</div>
-
-</br>
-
-<div align="center"><em>
-  A simple Python package for refreshing the temporary security credentials in a <code>boto3.session.Session</code> object automatically.
-</em></div>
-
-</br>
-
-<div align="center">
-
-  <a href="https://pypi.org/project/boto3-refresh-session/">
-    <img src="https://img.shields.io/pypi/v/boto3-refresh-session?color=%23FF0000FF&logo=python&label=Latest%20Version" alt="PyPI - Version"/>
-  </a>
-
-  <a href="https://pypi.org/project/boto3-refresh-session/">
-    <img src="https://img.shields.io/pypi/pyversions/boto3-refresh-session?style=pypi&color=%23FF0000FF&logo=python&label=Compatible%20Python%20Versions" alt="Python Version"/>
-  </a>
-
-  <a href="https://github.com/michaelthomasletts/boto3-refresh-session/actions/workflows/push.yml">
-    <img src="https://img.shields.io/github/actions/workflow/status/michaelthomasletts/boto3-refresh-session/push.yml?logo=github&color=%23FF0000FF&label=Build" alt="Workflow"/>
-  </a>
-
-  <a href="https://github.com/michaelthomasletts/boto3-refresh-session/commits/main">
-    <img src="https://img.shields.io/github/last-commit/michaelthomasletts/boto3-refresh-session?logo=github&color=%23FF0000FF&label=Last%20Commit" alt="GitHub last commit"/>
-  </a>
-
-  <a href="https://github.com/michaelthomasletts/boto3-refresh-session/stargazers">
-    <img src="https://img.shields.io/github/stars/michaelthomasletts/boto3-refresh-session?style=flat&logo=github&labelColor=555&color=FF0000&label=Stars" alt="Stars"/>
-  </a>
-
-  <a href="https://pepy.tech/project/boto3-refresh-session">
-    <img src="https://img.shields.io/badge/downloads-62.9K-red?logo=python&color=%23FF0000&label=Downloads" alt="Downloads"/>
-  </a>
-
-  <a href="https://michaelthomasletts.github.io/boto3-refresh-session/index.html">
-    <img src="https://img.shields.io/badge/Official%20Documentation-📘-FF0000?style=flat&labelColor=555&logo=readthedocs" alt="Documentation Badge"/>
-  </a>
-
-  <a href="https://github.com/michaelthomasletts/boto3-refresh-session">
-    <img src="https://img.shields.io/badge/Source%20Code-💻-FF0000?style=flat&labelColor=555&logo=github" alt="Source Code Badge"/>
-  </a>
-
-  <a href="https://michaelthomasletts.github.io/boto3-refresh-session/qanda.html">
-    <img src="https://img.shields.io/badge/Q%26A-❔-FF0000?style=flat&labelColor=555&logo=vercel&label=Q%26A" alt="Q&A Badge"/>
-  </a>
-
-  <a href="https://medium.com/@lettsmt/you-shouldnt-have-to-think-about-refreshing-aws-credentials-214f7cbbd83b">
-    <img src="https://img.shields.io/badge/Medium%20Article-📘-FF0000?style=flat&labelColor=555&logo=readthedocs" alt="Medium Article"/>
-  </a>    
-
-</div>
-
-## Features
-
-- Drop-in replacement for `boto3.session.Session`
-- Supports automatic credential refresh methods for various AWS services:
-  - STS
-  - ECS
-- Supports custom authentication methods for complicated authentication flows
-- Natively supports all parameters supported by `boto3.session.Session`
-- Tested, documented, and published to PyPI
-- Future releases will include support for EC2, IoT, SSO, and OIDC
-
-## Recognition, Adoption, and Testimonials
-
-[Featured in TL;DR Sec.](https://tldrsec.com/p/tldr-sec-282)
-
-[Featured in CloudSecList.](https://cloudseclist.com/issues/issue-290)
-
-Recognized during AWS Community Day Midwest on June 5th, 2025.
-
-A testimonial from a Cyber Security Engineer at a FAANG company:
-
-> _Most of my work is on tooling related to AWS security, so I'm pretty choosy about boto3 credentials-adjacent code. I often opt to just write this sort of thing myself so I at least know that I can reason about it. But I found boto3-refresh-session to be very clean and intuitive [...] We're using the RefreshableSession class as part of a client cache construct [...] We're using AWS Lambda to perform lots of operations across several regions in hundreds of accounts, over and over again, all day every day. And it turns out that there's a surprising amount of overhead to creating boto3 clients (mostly deserializing service definition json), so we can run MUCH more efficiently if we keep a cache of clients, all equipped with automatically refreshing sessions._
-
-## Installation
-
-```bash
-pip install boto3-refresh-session
-```
-
-## Usage (STS)
-
-```python
-import boto3_refresh_session as brs
-
-# you can pass all of the params normally associated with boto3.session.Session
-profile_name = "<your-profile-name>"
-region_name = "us-east-1"
-...
-
-# as well as all of the params associated with STS.Client.assume_role
-assume_role_kwargs = {
-  "RoleArn": "<your-role-arn>",
-  "RoleSessionName": "<your-role-session-name>",
-  "DurationSeconds": "<your-selection>",
-  ...
-}
-
-# as well as all of the params associated with STS.Client, except for 'service_name'
-sts_client_kwargs = {
-  "region_name": region_name,
-  ...
-}
-
-# basic initialization of boto3.session.Session
-session = brs.RefreshableSession(
-  assume_role_kwargs=assume_role_kwargs, # required
-  sts_client_kwargs=sts_client_kwargs,
-  region_name=region_name,
-  profile_name=profile_name,
-  ...
-)
-```
-
-## Usage (ECS)
-
-```python
-session = RefreshableSession(
-  method="ecs", 
-  region_name=region_name, 
-  profile_name=profile_name,
-  ...
-)
-```
-
-## Usage (Custom)
-
-If you have a highly sophisticated, novel, or idiosyncratic authentication flow not included in boto3-refresh-session then you will need to provide your own custom temporary credentials callable object. `RefreshableSession` accepts custom credentials callable objects, as shown below.
-
-```python
-# create (or import) your custom credential method
-def your_custom_credential_getter(...):
-    ...
-    return {
-        "access_key": ...,
-        "secret_key": ...,
-        "token": ...,
-        "expiry_time": ...,
-    }
-
-# and pass it to RefreshableSession
-session = RefreshableSession(
-    method="custom",
-    custom_credentials_method=your_custom_credential_getter,
-    custom_credentials_method_args=...,
-    region_name=region_name,
-    profile_name=profile_name,
-    ...
-)
-```

boto3_refresh_session-1.3.11.dist-info/NOTICE

@@ -1,12 +0,0 @@
-boto3-refresh-session  
-Copyright 2024 Michael Letts
-
-boto3-refresh-session (BRS) includes software designed and developed by Michael Letts (the author).
-
-Although the author was formerly employed by Amazon, this project was conceived, designed, developed, and released independently after that period of employment. It is not affiliated with or endorsed by Amazon Web Services (AWS), Amazon, or any contributors to boto3 or botocore, regardless of their employment status.
-
-Developers are welcome and encouraged to modify and adapt this software to suit their needs — this is in fact already common practice among some of the largest users of BRS.
-
-If you find boto3-refresh-session (BRS) helpful in your work, a note of thanks or a mention in your project’s documentation or acknowledgments is appreciated — though not required under the terms of the MIT License.
-
-Licensed under the MIT License. See the LICENSE file for details.

boto3_refresh_session-1.3.11.dist-info/RECORD

@@ -1,11 +0,0 @@
-boto3_refresh_session/__init__.py,sha256=DohG-bMPXA_oNxVdsxqkhkP2WTht4ZhPYZnvr2TOHnk,246
-boto3_refresh_session/custom.py,sha256=L3kQ_6e-lmIGgm1GHLngOqJOzeS-oDFoVCPTkva0-PA,3760
-boto3_refresh_session/ecs.py,sha256=WIC5mlbcEnM1oo-QXmmtiw2mjFDn01hBfcFh67ku42A,3713
-boto3_refresh_session/exceptions.py,sha256=qcFzdIuK5PZirs77H_Kb64S9QFb6cn2OJtirjvaRLiY,972
-boto3_refresh_session/session.py,sha256=u1gSsYH3OpcbIurMS2nstPbQtOO-S9GZsuk_yhjEqAI,5304
-boto3_refresh_session/sts.py,sha256=paIgbmn9a3cATNX-6AEGxnSGNZnX1pj4rRQmh8gQSKs,3132
-boto3_refresh_session-1.3.11.dist-info/LICENSE,sha256=I3ZYTXAjbIly6bm6J-TvFTuuHwTKws4h89QaY5c5HiY,1067
-boto3_refresh_session-1.3.11.dist-info/METADATA,sha256=uAQ4YUTH7odAThp-TeiUizKkJMGHmM9ERtcx86atqOU,7052
-boto3_refresh_session-1.3.11.dist-info/NOTICE,sha256=1s8r33qbl1z0YvPB942iWgvbkP94P_e8AnROr1qXXuw,939
-boto3_refresh_session-1.3.11.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
-boto3_refresh_session-1.3.11.dist-info/RECORD,,