boto3-refresh-session 1.3.4__py3-none-any.whl → 1.3.6__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- boto3_refresh_session/__init__.py +1 -1
- {boto3_refresh_session-1.3.4.dist-info → boto3_refresh_session-1.3.6.dist-info}/METADATA +41 -39
- {boto3_refresh_session-1.3.4.dist-info → boto3_refresh_session-1.3.6.dist-info}/RECORD +6 -6
- {boto3_refresh_session-1.3.4.dist-info → boto3_refresh_session-1.3.6.dist-info}/LICENSE +0 -0
- {boto3_refresh_session-1.3.4.dist-info → boto3_refresh_session-1.3.6.dist-info}/NOTICE +0 -0
- {boto3_refresh_session-1.3.4.dist-info → boto3_refresh_session-1.3.6.dist-info}/WHEEL +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.3
|
|
2
2
|
Name: boto3-refresh-session
|
|
3
|
-
Version: 1.3.
|
|
3
|
+
Version: 1.3.6
|
|
4
4
|
Summary: A simple Python package for refreshing the temporary security credentials in a boto3.session.Session object automatically.
|
|
5
5
|
License: MIT
|
|
6
6
|
Keywords: boto3,botocore,aws
|
|
@@ -100,35 +100,33 @@ A testimonial from a Cyber Security Engineer at a FAANG company:
|
|
|
100
100
|
|
|
101
101
|
> _Most of my work is on tooling related to AWS security, so I'm pretty choosy about boto3 credentials-adjacent code. I often opt to just write this sort of thing myself so I at least know that I can reason about it. But I found boto3-refresh-session to be very clean and intuitive [...] We're using the RefreshableSession class as part of a client cache construct [...] We're using AWS Lambda to perform lots of operations across several regions in hundreds of accounts, over and over again, all day every day. And it turns out that there's a surprising amount of overhead to creating boto3 clients (mostly deserializing service definition json), so we can run MUCH more efficiently if we keep a cache of clients, all equipped with automatically refreshing sessions._
|
|
102
102
|
|
|
103
|
-
The following line plot illustrates the adoption of BRS over the last three months in terms of average daily downloads over a rolling seven day window.
|
|
104
|
-
|
|
105
103
|
## Installation
|
|
106
104
|
|
|
107
105
|
```bash
|
|
108
106
|
pip install boto3-refresh-session
|
|
109
107
|
```
|
|
110
108
|
|
|
111
|
-
## Usage
|
|
109
|
+
## Usage (STS)
|
|
112
110
|
|
|
113
111
|
```python
|
|
114
112
|
import boto3_refresh_session as brs
|
|
115
113
|
|
|
116
|
-
# you can pass all of the params associated with boto3.session.Session
|
|
117
|
-
profile_name =
|
|
118
|
-
region_name =
|
|
114
|
+
# you can pass all of the params normally associated with boto3.session.Session
|
|
115
|
+
profile_name = "<your-profile-name>"
|
|
116
|
+
region_name = "us-east-1"
|
|
119
117
|
...
|
|
120
118
|
|
|
121
119
|
# as well as all of the params associated with STS.Client.assume_role
|
|
122
120
|
assume_role_kwargs = {
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
121
|
+
"RoleArn": "<your-role-arn>",
|
|
122
|
+
"RoleSessionName": "<your-role-session-name>",
|
|
123
|
+
"DurationSeconds": "<your-selection>",
|
|
126
124
|
...
|
|
127
125
|
}
|
|
128
126
|
|
|
129
127
|
# as well as all of the params associated with STS.Client, except for 'service_name'
|
|
130
128
|
sts_client_kwargs = {
|
|
131
|
-
|
|
129
|
+
"region_name": region_name,
|
|
132
130
|
...
|
|
133
131
|
}
|
|
134
132
|
|
|
@@ -140,37 +138,41 @@ session = brs.RefreshableSession(
|
|
|
140
138
|
profile_name=profile_name,
|
|
141
139
|
...
|
|
142
140
|
)
|
|
143
|
-
|
|
144
|
-
# now you can create clients, resources, etc. without worrying about expired temporary
|
|
145
|
-
# security credentials
|
|
146
|
-
s3 = session.client(service_name='s3')
|
|
147
|
-
buckets = s3.list_buckets()
|
|
148
141
|
```
|
|
149
142
|
|
|
150
|
-
##
|
|
151
|
-
|
|
152
|
-
Long-running data pipelines, security tooling, ETL jobs, and cloud automation scripts frequently interact with the AWS API using boto3 — and often run into the same problem:
|
|
153
|
-
|
|
154
|
-
**Temporary credentials expire.**
|
|
155
|
-
|
|
156
|
-
When that happens, engineers typically fall back on one of two strategies:
|
|
157
|
-
|
|
158
|
-
- Wrapping AWS calls in try/except blocks that catch ClientError exceptions
|
|
159
|
-
- Writing ad hoc logic to refresh credentials using botocore credentials internals
|
|
160
|
-
|
|
161
|
-
Both approaches are fragile, tedious to maintain, and error-prone at scale.
|
|
162
|
-
|
|
163
|
-
Over the years, I noticed that every company I worked for — whether a scrappy startup or FAANG — ended up with some variation of the same pattern:
|
|
164
|
-
a small in-house module to manage credential refresh, written in haste, duplicated across services, and riddled with edge cases. Things only
|
|
165
|
-
got more strange and difficult when I needed to run things in parallel.
|
|
143
|
+
## Usage (ECS)
|
|
166
144
|
|
|
167
|
-
|
|
145
|
+
```python
|
|
146
|
+
session = RefreshableSession(
|
|
147
|
+
method="ecs",
|
|
148
|
+
region_name=region_name,
|
|
149
|
+
profile_name=profile_name,
|
|
150
|
+
...
|
|
151
|
+
)
|
|
152
|
+
```
|
|
168
153
|
|
|
169
|
-
|
|
170
|
-
- Extensible
|
|
171
|
-
- Integrated with boto3 idioms
|
|
172
|
-
- Equipped with automatic documentation and CI tooling
|
|
154
|
+
## Usage (Custom)
|
|
173
155
|
|
|
174
|
-
|
|
156
|
+
If you have a highly sophisticated, novel, or idiosyncratic authentication flow not included in boto3-refresh-session then you will need to provide your own custom temporary credentials method. `RefreshableSession` accepts custom credentials methods, as shown below.
|
|
175
157
|
|
|
176
|
-
|
|
158
|
+
```python
|
|
159
|
+
# create (or import) your custom credential method
|
|
160
|
+
def your_custom_credential_getter(...):
|
|
161
|
+
...
|
|
162
|
+
return {
|
|
163
|
+
"access_key": ...,
|
|
164
|
+
"secret_key": ...,
|
|
165
|
+
"token": ...,
|
|
166
|
+
"expiry_time": ...,
|
|
167
|
+
}
|
|
168
|
+
|
|
169
|
+
# and pass it to RefreshableSession
|
|
170
|
+
session = RefreshableSession(
|
|
171
|
+
method="custom",
|
|
172
|
+
custom_credentials_method=your_custom_credential_getter,
|
|
173
|
+
custom_credentials_methods_args=...,
|
|
174
|
+
region_name=region_name,
|
|
175
|
+
profile_name=profile_name,
|
|
176
|
+
...
|
|
177
|
+
)
|
|
178
|
+
```
|
|
@@ -1,11 +1,11 @@
|
|
|
1
|
-
boto3_refresh_session/__init__.py,sha256=
|
|
1
|
+
boto3_refresh_session/__init__.py,sha256=944rMVW-eSGvXJhL0-LFD1qSsN1e604qkP6dst8D_-4,200
|
|
2
2
|
boto3_refresh_session/custom.py,sha256=ZnN94A69Eku9L-kHZ7JJxn_aWbrt6mJDWOIEWrJrIcY,3229
|
|
3
3
|
boto3_refresh_session/ecs.py,sha256=WIC5mlbcEnM1oo-QXmmtiw2mjFDn01hBfcFh67ku42A,3713
|
|
4
4
|
boto3_refresh_session/exceptions.py,sha256=qcFzdIuK5PZirs77H_Kb64S9QFb6cn2OJtirjvaRLiY,972
|
|
5
5
|
boto3_refresh_session/session.py,sha256=ak8lvgoHMObaJgL4c80ih4bptRHS3ASojnaWdbxn5kA,5246
|
|
6
6
|
boto3_refresh_session/sts.py,sha256=paIgbmn9a3cATNX-6AEGxnSGNZnX1pj4rRQmh8gQSKs,3132
|
|
7
|
-
boto3_refresh_session-1.3.
|
|
8
|
-
boto3_refresh_session-1.3.
|
|
9
|
-
boto3_refresh_session-1.3.
|
|
10
|
-
boto3_refresh_session-1.3.
|
|
11
|
-
boto3_refresh_session-1.3.
|
|
7
|
+
boto3_refresh_session-1.3.6.dist-info/LICENSE,sha256=I3ZYTXAjbIly6bm6J-TvFTuuHwTKws4h89QaY5c5HiY,1067
|
|
8
|
+
boto3_refresh_session-1.3.6.dist-info/METADATA,sha256=noSVW3kcFe92PA5JXoM1qwIt3xgrtVePNNIJiPwDjX4,7034
|
|
9
|
+
boto3_refresh_session-1.3.6.dist-info/NOTICE,sha256=1s8r33qbl1z0YvPB942iWgvbkP94P_e8AnROr1qXXuw,939
|
|
10
|
+
boto3_refresh_session-1.3.6.dist-info/WHEEL,sha256=b4K_helf-jlQoXBBETfwnf4B04YC67LOev0jo4fX5m8,88
|
|
11
|
+
boto3_refresh_session-1.3.6.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|