Amazon Web Services provides a Python SDK called boto3 to programmatically perform actions to our AWS cloud resources such as EC2 instances and S3 buckets. This means that we can build an external front-end application that users interact with (instead of giving access to AWS), and then build the back-end integration with AWS using the SDK. To allow our app to access AWS, we will need the following information from our AWS account:
- IAM User access key and secret key – This can be set in the .aws/creds file in your machine
- Role ARN – This is the Role that has policies attached that allow access to needed AWS resources. When creating this role, follow the best practice of limiting the operations that can be performed by a user on a specific resource. Also, make sure that the IAM user that the app will log in with has the permission to assume the Role.
- MFA id and MFA Token – (if the IAM user has MFA enabled) To check the MFA ARN, go to IAM -> Users -> MFA ARN. The MFA Token is a valid 6-digit code that an authenticator like Google Authenticator will give you when you set up MFA.
The concept is that we will use AWS Security Token Service (STS) to give us temporary security credentials to access AWS resources that the specified Role allows us access to. Given the Role and MFA, STS will return an access key, a secret key, and a session token.
Thus, in our code, we’ll gather the inputs like the following. You can do this in any other way (such as fetching data from environment variables), but this way is we can simplify this step:
role_arn = input('Role ARN: ') mfa_id = input('Your MFA ID: ') mfa_token = input('MFA Token Code (from authenticator): ')
We then import boto3 (run pip install boto3 if it cannot find the library on first run) and create an sts client, which gives access to the assume_role API to which we pass the role ARN and MFA details.
import boto3 client = boto3.client('sts') role = client.assume_role( RoleArn=role_arn, RoleSessionName='AnArbitraryName', DurationSeconds=3600, SerialNumber=mfa_id, TokenCode=mfa_token )
Assume_role will return the temporary credentials that we need to access resources. To get the credential details, do the following:
credentials = role['Credentials'] aws_access_key_id = credentials['AccessKeyId'] aws_secret_access_key = credentials['SecretAccessKey'] aws_session_token = credentials['SessionToken']
aws_access_key_id, aws_secret_access_key, and aws_session_token are then the credential details that we need to for programmatically accessing AWS resources such as S3 bucket. To check if the credentials work, try a simple operation on your S3 buckets in your account, like the list_buckets API.
region = input('Region name: ') s3 = boto3.client(service_name="s3", region_name=region, aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, aws_session_token=aws_session_token ) response = s3.list_buckets() print("S3 Response: ", response)
When you see your S3 buckets in the response, then it means you are authenticated into AWS through the temporary credentials that were given to you.