
License: MIT License


iotbotocredentialprovider

AWS IoT Credential Provider: create boto sessions which obtain and renew credentials from an AWS IoT device certificate

Dependencies

This depends on devices that were provisioned via iotdeviceprovisioner and have a properly configured /AWSIoT directory containing a certificate, a private key, and a metadata.json file.

IoT Documentation

https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html

Using

import iotbotocredentialprovider.AWS

session = iotbotocredentialprovider.AWS.get_boto3_session(region_name="us-east-2")

s3_client = session.client('s3')
s3_client.list_buckets()

Using the metadata server - method 1, with Docker bridge networks

docker build -t metadata-server metadata-container

docker network create --driver bridge metadata_network --subnet 169.254.169.0/16

# adjust arguments appropriately if you want to use this as a service
docker run -v /AWSIoT:/AWSIoT --restart unless-stopped --detach --net=metadata_network \
    --ip=169.254.169.254 metadata-server:latest

Using the metadata server - method 2, with iptables

Configure iptables

/sbin/iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:51680
/sbin/iptables -t nat -A OUTPUT -p tcp -d 169.254.170.2   --dport 80 -j DNAT --to-destination 127.0.0.1:51680

If you have Docker, also redirect traffic arriving from containers on docker0:

/sbin/iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j REDIRECT --to-ports 51680 -i docker0
/sbin/iptables -t nat -I PREROUTING -p tcp -d 169.254.170.2 --dport 80 -j REDIRECT --to-ports 51680 -i docker0

Start the server

Create a script/service which runs this:

python /usr/local/bin/fakemetadata-server.py

Use your AWS tools

Example:

aws s3 ls s3://

Issues

Thank you for offering this great package! I will advise people using it.

I also found this package while trying to implement a CredentialProvider using AWS IoT "Assume Role".
Thank you very much.

I will write advice for people who use this package from now on.

iot_metadata_path

Let's specify the full path of the directory. The default is /AWSIoT.

In this directory, you need to put the following three files.

${iot_metadata_path}/metadata.json
${iot_metadata_path}/${metadata-certificate_id}.pem
${iot_metadata_path}/${metadata-certificate_id}.privatekey

These differ from the file names downloaded on the AWS IoT screen. The mapping is as follows

9999999999-certificate.pem.crt => 9999999999.pem
9999999999-private.pem.key    => 9999999999.privatekey

(when the credential id is set to "9999999999")

metadata.json

It has the following format.
"account_id" is used only for log output at the present time.
"region" is not used at the present time.

{
    "account_id": "xxxxxxxxxx",
    "certificate_id": "9999999999",
    "credential_endpoint": "https://xxxxxxxxxx.credentials.iot.ap-northeast-1.amazonaws.com",
    "device_name": "xxxxxxxxxx",
    "region": "ap-northeast-1",
    "role_alias_name": "xxxxxxxx-role-alias"
}

insert_before

Calling iotbotocredentialprovider.AWS.get_boto3_session adds iotbotocredentialprovider to the provider list of the CredentialResolver.
At that time, it is added just before the provider whose method name matches the value specified by the insert_before argument.
The default for insert_before is "iam-role".

The default provider list for boto 3 is as follows.

index  provider name               method name
1      env_provider                'env'
2      assume_role_provider        'assume-role'
3      SharedCredentialProvider    'shared-credentials-file'
4      ProcessProvider             'custom-process'
5      ConfigProvider              'config-file'
6      OriginalEC2Provider         'ec2-credentials-file'
7      BotoProvider                'boto-config'
8      container_provider          'container-role'
9      instance_metadata_provider  'iam-role'

By default, 'iam-role' of instance_metadata_provider is used.
Therefore, if nothing is set, it will be added between the 8th and 9th.

If you want iotbotocredentialprovider to be read with the highest priority, you need to set env in the insert_before argument.

Simple sample code

With this code, AssumeRole is executed in AWS IoT in about 50 minutes, and the AWS Client can be called permanently.

import boto3
import botocore
import iotbotocredentialprovider.AWS
import datetime
import time  # needed for time.sleep() below

session = iotbotocredentialprovider.AWS.get_boto3_session(iot_metadata_path="/AWSIoTcertification/", region_name="ap-northeast-1", insert_before="env")

while True:
    print(datetime.datetime.now())
    print(session.client('sts').get_caller_identity())
    print(session.get_credentials().access_key)
    print(session.get_credentials().secret_key)
    print(session.get_credentials().token)
    # _expiry_time and _seconds_remaining() are private botocore internals, shown here only to watch the refresh
    print(session.get_credentials()._expiry_time)
    print(session.get_credentials()._seconds_remaining())
    time.sleep(10)
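The exchange that get_boto3_session wraps (the README's Using section) and the /AWSIoT file layout described in the issue above, as an added example that is not the project's own code: it reads metadata.json, derives the certificate and key paths from certificate_id, and calls the AWS IoT credential provider over mTLS with the standard library only. The sample metadata and response values are constructed placeholders.

```python
# Added example, not code from the iotbotocredentialprovider project: the
# AWS IoT credential-provider exchange written against the standard library
# only, for the /AWSIoT layout described above. Sample values are constructed.
import json
import ssl
import urllib.request

def derive_paths(meta, iot_metadata_path="/AWSIoT"):
    """Map certificate_id onto the two file names the provider expects."""
    base = iot_metadata_path.rstrip("/")
    meta = dict(meta)
    meta["cert_file"] = f"{base}/{meta['certificate_id']}.pem"
    meta["key_file"] = f"{base}/{meta['certificate_id']}.privatekey"
    return meta

def load_metadata(iot_metadata_path="/AWSIoT"):
    with open(f"{iot_metadata_path.rstrip('/')}/metadata.json") as f:
        return derive_paths(json.load(f), iot_metadata_path)

def credentials_url(meta):
    """Credentials are issued per role alias on the account's IoT endpoint."""
    return (meta["credential_endpoint"].rstrip("/")
            + f"/role-aliases/{meta['role_alias_name']}/credentials")

def to_boto_metadata(body):
    """Reshape the provider's JSON into the dict shape that botocore's
    RefreshableCredentials.create_from_metadata() consumes."""
    c = json.loads(body)["credentials"]
    return {"access_key": c["accessKeyId"], "secret_key": c["secretAccessKey"],
            "token": c["sessionToken"], "expiry_time": c["expiration"]}

def fetch_credentials(meta):
    """mTLS GET: the device certificate is the only secret presented, and the
    thing-name header lets the IoT policy scope which device may assume the
    alias. Needs the real endpoint, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(meta["cert_file"], meta["key_file"])
    req = urllib.request.Request(credentials_url(meta),
                                 headers={"x-amzn-iot-thingname": meta["device_name"]})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return to_boto_metadata(resp.read().decode())

# Constructed metadata.json content and provider response (placeholders only).
SAMPLE_META = {"certificate_id": "9999999999", "device_name": "xxxxxxxxxx",
               "credential_endpoint": "https://xxxxxxxxxx.credentials.iot.ap-northeast-1.amazonaws.com",
               "role_alias_name": "xxxxxxxx-role-alias", "region": "ap-northeast-1"}
SAMPLE_RESPONSE = json.dumps({"credentials": {
    "accessKeyId": "ASIAEXAMPLE", "secretAccessKey": "example-secret",
    "sessionToken": "example-token", "expiration": "2024-01-01T00:50:00Z"}})
```

The dict returned by to_boto_metadata is what a refreshable provider hands back to botocore, and the expiry it carries is what the issue's sample code reads through _seconds_remaining().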
