U M8c-E@sddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZddlmZmZddlZddlZddlmZddlmZmZdd lmZdd lmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$dd l%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.e/e0Z1e d dddgZ2dZ3dZ4dRddZ5GdddZ6ddZ7ddZ8ddZ9dSddZ:d d!Z;d"d#ZGd(d)d)e>Z?Gd*d+d+e?Z@Gd,d-d-ZAGd.d/d/eAZBGd0d1d1eBZCGd2d3d3eBZDGd4d5d5ZEGd6d7d7eEZFGd8d9d9eEZGGd:d;d;eEZHGdd?d?eEZJGd@dAdAeEZKGdBdCdCeEZLGdDdEdEeEZMGdFdGdGeEZNGdHdIdIZOGdJdKdKeEZPGdLdMdMZQGdNdOdOeAZRGdPdQdQeEZSdS)TN) namedtuple)deepcopy)sha1parse)tzlocaltzutc)UNSIGNED)compat_shell_split total_seconds)Config) ConfigNotFoundCredentialRetrievalErrorInfiniteLoopConfigErrorInvalidConfigErrorMetadataRetrievalErrorPartialCredentialsErrorRefreshWithMFAUnsupportedErrorUnauthorizedSSOTokenErrorUnknownCredentialError)SSOTokenProvider)ContainerMetadataFetcherFileWebIdentityTokenLoaderInstanceMetadataFetcher JSONFileCacheSSOTokenLoaderparse_key_val_fileresolve_imds_endpoint_modeReadOnlyCredentials access_key secret_keytokeniXc sdp d}d}d}ddk }dttd}|dkrVi}t}t} tt|| |dd } t ||d } t fd d t |||t || | g| d } || g} | j||d}tt| | g}| ||}|r||tdt|d}|S)zCreate a default credential resolver. This creates a pre-configured credential resolver that includes the default lookup chain for credentials. profiledefaultZmetadata_service_timeoutZmetadata_service_num_attemptsNec2_metadata_service_endpoint)r%Z"ec2_metadata_service_endpoint_modeZec2_credential_refresh_window)timeout num_attempts user_agentconfig)iam_role_fetcher)cache region_namecsjSN) full_configsessionr/8/tmp/pip-unpacked-wheel-ozje0y8b/botocore/credentials.pyjz,create_credential_resolver..) load_configclient_creatorr+ profile_namecredential_sourcerprofile_provider_builderr7disable_env_varszWSkipping environment variable credential check because profile name was explicitly set. providers)get_config_variableZinstance_variablesgetr!_DEFAULT_ADVISORY_REFRESH_TIMEOUT EnvProviderContainerProviderInstanceMetadataProviderrr(ProfileProviderBuilderAssumeRoleProvider_get_client_creatorCanonicalNameCredentialSourcerr=OriginalEC2Provider BotoProviderremoveloggerdebugCredentialResolver)r1r+r,r7Zmetadata_timeoutr'r;Z imds_configZ env_providerZcontainer_providerZinstance_metadata_providerr9assume_role_providerZ pre_profileprofile_providersZ post_profiler=resolverr/r0r2create_credential_resolverAsv         rQc@sLeZdZdZdddZdddZdd Zd d Zd d ZddZ ddZ dS)rDaThis class handles the creation of profile based providers. NOTE: This class is only intended for internal use. This class handles the creation and ordering of the various credential providers that primarly source their configuration from the shared config. This is needed to enable sharing between the default credential chain and the source profile chain created by the assume role provider. NcCs||_||_||_||_dSr-)_session_cache _region_name_sso_token_cache)selfr1r+r,Zsso_token_cacher/r/r2__init__szProfileProviderBuilder.__init__FcCs.|||||||||||gSr-)_create_web_identity_provider_create_sso_provider"_create_shared_credential_provider_create_process_provider_create_config_providerrVr7r;r/r/r2r=sz ProfileProviderBuilder.providerscst|fdddS)NcsjjSr-rRr.r/rVr/r2r3r4zAProfileProviderBuilder._create_process_provider..)r7r5)ProcessProviderrVr7r/r_r2r[s z/ProfileProviderBuilder._create_process_providercCs|jd}t||dS)NZcredentials_file)r7creds_filename)rRr>SharedCredentialProvider)rVr7Zcredential_filer/r/r2rZs  z9ProfileProviderBuilder._create_shared_credential_providercCs|jd}t||dS)N config_file)r7config_filename)rRr>ConfigProvider)rVr7rdr/r/r2r\s  z.ProfileProviderBuilder._create_config_providercs&tfddtjjj||dS)NcsjjSr-r^r/r_r/r2r3r4zFProfileProviderBuilder._create_web_identity_provider..)r5r6r+r7r;)!AssumeRoleWithWebIdentityProviderrFrRrTrSr]r/r_r2rXs z4ProfileProviderBuilder._create_web_identity_providercs*tfddjj|jjtjdS)NcsjjSr-r^r/r_r/r2r3r4z=ProfileProviderBuilder._create_sso_provider..)r5r6r7r+ token_cachetoken_provider) SSOProviderrR create_clientrSrUrrar/r_r2rYs z+ProfileProviderBuilder._create_sso_provider)NNN)F) __name__ __module__ __qualname____doc__rWr=r[rZr\rXrYr/r/r/r2rDs   rDcCst|}|Sr-)rQload_credentials)r1rPr/r/r2get_credentialssrqcCstjtSr-)datetimenowrr/r/r/r2 _local_nowsrtcCst|tjr|St|Sr-) isinstancerrr)valuer/r/r2_parse_if_neededs rwFcCs&t|tjr"|r|S|dS|S)Nz%Y-%m-%dT%H:%M:%S%Z)rurr isoformatstrftime)rvisor/r/r2_serialize_if_neededs   r{csfdd}|S)Ncs"di}|jf|j|f|S)Nr,)updaterk)Z service_namekwargsZcreate_client_kwargsr,r1r/r2r6s z+_get_client_creator..client_creatorr/)r1r,r6r/r~r2rFsrFcsfdd}|S)Ncs6jf}|d}|d|d|dt|ddS)N Credentials AccessKeyIdSecretAccessKey SessionToken Expirationrr r! expiry_time) assume_roler{)response credentialsclientparamsr/r2refreshs  z-create_assume_role_refresher..refreshr/)rrrr/rr2create_assume_role_refreshers rcCsGddd}||S)Nc@seZdZddZddZdS)z/create_mfa_serial_refresher.._RefreshercSs||_d|_dS)NF)_refresh_has_been_called)rVrr/r/r2rWsz8create_mfa_serial_refresher.._Refresher.__init__cSs|jr td|_|SNT)rrrr_r/r/r2__call__sz8create_mfa_serial_refresher.._Refresher.__call__N)rlrmrnrWrr/r/r/r2 _Refreshersrr/)Zactual_refreshrr/r/r2create_mfa_serial_refreshersrc@s*eZdZdZd ddZddZddZdS) rap Holds the credentials needed to authenticate requests. :param str access_key: The access key part of the credentials. :param str secret_key: The secret key part of the credentials. :param str token: The security token, valid only for session credentials. :param str method: A string which identifies where the credentials were found. NcCs0||_||_||_|dkrd}||_|dS)Nexplicit)rr r!method _normalize)rVrr r!rr/r/r2rW4szCredentials.__init__cCs$tj|j|_tj|j|_dSr-)botocorecompatensure_unicoderr r_r/r/r2r?szCredentials._normalizecCst|j|j|jSr-)rrr r!r_r/r/r2get_frozen_credentialsIs z"Credentials.get_frozen_credentials)NN)rlrmrnrorWrrr/r/r/r2r)s  rc@seZdZdZeZeZefddZ ddZ e ddZ e dd Zejd d Ze d d Zejd d Ze ddZejddZddZd"ddZddZddZddZeddZddZd d!ZdS)#RefreshableCredentialsa@ Holds the credentials needed to authenticate requests. In addition, it knows how to refresh itself. :param str access_key: The access key part of the credentials. :param str secret_key: The secret key part of the credentials. :param str token: The security token, valid only for session credentials. :param function refresh_using: Callback function to refresh the credentials. :param str method: A string which identifies where the credentials were found. :param function time_fetcher: Callback function to retrieve current time. cCsN||_||_||_||_||_||_t|_||_ t ||||_ | dSr-) _refresh_using _access_key _secret_key_token _expiry_time _time_fetcher threadingLock _refresh_lockrr_frozen_credentialsr)rVrr r!r refresh_usingr time_fetcherr/r/r2rWds  zRefreshableCredentials.__init__cCs$tj|j|_tj|j|_dSr-)rrrrrr_r/r/r2r{sz!RefreshableCredentials._normalizecCs.||d|d|d||d||d}|S)Nrr r!r)rr r!rrr)_expiry_datetime)clsmetadatarrinstancer/r/r2create_from_metadatas z+RefreshableCredentials.create_from_metadatacCs||jSzWarning: Using this property can lead to race conditions if you access another property subsequently along the refresh boundary. Please use get_frozen_credentials instead. )rrr_r/r/r2rsz!RefreshableCredentials.access_keycCs ||_dSr-)rrVrvr/r/r2rscCs||jSr)rrr_r/r/r2r sz!RefreshableCredentials.secret_keycCs ||_dSr-)rrr/r/r2r scCs||jSr)rrr_r/r/r2r!szRefreshableCredentials.tokencCs ||_dSr-)rrr/r/r2r!scCs|j|}t|Sr-)rrr )rVdeltar/r/r2_seconds_remainingsz)RefreshableCredentials._seconds_remainingNcCs:|jdkrdS|dkr|j}||kr,dStddS)aCheck if a refresh is needed. A refresh is needed if the expiry time associated with the temporary credentials is less than the provided ``refresh_in``. If ``time_delta`` is not provided, ``self.advisory_refresh_needed`` will be used. For example, if your temporary credentials expire in 10 minutes and the provided ``refresh_in`` is ``15 * 60``, then this function will return ``True``. :type refresh_in: int :param refresh_in: The number of seconds before the credentials expire in which refresh attempts should be made. :return: True if refresh needed, False otherwise. NFz!Credentials need to be refreshed.T)r_advisory_refresh_timeoutrrKrLrV refresh_inr/r/r2refresh_neededs   z%RefreshableCredentials.refresh_neededcCs |jddS)Nr)r)rr_r/r/r2 _is_expiredsz"RefreshableCredentials._is_expiredc Cs||jsdS|jdr`z4||js2W$dS||j}|j|dWdS|jXnD||jr|j,||jsW5QRdS|jddW5QRXdS)NF) is_mandatoryT)rrracquirerelease_mandatory_refresh_timeout_protected_refresh)rVZis_mandatory_refreshr/r/r2rs"      zRefreshableCredentials._refreshcCsz |}Wn8tk rD|r$dnd}tjd|dd|r>YdSX||t|j|j|j|_ | rd}t|t |dS)N mandatoryZadvisoryzARefreshing temporary credentials failed during %s refresh period.Texc_infozLCredentials were refreshed, but the refreshed credentials are still expired.) r ExceptionrKwarning_set_from_datarrrrrr RuntimeError)rVrrZ period_namemsgr/r/r2rs.    z)RefreshableCredentials._protected_refreshcCst|Sr-r)Ztime_strr/r/r2r!sz'RefreshableCredentials._expiry_datetimecsddddg}s|}nfdd|D}|rHd}t|j|d|d d|_d|_d|_td|_t d |j| dS) Nrr r!rcsg|]}|kr|qSr/r/).0kdatar/r2 *sz9RefreshableCredentials._set_from_data..z7Credential refresh failed, response did not contain: %s, provider error_msgz(Retrieved credentials will expire at: %s) rrjoinrr r!rrrKrLr)rVrZ expected_keysZ missing_keysmessager/rr2r%s&     z%RefreshableCredentials._set_from_datacCs||jS)aReturn immutable credentials. The ``access_key``, ``secret_key``, and ``token`` properties on this class will always check and refresh credentials if needed before returning the particular credentials. This has an edge case where you can get inconsistent credentials. Imagine this: # Current creds are "t1" tmp.access_key ---> expired? no, so return t1.access_key # ---- time is now expired, creds need refreshing to "t2" ---- tmp.secret_key ---> expired? yes, refresh and return t2.secret_key This means we're using the access key from t1 with the secret key from t2. To fix this issue, you can request a frozen credential object which is guaranteed not to change. The frozen credentials returned from this method should be used immediately and then discarded. The typical usage pattern would be:: creds = RefreshableCredentials(...) some_code = SomeSignerObject() # I'm about to sign the request. # The frozen credentials are only used for the # duration of generate_presigned_url and will be # immediately thrown away. request = some_code.sign_some_request( with_credentials=creds.get_frozen_credentials()) print("Signed request:", request) )rrr_r/r/r2r<s"z-RefreshableCredentials.get_frozen_credentials)N)rlrmrnror@r"_DEFAULT_MANDATORY_REFRESH_TIMEOUTrrtrWr classmethodrpropertyrsetterr r!rrrrr staticmethodrrrr/r/r/r2rOs:          "' rcs.eZdZdZefddZdfdd ZZS)DeferredRefreshableCredentialszyRefreshable credentials that don't require initial credentials. refresh_using will be called upon first access. cCs>||_d|_d|_d|_d|_||_t|_||_ d|_ dSr-) rrrrrrrrrrr)rVrrrr/r/r2rWhs z'DeferredRefreshableCredentials.__init__Ncs|jdkrdSt|Sr)rsuperrr __class__r/r2rss z-DeferredRefreshableCredentials.refresh_needed)N)rlrmrnrortrWr __classcell__r/r/rr2rbs rc@sZeZdZdZdddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ dS)CachedCredentialFetcherr"NcCs4|dkr i}||_||_|dkr*|j}||_dSr-)rS_create_cache_key _cache_keyDEFAULT_EXPIRY_WINDOW_SECONDS_expiry_window_seconds)rVr+expiry_window_secondsr/r/r2rW|s z CachedCredentialFetcher.__init__cCs tddS)Nz_create_cache_key()NotImplementedErrorr_r/r/r2rsz)CachedCredentialFetcher._create_cache_keycCs$|ddtjjd}|ddS)N:_/)replaceospathsep)rVfilenamer/r/r2_make_file_safesz'CachedCredentialFetcher._make_file_safecCs tddS)Nz_get_credentials()rr_r/r/r2_get_credentialssz(CachedCredentialFetcher._get_credentialscCs|Sr-)_get_cached_credentialsr_r/r/r2fetch_credentialssz)CachedCredentialFetcher.fetch_credentialscCs`|}|dkr$|}||n td|d}t|ddd}|d|d|d |d S) zGet up-to-date credentials. This will check the cache for up-to-date credentials, calling assume role if none are available. Nz*Credentials for role retrieved from cache.rrT)rzrrrr)_load_from_cacher_write_to_cacherKrLr{)rVrcreds expirationr/r/r2rs  z/CachedCredentialFetcher._get_cached_credentialscCs8|j|jkr4t|j|j}||s*|StddS)Nz6Credentials were found in cache, but they are expired.)rrSrrrKrL)rVrr/r/r2rs  z(CachedCredentialFetcher._load_from_cachecCst||j|j<dSr-)rrSr)rVrr/r/r2rsz'CachedCredentialFetcher._write_to_cachecCs(t|dd}t|t}||jkS)z!Check if credentials are expired.rr)rwr rtr)rVrZend_timesecondsr/r/r2rsz#CachedCredentialFetcher._is_expired)NN) rlrmrnrrWrrrrrrrrr/r/r/r2rys  rcs.eZdZdfdd ZddZddZZS) BaseAssumeRoleCredentialFetcherNcsf||_||_|dkri|_n t||_|j|jd<|jd|_d|_|jsT|t ||dS)NZRoleArnRoleSessionNameF) _client_creatorZ _role_arn_assume_kwargsrr?_role_session_name_using_default_session_name_generate_assume_role_namerrW)rVr6role_arn extra_argsr+rrr/r2rWs  z(BaseAssumeRoleCredentialFetcher.__init__cCs(dtt|_|j|jd<d|_dS)Nzbotocore-session-%srT)inttimerrrr_r/r/r2rs z:BaseAssumeRoleCredentialFetcher._generate_assume_role_namecCsZt|j}|jr|d=d|kr0t|d|d<tj|dd}t|d}| |S)Create a predictable cache key for the current configuration. The cache key is intended to be compatible with file names. rPolicyT) sort_keysutf-8) rrrjsonloadsdumpsrencode hexdigestrrVargsZ argument_hashr/r/r2rs z1BaseAssumeRoleCredentialFetcher._create_cache_key)NNN)rlrmrnrWrrrr/r/rr2rs rcs6eZdZd fdd ZddZddZdd ZZS) AssumeRoleCredentialFetcherNcs8||_||_|jdkrtj|_tj|||||ddS)a :type client_creator: callable :param client_creator: A callable that creates a client taking arguments like ``Session.create_client``. :type source_credentials: Credentials :param source_credentials: The credentials to use to create the client for the call to AssumeRole. :type role_arn: str :param role_arn: The ARN of the role to be assumed. :type extra_args: dict :param extra_args: Any additional arguments to add to the assume role request using the format of the botocore operation. Possible keys include, but may not be limited to, DurationSeconds, Policy, SerialNumber, ExternalId and RoleSessionName. :type mfa_prompter: callable :param mfa_prompter: A callable that returns input provided by the user (i.e raw_input, getpass.getpass, etc.). :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in aws-cli. :type expiry_window_seconds: int :param expiry_window_seconds: The amount of time, in seconds, Nrr+r)_source_credentials _mfa_promptergetpassrrW)rVr6source_credentialsrr mfa_prompterr+rrr/r2rWs) z$AssumeRoleCredentialFetcher.__init__cCs|}|}|jf|S)'Get credentials by calling assume role.)_assume_role_kwargs_create_clientr)rVr}rr/r/r2r*sz,AssumeRoleCredentialFetcher._get_credentialscCsTt|j}|d}|dk r6d|}||}||d<|d}|dk rP||d<|S)AGet the arguments for assume role based on current configuration. SerialNumberNzEnter MFA code for %s: Z TokenCodeDurationSeconds)rrr?r )rVassume_role_kwargs mfa_serialpromptZ token_codeduration_secondsr/r/r2r0s    z/AssumeRoleCredentialFetcher._assume_role_kwargscCs"|j}|jd|j|j|jdS)z2Create an STS client using the source credentials.sts)aws_access_key_idaws_secret_access_keyaws_session_token)r rrrr r!)rVZfrozen_credentialsr/r/r2rBs z*AssumeRoleCredentialFetcher._create_client)NNNN)rlrmrnrWrrrrr/r/rr2rs6rcs.eZdZdfdd ZddZddZZS) *AssumeRoleWithWebIdentityCredentialFetcherNcs ||_tj|||||ddS)aG :type client_creator: callable :param client_creator: A callable that creates a client taking arguments like ``Session.create_client``. :type web_identity_token_loader: callable :param web_identity_token_loader: A callable that takes no arguments and returns a web identity token str. :type role_arn: str :param role_arn: The ARN of the role to be assumed. :type extra_args: dict :param extra_args: Any additional arguments to add to the assume role request using the format of the botocore operation. Possible keys include, but may not be limited to, DurationSeconds, Policy, SerialNumber, ExternalId and RoleSessionName. :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in aws-cli. :type expiry_window_seconds: int :param expiry_window_seconds: The amount of time, in seconds, rN)_web_identity_token_loaderrrW)rVr6web_identity_token_loaderrrr+rrr/r2rWPs$z3AssumeRoleWithWebIdentityCredentialFetcher.__init__cCs,|}ttd}|jd|d}|jf|S)r)signature_versionrr))rr r rZassume_role_with_web_identity)rVr}r)rr/r/r2r~s z;AssumeRoleWithWebIdentityCredentialFetcher._get_credentialscCst|j}|}||d<|S)rZWebIdentityToken)rrr)rVrZidentity_tokenr/r/r2rs z>AssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargs)NNN)rlrmrnrWrrrr/r/rr2rMs . rc@s.eZdZdZdZdddZddZddZdS) CredentialProviderNcCs ||_dSr-r0)rVr1r/r/r2rWszCredentialProvider.__init__cCsdS)a~ Loads the credentials from their source & sets them on the object. Subclasses should implement this method (by reading from disk, the environment, the network or wherever), returning ``True`` if they were found & loaded. If not found, this method should return ``False``, indictating that the ``CredentialResolver`` should fall back to the next available method. The default implementation does nothing, assuming the user has set the ``access_key/secret_key/token`` themselves. :returns: Whether credentials were found & set :rtype: Credentials Tr/r_r/r/r2loadszCredentialProvider.loadc GsHg}|D]:}z|||Wqtk r@t|j|dYqXq|S)NrZcred_var)appendKeyErrorrMETHOD)rVmappingZ key_namesfoundZkey_namer/r/r2_extract_creds_from_mappingsz.CredentialProvider._extract_creds_from_mapping)N)rlrmrnr&CANONICAL_NAMErWr"r)r/r/r/r2r!s  r!c@s:eZdZdZejfddZddZddZe dd Z d S) r`zcustom-processcCs||_||_d|_||_dSr-) _profile_name _load_config_loaded_config_popen)rVr7r5popenr/r/r2rWszProcessProvider.__init__csdjdkrdS}|ddk rDt|fddjSt|d|d|djdS)Nrcs Sr-)_retrieve_credentials_usingr/credential_processrVr/r2r3r4z&ProcessProvider.load..rr r!)rr r!r)_credential_processr0r?rrr&r)rVZ creds_dictr/r1r2r"s   zProcessProvider.loadc Cst|}|j|tjtjd}|\}}|jdkrFt|j|ddt j j |d}| dd}|dkrt|jd|d dz$|d |d | d | d dWStk r}zt|jd|dW5d}~XYnXdS)N)stdoutstderrrrrVersionzzUnsupported version 'z8' for credential process provider, supported versions: 1rrrrrz"Missing required key in response: )r r. subprocessPIPE communicate returncoderr&decoderrrrr?r%) rVr2Z process_listpr4r5parsedversioner/r/r2r0s<    z+ProcessProvider._retrieve_credentials_usingcCs6|jdkr||_|jdi|ji}|dS)Nprofilesr2)r-r,r?r+)rVprofile_configr/r/r2r3s  z#ProcessProvider._credential_processN) rlrmrnr&r8PopenrWr"r0rr3r/r/r/r2r`s #r`c@s$eZdZdZdZddZddZdS)rCziam-roleZEc2InstanceMetadatacCs ||_dSr-) _role_fetcher)rVr*r/r/r2rW sz!InstanceMetadataProvider.__init__cCs>|j}|}|sdStd|dtj||j|jd}|S)Nz#Found credentials from IAM Role: %s role_namerr)rDZretrieve_iam_role_credentialsrKinforrr&)rVfetcherrrr/r/r2r"szInstanceMetadataProvider.loadN)rlrmrnr&r*rWr"r/r/r/r2rC srCc@sJeZdZdZdZdZdZddgZdZdd d Z d d Z d dZ ddZ dS)rAenv EnvironmentZAWS_ACCESS_KEY_IDZAWS_SECRET_ACCESS_KEYZAWS_SECURITY_TOKENZAWS_SESSION_TOKENZAWS_CREDENTIAL_EXPIRATIONNcCs$|dkrtj}||_|||_dS)a :param environ: The environment variables (defaults to ``os.environ`` if no value is provided). :param mapping: An optional mapping of variable names to environment variable names. Use this if you want to change the mapping of access_key->AWS_ACCESS_KEY_ID, etc. The dict can have up to 3 keys: ``access_key``, ``secret_key``, ``session_token``. N)renviron_build_mapping_mapping)rVrKr'r/r/r2rW0s zEnvProvider.__init__cCsi}|dkr6|j|d<|j|d<|j|d<|j|d<nd|d|j|d<|d|j|d<|d|j|d<t|dts|dg|d<|d|j|d<|S)Nrr r!r) ACCESS_KEY SECRET_KEYTOKENS EXPIRY_TIMEr?rulist)rVr'Z var_mappingr/r/r2rL@s,    zEnvProvider._build_mappingcCs|j|jdd}|rtd|}|dd}|d}|dk rnt|}t|d|d|d |||jd St |d|d|d |jd SdSdS) zK Search for credentials in explicit environment variables. rz+Found credentials in environment variables.F)require_expiryrNr r!)rrr) rKr?rMrKrG_create_credentials_fetcherrrr&r)rVrrHrrr/r/r2r"Xs.   zEnvProvider.loadcs(|j|j|jdfdd }|S)NTcsi}dd}|s(tdd||d<dd}|sTtdd||d<d|d<dD] }|d}|rl||d<qqld|d<dd}|r||d<|r|stdd|S)NrrSr#r r!r)r?r)rTrrr Z token_env_varr!rrKr'rr/r2r~s>  zBEnvProvider._create_credentials_fetcher..fetch_credentials)T)rMr&rK)rVrr/rWr2rVys #z'EnvProvider._create_credentials_fetcher)NN) rlrmrnr&r*rNrOrPrQrWrLr"rVr/r/r/r2rA&s !rAc@s2eZdZdZdZdZdZdZd ddZd d Z dS) rHzec2-credentials-fileZ Ec2ConfigAWS_CREDENTIAL_FILEZAWSAccessKeyIdZ AWSSecretKeyNcCs*|dkrtj}|dkrt}||_||_dSr-)rrKr_environ_parser)rVrKparserr/r/r2rWs zOriginalEC2Provider.__init__cCshd|jkr`tj|jd}||}|j|krdtd||j}||j}t |||j dSndSdS)zN Search for a credential file used by original EC2 CLI tools. rXz)Found credentials in AWS_CREDENTIAL_FILE.rUN) rYrr expanduserrZrNrKrGrOrr&)rV full_pathrrr r/r/r2r"s      zOriginalEC2Provider.load)NN) rlrmrnr&r*Z CRED_FILE_ENVrNrOrWr"r/r/r/r2rHs rHc@s>eZdZdZdZdZdZddgZddd Zd d Z d d Z dS)rczshared-credentials-fileZSharedCredentialsrraws_security_tokenrNcCs2||_|dkrd}||_|dkr(tjj}||_dS)Nr$)_creds_filenamer+r configloaderraw_config_parse _ini_parser)rVrbr7 ini_parserr/r/r2rWsz!SharedCredentialProvider.__init__cCsz||j}Wntk r&YdSX|j|kr||j}|j|krtd|j|||j|j\}}| |}t ||||j dSdS)Nz0Found credentials in shared credentials file: %srU) rbr_r r+rNrKrGr)rO_get_session_tokenrr&)rVZavailable_credsr)rr r!r/r/r2r"s.    zSharedCredentialProvider.loadcCs$|jD]}||kr||SqdSr-rP)rVr)Z token_envvarr/r/r2rds z+SharedCredentialProvider._get_session_token)NN) rlrmrnr&r*rNrOrPrWr"rdr/r/r/r2rcs rcc@sBeZdZdZdZdZdZdZddgZdd d Z d d Z d dZ dS)rfz0INI based config provider with profile sections.z config-fileZ SharedConfigrrr^rNcCs&||_||_|dkrtjj}||_dS)a :param config_filename: The session configuration scoped to the current profile. This is available via ``session.config``. :param profile_name: The name of the current profile. :param config_parser: A config parser callable. N)_config_filenamer+rr`r5_config_parser)rVrer7Z config_parserr/r/r2rWs zConfigProvider.__init__cCsz||j}Wntk r&YdSX|j|dkr|d|j}|j|krtd|j|||j|j\}}| |}t ||||j dSndSdS)zr If there is are credentials in the configuration associated with the session, use those. NrAz$Credentials found in config file: %srU) rgrfr r+rNrKrGr)rOrdrr&)rVr.rBrr r!r/r/r2r"s0  zConfigProvider.loadcCs$|jD]}||kr||SqdSr-re)rVrBZ token_namer/r/r2rd+s z!ConfigProvider._get_session_token)N) rlrmrnror&r*rNrOrPrWr"rdr/r/r/r2rfs rfc@s:eZdZdZdZdZddgZdZdZd d d Z d d Z dS)rIz boto-configZ Boto2ConfigZ BOTO_CONFIGz /etc/boto.cfgz~/.botorrNcCs.|dkrtj}|dkrtjj}||_||_dSr-)rrKrr`rarYrb)rVrKrcr/r/r2rW:s zBotoProvider.__init__c Cs|j|jkr|j|jg}n|j}|D]|}z||}Wntk rPYq&YnXd|kr&|d}|j|kr&td||||j|j \}}t |||j dSq&dS)z; Look for credentials in boto config file. rz)Found credentials in boto config file: %srUN) BOTO_CONFIG_ENVrYDEFAULT_CONFIG_FILENAMESrbr rNrKrGr)rOrr&)rVZpotential_locationsrr)rrr r/r/r2r"Bs2   zBotoProvider.load)NN) rlrmrnr&r*rhrirNrOrWr"r/r/r/r2rI1s rIc@seZdZdZdZdZdZdZejddfddZ dd Z d d Z d d Z ddZ ddZddZddZddZddZddZddZddZdS) rE assume-roleNrweb_identity_token_filer"cCs>||_||_||_||_||_i|_||_||_|jg|_dS)a :type load_config: callable :param load_config: A function that accepts no arguments, and when called, will return the full configuration dictionary for the session (``session.full_config``). :type client_creator: callable :param client_creator: A factory function that will create a client when called. Has the same interface as ``botocore.session.Session.create_client``. :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in the CLI. :type profile_name: str :param profile_name: The name of the profile. :type prompter: callable :param prompter: A callable that returns input provided by the user (i.e raw_input, getpass.getpass, etc.). :type credential_sourcer: CanonicalNameCredentialSourcer :param credential_sourcer: A credential provider that takes a configuration, which is used to provide the source credentials for the STS call. N) r+r,rr+ _prompterr-_credential_sourcer_profile_provider_builder_visited_profiles)rVr5r6r+r7Zprompterr8r9r/r/r2rWms+zAssumeRoleProvider.__init__cCs@||_|jdi}||ji}||r<||jSdSNrA)r,r-r?r+_has_assume_role_config_vars_load_creds_via_assume_role)rVrAr#r/r/r2r"s   zAssumeRoleProvider.loadcCs|j|ko|j|kSr-)ROLE_CONFIG_VARWEB_IDENTITY_TOKE_FILE_VARrVr#r/r/r2rqs z/AssumeRoleProvider._has_assume_role_config_varsc Cs||}|||}i}|d}|dk r4||d<|d}|dk rN||d<|d}|dk rh||d<|d}|dk r||d<t|j||d ||j|jd } | j} |dk rt| } t |j | t d S) Nrole_session_namer external_idZ ExternalIdrrrrr)r6r rrr r+)rrr) _get_role_config_resolve_source_credentialsr?rrrlr+rrrr&rt) rVr7 role_configr rrvrwrrrHZ refresherr/r/r2rrsD     z.AssumeRoleProvider._load_creds_via_assume_rolec Cs|jdi}||}|d}|d}|d}|d}|d}|d} |d} |||| ||d } | d k rzt| | d<Wntk rYnX|d k r|d k rtd |d nB|d kr|d krt|jd dn"|d k r|||n |||| S)z?Retrieves and validates the role configuration for the profile.rAsource_profilercredential_sourcerrwrvr)rrwrrvr{r|NzDThe profile "%s" contains both source_profile and credential_source.rz#source_profile or credential_sourcer#) r-r?r ValueErrorrrr&_validate_credential_source_validate_source_profile) rVr7rAr#r{rr|rrwrvrrzr/r/r2rxsH        z#AssumeRoleProvider._get_role_configcCsJ|jdkr"td|d|dd|j|sFtd|d|dddS)NzThe credential_source "z" is specified in profile "z)", but no source provider was configured.r}zThe credential source "z" referenced in profile "z" is not valid.)rmr is_supported)rVZparent_profiler|r/r/r2rs  z.AssumeRoleProvider._validate_credential_sourcecCst||||gSr-)any_has_static_credentialsrqrur/r/r2_source_profile_has_credentials+s z2AssumeRoleProvider._source_profile_has_credentialscCsv|jdi}||kr.td|d|dd||}||jkrDdS||krZt||jd||srt||jddS)NrAzThe source_profile "z" referenced in the profile "z" does not exist.r})r{Zvisited_profiles)r-r?rrorr)rVZparent_profile_nameZsource_profile_namerAr{r/r/r2r3s$  z+AssumeRoleProvider._validate_source_profilecsddg}tfdd|DS)Nrrc3s|]}|kVqdSr-r/)rZ static_keyr#r/r2 [sz=AssumeRoleProvider._has_static_credentials..)r)rVr#Z static_keysr/rr2rYsz*AssumeRoleProvider._has_static_credentialscCs<|d}|dk r|||S|d}|j|||S)Nr|r{)r? _resolve_credentials_from_sourceror$!_resolve_credentials_from_profile)rVrzr7r|r{r/r/r2ry]s  z.AssumeRoleProvider._resolve_source_credentialscCs|jdi}||}||r0|js0||S||sD||s|jj|dd}t|}|}|dkr~d}t ||d|S| |S)NrATr:z.The source profile "%s" must have credentials.r}) r-r?rrn(_resolve_static_credentials_from_profilerqr=rMrprrr)rVr7rAr#rOZ profile_chainr error_messager/r/r2rhs4 z4AssumeRoleProvider._resolve_credentials_from_profilec CsXzt|d|d|ddWStk rR}zt|jt|dW5d}~XYnXdS)Nrrr)rr r!r#)rr?r%rr&str)rVr#r@r/r/r2rsz;AssumeRoleProvider._resolve_static_credentials_from_profilecCs(|j|}|dkr$t|d|d|S)NzBNo credentials found in credential_source referenced in profile %sr)rmr r)rVr|r7rr/r/r2rsz3AssumeRoleProvider._resolve_credentials_from_source)rlrmrnr&r*rsrtZEXPIRY_WINDOW_SECONDSr rWr"rqrrrxrrrrryrrrr/r/r/r2rE^s* > ,1& ! rEc@sReZdZdZdZddddZddd Zd d Zd d ZddZ ddZ ddZ dS)rgzassume-role-with-web-identityNZAWS_WEB_IDENTITY_TOKEN_FILEZAWS_ROLE_SESSION_NAMEZ AWS_ROLE_ARN)rkrvrFcCs:||_||_||_||_d|_||_|dkr0t}||_dSr-)r+r,rr+_profile_config_disable_env_varsr_token_loader_cls)rVr5r6r7r+r;Ztoken_loader_clsr/r/r2rWs z*AssumeRoleWithWebIdentityProvider.__init__cCs|Sr-)_assume_role_with_web_identityr_r/r/r2r"sz&AssumeRoleWithWebIdentityProvider.loadcCs:|jdkr.|}|di}||ji|_|j|Srp)rr,r?r+)rVkey loaded_configrAr/r/r2_get_profile_configs   z5AssumeRoleWithWebIdentityProvider._get_profile_configcCs2|jr dS|j|}|r.|tjkr.tj|SdSr-)r_CONFIG_TO_ENV_VARr?rrK)rVrZenv_keyr/r/r2_get_env_configs   z1AssumeRoleWithWebIdentityProvider._get_env_configcCs ||}|dk r|S||Sr-)rr)rVrZ env_valuer/r/r2 _get_configs z-AssumeRoleWithWebIdentityProvider._get_configcCs||d}|sdS||}|d}|s8d}t|di}|d}|dk rV||d<t|j||||jd}t|j|jdS) NrkrzThe provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.r}rvr)r6rrrr+rF) rrrrrr+rr&r)rVZ token_path token_loaderrrrrvrHr/r/r2rs0      z@AssumeRoleWithWebIdentityProvider._assume_role_with_web_identity)NFN) rlrmrnr&r*rrWr"rrrrr/r/r/r2rgs  rgc@s<eZdZddZddZddZddZd d Zd d Zd S)rGcCs ||_dSr- _providersrVr=r/r/r2rWsz'CanonicalNameCredentialSourcer.__init__cCs|dd|jDkS)aLValidates a given source name. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: bool :returns: True if the credential provider is supported, False otherwise. cSsg|] }|jqSr/)r*rr=r/r/r2rsz?CanonicalNameCredentialSourcer.is_supported..r)rV source_namer/r/r2rs z+CanonicalNameCredentialSourcer.is_supportedcCs$||}t|tr|S|S)aLoads source credentials based on the provided configuration. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: Credentials ) _get_providerrurMrpr")rVrsourcer/r/r2r s  z1CanonicalNameCredentialSourcer.source_credentialscCsV||}|dkr@|d}|dk r@|dkr4|St||gS|dkrRt|d|S)a#Return a credential provider by its canonical name. :type canonical_name: str :param canonical_name: The canonical name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. )Z sharedconfigZsharedcredentialsrjNname)_get_provider_by_canonical_namelower_get_provider_by_methodrMr)rVcanonical_namerrNr/r/r2rs     z,CanonicalNameCredentialSourcer._get_providercCs2|jD]&}|j}|r||kr|SqdS)zReturn a credential provider by its canonical name. This function is strict, it does not attempt to address compatibility issues. N)rr*r)rVrrrr/r/r2rDs z>CanonicalNameCredentialSourcer._get_provider_by_canonical_namecCs"|jD]}|j|kr|SqdS)z0Return a credential provider by its METHOD name.N)rr&)rVrrr/r/r2rPs  z6CanonicalNameCredentialSourcer._get_provider_by_methodN) rlrmrnrWrr rrrr/r/r/r2rGs  & rGc@sReZdZdZdZdZdZdZdddZd d Z d d Z d dZ ddZ ddZ dS)rBzcontainer-roleZ EcsContainerZ&AWS_CONTAINER_CREDENTIALS_RELATIVE_URIZ"AWS_CONTAINER_CREDENTIALS_FULL_URIZ!AWS_CONTAINER_AUTHORIZATION_TOKENNcCs,|dkrtj}|dkrt}||_||_dSr-)rrKrrY_fetcher)rVrKrHr/r/r2rW^s zContainerProvider.__init__cCs$|j|jks|j|jkr |SdSr-)ENV_VARrY ENV_VAR_FULL_retrieve_or_failr_r/r/r2r"fszContainerProvider.loadcCsn|r|j|j|j}n |j|j}|}|||}|}t|d|d|d|j t |d|dS)Nrr r!r)rr r!rrr) _provided_relative_urirfull_urlrYrr_build_headers_create_fetcherrr&rw)rVfull_uriheadersrHrr/r/r2rls   z#ContainerProvider._retrieve_or_failcCs"|j|j}|dk rd|iSdS)N Authorization)rYr?ENV_VAR_AUTH_TOKEN)rVZ auth_tokenr/r/r2r}sz ContainerProvider._build_headerscsfdd}|S)Nc sxzjjd}WnDtk rX}z&tjd|ddtjt|dW5d}~XYnX|d|d|d|d d S) N)rz'Error retrieving container metadata: %sTrrrrTokenrr)rZretrieve_full_urirrKrLrr&r)rr@rrrVr/r2 fetch_credss( z6ContainerProvider._create_fetcher..fetch_credsr/)rVrrrr/rr2rsz!ContainerProvider._create_fetchercCs |j|jkSr-)rrYr_r/r/r2rsz(ContainerProvider._provided_relative_uri)NN)rlrmrnr&r*rrrrWr"rrrrr/r/r/r2rBWs rBc@sDeZdZddZddZddZddZd d Zd d Zd dZ dS)rMcCs ||_dS)zQ :param providers: A list of ``CredentialProvider`` instances. Nr<rr/r/r2rWszCredentialResolver.__init__cCsLzdd|jD|}Wntk r8t|dYnX|j||dS)a= Inserts a new instance of ``CredentialProvider`` into the chain that will be tried before an existing one. :param name: The short name of the credentials you'd like to insert the new credentials before. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` cSsg|] }|jqSr/r&rr/r/r2rsz4CredentialResolver.insert_before..rN)r=indexr~rinsertrVrZcredential_provideroffsetr/r/r2 insert_befores z CredentialResolver.insert_beforecCs ||}|j|d|dS)a9 Inserts a new type of ``Credentials`` instance into the chain that will be tried after an existing one. :param name: The short name of the credentials you'd like to insert the new credentials after. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` r7N)_get_provider_offsetr=rrr/r/r2 insert_afters zCredentialResolver.insert_aftercCs6dd|jD}||krdS||}|j|dS)z Removes a given ``Credentials`` instance from the chain. :param name: The short name of the credentials instance to remove. :type name: string cSsg|] }|jqSr/rrr/r/r2rsz-CredentialResolver.remove..N)r=rpop)rVrZavailable_methodsrr/r/r2rJs  zCredentialResolver.removecCs|j||S)zReturn a credential provider by name. :type name: str :param name: The name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. )r=rrVrr/r/r2 get_providers zCredentialResolver.get_providercCs<zdd|jD|WStk r6t|dYnXdS)NcSsg|] }|jqSr/rrr/r/r2rsz;CredentialResolver._get_provider_offset..r)r=rr~rrr/r/r2rsz'CredentialResolver._get_provider_offsetcCs6|jD]*}td|j|}|dk r|SqdS)zw Goes through the credentials chain, returning the first ``Credentials`` that could be loaded. zLooking for credentials via: %sN)r=rKrLr&r")rVrrr/r/r2rps   z#CredentialResolver.load_credentialsN) rlrmrnrWrrrJrrrpr/r/r/r2rMs rMcs:eZdZdZd fdd ZddZddZd d ZZS) SSOCredentialFetcherz%Y-%m-%dT%H:%M:%SZNc sB||_||_||_||_||_||_| |_| |_t ||dSr-) r _sso_region _role_name _account_id _start_url _token_loader_token_provider_sso_session_namerrW) rV start_url sso_regionrE account_idr6rr+rrisso_session_namerr/r2rWs zSSOCredentialFetcher.__init__cCsV|j|jd}|jr |j|d<n |j|d<tj|ddd}t|d}| |S)r)roleName accountIdZ sessionNameZstartUrlT),r)r separatorsr) rrrrrrrrrrrr/r/r2rs  z&SSOCredentialFetcher._create_cache_keycCs$|d}tj|t}||jS)Ng@@)rr fromtimestamprry_UTC_DATE_FORMAT)rVZ timestamp_msZtimestamp_seconds timestampr/r/r2_parse_timestamp0sz%SSOCredentialFetcher._parse_timestampcCstt|jd}|jd|d}|jr8|j}|j}n||j d}|j |j |d}z|j f|}Wn|j jk rtYnX|d}d|d|d|d ||d d d }|S) z4Get credentials by calling SSO get role credentials.)rr,ssor  accessToken)rrrZroleCredentialsZ accessKeyIdZsecretAccessKeyZ sessionTokenr)rrrr)Z ProviderTyper)r r rrrZ load_tokenZget_frozen_tokenr!rrrrZget_role_credentials exceptionsZUnauthorizedExceptionrr)rVr)rZinitial_token_datar!r}rrr/r/r2r6s4     z%SSOCredentialFetcher._get_credentials)NNNNN) rlrmrnrrWrrrrr/r/rr2rs rc@s\eZdZdZejejddddZdZ dZ e e Z ddd Z d d Z d d ZddZdS)rjr~z.awsr+) sso_role_namesso_account_id) sso_start_urlrNcCsF|dkrt|j}||_||_|dkr*i}||_||_||_||_dSr-)r_SSO_TOKEN_CACHE_DIR _token_cacherr+r,rr+)rVr5r6r7r+rhrir/r/r2rWls  zSSOProvider.__init__c s|}|di}|j}||ji|di}tfdd|jDrPdS||\}}i}g}|j|} | D]$} | |kr|| || <qv|| qv|rd|} t d|| fd|S)NrA sso_sessionsc3s|]}|kVqdSr-r/)rcrBr/r2rsz/SSOProvider._load_sso_config..rzSThe profile "%s" is configured to use SSO but is missing required configuration: %sr}) r,r?r+all_PROFILE_REQUIRED_CONFIG_VARS_resolve_sso_session_reference_ALL_REQUIRED_CONFIG_VARSr$rr) rVrrAr7rZresolved_configZ extra_reqsr)Zmissing_config_varsZall_required_configs config_varmissingr/rr2_load_sso_configs8      zSSOProvider._load_sso_configc Cs|d}|dkr|dfS||kr8d|d}t|d|}||}|D]F\}}||||krd|d||d|d }t|d|||<qP|d fS) N sso_sessionr/z+The specified sso-session does not exist: ""r}zThe value for z" is inconsistent between profile (z) and sso-session (z).)r)r?rcopyitems) rVrBrrrr)r1rvalr/r/r2rs     z*SSOProvider._resolve_sso_session_referencecCsx|}|sdS|d|d|d|d|jt|jd|jd}d|kr^|d|d<|j|d <tf|}t|j|j d S) Nrrrr)r+)rrrErr6rr+rrrirF) rrrrr+rrrr&r)rVZ sso_configZfetcher_kwargsZ sso_fetcherr/r/r2r"s&     zSSOProvider.load)NNN)rlrmrnr&rrr\rrrZ_SSO_REQUIRED_CONFIG_VARSrrWrrr"r/r/r/r2rjZs  $rj)NN)F)Trrr rloggingrr8rr collectionsrrrhashlibrZdateutil.parserrZ dateutil.tzrrZbotocore.compatrZbotocore.configloaderr r r Zbotocore.configr Zbotocore.exceptionsr rrrrrrrrZbotocore.tokensrZbotocore.utilsrrrrrrr getLoggerrlrKrrr@rQrDrqrtrwr{rFrrrrrrrrrr!r`rCrArHrcrfrIrErgrGrBrMrrjr/r/r/r2s      , $  ]I  &E5Z C.K~#.<-JYXEdZ