|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Introducing opinel: Scout2's favorite tool" |
| 4 | +date: 2015-08-03 11:08 |
| 5 | +post_author: Loïc Simon |
| 6 | +categories: AWS |
| 7 | +tags: iSEC |
| 8 | +--- |
| 9 | + |
| 10 | +With boto3 being stable and generally available<sup>[1]</sup>, I took the opportunity |
| 11 | +to migrate Scout2 and AWS-recipes to boto3. As part of that migration |
| 12 | +effort, I decided to publish the formerly-known-as AWSUtils repository -- used |
| 13 | +by Scout2 and AWS-recipes -- as a python package required by these tools, |
| 14 | +rather than requiring users to work with Git submodules. I've also added more |
| 15 | +flexibility when working with MFA-protected API calls and improved versioning |
| 16 | +across the project. |
| 17 | + |
| 18 | +### opinel |
| 19 | + |
| 20 | +To avoid name conflicts, I decided to rename the shared AWSUtils code to a |
| 21 | +less misleading name: opinel. The opinel package is published on [PyPI](https://pypi.python.org/pypi/opinel), and thus can |
| 22 | +be installed using pip and easy\_install. The corresponding source code is still |
| 23 | +open-sourced on Github at [https://github.com/iSECPartners/opinel](https://github.com/iSECPartners/opinel). |
| 24 | +As a result, Scout2 and AWS-recipes have been modified to list opinel as a |
| 25 | +requirement, which significantly simplifies installation and management of this |
| 26 | +shared code. |
| 27 | + |
| 28 | +### Support for Python 2.7 and 3.x |
| 29 | + |
| 30 | +Because boto3 supports both Python2 and Python3, I decided to make sure that |
| 31 | +the code built on top of that package has similar properties. As a result, |
| 32 | +the latest versions of Scout2 and AWS-recipes support Python 2.7 and 3.x. |
| 33 | +Note that opinel will **NOT** work with Python 2.6. |
| 34 | + |
| 35 | +### Modification of the MFA workflow |
| 36 | + |
| 37 | +As requested by a user of AWS-recipes<sup>[2]</sup>, I modified the workflow when |
| 38 | +using MFA-protected API access to no longer store the long-lived credentials |
| 39 | +in a separate file. As a result, the *.aws/credentials.no-mfa* file is no |
| 40 | +longer supported and all credentials are stored in the standard AWS credentials |
| 41 | +file under *.aws/credentials*. Usage of the existing tools remains unchanged, |
| 42 | +but the long-lived credentials are now accessible via a new profile name: |
| 43 | +*profile\_name-nomfa*. This allows users to work with both STS and long-lived |
| 44 | +credentials if need be. |
| 45 | + |
| 46 | +If you already had configured your environment to work with MFA-protected API |
| 47 | +access, you will need to copy your long-lived credentials back to the |
| 48 | +*.aws/credentials* file. This can be done with a simple command such as the |
| 49 | +following: |
| 50 | + |
| 51 | + cat ~/.aws/credentials.no-mfa | sed -e 's/]$/-nomfa]/g' >> ~/.aws/credentials |
| 52 | + |
| 53 | +### Support to use assumed-role credentials |
| 54 | + |
| 55 | +With this new workflow implemented, I created a new recipe that allows |
| 56 | +configuration of role-credentials in the *.aws/credentials* file. When the following |
| 57 | +command is run, it uses the credentials associated with the *isecpartners* |
| 58 | +profile to request role credentials for the IAM-Scout2 role. The role |
| 59 | +credentials are then written in the *.aws/credentials* file in a new profile |
| 60 | +named *isecpartners-Scout2*, which is the profile name appended by the role |
| 61 | +session name. |
| 62 | + |
| 63 | + $ ./aws_recipes_assume_role.py --profile isecpartners --role-arn arn:aws:iam::AWS_ACCOUNT_ID:role/IAM-Scout2 --role-session-name Scout2 |
| 64 | + |
| 65 | +Users can then use their favorite tools that support profiles. For example, |
| 66 | +Scout2 could be run with the following command line: |
| 67 | + |
| 68 | + $ ./Scout2.py --profile isecpartners-Scout2 |
| 69 | + |
| 70 | +Note that this recipe supports MFA if the assumed role requires it: |
| 71 | + |
| 72 | + * If you never configured your environment to work with MFA, you can provide your MFA serial number (ARN) and current token code as arguments. |
| 73 | + * If you already configured your environment to work with MFA and stored your MFA serial in the *.aws/credentials* file, you just need to pass your token code as an additional argument. |
| 74 | + * Finally, if you already initiated an STS session, you do not need to provide a new token code and can run the command as above. |
| 75 | + |
| 76 | +### Conclusion |
| 77 | + |
| 78 | +With the release of opinel, I hope to simplify distribution and management of |
| 79 | +the code shared between Scout2 and AWS-recipes. Additionally, I |
| 80 | +significantly modified the workflow and credentials storage when working with |
| 81 | +MFA-protected API calls, which allows users to use both their long-lived and STS |
| 82 | +credentials. |
| 83 | + |
| 84 | +[1]: https://aws.amazon.com/about-aws/whats-new/2015/06/boto3-aws-sdk-for-python-version-3-is-now-generally-available |
| 85 | + |
| 86 | +[2]: https://github.com/iSECPartners/opinel/issues/4 |
0 commit comments