Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support role assumption & MFA prompts from profile without AWS_SESSION... env vars #34

Open
cobbr2 opened this issue Dec 6, 2018 · 4 comments
Labels
enhancement New feature or request P3 Low priority

Comments

@cobbr2
Copy link

cobbr2 commented Dec 6, 2018

In our environment, we often rely on profiles without the AWS_SESSION... environment variables, which is apparently the "new way" of doing temporary tokens in AWS-land.

So boto3 tries to prompt for my MFA, at which point athenacli gets a bit confused: it appears that athenacli and boto3 are competing for control of the terminal. I get prompted several times, and get some really lovely stack traces:

Enter MFA code for arn:aws:iam::xxxxxxxxxxxxxxx:mfa/rick.cobb: Failed to execute query.
Traceback (most recent call last):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/athenacli/sqlexecute.py", line 78, in run
    for result in special.execute(cur, sql):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/athenacli/packages/special/main.py", line 58, in execute
    raise CommandNotFound
athenacli.packages.special.main.CommandNotFound

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/pyathena/common.py", line 166, in _execute
    **request)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/pyathena/util.py", line 44, in retry_api_call
    return retry(func, *args, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 358, in call
    do = self.iter(retry_state=retry_state)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 319, in iter
    return fut.result()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/concurrent/futures/_base.py", line 425, in result
    return self.__get_result()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/tenacity/__init__.py", line 361, in call
    result = fn(*args, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/client.py", line 610, in _make_api_call
    operation_model, request_dict)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 149, in sign
    auth = self.get_auth_instance(**kwargs)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/signers.py", line 229, in get_auth_instance
    frozen_credentials = self._credentials.get_frozen_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 518, in get_frozen_credentials
    self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 413, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 429, in _protected_refresh
    metadata = self._refresh_using()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 566, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 697, in _get_credentials
    client = self._create_client()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 716, in _create_client
    frozen_credentials = self._source_credentials.get_frozen_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 518, in get_frozen_credentials
    self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 413, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 429, in _protected_refresh
    metadata = self._refresh_using()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 177, in __call__
    return self._refresh()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 566, in fetch_credentials
    return self._get_cached_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 696, in _get_credentials
    kwargs = self._assume_role_kwargs()
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/site-packages/botocore/credentials.py", line 707, in _assume_role_kwargs
    token_code = self._mfa_prompter(prompt)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/getpass.py", line 77, in unix_getpass
    passwd = _raw_input(prompt, stream, input=input)
  File "/home/rcobb/.pyenv/versions/3.6.5/lib/python3.6/getpass.py", line 148, in _raw_input
    raise EOFError

I'm currently working around this using a new feature of our development tools where we set the AWS_SESSION... env vars, which is fine, but it'd be nice to support the newer profile stuff.

@cobbr2 cobbr2 changed the title Support role assumption & MFA prompts Support role assumption & MFA prompts from profile without AWS_SESSION... env vars Dec 6, 2018
@zzl0 zzl0 added enhancement New feature or request P2 Medium priority labels Dec 7, 2018
@zzl0
Copy link
Contributor

zzl0 commented Dec 7, 2018

@cobbr2 Thanks for your feedback.

@zzl0 zzl0 added P3 Low priority and removed P2 Medium priority labels Dec 9, 2018
@tkang007
Copy link

Hello,
When using assume role, aws profile prepared with AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN and some more properties in the aws credential files.

Is there any way to use aws profile (not through athenaclirc file) at the athenacli command line for applying aws profile's properties ?

Thanks.

@zzl0
Copy link
Contributor

zzl0 commented May 9, 2020

@zzl0
Copy link
Contributor

zzl0 commented May 9, 2020

@tkang007 I haven't used AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN, I will happy to review the PR for this.

If you are interested in this, please refer to this PR #51

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request P3 Low priority
Projects
None yet
Development

No branches or pull requests

3 participants