From 5275a068b57abfc439aace721dfcf60fcfd7f6ca Mon Sep 17 00:00:00 2001
From: Arthur Burkart
Date: Thu, 12 Oct 2017 22:46:51 -0400
Subject: [PATCH 1/2] Resolves #93: Use boto3 to find region if possible
Rather than depending on the partially implemented `AWS_DEFAULT_REGION` check, this change makes it so credstash relies more heavily on boto3 to discover regions. Now we can do things like define an `~/.aws/config` file that looks like this:
```ini
[profile work]
region=us-west-2
```
and run credstash like this:
```command
AWS_PROFILE=work credstash -n arn:aws:iam::000000000000:role/some-role get test
```
and it will successfully find the correct region Only in the case where the region is absolutely not found, does credstash then default to us-east-1. It's slightly backward incompatible, but I think it's a nice improvement.
---
 credstash.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/credstash.py b/credstash.py
index 3169579..373ec63 100755
--- a/credstash.py
+++ b/credstash.py
@@ -791,14 +791,13 @@ def main():
 # Check for assume role and set session params
 session_params = get_session_params(args.profile, args.arn)
+ region = args.region if args.region else None
 try:
- region = args.region
 session = get_session(**session_params)
 session.resource('dynamodb', region_name=region)
 except botocore.exceptions.NoRegionError:
- if 'AWS_DEFAULT_REGION' not in os.environ:
- region = DEFAULT_REGION
+ region = DEFAULT_REGION
 if "action" in vars(args):
 if args.action == "delete":
From 02fbfb9c52155e82b8041354df50529d99bddab4 Mon Sep 17 00:00:00 2001
From: Arthur Burkart
Date: Mon, 30 Oct 2017 19:11:01 -0400
Subject: [PATCH 2/2] Prints error to stderr when region not provided
---
 credstash.py | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/credstash.py b/credstash.py
index 373ec63..cd313bf 100755
--- a/credstash.py
+++ b/credstash.py
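Review bot: In the `main()` hunk of patch 1/2, `session.resource('dynamodb', region_name=region)` is a probe whose result is discarded, and nothing in the new code says so; a comment such as `# probe only: forces boto3 to resolve a region so NoRegionError is raised here` would keep a later cleanup from removing it. When `-r` is not given, `region` stays `None` on the success path, so the calls that consume it (outside the hunk) presumably rely on boto3 resolving the same region again, which should be confirmed. On the `except` path the fallback to `DEFAULT_REGION` is silent, and for a secret store a read or write against an unintended region deserves at least a line on stderr. `main()` begins and continues outside the hunk.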
@@ -60,7 +60,6 @@ DEFAULT_DIGEST = 'SHA256'
 HASHING_ALGORITHMS = _hash_classes.keys()
 LEGACY_NONCE = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'
-DEFAULT_REGION = "us-east-1"
 PAD_LEN = 19 # number of digits in sys.maxint
 WILDCARD_CHAR = "*"
@@ -665,13 +664,10 @@ def get_parser():
 description="A credential/secret storage system")
 parsers['super'].add_argument("-r", "--region",
- help="the AWS region in which to operate. "
+ help="The AWS region in which to operate. "
 "If a region is not specified, credstash "
- "will use the value of the "
- "AWS_DEFAULT_REGION env variable, "
- "or if that is not set, the value in "
- "`~/.aws/config`. As a last resort, "
- "it will use " + DEFAULT_REGION)
+ "will follow the default credential provider"
+ "chain as defined in the boto3 documentation.")
 parsers['super'].add_argument("-t", "--table", default="credential-store",
 help="DynamoDB table to use for "
 "credential storage")
@@ -796,8 +792,8 @@ def main():
 try:
 session = get_session(**session_params)
 session.resource('dynamodb', region_name=region)
- except botocore.exceptions.NoRegionError:
- region = DEFAULT_REGION
+ except botocore.exceptions.NoRegionError as e:
+ fatal(e)
 if "action" in vars(args):
 if args.action == "delete":
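Review bot: In the `get_parser()` hunk of patch 2/2 the two added string literals are joined without a separating space, so the `--region` help prints "providerchain"; the first literal should end with a space, `"will follow the default credential provider "`. The wording also names boto3's credential provider chain, while what is resolved here is the region, so an operator cannot tell from the help which setting decides where their secrets are stored. Naming the sources, as the removed text did (the `AWS_DEFAULT_REGION` variable, then `~/.aws/config`), would restore that. `get_parser()` begins and continues outside the hunk.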
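Review bot: In the `main()` hunk of patch 2/2, `fatal(e)` passes on only botocore's own text for a missing region, which does not tell the operator which credstash inputs would fix it; consider `fatal("%s Pass -r/--region, set AWS_DEFAULT_REGION, or set region in ~/.aws/config." % e)`. Failing instead of silently choosing a region is the right default for a secret store, so an actionable message is what keeps operators from working around it with a hard-coded region. `fatal()` is defined outside the hunk, so the argument type it accepts should be checked. The same `try` also covers `get_session(**session_params)`, whose other failure modes are not handled here and would presumably surface as a traceback.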