Merge pull request #423 from CMeza99/use-profiles-sts

add ability to use profile for ec2 provider

bootstrapvz/providers/ec2/README.rst

@@ -20,8 +20,10 @@ Manifest settings
 Credentials
 ~~~~~~~~~~~
 
-The AWS credentials can be configured in two ways: Via the manifest or
-through environment variables. To bootstrap S3 backed instances you will
+The AWS credentials can be configured via the manifest or through
+environment variables. If using EBS backing, credentials can not be included to
+allow `boto3 <http://boto3.readthedocs.io/en/latest/guide/configuration.html>`__
+to discover it's credentials. To bootstrap S3 backed instances you will
 need a user certificate and a private key in addition to the access key
 and secret key, which are needed for bootstraping EBS backed instances.
 
@@ -31,11 +33,11 @@ under the ``provider`` section.
 -  ``access-key``: AWS access-key.
    May also be supplied via the environment variable
    ``$AWS_ACCESS_KEY``
-   ``required for EBS & S3 backing``
+   ``required for S3 backing``
 -  ``secret-key``: AWS secret-key.
    May also be supplied via the environment variable
    ``$AWS_SECRET_KEY``
-   ``required for EBS & S3 backing``
+   ``required for S3 backing``
 -  ``certificate``: Path to the AWS user certificate. Used for
    uploading the image to an S3 bucket.
    May also be supplied via the environment variable
@@ -62,6 +64,24 @@ Example:
         access-key: AFAKEACCESSKEYFORAWS
         secret-key: thes3cr3tkeyf0ryourawsaccount/FS4d8Qdva
 
+Profile
+~~~~~~~
+A profile from the `boto3 shared credentials files <http://boto3.readthedocs.io/en/latest/guide/configuration.html#shared-credentials-file>`__
+can be declared rather than needing to enter credentials into the
+manifest.
+
+-  ``profile``: AWS configuration profile.
+
+Example:
+
+.. code-block:: yaml
+
+    ---
+    provider:
+      name: ec2
+      credentials:
+        profile: Default
+
 Virtualization
 ~~~~~~~~~~~~~~
 

bootstrapvz/providers/ec2/manifest-schema.yml

@@ -10,6 +10,7 @@ properties:
     type: object
     properties:
       description: {type: string}
+      profile: {type: string}
       credentials:
         type: object
         properties:

bootstrapvz/providers/ec2/tasks/connection.py

@@ -47,13 +47,20 @@ class GetCredentials(Task):
         def provider_key(key):
             return key.replace('-', '_')
 
-        import boto.provider
-        provider = boto.provider.Provider('aws')
+        provider_args = {
+            'profile_name': manifest.provider.get('profile', None)}
+
+        from boto3 import Session
+        if provider_args.get('profile_name', None):
+            if provider_args.get('profile_name') not in Session().available_profiles:
+                raise RuntimeError((
+                    'Profile specified was not found: {}'.format(provider_args.get('profile_name'))))
+        provider = Session(**provider_args).get_credentials().get_frozen_credentials()
         if all(getattr(provider, provider_key(key)) is not None for key in keys):
             for key in keys:
                 creds[key] = getattr(provider, provider_key(key))
-            if hasattr(provider, 'security_token'):
-                creds['security-token'] = provider.security_token
+            if hasattr(provider, 'token'):
+                creds['security-token'] = provider.token
             return creds
         raise RuntimeError(('No ec2 credentials found, they must all be specified '
                             'exclusively via environment variables or through the manifest.'))
@@ -72,10 +79,6 @@ class Connect(Task):
             'aws_secret_access_key': info.credentials['secret-key']
         }
 
-        if 'security-token' in info.credentials:
-            connect_args['security_token'] = info.credentials['security-token']
+        connect_args['aws_session_token'] = info.credentials.get('security-token', None)
 
-        info._ec2['connection'] = boto3.Session(info._ec2['region'],
-                                                info.credentials['access-key'],
-                                                info.credentials['secret-key'])
-        info._ec2['connection'] = boto3.client('ec2', region_name=info._ec2['region'])
+        info._ec2['connection'] = boto3.client('ec2', region_name=info._ec2['region'], **connect_args)