diff --git a/bootstrapvz/providers/ec2/README.rst b/bootstrapvz/providers/ec2/README.rst
index 54f0a0a..7d22b99 100644
--- a/bootstrapvz/providers/ec2/README.rst
+++ b/bootstrapvz/providers/ec2/README.rst
@@ -20,8 +20,10 @@ Manifest settings
 Credentials
 ~~~~~~~~~~~
-The AWS credentials can be configured in two ways: Via the manifest or
-through environment variables. To bootstrap S3 backed instances you will
+The AWS credentials can be configured via the manifest or through
+environment variables. If using EBS backing, credentials can not be included to
+allow `boto3 `__
+to discover it's credentials. To bootstrap S3 backed instances you will
 need a user certificate and a private key in addition to the access key and secret key, which are needed for bootstraping EBS backed instances.
@@ -31,11 +33,11 @@ under the ``provider`` section.
 - ``access-key``: AWS access-key. May also be supplied via the environment variable ``$AWS_ACCESS_KEY``
- ``required for EBS & S3 backing``
+ ``required for S3 backing``
 - ``secret-key``: AWS secret-key. May also be supplied via the environment variable ``$AWS_SECRET_KEY``
- ``required for EBS & S3 backing``
+ ``required for S3 backing``
 - ``certificate``: Path to the AWS user certificate. Used for uploading the image to an S3 bucket. May also be supplied via the environment variable
@@ -62,6 +64,24 @@ Example:
 access-key: AFAKEACCESSKEYFORAWS
 secret-key: thes3cr3tkeyf0ryourawsaccount/FS4d8Qdva
+Profile
+~~~~~~~
+A profile from the `boto3 shared credentials files `__
+can be declared rather than needing to enter credentials into the
+manifest.
+
+- ``profile``: AWS configuration profile.
+
+Example:
+
+.. code-block:: yaml
+
+ ---
+ provider:
+ name: ec2
+ credentials:
+ profile: Default
+
 Virtualization
 ~~~~~~~~~~~~~~
diff --git a/bootstrapvz/providers/ec2/manifest-schema.yml b/bootstrapvz/providers/ec2/manifest-schema.yml
index eff5bc0..b3a9ea3 100644
--- a/bootstrapvz/providers/ec2/manifest-schema.yml
+++ b/bootstrapvz/providers/ec2/manifest-schema.yml
@@ -10,6 +10,7 @@ properties:
 type: object
 properties:
 description: {type: string}
+ profile: {type: string}
 credentials:
 type: object
 properties:
diff --git a/bootstrapvz/providers/ec2/tasks/connection.py b/bootstrapvz/providers/ec2/tasks/connection.py
index cb9ab2a..b35ebb3 100644
--- a/bootstrapvz/providers/ec2/tasks/connection.py
+++ b/bootstrapvz/providers/ec2/tasks/connection.py
@@ -47,13 +47,20 @@ class GetCredentials(Task):
 def provider_key(key):
 return key.replace('-', '_')
- import boto.provider
- provider = boto.provider.Provider('aws')
+ provider_args = {
+ 'profile_name': manifest.provider.get('profile', None)}
+
+ from boto3 import Session
+ if provider_args.get('profile_name', None):
+ if provider_args.get('profile_name') not in Session().available_profiles:
+ raise RuntimeError((
+ 'Profile specified was not found: {}'.format(provider_args.get('profile_name'))))
+ provider = Session(**provider_args).get_credentials().get_frozen_credentials()
 if all(getattr(provider, provider_key(key)) is not None for key in keys):
 for key in keys:
 creds[key] = getattr(provider, provider_key(key))
- if hasattr(provider, 'security_token'):
- creds['security-token'] = provider.security_token
+ if hasattr(provider, 'token'):
+ creds['security-token'] = provider.token
 return creds
 raise RuntimeError(('No ec2 credentials found, they must all be specified ' 'exclusively via environment variables or through the manifest.'))
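Review bot: `Session(**provider_args).get_credentials()` returns None when boto3's credential chain resolves nothing, so the chained `.get_frozen_credentials()` on the `provider = ...` line raises AttributeError instead of reaching the RuntimeError at the end of the hunk; split it into `credentials = Session(**provider_args).get_credentials()` / `if credentials is None: raise RuntimeError('No ec2 credentials found ...')` / `provider = credentials.get_frozen_credentials()`. The `hasattr(provider, 'token')` check that follows is always true on frozen credentials (the field exists, possibly as None), so `creds['security-token']` is now populated with None for static keys where it used to be absent; `if provider.token is not None:` keeps the previous semantics. The `profile` key is read from `manifest.provider` here and declared as a sibling of `credentials` in the manifest-schema.yml hunk, but the README example in this commit places it under `credentials:`, so one of the three appears to need aligning. The wording of the final RuntimeError ("exclusively via environment variables or through the manifest") is also stale now that boto3's chain additionally consults shared credential files and instance metadata. The enclosing `run` method of GetCredentials begins outside the hunk.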
@@ -72,10 +79,6 @@ class Connect(Task):
 'aws_secret_access_key': info.credentials['secret-key']
 }
- if 'security-token' in info.credentials:
- connect_args['security_token'] = info.credentials['security-token']
+ connect_args['aws_session_token'] = info.credentials.get('security-token', None)
- info._ec2['connection'] = boto3.Session(info._ec2['region'], info.credentials['access-key'], info.credentials['secret-key'])
- info._ec2['connection'] = boto3.client('ec2', region_name=info._ec2['region'])
+ info._ec2['connection'] = boto3.client('ec2', region_name=info._ec2['region'], **connect_args)
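Review bot: Passing the access key, secret key and `aws_session_token` explicitly to `boto3.client` on the last line turns any refreshable credential source (instance profile, assumed role) into a static snapshot, because GetCredentials already froze them with `get_frozen_credentials()`; a long bootstrap can then fail once a temporary token expires, with no refresh possible. When no manifest-supplied keys are present, building the client from a `boto3.Session(profile_name=...)` and letting botocore resolve and refresh credentials itself would avoid that, though whether later tasks still need the raw keys (the README says S3 backing does) cannot be seen from here. The `.get('security-token', None)` default means `aws_session_token=None` is passed when no token exists, which boto3 treats the same as omitting it, so that part is fine. The enclosing method starts outside the hunk.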