DhJrddlZddlZddlZddlZddlZddlZddlmZddlm Z ddl Z ddl m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7dd l8m9Z9dd l:m;Z;dd lZ>ej~e@ZAdz,create_credential_resolver..hs G//) load_configclient_creatorr? profile_namecredential_sourcerprofile_provider_builderrJdisable_env_varszWSkipping environment variable credential check because profile name was explicitly set.) providers)get_config_variableinstance_variablesgetr,rAioEnvProviderAioContainerProviderAioInstanceMetadataProviderr1r<AioProfileProviderBuilderAioAssumeRoleProviderr'!AioCanonicalNameCredentialSourcerrOAioOriginalEC2ProviderAioBotoProviderremoveloggerdebugAioCredentialResolver)rDr?r@rJmetadata_timeoutr;rN imds_config env_providercontainer_providerinstance_metadata_providerrLassume_role_provider pre_profileprofile_providers post_profilerOresolvers` rEcreate_credential_resolverriAs ..y9FYL223MN../NOL11377 B$N*1)D)D +* /I / *KK }!#L-/!<3$%))+  " 9u+ 1/*7K@!< -/I J ":  K1::!);  " L //,>I &  8 %y9H OrGc*eZdZdZdZdZdZdZy)rVc$t|fdS)Nc0jjSrB_sessionrCselfsrErFzDAioProfileProviderBuilder._create_process_provider.. 9 9rG)rJrH)AioProcessProviderrprJs` rE_create_process_providerz2AioProfileProviderBuilder._create_process_providers!%9  rGcR|jjd}t||S)Ncredentials_file)rJcreds_filename)rnrPAioSharedCredentialProvider)rprJcredential_files rE"_create_shared_credential_providerz.rqrG)rHrIr?rJrN)$AioAssumeRoleWithWebIdentityProviderr'rn _region_name_cache)rprJrNs` rE_create_web_identity_providerz7AioProfileProviderBuilder._create_web_identity_providers939. t00++%-  rGc tfdjj|jjt jj|S)Nc0jjSrBrmrosrErFz@AioProfileProviderBuilder._create_sso_provider..rqrG)r?rJ)rHrIrJr? token_cachetoken_provider)AioSSOProviderrn create_clientr_sso_token_cacher/rss` rE_create_sso_providerz.AioProfileProviderBuilder._create_sso_providersN9==66%++--. ++)  rGN)__name__ __module__ __qualname__rtrzrrrrGrErVrVs       rGrVcTKt|}|jd{S7wrB)riload_credentials)rDrhs rEget_credentialsrs%)'2H**, ,, ,s (&(cfd}|S)NcK4d{}|jdid{}dddd{d}|d|d|dt|ddS7O777)#1d{7swY9xYww)Nr AccessKeyIdSecretAccessKey SessionToken Expiration access_key secret_keytoken expiry_timer) assume_roler*)stsresponse credentialsclientparamss rErefreshz-create_assume_role_refresher..refreshs 7 7S,S__6v66H 7 7}- &m4%&78 0/ L0IJ    76 7 7 7 7sQA5AA5A AA  A5A&A5A A5 A2&A) 'A2.A5r)rrrs`` rEcreate_assume_role_refresherrs   NrGc:Gdd}||jS)NceZdZdZdZy)/create_mfa_serial_refresher.._Refresherc ||_d|_y)NF)_refresh_has_been_called)rprs rE__init__z8create_mfa_serial_refresher.._Refresher.__init__s#DM$)D !rGcxK|jr td|_|jd{S7wNT)rr!rros rEcallz4create_mfa_serial_refresher.._Refresher.calls4$$566$(D !( ((s 1:8:N)rrrrrrrGrE _Refresherrs  * )rGr)r)actual_refreshrs rEcreate_mfa_serial_refresherrs ) ) n % * **rGceZdZdZy)AioCredentialsc`Kt|j|j|jSwrB)rrrrros rEget_frozen_credentialsz%AioCredentials.get_frozen_credentialss&" OOT__djj  s,.N)rrrrrrGrErrs rGrceZdZfdZedZej dZedZej dZedZej dZdZ d Z d Z xZ S) AioRefreshableCredentialscVt||i|tj|_yrB)superrasyncioLock _refresh_lockrpargskwargs __class__s rErz"AioRefreshableCredentials.__init__s# $)&)$\\^rGctdNzAmissing call to self._refresh. Use get_frozen_credentials instead)NotImplementedError _access_keyros rErz$AioRefreshableCredentials.access_key" 1  rGc||_yrB)rrpvalues rErz$AioRefreshableCredentials.access_key  rGctdr)r _secret_keyros rErz$AioRefreshableCredentials.secret_keyrrGc||_yrB)rrs rErz$AioRefreshableCredentials.secret_keyrrGctdr)r_tokenros rErzAioRefreshableCredentials.tokenrrGc||_yrB)rrs rErzAioRefreshableCredentials.token(s  rGcK|j|jsy|jjs|j4d{|j|js dddd{y|j|j}|j |d{ dddd{y|j|jrm|j4d{|j|js dddd{y|j dd{dddd{yy7777#1d{7swYyxYw7{7Q787*#1d{7swYyxYww)N) is_mandatoryT)refresh_needed_advisory_refresh_timeoutrlocked_mandatory_refresh_timeout_protected_refresh)rpis_mandatory_refreshs rErz"AioRefreshableCredentials._refresh,s""4#A#AB !!((*))  **4+I+IJ   (,':':33($--!5.    !@!@ A)) A A**4+J+JK A A A--4-@@@  A A AB        A AA  A A A AsAF E  F E* F5E6F;0E+E,E1 F<E=0F-E).F1E1 FE+FE14E-5E19 FE/FFEFE&E E&"F+F-E1/F1F7E: 8F?FcK |jd{}|j |t |j |j|j|_ |jr"d}tj|t|y7x#t$r$|rdnd}tjd|d|rYywxYww)N mandatoryadvisoryzARefreshing temporary credentials failed during %s refresh period.Texc_infozLCredentials were refreshed, but the refreshed credentials are still expired.) _refresh_using Exceptionr\warning_set_from_datarrrr_frozen_credentials _is_expired RuntimeError)rprmetadata period_namemsgs rErz,AioRefreshableCredentials._protected_refreshEs !0022H$ H%#6   d.. $      ;  NN3 s# # -3 )5+:K NN,    ! s8CBBBA4CB*B?<C>B??CcVK|jd{|jS7wrB)rrros rErz0AioRefreshableCredentials.get_frozen_credentialses&mmo''' s )')) rrrrpropertyrsetterrrrrr __classcell__rs@rErrs,   !!  !! \\A2$@(rGrc*eZdZefdZdfd ZxZS)!AioDeferredRefreshableCredentialsc||_d|_d|_d|_d|_||_t j|_||_ d|_ yrB) rrrr _expiry_time _time_fetcherrrrmethodr)rp refresh_usingr time_fetchers rErz*AioDeferredRefreshableCredentials.__init__ksN+  )$\\^ #' rGc<|jyt| |Sr)rrr)rp refresh_inrs rErz0AioDeferredRefreshableCredentials.refresh_neededvs"  # # +w%j11rGrB)rrrr(rrrrs@rErrjs;E (22rGrceZdZdZdZdZy)AioCachedCredentialFetcherc Ktdw)Nz_get_credentials())rros rE_get_credentialsz+AioCachedCredentialFetcher._get_credentials}s!"677s c>K|jd{S7wrB)_get_cached_credentialsros rEfetch_credentialsz,AioCachedCredentialFetcher.fetch_credentialss113333 cK|j}|*|jd{}|j|ntj d|d}t |dd}|d|d|d |d S7Pw) zGet up-to-date credentials. This will check the cache for up-to-date credentials, calling assume role if none are available. Nz*Credentials for role retrieved from cache.rrT)isorrrr)_load_from_cacher_write_to_cacher\r]r*)rprcreds expirations rErz2AioCachedCredentialFetcher._get_cached_credentialss ((*  !2244H   * LLE F')% *=4H  . 12>*%   5s&A;A9AA;N)rrrrrrrrGrErr|s84 rGrc eZdZy)"AioBaseAssumeRoleCredentialFetcherN)rrrrrGrErrs rGrceZdZdZdZy)AioAssumeRoleCredentialFetchercK|j}|jd{}|4d{}|jdi|d{cdddd{S7:7177 #1d{7swYyxYww)'Get credentials by calling assume role.Nr)_assume_role_kwargs_create_clientr)rprrrs rErz/AioAssumeRoleCredentialFetcher._get_credentialss|))+**,, 3 3S(2622 3 3 3- 32 3 3 3 3sf$A>A! A>A#A>A) A% A) A>A'A>#A>%A)'A>)A;/A2 0A;7A>cK|jjd{}|jd|j|j|j S77w)z2Create an STS client using the source credentials.Nr)aws_access_key_idaws_secret_access_keyaws_session_token)_source_credentialsr_client_creatorrrr)rpfrozen_credentialss rErz-AioAssumeRoleCredentialFetcher._create_clients`**AAC C ## 0;;"4"?"?066 $   DsAA8AN)rrrrrrrGrEr r s 3  rGr c2eZdZ dfd ZdZdZxZS)-AioAssumeRoleWithWebIdentityCredentialFetcherc<||_t| |||||y)N) extra_argsr?expiry_window_seconds)_web_identity_token_loaderrr)rprIweb_identity_token_loaderrole_arnrr?rrs rErz6AioAssumeRoleWithWebIdentityCredentialFetcher.__init__s/+D'   !"7  rGcK|j}tt}|jd|4d{}|jdi|d{cdddd{S7/77 #1d{7swYyxYww)r )signature_versionrr=Nr)r r.rrassume_role_with_web_identity)rprr=rs rErz>AioAssumeRoleWithWebIdentityCredentialFetcher._get_credentialss))+X6''f'= H H===GGG H H HG H H H HsV8BA*BA0A,A0 B$A.%B,A0.B0B6A9 7B>BcZt|j}|j}||d<|S)zAGet the arguments for assume role based on current configuration.WebIdentityToken)r_assume_kwargsr)rpassume_role_kwargsidentity_tokens rEr zAAioAssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargss3%d&9&9:88:1?-.!!rG)NNN)rrrrrr rrs@rErrs" (H"rGrcDeZdZejdfd ZdZdZxZS)rr)popenc,t||i|d|iy)Nr()rr)rpr(rrrs rErzAioProcessProvider.__init__s $6&66rGc*Kjyjd{}|jd%tj |fdj St |d|d|jdj S7hw)Nrc&jSrB)_retrieve_credentials_using)credential_processrpsrErFz)AioProcessProvider.load..s889KLrGrrr)rrrr)_credential_processr,rRrcreate_from_metadataMETHODr)rp creds_dictr-s` @rEloadzAioProcessProvider.loads!55  % ;;>- ( 4,AAL   !,/!,/..);;   Ps$BBA)BcKt|}|j|tjtjdd{}|j d{\}}|j dk7r&t |j|jdtjjj|jd}|jdd}|dk7rt |jd|d  |d |d |jd |jd dS77#t$r}t |jd|d}~wwxYww)N)stdoutstderrrutf-8provider error_msgVersionzzUnsupported version 'z8' for credential process provider, supported versions: 1rrrrrz"Missing required key in response: )r_popen subprocessPIPE communicate returncoderr0decodebotocorecompatjsonloadsrRKeyError) rpr- process_listpr4r5parsedversiones rEr,z.AioProcessProvider._retrieve_credentials_usingsJ**<= $++ *//*//   !}}. <<1 * g0F %%++FMM',BC**Y(DE a<*+G9567  $]3$%67N3%zz,7  ' /, *>qcB  sH>ED+ED-B&E*D/*E-E/ E8EEE) rrrrcreate_subprocess_execrr2r,rrs@rErrrrs$+$B$B7 (!rGrrceZdZdZy)rUcK|j}|jd{}|sytjd|dtj ||j |j}|S7Nw)Nz#Found credentials from IAM Role: %s role_namerr) _role_fetcherretrieve_iam_role_credentialsr\inforr/r0)rpfetcherrrs rEr2z AioInstanceMetadataProvider.loadsu$$ >>@@ 18K3H *>> ;;!???   As A3A1AA3Nrrrr2rrGrErUrUsrGrUceZdZdZy)rScnK|jj|jdd}|rtj d|j }|d}|d}|/t |}t|d|d|d|||j St|d|d|d|j Syw) Nrz+Found credentials in environment variables.F)require_expiryrrr)rrr) environrR_mappingr\rS_create_credentials_fetcherr+rr0r)rprrTrrs rEr2zAioEnvProvider.load/s\\%%dmmL&A2F  KKE F668G!7K%m4K&#K0 0 - -(");; "L)L)G${{  sB3B5NrUrrGrErSrS.srGrSceZdZdZy)rYcVKd|jvrtjj|jd}|j |}|j |vrKt jd||j }||j}t|||jSyyw)NAWS_CREDENTIAL_FILEz)Found credentials in AWS_CREDENTIAL_FILE.rZ) _environospath expanduser_parser ACCESS_KEYr\rS SECRET_KEYrr0)rp full_pathrrrs rEr2zAioOriginalEC2Provider.loadNs DMM 1** 34ILL+E%' GH"4??3 "4??3 % 4;; (sB'B)NrUrrGrErYrYMsrGrYceZdZdZy)rxcK |j|j}|j|vr||j}|j|vrtt j d|j|j||j|j\}}|j|}t||||jSyy#t$rYywxYww)Nz0Found credentials in shared credentials file: %srZ) _ini_parser_creds_filenamer _profile_namerfr\rS_extract_creds_from_mappingrg_get_session_tokenrr0)rpavailable_credsr=rrrs rEr2z AioSharedCredentialProvider.loadas "..t/C/CDO    0$T%7%78F&( F((*.)I)IDOOT__*& J//7% E$++) 1  s(CCB!C C  C C  CNrUrrGrErxrx`srGrxceZdZdZy)r~cK |j|j}|j|dvr|d|j}|j|vrtt j d|j|j||j|j\}}|j|}t||||jSyy#t$rYywxYww)Nprofilesz$Credentials found in config file: %srZ) _config_parser_config_filenamerrmrfr\rSrnrgrorr0)rprCprofile_configrrrs rEr2zAioConfigProvider.loadws --d.C.CDK   Z!8 8(4T5G5GHN.0 :))*.)I)I"DOOT__*& J//?% E$++1#  s(CCB'C CCCCNrUrrGrEr~r~vsrGr~ceZdZdZy)rZcK|j|jvr|j|jg}n |j}|D]} |j|}d|vs|d}|j |vs.t jd||j||j |j\}}t|||jcSy#t$rYwxYww)Nrz)Found credentials in boto config file: %srZ) BOTO_CONFIG_ENVraDEFAULT_CONFIG_FILENAMESrkrrfr\rSrnrgrr0)rppotential_locationsfilenamer=rrrs rEr2zAioBotoProvider.loads   4== 0#'==1E1E#F"G "&"?"? + H ))(3&$]3 ??k1KKCX.2-M-M#T__doo.*J *"Jt{{ "  s7ACCCC2AC CCCCNrUrrGrErZrZsrGrZc0eZdZdZdZdZdZdZdZy)rWcK|j|_|jjdi}|j|ji}|j |r#|j |jd{Sy7w)Nrs) _load_config_loaded_configrRrm_has_assume_role_config_vars_load_creds_via_assume_role)rprsr3s rEr2zAioAssumeRoleProvider.loadsu"//1&&**:r:,,t1126  , ,W 599$:L:LMM M 6MsA=B?BBcK|j|}|j||d{}i}|jd}|||d<|jd}|||d<|jd}|||d<|jd}|||d<t|j||d ||j |j } | j} | t| } t|j| t S7ͭw) Nrole_session_nameRoleSessionName external_id ExternalId mfa_serial SerialNumberduration_secondsDurationSecondsr)rIsource_credentialsrr mfa_prompterr?)rrr) _get_role_config_resolve_source_credentialsrRr r _prompterr?rrrr0r() rprJ role_configrrrrrrrT refreshers rErz1AioAssumeRoleProvider._load_creds_via_assume_roles$++L9 #'#C#C $   'OO,?@  (,=J( )!oom4  "'2J| $ __\2  !)3J~ &&??+=>  ',I 1;;##  I s'C9C7CC9cK|jd}||j||d{S|d}|jj||j |d{S7=7w)Ncredential_sourcesource_profile)rR _resolve_credentials_from_source_visited_profilesappend!_resolve_credentials_from_profile)rprrJrrs rErz1AioAssumeRoleProvider._resolve_source_credentialssz'OO,?@  (>>!< %%56 %%n5;;NKKK  Ls!)A-A)8A-$A+%A-+A-cK|jjdi}||}|j|r|js|j |S|j|s|j |sU|jj |d}t|}|jd{}|d}t||z|S|j|d{S727w)NrsTrMz.The source profile "%s" must have credentials.r9) rrR_has_static_credentials_profile_provider_builder(_resolve_static_credentials_from_profilerrOr^rrr)rprJrsr3rf profile_chainr error_messages rErz7AioAssumeRoleProvider._resolve_credentials_from_profiles&&**:r:<(  ( ( 122@@I I  ) )  227; $ > > H H)!%!I! 22CDM - > > @@K"D)+l: 55lCCCADs$B-C&/C"0-C&C$C&$C&c t|d|d|jdS#t$r%}t|jt |d}~wwxYw)Nrrr)rrr)r8cred_var)rrRrFrr0str)rpr3rKs rErz>AioAssumeRoleProvider._resolve_static_credentials_from_profiles_ !"#67"#:;kk"56   )s1v  s"% A AAc|K|jj|d{}|t|d|z|S7w)NzBNo credentials found in credential_source referenced in profile %sr7)_credential_sourcerrr)rprrJrs rErz6AioAssumeRoleProvider._resolve_credentials_from_sourcesX!44GG     **$&23  s <:<N) rrrr2rrrrrrrGrErWrWs$N* X LD: rGrWceZdZdZdZy)rc>K|jd{S7wrB)_assume_role_with_web_identityros rEr2z)AioAssumeRoleWithWebIdentityProvider.load"s88::::rcTK|jd}|sy|j|}|jd}|sd}t|i}|jd}|||d<t|j||||j }t |j|jSw) Nweb_identity_token_filerzThe provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.rrr)rIrrrr?rP) _get_config_token_loader_clsrrrr?rr0r)rp token_path token_loaderrr9rrrTs rErzCAioAssumeRoleWithWebIdentityProvider._assume_role_with_web_identity%s%%&?@ --j9 ##J/H  %y9 9  ,,-@A  (,=J( )?//&2!**  1;;!33  sB&B(N)rrrr2rrrGrErr!s ;" rGrceZdZdZdZy)rXcK|j|}t|tr|jd{S|j d{S77w)aLoads source credentials based on the provided configuration. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: Credentials N) _get_provider isinstancer^rr2)rp source_namesources rErz4AioCanonicalNameCredentialSourcer.source_credentialsKsM##K0 f3 40022 2[[]""3"s!5AAAAAAc|j|}|jdvr$|jd}|||St||gS| t ||S)a#Return a credential provider by its canonical name. :type canonical_name: str :param canonical_name: The canonical name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. ) sharedconfigsharedcredentialsz assume-role)name)_get_provider_by_canonical_namelower_get_provider_by_methodr^r&)rpcanonical_namer8rds rErz/AioCanonicalNameCredentialSourcer._get_providerYsv77G    !%J J#'#?#? #N #/ #// -.BH-MNN  (n= =rGN)rrrrrrrGrErXrXJs  #$rGrXc0eZdZfdZdZdZdZxZS)rTcxt||i|t|jtrt |_yyrB)rrr_fetcherrr0rs rErzAioContainerProvider.__init__s5 $)&) dmm%= >79DM ?rGcK|j|jvs|j|jvr|jd{Sy7wrB)ENV_VARra ENV_VAR_FULL_retrieve_or_failros rEr2zAioContainerProvider.loadsB <<4== (D,=,=,N//11 1-O1sAAA Ac K|jr3|jj|j|j}n|j|j }|j }|j||}|d{}t|d|d|d|jt|d|S74w)Nrrrr)rrrrrr) _provided_relative_urirfull_urlrarr_build_headers_create_fetcherrr0r))rpfull_uriheadersrTrs rErz&AioContainerProvider._retrieve_or_fails  & & (}}--dmmDLL.IJH}}T%6%67H%%'&&x9i(\*\*.;;(})=>!    sB C C 5Ccfd}|S)NcK jjd{}|d|d|d|d d S7#t$r=}tj d|dt j t|d}~wwxYww) N)rz'Error retrieving container metadata: %sTrr7rrTokenrr)rretrieve_full_urirr\r]rr0r)rrKrrrps rE fetch_credsz9AioContainerProvider._create_fetcher..fetch_credss !%!@!@g"A"'}5&'89!'*' 5  *  =q4/![[CF  s1B ?=?B? B8BBBr)rprrrs``` rErz$AioContainerProvider._create_fetchers &rG)rrrrr2rrrrs@rErTrTs:2 "rGrTceZdZdZy)r^cK|jD]@}tjd|j|j d{}|>|cSy7 w)zw Goes through the credentials chain, returning the first ``Credentials`` that could be loaded. zLooking for credentials via: %sN)rOr\r]r0r2)rpr8rs rErz&AioCredentialResolver.load_credentialssQ  H LL:HOO L"--/)E   *sAAAA AN)rrrrrrGrEr^r^srGr^c@eZdZdZ dfd ZdZdZdZxZS)AioSSOCredentialFetcherz%Y-%m-%dT%H:%M:%SZc ||_||_||_||_||_||_| |_| |_t |%||yrB) r _sso_region _role_name _account_id _start_url _token_loader_token_provider_sso_session_namerr) rp start_url sso_regionrO account_idrIrr?rrsso_session_namers rErz AioSSOCredentialFetcher.__init__sS .%#%#)-!1  56rGc,|j|jd}|jr|j|d<n|j|d<t j |dd}t |jdj}|j|S)N)roleName accountId sessionNamestartUrlT),:) sort_keys separatorsr6) rrrrrDdumpsrencode hexdigest_make_file_safe)rpr argument_hashs rE_create_cache_keyz)AioSSOCredentialFetcher._create_cache_keys))   ! !"&"8"8D #D zz$$:FT[[12<<> ##M22rGc|dz }tjj|t}|j|jS)Ng@@)datetime fromtimestampr-strftime_UTC_DATE_FORMAT)rp timestamp_mstimestamp_seconds timestamps rE_parse_timestampz(AioSSOCredentialFetcher._parse_timestamps?(61%%334EuwO !!$"7"788rGc Ktt|j}|jd|4d{}|jr=|jj }|j d{j}n|j|jd}|j|j|d} |jdi|d{}|d}d|d|d |d |j!|d d d }|cdddd{S777E#|jj$r twxYw72#1d{7swYyxYww)z4Get credentials by calling SSO get role credentials.)rr@ssor N accessToken)rrrroleCredentials accessKeyIdsecretAccessKey sessionTokenr)rrrr) ProviderTyperr)rrrrr load_tokenget_frozen_tokenrrrrrget_role_credentials exceptionsUnauthorizedExceptionr%r)rpr=rinitial_token_datarrrrs rErz(AioSSOCredentialFetcher._get_credentialssl&(( ''f'=  ##%)%9%9%D%D%F"1BBDDKK**4??;MJ!OO!--$F  2!<!rs  ."&&&&&&&&&&N(2   8 $Xv, 6, ^- "+&#> [ i( 6i(X2(A2$ !8 < #%?  !C .&"&&"R99x":$[>0&":,0l4v.vr& +L& R3(F3l1,1h.,Q8Qh [ rG