aws-powertools / powertools-lambda-python

A developer toolkit to implement Serverless best practices and increase developer velocity.
https://docs.powertools.aws.dev/lambda/python/latest/
MIT No Attribution

Add utility for handling temporary boto sessions #1174

Open thomasklinger1234 opened 3 years ago

thomasklinger1234 commented 3 years ago

Is your feature request related to a problem? Please describe.

When using the STS AssumeRole API to perform tasks in the context of another IAM role, there is usually a lot of boilerplate code to write:

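import boto3
sts = boto3.client("sts")
credentials = sts.assume_role(RoleArn="...", RoleSessionName="...")["Credentials"]
ec2 = boto3.Session(aws_access_key_id=credentials["AccessKeyId"], aws_secret_access_key=credentials["SecretAccessKey"], aws_session_token=credentials["SessionToken"]).client("ec2")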

This feature request is about adding a new small helper utility to make switching roles during Lambda invocations easier.

Describe the solution you'd like

A contextmanager for assuming a session for given context, something like

from aws_lambda_powertools.utilities import scoped_session

with scoped_session("ec2", role_arn="<role-arn>") as ec2:
  ec2.describe_regions()

Describe alternatives you've considered

Maybe there is also the possibility to do this using a decorator but I have no good API design for that.

heitorlessa commented 3 years ago

hey @thomasklinger1234 thanks for raising this - I believe this solidifies the idea of having an SDK Helper utility with these and other functions.

What do you think @jplock?

Example: awslabs/aws-lambda-powertools-python#1187

lorengordon commented 3 years ago

Fwiw, I've been using and love @benkehoe's utility https://github.com/benkehoe/aws-assume-role-lib for this kind of assume-role functionality in lambda functions. Lot of good lessons there.

benkehoe commented 3 years ago

Huh, I have never thought about a context manager for role assumption, though I don't see much value as there's nothing for it to do for cleanup or exception handling. The other thing that you want to avoid is doing it on a per-client (e.g., EC2) basis, this is what boto3 sessions are for (and I would suggest guiding people towards sessions rather than hiding them). You could just import aws_assume_role_lib.assume_role() into utilities so users don't need to discover and import it separately?
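The session-per-role approach suggested in the comment above, as an added example (not code from this thread, from Powertools, or from aws-assume-role-lib). It goes slightly further by validating the session name and reusing credentials across warm Lambda invocations until they are close to expiry; `assumed_credentials`, `assumed_session` and `FakeSTS` are hypothetical names, and `FakeSTS` is a constructed stand-in so the caching logic runs offline.

```python
import re
from datetime import datetime, timedelta, timezone

# STS accepts 2-64 characters from this set for RoleSessionName.
_SESSION_NAME = re.compile(r"[\w+=,.@-]{2,64}")
_REFRESH_MARGIN = timedelta(minutes=5)
_cache = {}  # (role_arn, session_name) -> Credentials; survives warm invocations


def assumed_credentials(sts, role_arn, session_name, now=None):
    """Return boto3.Session keyword arguments for role_arn, reusing cached
    credentials until they are within _REFRESH_MARGIN of expiring."""
    if not _SESSION_NAME.fullmatch(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    now = now or datetime.now(timezone.utc)
    creds = _cache.get((role_arn, session_name))
    if creds is None or creds["Expiration"] - now < _REFRESH_MARGIN:
        creds = sts.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name,  # recorded in CloudTrail for attribution
            DurationSeconds=900,           # shortest lifetime STS allows
        )["Credentials"]
        _cache[(role_arn, session_name)] = creds
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def assumed_session(role_arn, session_name):
    """One Session per role; create as many clients from it as needed."""
    import boto3  # imported lazily so the logic above can be exercised offline
    sts = boto3.client("sts")
    return boto3.Session(**assumed_credentials(sts, role_arn, session_name))


class FakeSTS:
    """Constructed stand-in for the STS client; counts AssumeRole calls."""
    def __init__(self, now):
        self.now, self.calls = now, 0
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls}",
            "SecretAccessKey": "constructed", "SessionToken": "constructed",
            "Expiration": self.now + timedelta(seconds=DurationSeconds)}}
```

In a handler, `assumed_session(role_arn, "my-function")` returns a session from which `.client("ec2")`, `.client("s3")` and so on can all be created without another AssumeRole call.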

heitorlessa commented 3 years ago

First time seeing - yet another good SDK goodie - from Ben. Glancing at the code it’s more elaborate than I suspected, this made me question v2 more broadly to better accommodate this

A) Move into implicit namespace packages utilities that can be installed separately along with their deps, or as a whole suite of utilities like we do today

B) Make all dependencies optional and allow bringing great stuff from Ben like this without going through the hill of microlibs (uncharted waters for me in Python)

As boto surpassed 63M now it makes me worried about reaching Lambda package limit, since this project without dependencies is 1.2M only

On Thu, 1 Jul 2021 at 21:15, Ben Kehoe @.***> wrote:

Huh, I have never thought about a context manager for role assumption, though I don't see much value as there's nothing for it to do for cleanup or exception handling. The other thing that you want to avoid is doing it on a per-client (e.g., EC2) basis, this is what boto3 sessions are for (and I would suggest guiding people towards sessions rather than hiding them). You could just import aws_assume_role_lib.assume_role() into utilities so users don't need to discover and import it separately?


ran-isenberg commented 3 years ago

@heitorlessa When we package our lambdas, we explicitly remove boto from the zip file as it's already present in the container image of Lambda. It reduced our zipped by a lot.

lorengordon commented 3 years ago

I wish the lambda runtimes would update their boto3/botocore libraries more often, and make it less necessary to include these in the package. Unfortunately, the versions are often quite out-of-date.

lorengordon commented 3 years ago

But another good reason to package them anyway is to ensure we are using the same versions we test against...

ran-isenberg commented 3 years ago

How do you know what version is merged and actually working? There's also the "older" boto there.

lorengordon commented 3 years ago

We don't use the original boto v1. The boto3 and botocore versions we use are a requirement of our lambda code, not this library. The packaging logic for the lambda function just needs to support some mechanism of specifying exact versions. We use a requirements.txt file, with Dependabot incrementing the version periodically, and CI/CD exercising the change in our test suite. Pretty straightforward.

heitorlessa commented 3 years ago

Thanks a lot everyone - I'm moving this to the official Roadmap to give other customers visibility, as TypeScript and C# Powertools are also ramping up quickly to public beta.

Short-term plan is to create an RFC to support SDK high level utilities and gather ideas on what to include. Mid-term, we're working to document the new dynamic feature toggles utility, integrate API reference into the docs, and rewrite the docs for Data Classes and Parser to make it friendlier.

Once these are complete, or if I could get help in parallel, I'd love to have these and other high level utilities for SDK.