Closed iainelder closed 3 years ago
very cool -- any thoughts how to add a unit test for it?
I see there are some tests around the custom profile handling in https://github.com/okigan/awscurl/blob/master/tests/load_aws_config_test.py.
How do I run the existing unit tests? I don't see anything in the README about it.
What a great point about having a section on this in readme - I’ll update.
For now check out the GitHub actions file that shows commands to run:
On Jun 11, 2021, at 3:47 AM, Iain Samuel McLean Elder @.***> wrote:
I see there are some tests around the custom profile handling in https://github.com/okigan/awscurl/blob/master/tests/load_aws_config_test.py.
How do I run the existing unit tests? I don't see anything in the README about it.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.
Hi, @okigan , sorry, I didn't get around to running the unit tests.
I see you have already merged this to master.
What do we need to do to get this feature into the version available from PyPI?
@iainelder unit tests still would be great for this - it's a bit unique feature and unit test would make sure it does not get broken by other pull requests.
I am working through another PR - so PyPI would get updated after that (so you still have time)
@iainelder FYI, PyPi (https://pypi.org/project/awscurl/) is updated -- test PR is still welcome to keep the feature working
Hi @okigan, thanks for the update. It's not immediately clear to me how to test it but I'll have a think about it and let you know.
With this change, awscurl uses botocore to fetch the temporary credentials for SSO profiles from the AWS CLI v2 credential cache.
awscurl used to create a session with the get_session function. The get_session function is poorly documented, but according to the botocore README it appears to load the default profile.
To load a named profile we need to use the Session object constructor and set the profile keyword argument. To load the default profile in this way, the profile keyword is set to None.
The load_aws_config function is tested in load_aws_config_test.py. It has no tests around the botocore behavior, and I don't see how to add them easily.
As botocore already has support for SSO profiles, at the application level this is a trivial change. Botocore has its own tests for handling credentials.
Manual testing
In my AWS config file (~/.aws/config) I have an AWS SSO profile like this:
The AWS shared credentials file (~/.aws/credentials) has no corresponding credentials for the AWS SSO profile. Instead it has "default" credentials used to simulate the existing support for EC2 instance credentials.
awscurl is installed with the botocore optional dependency.
I use this awscurl command to look up an S3 bucket using the AWS SSO profile. The actual AWS API operation doesn't matter. The important part is that the profile selected uses AWS SSO.
Before the change
awscurl fails with an AttributeError because it fails to find an access key. The output starting from loading the botocore package looks like this:
After the change
awscurl successfully sends a request and receives a response from AWS. The abridged output starting from the loading the botocore package looks like this:
I run one more command that uses the default credentials to check that the existing support for instance credentials still works. (I haven't had time to test this on a real EC2 instance.)
The request and response are generated in the same way. (Surprisingly it doesn't seem to matter to AWS at this point whether the credentials are valid or not!)