Working with Federation #3

Closed
maestro1315 opened this issue May 26, 2022 · 4 comments

@maestro1315

This appears to not work with Federated AWS accounts. Is there any way to work around that?
An error occurred when calling the GetUser operation: Must specify userName when calling with non-User credentials.

I'm assuming it's looking for a local IAM user that does not exist.

@sergiocorreia
Owner

sergiocorreia commented May 26, 2022

That's a great point. I didn't test this with Federated AWS accounts because I don't have access to one.

I suspect the fix shouldn't be too complicated, as quipucamayoc relies on boto3 for authentication. Based on a few search results (eg) it seems we would have to change the references to IAM clients to references to STS clients. E.g., from this:

```python
iam_client = session.client('iam')
```

To this:

```python
sts_client = session.client('sts')
```

Similarly, we would need to change the line `self.account_id = boto3.resource('iam').CurrentUser()` to something specific for STS (perhaps this?). However, as I mentioned, I can't do it on my end as I don't have a way to test whether it works or not. That said, if you submit a workable STS alternative to `aws_setup.py`, I can take it from there and modify the code so it works for both IAM and STS.

Cheers,
S

@maestro1315
Author

I was able to get further, but it looks like there would be quite a few tweaks. I think this would be another issue.

```python
# Create user, set its permissions, and obtain its credentials
create_user(quipu, iam_client, logger)
access_key_id, secret_access_key = set_user_permissions(quipu, iam_client, logger)
```

@maestro1315
Author

Your suggestion of using `self.account_id = boto3.client('sts').get_caller_identity().get('Account')` did work, as did changing to `sts_client = session.client('sts')`.

@sergiocorreia
Owner

So you managed to get it to work? If so, can you share a copy of your .py file so I can add it to the next version? Thanks!
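
An added example, not part of the thread and not quipucamayoc's code: one way to read the account ID from `get_caller_identity()` and tell an IAM user from a federated or assumed-role session before attempting user-only IAM calls such as `GetUser`. The names `Caller`, `parse_caller_arn`, `resolve_caller` and `StubSTS` are hypothetical, and the stub stands in for `boto3.client('sts')` so the block runs offline.

```python
# Added example (not quipucamayoc code): classify the caller via STS.
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    account_id: str
    kind: str   # "user", "assumed-role", "federated-user" or "root"
    name: str

    @property
    def is_iam_user(self):
        # Only IAM-user credentials let iam.get_user() infer the user name.
        return self.kind == "user"


def parse_caller_arn(arn):
    """Split a principal ARN into (account_id, kind, name)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] not in ("iam", "sts"):
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    account_id, resource = parts[4], parts[5]
    if resource == "root":
        return account_id, "root", "root"
    kind, _, rest = resource.partition("/")
    if not rest:
        raise ValueError(f"unexpected resource in ARN: {arn!r}")
    if kind == "assumed-role":
        name = rest.split("/", 1)[0]      # assumed-role/<role>/<session>
    else:
        name = rest.rsplit("/", 1)[-1]    # user/<path>/<name>, federated-user/<name>
    return account_id, kind, name


def resolve_caller(sts_client):
    """Works for IAM users and federated sessions; needs no IAM permissions."""
    ident = sts_client.get_caller_identity()
    account_id, kind, name = parse_caller_arn(ident["Arn"])
    if account_id != ident["Account"]:
        raise ValueError("Account field and ARN disagree")
    return Caller(account_id, kind, name)


class StubSTS:
    """Constructed stand-in for boto3.client('sts'), so this runs offline."""
    def __init__(self, arn):
        self._arn = arn

    def get_caller_identity(self):
        return {"UserId": "CONSTRUCTED", "Account": self._arn.split(":")[4], "Arn": self._arn}
```

With real credentials, pass `session.client('sts')` to `resolve_caller` and take the IAM-user code path only when `is_iam_user` is true.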
