Using Boto3 to get AWS configuration option

Question

I am looking for a way to perform the equivalent of the AWS CLI's method aws configure get varname [--profile profile-name] using boto3 in python. Does anyone know if this possible without either:

1. Parsing the AWS config file myself
2. Somehow interacting with the AWS CLI itself from my python script

---

For more context, I am writing a python cli tool that will interact with AWS APIs using boto3. The python tool uses an AWS session token stored in a profile in the ~/.aws/credentials file. I am using the saml2aws cli to fetch AWS credentials from my company's identity provider, which writes the aws_access_key_id, aws_secret_access_key, aws_session_token, aws_security_token, x_principal_arn, and x_security_token_expires parameters to the ~/.aws/credentials file like so:

[saml]
aws_access_key_id        = #REMOVED#
aws_secret_access_key    = #REMOVED#
aws_session_token        = #REMOVED#
aws_security_token       = #REMOVED#
x_principal_arn          = arn:aws:sts::000000000123:assumed-role/MyAssumedRole
x_security_token_expires = 2019-08-19T15:00:56-06:00

By the nature of my python cli tool, sometimes the tool will execute past the expiration time of the AWS session token, which are enforced to be quite short by my company. I want the python cli tool to check the expiration time before it starts its critical task to verify that it has enough time to complete its task, and if not, alerting the user to refresh their session token.

Using the AWS CLI, I can fetch the expiration time of the AWS session token from the ~/.aws/credentials file using like this:

$ aws configure get x_security_token_expires --profile saml
2019-08-19T15:00:56-06:00

and I am curious if boto3 has a mechanism I was unable to find to do something similar.

---

As an alternate solution, given an already generated AWS session token, is it possible to fetch the expiration time of it? However, given the lack of answers on questions such as Ways to find out how soon the AWS session expires?, I would guess not.

Answer 1

Yes you can use boto3 in python to fetch credentials, I was able to find this using documentation available here:

import boto3
sesh = boto3.session.Session()

# get ReadOnlyCredentials containing access_key and secret_key
credentials = sesh.get_credentials().get_frozen_credentials()

Answer 2

Since the official AWS CLI is powered by boto3, I was able to dig into the source to find out how aws configure get is implemented. It's possible to read the profile configuration through the botocore Session object. Here is some code to get the config profile and value used in your example:

import botocore.session

# Create an empty botocore session directly
session = botocore.session.Session()

# Get config of desired profile. full_config is a standard python dictionary.
profiles_config = session.full_config.get("profiles", {})
saml_config = profiles_config.get("saml", {})

# Get config value. This will be None if the setting doesn't exist.
saml_security_token_expires = saml_config.get("x_security_token_expires")

I'm using code similar to the above as part of a transparent session cache. It checks for a profile's role_arn so I can identify a cached session to load if one exists and hasn't expired.

As far as the alternate question of knowing how long a given session has before expiring, you are correct in that there is currently no API call that can tell you this. Session expiration is only given when the session is created, either through STS get_session_token or assume_role API calls. You have to hold onto the expiration info yourself after that.