Releases: michaelthomasletts/boto3-refresh-session
boto3-refresh-session now supports custom authentication flows!
Users with highly sophisticated, novel, or idiosyncratic authentication flows that are not or cannot be included in boto3-refresh-session have, until now, not been able to use boto3-refresh-session.
I am happy to announce that, as of today, boto3-refresh-session now supports user-provided custom temporary credential methods. Now, you can automatically refresh those temporary credentials in the background without writing any boilerplate code yourself using boto3 and/or botocore.
Below is an example of how to use boto3-refresh-session with a user-provided custom temporary credential method called your_custom_credential_getter.
def your_custom_credential_getter(...):
    ...
    return {
        "access_key": ...,
        "secret_key": ...,
        "token": ...,
        "expiry_time": ...,
    }

# and pass it to RefreshableSession
session = RefreshableSession(
    method="custom",
    custom_credentials_method=your_custom_credential_getter,
    custom_credentials_methods_args=...,
    region_name=region_name,
    profile_name=profile_name,
    ...
)
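A fuller version of the getter above, as an added example that is not code from boto3-refresh-session or its author: it maps credential_process-style JSON from a credential broker to the four-key dict and rejects incomplete or nearly expired results before they reach the session. Assumptions: the `read_source` callable, the five-minute margin, the sample JSON, and that `expiry_time` is an ISO 8601 timestamp with a timezone, the form botocore's refreshable credentials parse.

```python
import json
from datetime import datetime, timedelta, timezone

REQUIRED = ("access_key", "secret_key", "token", "expiry_time")
MIN_REMAINING = timedelta(minutes=5)  # assumed safety margin, not a BRS setting


def from_credential_process_json(raw, now=None):
    """Map credential_process-style JSON to the dict shape shown above."""
    now = now or datetime.now(timezone.utc)
    doc = json.loads(raw)
    creds = {
        "access_key": doc.get("AccessKeyId"),
        "secret_key": doc.get("SecretAccessKey"),
        "token": doc.get("SessionToken"),
        "expiry_time": doc.get("Expiration"),
    }
    missing = [k for k in REQUIRED if not creds[k]]
    if missing:
        # Name the missing fields only; never echo secret values into errors.
        raise ValueError(f"credential source omitted: {', '.join(missing)}")
    expiry = datetime.fromisoformat(creds["expiry_time"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:
        raise ValueError("expiry_time must carry a timezone")
    if expiry - now < MIN_REMAINING:
        raise ValueError("credentials are expired or about to expire")
    creds["expiry_time"] = expiry.isoformat()
    return creds


def your_custom_credential_getter(read_source):
    """Custom method for RefreshableSession; read_source is a hypothetical
    callable returning the broker's JSON text (subprocess, HTTPS call, ...)."""
    return from_credential_process_json(read_source())


def sample_source(valid_for=timedelta(hours=1)):
    # Constructed sample output; the key values are AWS documentation examples.
    exp = datetime.now(timezone.utc) + valid_for
    return json.dumps({
        "Version": 1,
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "constructed-session-token",
        "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
```

Failing inside the getter keeps a stale or partial credential set from being installed on a refresh, and the error text stays safe to log because it carries field names rather than values.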
In the coming weeks, boto3-refresh-session will include a new module for IoT. Stay tuned for that!
Full Changelog: 1.2.3...1.3.6
boto3-refresh-session now supports ECS
boto3-refresh-session (BRS) was originally designed to automatically refresh temporary security credentials using only STS.Client.assume_role.
To expand BRS's features, the latest changes include an ecs module that supports automatic refresh of temporary security credentials for ECS as well and uses ECS metadata to retrieve credentials. Those changes were tested locally using mocked AWS credentials and a mocked AWS API. No unit / integration tests were added in the latest changes, however. Early adopters of the ecs module are encouraged to open issues if any appear.
Example usage:
from boto3_refresh_session import RefreshableSession
session = RefreshableSession(method="ecs")
s3 = session.client("s3")
s3.list_buckets()
Additional services will be introduced to BRS over the next two to three months. Stay tuned.
What's Changed
- [minor] Adding ECS module to boto3-refresh-session by @michaelthomasletts in #57
Full Changelog: 1.1.3...1.2.0
BRS is preparing for the addition of new refresh methods!
A user recently asked if I have any intention of adding SSO as a possible refresh method to boto3-refresh-session.
That question made me realize that boto3-refresh-session was not in a great condition to accept multiple refresh methods. The RefreshableSession object was exclusive to STS. I realized that RefreshableSession needed to be generalized and that new objects needed to be created per refresh method. Crucially, I realized that those updates would need to be non-invasive so as not to disrupt existing users who are, it's safe to say, happy to be using STS. I also realized that those updates needed to be designed in such a way that, in the future, I can focus less on architecture and more on researching the best way to package a refresh pattern for a particular AWS service and deliver that update to users ASAP.
To that end, I released the following updates this evening:
- A BaseRefreshableSession object was added into session.py
  - This puts all boto3 Session relevant logic in one single place
- An sts module containing an STSRefreshableSession object
  - This is a pattern that I plan to continue: as new refresh methods are introduced to BRS, they will be placed in a separate module -- named after the AWS service that they are related to
- RefreshableSession was refactored to initialize STSRefreshableSession (and any future object that is introduced) using a non-invasive "method" argument
- Added two helper methods to aid users: get_identity and get_available_methods. The former is intuitive. The latter lists all refresh methods available in STS -- for anyone too hurried to check the documentation
I plan on introducing IoT to BRS soon using this project for inspiration.
As for SSO -- honestly, that one will require a little more thought and care.
To everyone who starred this project, reached out to me, mentioned or featured it in your work, or simply uses BRS -- thank you!
Added a defer_refresh parameter to AutoRefreshableSession!
Someone recently asked me in a thread on Reddit about the difference between the RefreshableCredentials and DeferredRefreshableCredentials objects in botocore. That question got me thinking that I should finally add a defer_refresh option to AutoRefreshableSession so that users can choose between lazy and active temporary credential refreshes, which is something I planned on doing eventually but had not prioritized yet.
For context, the DeferredRefreshableCredentials object does not refresh temporary credentials until those credentials are explicitly needed; however, the RefreshableCredentials object refreshes temporary credentials the moment that they expire. The former is lazy; the latter is active. It is possible that the latter might be inefficient in some systems, hence my decision to finally include defer_refresh as a parameter.
Please note that, according to one user, DeferredRefreshableCredentials is leaking memory. I have not tested that claim myself; however, it may, according to their analysis, be something to be mindful of. You may, therefore, want to use defer_refresh=False in the meantime until that issue is resolved. I will monitor the issue and update the version of boto3 in pyproject.toml accordingly.