
Commit da583d5

committed
duration_seconds
1 parent 97a614a commit da583d5

2 files changed

+27
-8
lines changed


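--- a/broker/aws/sts.py
+++ b/broker/aws/sts.py
@@ -32,12 +32,20 @@
 
 
 class AWSRoleSTS:
-    def __init__(self, role_arn: str, username: str = "", region: str = None) -> None:
+    def __init__(
+        self,
+        role_arn: str,
+        username: str = "",
+        region: str = None,
+        duration_seconds: int = 3600,
+    ) -> None:
+
         self.role_arn = role_arn
         self.username = username
         self.region = region
+        self.duration_seconds = duration_seconds
 
-    def oidc_sts(self, jwt_token: str, duration_seconds: int = 3600) -> dict:
+    def oidc_sts(self, jwt_token: str) -> dict:
         """
         Returns a boto3 client for OpenID Connect STS (Security Token Service)
         """
@@ -49,11 +57,9 @@ def oidc_sts(self, jwt_token: str, duration_seconds: int = 3600) -> dict:
             RoleArn=self.role_arn,
             RoleSessionName=self.username or "sts-role-session",
             WebIdentityToken=jwt_token,
-            DurationSeconds=duration_seconds,
+            DurationSeconds=self.duration_seconds,
         )
 
-        self.duration_seconds = duration_seconds
-
         if isinstance(self.region, str) or self.region in aws_regions:
             # login based on region if provided
             self.response["Region"] = self.region
@@ -124,13 +130,23 @@ def quote_plus_function(s):
 
 
 def get_role(
-    token, role: str, username: str = "", issuer: str = None, region: str = None
+    token,
+    role: str,
+    username: str = "",
+    issuer: str = None,
+    region: str = None,
+    duration_seconds: int = 3600,
 ):
     """Provide aws sts role access to aws cli or console based on web identity token"""
 
     sts: dict = {}
     if isinstance(username, str) and username != "":
-        aws_role = AWSRoleSTS(role_arn=role, username=username, region=region)
+        aws_role = AWSRoleSTS(
+            role_arn=role,
+            username=username,
+            region=region,
+            duration_seconds=duration_seconds,
+        )
     else:
         aws_role = AWSRoleSTS(role_arn=role)
     try: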
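Review bot: The new `duration_seconds` parameter of `get_role` is dropped on the `else` branch, where `AWSRoleSTS(role_arn=role)` is built without it, so a caller with an empty or non-string username silently gets the 3600 s default whatever was requested (the same already holds for `region` on that branch). Pass it through, e.g. `aws_role = AWSRoleSTS(role_arn=role, region=region, duration_seconds=duration_seconds)`, or drop the branch altogether since `AWSRoleSTS.__init__` already defaults `username` to `""` and `oidc_sts` falls back to `"sts-role-session"`. `__init__` also stores any int unchecked; if this class rather than the route is meant to be the trust boundary, a `900 <= duration_seconds <= 43200` check (the documented AssumeRoleWithWebIdentity range; the role's MaxSessionDuration may be lower) would fail fast instead of at the STS call. `get_role`'s body continues past the hunk.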

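--- a/broker/routes.py
+++ b/broker/routes.py
@@ -74,11 +74,12 @@ def aws_auth():
     """provide aws iam role based creds to"""
 
     args: dict = request.args.to_dict()
+
     role: str = args.get("role")
     region: str = args.get("region")
-
     userinfo = session.get("user")
     type: str = args.get("type")
+    duration_s: str = args.get("duration_seconds") or 3600
 
     if None in [userinfo, role]:
         return redirect(url_for("login", role=role))
@@ -95,7 +96,9 @@ def aws_auth():
             username=userinfo.get("preferred_username"),
             issuer=request.headers.get("Host"),
             region=region,
+            duration_seconds=int(duration_s),
         )
+
     if sts_role["expired"] == True:
         return redirect(url_for("login"))
 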
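Review bot: `duration_s` is taken straight from the query string and fed to `int()` in the `get_role` call with no try/except or range check, so `?duration_seconds=abc` raises `ValueError` and surfaces as a 500, and a client can request any session length the role's MaxSessionDuration permits rather than one the broker chose. Parse and bound it once next to the `args.get("duration_seconds")` line, rejecting values outside the 900–43200 s window AssumeRoleWithWebIdentity accepts (tighten the ceiling to the broker's own policy if it should be shorter), and pass the validated int to `get_role`. The annotation `duration_s: str` is also wrong once the `or 3600` fallback yields an int. The rest of `aws_auth` is outside the hunk.

```python
    raw_duration = args.get("duration_seconds")
    try:
        duration_seconds = int(raw_duration) if raw_duration else 3600
    except ValueError:
        return "duration_seconds must be an integer", 400
    # STS bounds for AssumeRoleWithWebIdentity; the role's MaxSessionDuration may be lower
    if not 900 <= duration_seconds <= 43200:
        return "duration_seconds must be between 900 and 43200", 400
    # … unchanged: login redirect and get_role call, now passing duration_seconds=duration_seconds …
```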