Add Region Support for GovCloud

README.md

@@ -132,6 +132,20 @@ aws_secret_access_key = <POPULATED_BY_AWS-MFA>
 aws_security_token = <POPULATED_BY_AWS-MFA>
 ```
 
+Regions and GovCloud
+--------------------
+
+Normally any commercial end-point can be used, but in many regions and in particular in GovCloud you
+need to use a specific region (or regions). By default you aws configure region is used. If you need
+to override this then you can use either the `--region us-gov-west-1` CLI option or you can add a region
+specification to your long-term credentials.
+
+```[govcloud-long-term]
+aws_access_key_id = YOUR_LONGTERM_KEY_ID
+aws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY
+region = us-gov-west-1
+```
+
 Usage
 -----
 
@@ -153,7 +167,7 @@ Usage
                         To identify the long term credential section by
                         [<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
                         identify the long term credential section by
-                        [<profile_name>]. Omit to identify the long term 
+                        [<profile_name>]. Omit to identify the long term
                         credential section by [<profile_name>-long-term].
 --short-term-suffix SHORT_TERM_SUFFIX
                         To identify the short term credential section by
@@ -167,6 +181,11 @@ Usage
 --role-session-name ROLE_SESSION_NAME
                         Friendly session name required when using --assume-
                         role. By default, this is your local username.
+--force                 Refresh credentials even if currently valid.
+--region REGION         Optional specify the region to connect to.
+--log-level {CRITICAL,ERROR,WARNING,INFO,DEBUG,NOTSET}
+                        Set log level
+--setup                 Setup a new log term credentials section
 ```
 
 **Argument precedence**: Command line arguments take precedence over environment variables.
@@ -277,7 +296,7 @@ INFO - Your credentials have expired, renewing.
 Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
 INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00
 
-$> aws-mfa —profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging 
+$> aws-mfa —profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging
 INFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator
 INFO - Your credentials have expired, renewing.
 Enter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456
@@ -286,4 +305,4 @@ INFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:1
 $> aws s3 list-objects —bucket my-production-bucket —profile myorganization-production
 
 $> aws s3 list-objects —bucket my-staging-bucket —profile myorganization-staging
-```
+```

awsmfa/__init__.py

@@ -13,6 +13,7 @@
 import boto3
 
 from botocore.exceptions import ClientError, ParamValidationError
+from botocore.config import Config
 from awsmfa.config import initial_setup
 from awsmfa.util import log_error_and_exit, prompter
 
@@ -67,6 +68,9 @@ def main():
                         help="Refresh credentials even if currently valid.",
                         action="store_true",
                         required=False)
+    parser.add_argument('--region',
+                        help="Optional specify the region to connect to.",
+                        required=False)
     parser.add_argument('--log-level',
                         help="Set log level",
                         choices=[
@@ -79,10 +83,6 @@ def main():
                         help="Setup a new log term credentials section",
                         action="store_true",
                         required=False)
-    parser.add_argument('--token', '--mfa-token',
-                        type=str,
-                        help="Provide MFA token as an argument",
-                        required=False)
     args = parser.parse_args()
 
     level = getattr(logging, args.log_level)
@@ -192,6 +192,11 @@ def validate(args, config):
         else:
             args.duration = 3600 if args.assume_role else 43200
 
+    # get region to use form args or credentials file
+    if not args.region:
+        if config.has_option(long_term_name, 'region'):
+            args.region = config.get(long_term_name, 'region')
+
     # If this is False, only refresh credentials if expired. Otherwise
     # always refresh.
     force_refresh = False
@@ -277,19 +282,18 @@ def validate(args, config):
 
 
 def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
-    if args.token:
-        logger.debug("Received token as argument")
-        mfa_token = '%s' % (args.token)
-    else:
-        console_input = prompter()
-        mfa_token = console_input('Enter AWS MFA code for device [%s] '
-                                  '(renewing for %s seconds):' %
-                                  (args.device, args.duration))
+    console_input = prompter()
+    mfa_token = console_input('Enter AWS MFA code for device [%s] '
+                              '(renewing for %s seconds):' %
+                              (args.device, args.duration))
+
+    aws_config=None if args.region is None else Config(region_name = args.region)
 
     client = boto3.client(
         'sts',
         aws_access_key_id=lt_key_id,
-        aws_secret_access_key=lt_access_key
+        aws_secret_access_key=lt_access_key,
+        config=aws_config
     )
 
     if args.assume_role:
@@ -337,7 +341,7 @@ def get_credentials(short_term_name, lt_key_id, lt_access_key, args, config):
         except ClientError as e:
             log_error_and_exit(
                 logger,
-                "An error occured while calling assume role: {}".format(e))
+                "An error occured while calling get_session_token: {}".format(e))
         except ParamValidationError:
             log_error_and_exit(
                 logger,

setup.py

@@ -9,7 +9,7 @@
 
 setup(
     name='aws-mfa',
-    version='0.0.12',
+    version='0.0.13',
     description='Manage AWS MFA Security Credentials',
     long_description=long_description,
     long_description_content_type='text/markdown',