t_c@spddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZddlmZmZddlZddlZddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#ddlm$Z$ddl%m&Z&m'Z'ddl%m(Z(ddl%m)Z)ddl%m*Z*ej+e,Z-e ddddgZ.e/e/dZ0de1fdYZ2dZ3d Z4d!Z5e6d"Z7d#Z8d$Z9d%Z:d&e1fd'YZ;d(e1fd)YZ<d*e<fd+YZ=d,e=fd-YZ>d.e1fd/YZ?d0e?fd1YZ@d2e@fd3YZAd4e@fd5YZBd6e1fd7YZCd8eCfd9YZDd:eCfd;YZEd<eCfd=YZFd>eCfd?YZGd@eCfdAYZHdBeCfdCYZIdDeCfdEYZJdFeCfdGYZKdHeCfdIYZLdJe1fdKYZMdLeCfdMYZNdNe1fdOYZOdPe?fdQYZPdReCfdSYZQdS(TiN(t namedtuple(tdeepcopy(tsha1(tparse(ttzlocalttzutc(tUNSIGNED(t total_seconds(tcompat_shell_split(tConfig(tUnknownCredentialError(tPartialCredentialsError(tConfigNotFound(tInvalidConfigError(tInfiniteLoopConfigError(tRefreshWithMFAUnsupportedError(tMetadataRetrievalError(tCredentialRetrievalError(tUnauthorizedSSOTokenError(tInstanceMetadataFetchertparse_key_val_file(tContainerMetadataFetcher(tFileWebIdentityTokenLoader(tSSOTokenLoadertReadOnlyCredentialst access_keyt secret_keyttokencsjdpd}jd}jd}jjddk }ijdd6jdd6}|dkri}nt}t} tdtd|d |d jd |} t d |d |} t dfddt |d |d|dt || | gd| } || g} | j d|d|}tt| | g}| ||}|r|j|tjdntd|}|S(sCreate a default credential resolver. This creates a pre-configured credential resolver that includes the default lookup chain for credentials. tprofiletdefaulttmetadata_service_timeouttmetadata_service_num_attemptstec2_metadata_service_endpointt imds_use_ipv6tiam_role_fetcherttimeoutt num_attemptst user_agenttconfigtcachet region_namet load_configcsjS(N(t full_config((tsession(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytZttclient_creatort profile_nametcredential_sourcertprofile_provider_buildertdisable_env_varssWSkipping environment variable credential check because profile name was explicitly set.t providersN(tget_config_variabletinstance_variablestgettNonet EnvProvidertContainerProvidertInstanceMetadataProviderRR%tProfileProviderBuildertAssumeRoleProvidert_get_client_creatortCanonicalNameCredentialSourcerR3tOriginalEC2Providert BotoProvidertremovetloggertdebugtCredentialResolver(R+R'R(R/tmetadata_timeoutR$R2t imds_configt env_providertcontainer_providertinstance_metadata_providerR1tassume_role_providert pre_profiletprofile_providerst post_profileR3tresolver((R+s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytcreate_credential_resolver7sV             R;cBsYeZdZddddZedZdZdZdZ dZ dZ RS( sThis class handles the creation of profile based providers. NOTE: This class is only intended for internal use. This class handles the creation and ordering of the various credential providers that primarly source their configuration from the shared config. This is needed to enable sharing between the default credential chain and the source profile chain created by the assume role provider. cCs(||_||_||_||_dS(N(t_sessiont_cachet _region_namet_sso_token_cache(tselfR+R'R(tsso_token_cache((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt__init__s   cCsC|j|||j||j||j||j|gS(N(t_create_web_identity_providert_create_sso_providert"_create_shared_credential_providert_create_process_providert_create_config_provider(RTR/R2((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR3s     cstd|dfdS(NR/R)cs jjS(N(RPR*((RT(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,R-(tProcessProvider(RTR/((RTs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRZscCs%|jjd}td|d|S(Ntcredentials_fileR/tcreds_filename(RPR4tSharedCredentialProvider(RTR/tcredential_file((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRYscCs%|jjd}td|d|S(Nt config_fileR/tconfig_filename(RPR4tConfigProvider(RTR/Ra((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR[sc s@tdfddtjjdjd|d|S(NR)cs jjS(N(RPR*((RT(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,R-R.R'R/R2(t!AssumeRoleWithWebIdentityProviderR=RPRRRQ(RTR/R2((RTs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRWs c s:tdfddjjd|djdjS(NR)cs jjS(N(RPR*((RT(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,R-R.R/R't token_cache(t SSOProviderRPt create_clientRQRS(RTR/((RTs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRXs   N( t__name__t __module__t__doc__R7RVtFalseR3RZRYR[RWRX(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR;s      cCst|}|jS(N(ROtload_credentials(R+RN((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytget_credentialss cCstjjtS(N(tdatetimetnowR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt _local_nowscCs t|tjr|St|S(N(t isinstanceRnR(tvalue((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_parse_if_neededscCs3t|tjr/|r"|jS|jdS|S(Ns%Y-%m-%dT%H:%M:%S%Z(RqRnt isoformattstrftime(Rrtiso((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_serialize_if_neededs   csfd}|S(Ncs*id6}|j|j||S(NR((tupdateRg(t service_nametkwargstcreate_client_kwargs(R(R+(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR.s  ((R+R(R.((R(R+s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR=scsfd}|S(NcsOj}|d}i|dd6|dd6|dd6t|dd 6S( Nt Credentialst AccessKeyIdRtSecretAccessKeyRt SessionTokenRt Expirationt expiry_time(t assume_roleRw(tresponset credentials(tclienttparams(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytrefreshs    ((RRR((RRs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytcreate_assume_role_refreshers cCs dtfdY}||S(Nt _RefreshercBseZdZdZRS(cSs||_t|_dS(N(t_refreshRkt_has_been_called(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs cSs(|jrtnt|_|jS(N(RRtTrueR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt__call__s   (RhRiRVR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs (tobject(tactual_refreshR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytcreate_mfa_serial_refresherst JSONFileCachecBseeZdZejjejjddddZedZdZ dZ dZ d Z RS( sJSON file cache. This provides a dict like interface that stores JSON serializable objects. The objects are serialized to JSON and stored in a file. These values can be retrieved at a later time. t~s.awstbotoR'cCs ||_dS(N(t _working_dir(RTt working_dir((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVscCs|j|}tjj|S(N(t_convert_cache_keytostpathtisfile(RTt cache_keyt actual_key((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt __contains__!scCsb|j|}y&t|}tj|SWdQXWn&tttfk r]t|nXdS(s Retrieve value from a cache key.N(RtopentjsontloadtOSErrort ValueErrortIOErrortKeyError(RTRRtf((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt __getitem__%s cCs|j|}ytj|dt}Wn'ttfk rQtd|nXtjj|j sztj |j ntj tj |tj tjBdd}|j|j|WdQXdS(NRs5Value cannot be cached, must be JSON serializable: %sitw(RRtdumpsRwt TypeErrorRRRtisdirRtmakedirstfdopenRtO_WRONLYtO_CREATttruncatetwrite(RTRRrtfull_keyt file_contentR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt __setitem__.s cCs tjj|j|d}|S(Ns.json(RRtjoinR(RTRt full_path((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR<s( RhRiRjRRt expanduserRt CACHE_DIRRVRRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs'   R|cBs/eZdZdddZdZdZRS(s\ Holds the credentials needed to authenticate requests. :ivar access_key: The access key part of the credentials. :ivar secret_key: The secret key part of the credentials. :ivar token: The security token, valid only for session credentials. :ivar method: A string which identifies where the credentials were found. cCsG||_||_||_|dkr0d}n||_|jdS(Ntexplicit(RRRR7tmethodt _normalize(RTRRRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVLs      cCs4tjj|j|_tjj|j|_dS(N(tbotocoretcompattensure_unicodeRR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRXscCst|j|j|jS(N(RRRR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytget_frozen_credentialsbs N(RhRiRjR7RVRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR|As   tRefreshableCredentialscBseZdZdZdZedZdZedZ e dZ e j dZ e d Z e j d Z e d Zej d Zd ZddZdZdZdZedZdZdZRS(s Holds the credentials needed to authenticate requests. In addition, it knows how to refresh itself. :ivar access_key: The access key part of the credentials. :ivar secret_key: The secret key part of the credentials. :ivar token: The security token, valid only for session credentials. :ivar method: A string which identifies where the credentials were found. ii<i cCsq||_||_||_||_||_||_tj|_||_ t ||||_ |j dS(N( t_refresh_usingt _access_keyt _secret_keyt_tokent _expiry_timet _time_fetchert threadingtLockt _refresh_lockRRt_frozen_credentialsR(RTRRRRt refresh_usingRt time_fetcher((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVzs       cCs4tjj|j|_tjj|j|_dS(N(RRRRR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRsc CsJ|d|dd|dd|dd|j|dd|d|}|S(NRRRRRR(t_expiry_datetime(tclstmetadataRRtinstance((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytcreate_from_metadatas    cCs|j|jS(sWarning: Using this property can lead to race conditions if you access another property subsequently along the refresh boundary. Please use get_frozen_credentials instead. (RR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCs ||_dS(N(R(RTRr((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCs|j|jS(sWarning: Using this property can lead to race conditions if you access another property subsequently along the refresh boundary. Please use get_frozen_credentials instead. (RR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCs ||_dS(N(R(RTRr((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCs|j|jS(sWarning: Using this property can lead to race conditions if you access another property subsequently along the refresh boundary. Please use get_frozen_credentials instead. (RR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCs ||_dS(N(R(RTRr((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCs|j|j}t|S(N(RRR(RTtdelta((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_seconds_remainingscCsR|jdkrtS|dkr+|j}n|j|krAtStjdtS(sCheck if a refresh is needed. A refresh is needed if the expiry time associated with the temporary credentials is less than the provided ``refresh_in``. If ``time_delta`` is not provided, ``self.advisory_refresh_needed`` will be used. For example, if your temporary credentials expire in 10 minutes and the provided ``refresh_in`` is ``15 * 60``, then this function will return ``True``. :type refresh_in: int :param refresh_in: The number of seconds before the credentials expire in which refresh attempts should be made. :return: True if refresh needed, False otherwise. s!Credentials need to be refreshed.N(RR7Rkt_advisory_refresh_timeoutRRBRCR(RTt refresh_in((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytrefresh_neededs   cCs|jddS(NRi(R(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt _is_expiredscCs|j|jsdS|jjtr|z@|j|jsAdS|j|j}|jd|dSWd|jjXnK|j|jr|j+|j|jsdS|jdtWdQXndS(Nt is_mandatory( RRRtacquireRkt_mandatory_refresh_timeoutt_protected_refreshtreleaseR(RTtis_mandatory_refresh((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs   cCsy|j}WnHtk rZ}|r.dnd}tjd|dt|rVndSX|j|t|j|j|j |_ |j rd}tj|t |ndS(Nt mandatorytadvisorysARefreshing temporary credentials failed during %s refresh period.texc_infosLCredentials were refreshed, but the refreshed credentials are still expired.( Rt ExceptionRBtwarningRt_set_from_dataRRRRRRt RuntimeError(RTRRtet period_nametmsg((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs      cCs t|S(N(R(ttime_str((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR(scCsddddg}|s!|}n%g|D]}||kr(|^q(}|rzd}td|jd|dj|n|d|_|d|_|d|_t|d|_tj d |j|j dS( NRRRRs7Credential refresh failed, response did not contain: %stprovidert error_msgs, s(Retrieved credentials will expire at: %s( RRRRRRRRRBRCR(RTtdatat expected_keyst missing_keystktmessage((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,s  %      cCs|j|jS(sReturn immutable credentials. The ``access_key``, ``secret_key``, and ``token`` properties on this class will always check and refresh credentials if needed before returning the particular credentials. This has an edge case where you can get inconsistent credentials. Imagine this: # Current creds are "t1" tmp.access_key ---> expired? no, so return t1.access_key # ---- time is now expired, creds need refreshing to "t2" ---- tmp.secret_key ---> expired? yes, refresh and return t2.secret_key This means we're using the access key from t1 with the secret key from t2. To fix this issue, you can request a frozen credential object which is guaranteed not to change. The frozen credentials returned from this method should be used immediately and then discarded. The typical usage pattern would be:: creds = RefreshableCredentials(...) some_code = SomeSignerObject() # I'm about to sign the request. # The frozen credentials are only used for the # duration of generate_presigned_url and will be # immediately thrown away. request = some_code.sign_some_request( with_credentials=creds.get_frozen_credentials()) print("Signed request:", request) (RR(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRBs" iiXN(RhRiRjRRRpRVRt classmethodRtpropertyRtsetterRRRR7RRRRt staticmethodRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRhs(        "   ! tDeferredRefreshableCredentialscBs&eZdZedZddZRS(syRefreshable credentials that don't require initial credentials. refresh_using will be called upon first access. cCs[||_d|_d|_d|_d|_||_tj|_ ||_ d|_ dS(N( RR7RRRRRRRRRR(RTRRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVms       cCs)|jdkrtStt|j|S(N(RR7RtsuperRR(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRxsN(RhRiRjRpRVR7R(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRhs tCachedCredentialFetchercBseeZd Zd d dZdZdZdZdZdZ dZ d Z d Z RS( i<icCsR|dkri}n||_|j|_|dkrE|j}n||_dS(N(R7RQt_create_cache_keyt _cache_keytDEFAULT_EXPIRY_WINDOW_SECONDSt_expiry_window_seconds(RTR'texpiry_window_seconds((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs     cCstddS(Ns_create_cache_key()(tNotImplementedError(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCs4|jddjtjjd}|jddS(Nt:t_t/(treplaceRRtsep(RTtfilename((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_make_file_safes$cCstddS(Ns_get_credentials()(R(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_get_credentialsscCs |jS(N(t_get_cached_credentials(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pytfetch_credentialsscCs|j}|d kr4|j}|j|n tjd|d}t|ddt}i|dd6|dd6|d d 6|d 6S( sGet up-to-date credentials. This will check the cache for up-to-date credentials, calling assume role if none are available. s*Credentials for role retrieved from cache.R|RRvR}RR~RRRRN(t_load_from_cacheR7Rt_write_to_cacheRBRCRwR(RTRtcredst expiration((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs        cCsO|j|jkrKt|j|j}|j|s;|StjdndS(Ns6Credentials were found in cache, but they are expired.(RRQRRRBRCR7(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCst||j|jtCANONICAL_NAMERVRRC(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR;s   R\cBs>eZdZejdZdZdZedZ RS(scustom-processcCs(||_||_d|_||_dS(N(t _profile_namet _load_configR7t_loaded_configt_popen(RTR/R)tpopen((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs   c sjdkrdSj}|jddk r_tj|fdjStd|dd|dd|jddjS(NRcs jS(N(t_retrieve_credentials_using((tcredential_processRT(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,R-RRRR(t_credential_processR7RJR6RRR>R|(RTt creds_dict((RKRTs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs     c CsAt|}|j|dtjdtj}|j\}}|jdkrrtd|jd|jdnt j j j |jd}|j dd}|d krtd|jdd |ny>i|d d 6|d d6|j dd6|j dd6SWn/tk r<}td|jdd|nXdS(NtstdouttstderriRRsutf-8tVersionsisOUnsupported version '%s' for credential process provider, supported versions: 1R}RR~RRRRRs$Missing required key in response: %s(RRHt subprocesstPIPEt communicatet returncodeRR>tdecodeRRRRR6R( RTRKt process_listtpRNROtparsedtversionR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRJs2          cCsR|jdkr!|j|_n|jjdij|ji}|jdS(NtprofilesRK(RGR7RFR6RE(RTtprofile_config((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRLs  ( RhRiR>RQtPopenRVRRJRRL(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR\s   R:cBs&eZdZdZdZdZRS(siam-roletEc2InstanceMetadatacCs ||_dS(N(t _role_fetcher(RTR"((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVscCsX|j}|j}|sdStjd|dtj|d|jd|j}|S(Ns#Found credentials from IAM Role: %st role_nameRR(R^tretrieve_iam_role_credentialsR7RBRCRRR>(RTtfetcherRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs      (RhRiR>RDRVR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR:s R8cBs\eZdZdZdZdZddgZdZd d dZ dZ d Z d Z RS( tenvt EnvironmenttAWS_ACCESS_KEY_IDtAWS_SECRET_ACCESS_KEYtAWS_SECURITY_TOKENtAWS_SESSION_TOKENtAWS_CREDENTIAL_EXPIRATIONcCs7|dkrtj}n||_|j||_dS(s :param environ: The environment variables (defaults to ``os.environ`` if no value is provided). :param mapping: An optional mapping of variable names to environment variable names. Use this if you want to change the mapping of access_key->AWS_ACCESS_KEY_ID, etc. The dict can have up to 3 keys: ``access_key``, ``secret_key``, ``session_token``. N(R7Rtenviront_build_mappingt_mapping(RTRiR?((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs   cCsi}|dkrI|j|d<|j|d<|j|d<|j|dR|(RTRRaRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR>s       cs7|j|j|jtfd}|S(Ncs/i}jdd}|s>tdddn||d<jdd}|stdddn||dRiR(RTR((RiR?Rs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRtZs     N( RhRiR>RDRlRmRnRoR7RVRjRRt(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR8s   R?cBs>eZdZdZdZdZdZdddZdZ RS(sec2-credentials-filet Ec2ConfigtAWS_CREDENTIAL_FILEtAWSAccessKeyIdt AWSSecretKeycCsC|dkrtj}n|dkr-t}n||_||_dS(N(R7RRiRt_environt_parser(RTRitparser((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs      cCsd|jkrtjj|jd}|j|}|j|krtjd||j}||j}t ||d|j SndSdS(sN Search for a credential file used by original EC2 CLI tools. Rws)Found credentials in AWS_CREDENTIAL_FILE.RN( RzRRRR{RlRBRsRmR|R>R7(RTRRRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs    N( RhRiR>RDt CRED_FILE_ENVRlRmR7RVR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR?sR_cBsMeZdZdZdZdZddgZd d dZdZ dZ RS( sshared-credentials-filetSharedCredentialsR0R1taws_security_tokenR2cCsO||_|dkrd}n||_|dkrBtjj}n||_dS(NR(t_creds_filenameR7RERt configloadertraw_config_parset _ini_parser(RTR^R/t ini_parser((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs     cCsy|j|j}Wntk r*dSX|j|kr||j}|j|krtjd|j|j||j|j \}}|j |}t |||d|j SndS(Ns0Found credentials in shared credentials file: %sR( RRR R7RERlRBRsRCRmt_get_session_tokenR|R>(RTtavailable_credsR&RRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs    cCs,x%|jD]}||kr ||Sq WdS(N(Rn(RTR&t token_envvar((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs N( RhRiR>RDRlRmRnR7RVRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR_s  RccBsPeZdZdZdZdZdZddgZd dZ dZ d Z RS( s0INI based config provider with profile sections.s config-filet SharedConfigR0R1RR2cCs:||_||_|dkr-tjj}n||_dS(s :param config_filename: The session configuration scoped to the current profile. This is available via ``session.config``. :param profile_name: The name of the current profile. :param config_parser: A config parser callable. N(t_config_filenameRER7RRR)t_config_parser(RTRbR/t config_parser((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs   cCsy|j|j}Wntk r*dSX|j|dkr|d|j}|j|krtjd|j|j||j|j \}}|j |}t |||d|j SndSdS(sr If there is are credentials in the configuration associated with the session, use those. RZs$Credentials found in config file: %sRN( RRR R7RERlRBRsRCRmRR|R>(RTR*R[RRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs    cCs,x%|jD]}||kr ||Sq WdS(N(Rn(RTR[t token_name((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs N( RhRiRjR>RDRlRmRnR7RVRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRcs   R@cBsJeZdZdZdZddgZdZdZd d dZ dZ RS( s boto-configt Boto2Configt BOTO_CONFIGs /etc/boto.cfgs~/.botoR0R1cCsI|dkrtj}n|dkr3tjj}n||_||_dS(N(R7RRiRRRRzR(RTRiR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs     cCs|j|jkr(|j|jg}n |j}x|D]}y|j|}Wntk rgq8nXd|kr8|d}|j|krtjd||j||j|j \}}t ||d|j Sq8q8WdS(s; Look for credentials in boto config file. R|s)Found credentials in boto config file: %sRN( tBOTO_CONFIG_ENVRztDEFAULT_CONFIG_FILENAMESRR RlRBRsRCRmR|R>(RTtpotential_locationsRR&RRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs"       N( RhRiR>RDRRRlRmR7RVR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR@s R<cBseZdZdZdZdZdZejdddZ dZ dZ dZ d Z d Zd Zd Zd ZdZdZdZdZRS(s assume-roleRtweb_identity_token_filei<icCs[||_||_||_||_||_i|_||_||_|jg|_dS(s :type load_config: callable :param load_config: A function that accepts no arguments, and when called, will return the full configuration dictionary for the session (``session.full_config``). :type client_creator: callable :param client_creator: A factory function that will create a client when called. Has the same interface as ``botocore.session.Session.create_client``. :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in the CLI. :type profile_name: str :param profile_name: The name of the profile. :type prompter: callable :param prompter: A callable that returns input provided by the user (i.e raw_input, getpass.getpass, etc.). :type credential_sourcer: CanonicalNameCredentialSourcer :param credential_sourcer: A credential provider that takes a configuration, which is used to provide the source credentials for the STS call. N( R'RFRREt _prompterRGt_credential_sourcert_profile_provider_buildert_visited_profiles(RTR)R.R'R/tprompterR0R1((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRV>s$        cCs\|j|_|jjdi}|j|ji}|j|rX|j|jSdS(NRZ(RFRGR6REt_has_assume_role_config_varst_load_creds_via_assume_role(RTRZR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRus cCs|j|ko|j|kS(N(tROLE_CONFIG_VARtWEB_IDENTITY_TOKE_FILE_VAR(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR|sc CsA|j|}|j||}i}|jd}|dk rO||dRp( RTR/t role_configR#RRRR+R.Rat refresher((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs<                c Cs~|jjdi}||}|jd}|d}|jd}|jd}|jd}|jd} |jd} i|d6|d6|d6| d6|d6|d6} | dk ryt| | dt_validate_credential_sourcet_validate_source_profile( RTR/RZRRRRR+RRR.R((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRsD          cCs]|jdkr+tdd||fn|jj|sYtdd||fndS(NRs_The credential_source "%s" is specified in profile "%s", but no source provider was configured.sCThe credential source "%s" referenced in profile "%s" is not valid.(RR7R t is_supported(RTtparent_profileR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCs"t|j||j|gS(N(tanyt_has_static_credentialsR(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_source_profile_has_credentialss cCs|jjdi}||kr=tdd||fn||}||jkrZdS||krtd|d|jn|j|std|d|jndS(NRZRsFThe source_profile "%s" referenced in the profile "%s" does not exist.Rtvisited_profiles(RGR6R RRR(RTtparent_profile_nametsource_profile_nameRZR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs    cs&ddg}tfd|DS(NR1R0c3s|]}|kVqdS(N((t.0t static_key(R(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pys s(R(RTRt static_keys((Rs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCsR|jd}|dk r+|j||S|d}|jj||j|S(NRR(R6R7t _resolve_credentials_from_sourceRR=t!_resolve_credentials_from_profile(RTRR/RR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR!s   cCs|jjdi}||}|j|rE|j rE|j|S|j|sd|j| r|jjd|dt}t|}|j }|dkrd}t d||n|S|j |S(NRZR/R2s.The source profile "%s" must have credentials.R( RGR6RRt(_resolve_static_credentials_from_profileRR3RRDRlR7R R(RTR/RZRRLt profile_chainRt error_message((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR,s$        cCsfy.td|dd|dd|jdSWn1tk ra}td|jdt|nXdS( NRR0RR1RR2RR<(R|R6RR R>tstr(RTRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRJs  cCs>|jj|}|dkr:td|dd|n|S(NRRsBNo credentials found in credential_source referenced in profile %s(RR#R7R(RTRR/R((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRUs    Ni(RhRiR>R7RDRRtEXPIRY_WINDOW_SECONDSR"RVRRRRRRRRRRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR</s&  5  , 2  &   RdcBsneZdZd Zidd6dd6dd6Zd ed dZdZd Z d Z d Z d Z RS(sassume-role-with-web-identitytAWS_WEB_IDENTITY_TOKEN_FILERtAWS_ROLE_SESSION_NAMERt AWS_ROLE_ARNRcCsX||_||_||_||_d|_||_|dkrKt}n||_dS(N( R'RFRRER7t_profile_configt_disable_env_varsRt_token_loader_cls(RTR)R.R/R'R2ttoken_loader_cls((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVms        cCs |jS(N(t_assume_role_with_web_identity(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRscCsX|jdkrH|j}|jdi}|j|ji|_n|jj|S(NRZ(RR7RFR6RE(RTtkeyt loaded_configRZ((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_get_profile_configs  cCsC|jr dS|jj|}|r?|tjkr?tj|SdS(N(RR7t_CONFIG_TO_ENV_VARR6RRi(RTRtenv_key((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_get_env_configs   cCs,|j|}|dk r|S|j|S(N(RR7R(RTRt env_value((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt _get_configs c Cs|jd}|sdS|j|}|jd}|sUd}td|ni}|jd}|dk r||dR(RTt token_patht token_loaderRRRRRa((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs*     N( RhRiR>R7RDRRkRVRRRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRdds     R>cBs>eZdZdZdZdZdZdZRS(cCs ||_dS(N(t _providers(RTR3((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVscCs#|g|jD]}|j^q kS(sLValidates a given source name. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: bool :returns: True if the credential provider is supported, False otherwise. (RRD(RTt source_nameRW((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCs2|j|}t|tr(|jS|jS(sLoads source credentials based on the provided configuration. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: Credentials (t _get_providerRqRDRlR(RTRtsource((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR#s  cCs|j|}|jdkr_|jd}|dk r_|dkrL|St||gSn|dkr}td|n|S(s#Return a credential provider by its canonical name. :type canonical_name: str :param canonical_name: The canonical name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. t sharedconfigtsharedcredentialss assume-roletname(RRN(t_get_provider_by_canonical_nametlowert_get_provider_by_methodR7RDR (RTtcanonical_nameRRJ((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs    cCsCx<|jD]1}|j}|r |j|jkr |Sq WdS(sReturn a credential provider by its canonical name. This function is strict, it does not attempt to address compatibility issues. N(RRDR(RTRRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs cCs+x$|jD]}|j|kr |Sq WdS(s0Return a credential provider by its METHOD name.N(RR>(RTRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs(RhRiRVRR#RRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR>s    & R9cBsbeZdZdZdZdZdZd d dZdZ dZ dZ d Z d Z RS( scontainer-rolet EcsContainert&AWS_CONTAINER_CREDENTIALS_RELATIVE_URIt"AWS_CONTAINER_CREDENTIALS_FULL_URIt!AWS_CONTAINER_AUTHORIZATION_TOKENcCsF|dkrtj}n|dkr0t}n||_||_dS(N(R7RRiRRzt_fetcher(RTRiRa((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs      cCs2|j|jks$|j|jkr.|jSdS(N(tENV_VARRzt ENV_VAR_FULLt_retrieve_or_fail(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR$s$c Cs|jr+|jj|j|j}n|j|j}|j}|j||}|}td|dd|dd|dd|j dt |dd|S(NRRRRRR( t_provided_relative_uriRtfull_urlRzRRt_build_headerst_create_fetcherRR>Rs(RTtfull_uritheadersRaR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR*s       cCs6i}|jj|j}|dk r2i|d6SdS(Nt Authorization(RzR6tENV_VAR_AUTH_TOKENR7(RTRt auth_token((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR;s  csfd}|S(Ncsyjjd}WnGtk re}tjd|dttdjdt|nXi|dd6|dd 6|d d 6|d d 6S(NRs'Error retrieving container metadata: %sRRRR}RR~RtTokenRRR( Rtretrieve_full_uriRRBRCRRR>R(RR(RRRT(s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt fetch_credsDs    ((RTRRR((RRRTs?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRCscCs|j|jkS(N(RRz(RT((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVsN(RhRiR>RDRRRR7RVRRRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR9s    RDcBsGeZdZdZdZdZdZdZdZRS(cCs ||_dS(sQ :param providers: A list of ``CredentialProvider`` instances. N(R3(RTR3((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRV[scCsfy,g|jD]}|j^q j|}Wn tk rNtd|nX|jj||dS(s= Inserts a new instance of ``CredentialProvider`` into the chain that will be tried before an existing one. :param name: The short name of the credentials you'd like to insert the new credentials before. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` RN(R3R>tindexRR tinsert(RTRtcredential_providerRWtoffset((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt insert_beforecs , cCs*|j|}|jj|d|dS(s9 Inserts a new type of ``Credentials`` instance into the chain that will be tried after an existing one. :param name: The short name of the credentials you'd like to insert the new credentials after. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` iN(t_get_provider_offsetR3R(RTRRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt insert_afterwscCsRg|jD]}|j^q }||kr/dS|j|}|jj|dS(s Removes a given ``Credentials`` instance from the chain. :param name: The short name of the credentials instance to remove. :type name: string N(R3R>Rtpop(RTRRWtavailable_methodsR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRAs  cCs|j|j|S(sReturn a credential provider by name. :type name: str :param name: The name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. (R3R(RTR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt get_providers cCsQy*g|jD]}|j^q j|SWn tk rLtd|nXdS(NR(R3R>RRR (RTRRW((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs* cCsGx@|jD]5}tjd|j|j}|dk r |Sq WdS(sw Goes through the credentials chain, returning the first ``Credentials`` that could be loaded. sLooking for credentials via: %sN(R3RBRCR>RR7(RTRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRls   ( RhRiRVRRRARRRl(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRDZs     tSSOCredentialFetchercBs5eZddddZdZdZdZRS(c CsS||_||_||_||_||_||_tt|j||dS(N( Rt _sso_regiont _role_namet _account_idt _start_urlt _token_loaderRRRV( RTt start_urlt sso_regionR_t account_idR.RR'R((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs      cCsgi|jd6|jd6|jd6}tj|dtdd }t|jdj}|j |S( sCreate a predictable cache key for the current configuration. The cache key is intended to be compatible with file names. tstartUrltroleNamet accountIdRt separatorst,Rsutf-8(RR( RRRRRRRRRR(RTRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs   cCs,|d}tjj|t}t|S(Ng@@(Rnt fromtimestampRRw(RTt timestamp_msttimestamp_secondst timestamp((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_parse_timestamps cCstdtd|j}|jdd|}i|jd6|jd6|j|jd6}y|j|}Wn |j j k rt nX|d}idd 6i|d d 6|d d 6|dd6|j |dd6d6}|S(s4Get credentials by calling SSO get role credentials.R7R(tssoR&RRt accessTokentroleCredentialst ProviderTypet accessKeyIdR}tsecretAccessKeyR~t sessionTokenRRRR|( R RRRRRRRtget_role_credentialst exceptionstUnauthorizedExceptionRR(RTR&RRzRR((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs*        N(RhRiR7RVRRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRs   RfcBsheZdZejjejjddddZddddgZd d dZ d Z d Z RS( RRs.awsR't sso_start_urlRt sso_role_nametsso_account_idcCsd|dkrt|j}n||_|dkr<i}n||_||_||_||_dS(N(R7Rt_SSO_TOKEN_CACHE_DIRt _token_cacheR'RFRRE(RTR)R.R/R'Re((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRVs       cs|j}|jdi}|j}|j|jitfd|jDr_dSi}g}x;|jD]0}|kr|||$ss, RsSThe profile "%s" is configured to use SSO but is missing required configuration: %s( RFR6REtallt_SSO_CONFIG_VARSR7R=RR (RTRRZR/R&tmissing_config_varst config_vartmissing((R[s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyt_load_sso_configs$   c Csu|j}|sdSt|d|d|d|d|jdtd|jd|j}td|jd|j S( NRRRRRR'RR( RR7RRRRR'RR>R(RTt sso_configt sso_fetcher((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyR:s    N( RhRiR>RRRRRRR7RVRR(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyRfs   (RRRntloggingRR"RRRQt collectionsRtcopyRthashlibRtdateutil.parserRt dateutil.tzRRtbotocore.configloaderRtbotocore.compatRRRtbotocore.configR tbotocore.exceptionsR R R R RRRRRtbotocore.utilsRRRRRt getLoggerRhRBRR7RORR;RmRpRsRkRwR=RRRR|RRRR RR4R;R\R:R8R?R_RcR@R<RdR>R9RDRRf(((s?/opt/awscli/lib/python2.7/site-packages/botocore/credentials.pyts          UD      -'E1P8-Ft"*7*6YXEdG