Skip to content

Instantly share code, notes, and snippets.

View benkehoe's full-sized avatar

Ben Kehoe benkehoe

View GitHub Profile
@benkehoe
benkehoe / string_template_demo.py
Last active June 23, 2023 21:17
Demo of the two new methods of string.Template in Python 3.11
#!/usr/bin/env python3.11
# MIT No Attribution
#
# Copyright 2023 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
@benkehoe
benkehoe / kms_random.md
Created April 28, 2023 14:45
Python random numbers from KMS.GenerateRandom

Python random numbers from KMS.GenerateRandom

Spurred by this twitter conversation. random.SystemRandom uses os.urandom as a source of bytes, but doesn't provide a way to use a different source of bytes. So stream_random.py is exactly that. Then kms_random.py has raw and buffered bytestreams pulling from KMS.GenerateRandom.

The main interface is kms_random.get_kms_random(boto3_session, buffer_size=None). The default buffer size is 16, chosen arbitrarily.

I do not vouch for the randomness properties of the results.

@benkehoe
benkehoe / dont-use-aws-s3-ls-to-check-credentials.md
Last active April 23, 2023 16:22
Use "aws sts get-caller-identity" instead of "aws s3 ls" for checking credentials

People shouldn't use aws s3 ls to check credentials

Here's why, and an SCP to stop them

Lots of people use aws s3 ls to check that they have valid credentials. If it succeeds, they assume they are good to go. Even AWS blog tutorials often use it. They're all wrong.

There's multiple things wrong with using aws s3 ls to check credential validity. The first is that it has an IAM permission, s3:ListAllMyBuckets, associated with it.

@benkehoe
benkehoe / aws_console_launcher.py
Created October 5, 2022 17:17
Launch the AWS web console from the CLI
# Copyright 2022 Ben Kehoe
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
@benkehoe
benkehoe / timedelta_iso.py
Last active December 22, 2022 17:54
IS8601 functions for datetime.timedelta
# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
@benkehoe
benkehoe / ddb_composite_key_escaping.py
Last active May 14, 2023 21:33
Example composite key escaping for DynamoDB
import random
import re
import string
from typing import Iterable
import dataclasses
def escape(s: str) -> str:
return s.replace("#", "##")
def unescape(s: str) -> str:
@benkehoe
benkehoe / get_boto3_session_with_config.py
Last active September 26, 2024 01:02
A drop-in replacement for relying on well-known profiles in ~/.aws/config
# Copyright 2020 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
@benkehoe
benkehoe / aws_orgs_for_each_account.py
Last active September 2, 2021 11:47
Template for running work in every account in an organization
import aws_assume_role_lib # https://github.com/benkehoe/aws-assume-role-lib
account_role_name = "YOUR_ACCOUNT_ROLE_NAME_HERE" # TODO: put your role name here
management_account_session = boto3.Session()
# if you're using AWS SSO in your management account and there's a specific role for this work, you could use aws-sso-lib
# https://github.com/benkehoe/aws-sso-util/blob/master/lib/README.md
# management_account_session = aws_sso_lib.get_boto3_session(start_url, sso_region, management_account_id, management_role_name, region=sso_region)
orgs = management_account_session.client('organizations')
@benkehoe
benkehoe / package_with_single_sourced_version.py
Last active June 22, 2022 13:31
Single sourcing a python package version using importlib.metadata.version()
# MIT No Attribution
#
# Copyright 2022 Ben Kehoe
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
@benkehoe
benkehoe / aws_assume_role.py
Last active November 13, 2022 13:48
Assumed role session chaining (with credential refreshing) for boto3
# *** WARNING ***
# This gist is no longer maintained
# It has been replaced by aws-assume-role-lib in PyPI
# Documentation at https://github.com/benkehoe/aws-assume-role-lib
# It is still a single-file library, you can find the stable version here:
# https://raw.githubusercontent.com/benkehoe/aws-assume-role-lib/stable/aws_assume_role_lib/aws_assume_role_lib.py
# (link also available in the docs)
# Copyright 2020 Ben Kehoe
#