{"id":19963707,"url":"https://github.com/cyberark/conjur-authn-iam-client-python","last_synced_at":"2025-07-22T14:34:27.350Z","repository":{"id":137668374,"uuid":"252791134","full_name":"cyberark/conjur-authn-iam-client-python","owner":"cyberark","description":"Python client for using Conjur with authn-iam","archived":false,"fork":false,"pushed_at":"2025-02-07T15:33:54.000Z","size":273165,"stargazers_count":2,"open_issues_count":0,"forks_count":4,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-05-03T22:37:06.003Z","etag":null,"topics":["aws","conjbot-notify","conjur","iam","python","python3"],"latest_commit_sha":null,"homepage":"https://conjur.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-04-03T17:00:10.000Z","updated_at":"2025-02-21T05:46:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"ba89c432-2f72-46e8-a1de-c0db341e58f9","html_url":"https://github.com/cyberark/conjur-authn-iam-client-python","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":"cyberark/conjur-template","purl":"pkg:github/cyberark/conjur-authn-iam-client-python","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-authn-iam-client-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-authn-iam-client-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-authn-iam-client-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-authn-iam-client-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/conjur-authn-iam-client-python/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-authn-iam-client-python/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266510687,"owners_count":23940696,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","conjbot-notify","conjur","iam","python","python3"],"created_at":"2024-11-13T02:17:07.609Z","updated_at":"2025-07-22T14:34:27.329Z","avatar_url":"https://github.com/cyberark.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# conjur-authn-iam-client-python\nGet an IAM signed request used for Conjur authentication or instantiate a Conjur SDK Python3 client using IAM authentication.\n\n## Certification Level\n![](https://img.shields.io/badge/Certification%20Level-Community-28A745?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md)\n\nThis repo is a **Community** level project. It's a community contributed project that **is not reviewed or supported\nby CyberArk**. For more detailed information on our certification levels, see [our community guidelines](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#community).\n\n## Requirements\n- Conjur OSS v1+\n- DAP v10+\n- python \u003e= 3.6\n- summon \u003e= 0.6.9\n\n## Installation\n\n### From source\n```bash\n$ pip3 install --user conjur-client\n$ git clone https://github.com/cyberark/conjur-authn-iam-client-python.git\n$ cd conjur-authn-iam-client-python; pip3 install --user .\n```\n\n## Usage Instructions\n\n#### create_conjur_iam_api_key\n\nThis function returns a JSON-formatted [AWS signature](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) header that can be used to authenticate to Conjur when using the IAM authenticator.\n\n```python\n\u003e\u003e\u003e from conjur_iam_client import *\n\u003e\u003e\u003e conjur_api_key = create_conjur_iam_api_key()\n```\n\n#### get_conjur_iam_session_token\n\nThis function uses the `create_conjur_iam_api_key` method to retrieve the AWS signature header, uses the header to authenticate to the Conjur API, and returns a Conjur [access token](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Operations/Services/Authentication-new.htm#Accesstokens).\n\n```python\nfrom conjur_iam_client import *\nappliance_url = 'https://conjur.yourorg.com'\nservice_id = 'dev'\nusername = 'host/cust-portal/\u003caws-account-id\u003e/\u003ciam-role-name\u003e'\ncert_file = 'conjur-cert.pem'\nconjur_account = 'dev'\nconjur_session_token = get_conjur_iam_session_token(appliance_url, conjur_account, service_id, username, cert_file)\n```\n\n#### create_conjur_iam_client\n\nThis function uses the `get_conjur_iam_session_token` to create a Conjur access token and returns an\ninstantiated [Conjur Python3 client](https://github.com/cyberark/conjur-api-python3). The client will not\nautomatically refresh the access token, so the client can only be used for 5-8 min. After this time, this\nmethod must be invoked again to instantiate another client.\n\n```python\nfrom conjur_iam_client import *\nappliance_url = 'https://conjur.yourorg.com'\nservice_id = 'dev'\nusername = 'host/cust-portal/\u003caws-account-id\u003e/\u003ciam-role-name\u003e'\ncert_file = 'conjur-cert.pem'\nconjur_account = 'dev'\nconjur_client = create_conjur_iam_client(appliance_url, conjur_account, service_id, username, cert_file)\nconjur_client.list() # This will return a list of all the resource you have access to. See https://github.com/cyberark/conjur-api-python3 for all of the methods this client supports.\n```\n\n#### create_conjur_iam_client_from_env\n\nThis function returns a client exactly like `create_conjur_iam_client`; however instead of providing all of the\nparameters within the function, it will read the parameters from the environment variables described in the\n[setting environment variables](#setting-the-environment-variables) section.\n\n```python\nfrom conjur_iam_client import *\nconjur_client = create_conjur_iam_client_from_env()\nconjur_client.list() # This will return a list of all the resource you have access to. See https://github.com/cyberark/conjur-api-python3 for all of the methods this client supports.\n```\n\n## EC2 Usage\nIn this example we will be using the `create_conjur_iam_client_from_env()` function. It is assumed an IAM role is already associated with the ec2 instance.\n\n#### Setting the environment variables\n```bash\n$ export CONJUR_APPLIANCE_URL=https://conjur.yourorg.com\n$ export AUTHN_IAM_SERVICE_ID=dev\n$ export CONJUR_AUTHN_LOGIN=host/cust-portal/\u003caws-account-id\u003e/\u003ciam-role-name\u003e\n$ export CONJUR_CERT_FILE=./conjur-dev.pem\n$ export CONJUR_ACCOUNT=dev\n```\n\n#### Executing python script from the ec2 instance\n```python3\nfrom conjur import Client\nfrom conjur_iam_client import create_conjur_iam_client_from_env\n\nconjur_client = create_conjur_iam_client_from_env()\nconjur_list = conjur_client.list()\n```\n\n## Lambda Usage\nSince lambda cannot reach out to the AWS metadata url we have to slightly modify how we execute `create_conjur_iam_client_from_env()`. It is assumed an IAM role is already associated with the lambda function.\n\n#### Lambda environment variables\n```\nCONJUR_APPLIANCE_URL=https://conjur.yourorg.com\nAUTHN_IAM_SERVICE_ID=dev\nCONJUR_AUTHN_LOGIN=host/cust-portal/\u003caws-account-id\u003e/\u003ciam-role-name\u003e\nCONJUR_CERT_FILE=./conjur-dev.pem\nCONJUR_ACCOUNT=dev\nIAM_ROLE_NAME=\u003ciam-role-name\u003e\n# Depending if you want to ignore untrusted ssl certificate\nIGNORE_SSL=\u003ctrue or false\u003e\n```\n\n#### Executing python script\nThe difference here is instead of having the client reach out to the metadata url and automatically obtain the keys and tokens required to authenticate. We are fetching these and pushing them into the `create_conjur_iam_client_from_env()` function.\n```python3\nfrom conjur import Client\nfrom conjur_iam_client import create_conjur_iam_client_from_env\nimport os\n\ndef lambda_handler(event, context):\n    iam_role_name=os.environ['IAM_ROLE_NAME']\n    access_key=os.environ['AWS_ACCESS_KEY_ID']\n    secret_key=os.environ['AWS_SECRET_ACCESS_KEY']\n    token=os.environ['AWS_SESSION_TOKEN']\n    conjur_client = create_conjur_iam_client_from_env(iam_role_name, access_key, secret_key, token)\n    conjur_list = conjur_client.list()\n    return {\n        \"list\": conjur_list\n    }\n```\n\n#### \n#### Example lambda function package\nAn example of a bundled lambda function can be found [here](https://github.com/cyberark/conjur-authn-iam-client-python/blob/master/lambda_function_package.zip). **If you are using a self signed certificate make sure to replace conjur-conjur.pem with your self signed cert!**\n\n## Summon Usage\nSummon usage has only been manually tested on an EC2 instance. With that being said make sure to set the [environment variables mentioned here](#ec2-usage). `iam_provider.py` is the summon provider. The `iam_provider.py` assumes python3 is installed on the EC2 instance. Example below:\n```bash\n# this should print out the environment variables \n# which should contain the password retrieved\nsummon -p ./iam_provider.py env\n\n# using 'iam_provider.py' standalone\n./iam_provider.py path/to/secret/goes/here\n```\n\n## Contributing\n\nWe welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions\nof our development workflows, please see our [contributing guide](CONTRIBUTING.md).\n\n## License\n\nThis repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-authn-iam-client-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2Fconjur-authn-iam-client-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-authn-iam-client-python/lists"}