use aws-assume-role-lib to refresh assumed role

falcon_data_replicator.ini

@@ -78,9 +78,9 @@ DO_OCSF_CONVERSION = No
 # OCSF Target AWS Account Id
 TARGET_ACCOUNT_ID= TARGET_ACCOUNT_ID
 # The role name to assume to write to Security Lake bucket
-OCSF_ROLE_NAME = 
+OCSF_ROLE_NAME =
 # The external ID used to assume the role in the target account
-OCSF_ROLE_EXTERNAL_ID = "CrowdStrikeCustomSource"
+OCSF_ROLE_EXTERNAL_ID = CrowdStrikeCustomSource
 # Security Lake performance is sensitive to the number of files that must be read for a query.
 # The max amount of time (in minutes) to buffer records before publishing. Min: 5 Max: 60 Default: 5
 OCSF_INGEST_LATENCY = 5

falcon_data_replicator.py

@@ -53,6 +53,13 @@
                      "Data Replicator.\nPlease execute 'pip3 install boto3'"
                      ) from err
 
+try:
+    from aws_assume_role_lib import assume_role
+except ImportError as err:
+    print(err)
+    raise SystemExit("The aws-assume-role-lib library is required to run Falcon "
+                     "Data Replicator.\nPlease execute 'pip3 install aws-assume-role-lib'"
+                     ) from err
 # Global FDR
 FDR = None
 
@@ -415,7 +422,6 @@ def get_aws_client(resource_type, account_id, aws_region, role_name, session_nam
         serviceClient (botocore client): botocore resource client
 
     """
-    sts_client = boto3.client('sts')
     try:
         # Make Role ARN
         if role_path == '/':
@@ -424,16 +430,10 @@ def get_aws_client(resource_type, account_id, aws_region, role_name, session_nam
             role_arn = f'arn:aws:iam::{account_id}:role/{role_path.lstrip("/").rstrip("/")}/{role_name}'
 
         # Assume role
-        role = sts_client.assume_role(
-            RoleArn=role_arn, RoleSessionName=session_name, ExternalId=external_id)
-        access_key = role['Credentials']['AccessKeyId']
-        secret_key = role['Credentials']['SecretAccessKey']
-        session_token = role['Credentials']['SessionToken']
-        service_client = boto3.client(resource_type, region_name=aws_region,
-                                      aws_access_key_id=access_key,
-                                      aws_secret_access_key=secret_key,
-                                      aws_session_token=session_token)
-        return service_client
+        session = boto3.Session(region_name=aws_region)
+        assumed_role_session = assume_role(session, role_arn, RoleSessionName=session_name, ExternalId=external_id)
+        return assumed_role_session.client(resource_type, region_name=aws_region)
+
     except Exception as error:
         print(f'Failed to assume the role for Account: {account_id}: {error}')
         raise

requirements.txt

@@ -15,3 +15,4 @@ json2parquet>=2.0.0
 pyyaml>=6.0
     # via -r requirements.txt
 numpy>=1.22.2 # not directly required, pinned by Snyk to avoid a vulnerability
+aws-assume-role-lib>=2.10.0