Python subprocess AWS credentials shell script causing a directory error

Question

I have to run the following commands in order to obtain all the required "credentials" to run my Python scripts within EC2. So I decided to use subprocess in order to streamline this procedure.

subprocess.call(["export instance_profile=`curl 
http://169.254.169.254/latest/meta-data/iam/security-credentials",
"export AWS_ACCESS_KEY_ID=`curl http://169.254.169.254/latest/meta-
data/iam/security-credentials/${instance_profile} | grep AccessKeyId 
| cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`",
"export AWS_SECRET_ACCESS_KEY=`curl 
http://169.254.169.254/latest/meta-data/iam/security-
credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -
f2 | sed 's/[^0-9A-Za-z/+=]*//g'`",
"export AWS_SECURITY_TOKEN=`curl http://169.254.169.254/latest/meta-
data/iam/security-credentials/${instance_profile} | grep Token | cut 
-d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`",
"export http_proxy=proxy.xxx.xxxxxxxxx.com:8099",
"export https_proxy=${http_proxy}"])

and I got an error:

File "funtest.py", line 25, in <module>
"export https_proxy=${http_proxy}"])
File "/usr/lib64/python2.7/subprocess.py", line 524, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
errread, errwrite)
File "/usr/lib64/python2.7/subprocess.py", line 1327, in 
_execute_child
raise child_exception
OSError: [Errno 2] No such file or directory

I am new to bash and subprocess so forgive me if my mistake something trivial. I tried running python ./script.py but I have the same error. I would like to use subprocess for this as it is supposedly the safest way of doing this. Some guidance would be really appreciated.

Answer 1

The first argument to subprocess.call has to be a program or executable. In your case, it is not. Looks like you want to execute the call in a shell, so set this argument shell=True . Note: using shell=True is a security hazard.

Warning Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input.

subprocess.call(["export instance_profile=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials`",
"export AWS_ACCESS_KEY_ID=`curl http://169.254.169.254/latest/meta- data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`",
"export AWS_SECRET_ACCESS_KEY=`curl http://169.254.169.254/latest/meta-data/iam/security- credentials/${instance_profile} | grep SecretAccessKey | cut -d':' - f2 | sed 's/[^0-9A-Za-z/+=]*//g'`",
"export AWS_SECURITY_TOKEN=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep Token | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`",
"export http_proxy=proxy.xxx.xxxxxxxxx.com:8099",
"export https_proxy=${http_proxy}"], shell=True)