create --duration --format ini, closes #17

README.md

@@ -65,6 +65,7 @@ Created user: s3.read-write.static.niche-museums.com with permissions boundary:
 Attached policy s3.read-write.static.niche-museums.com to user s3.read-write.static.niche-museums.com
 Created access key for user: s3.read-write.static.niche-museums.com
 % cat ini.txt
+[default]
 aws_access_key_id=AKIAWXFXAIOZKGXI4PVO
 aws_secret_access_key=...
 ```

s3_credentials/cli.py

@@ -242,9 +242,21 @@ def create(
             Policy=json.dumps(bucket_access_policy),
             DurationSeconds=duration,
         )
-        click.echo(
-            json.dumps(credentials_response["Credentials"], indent=4, default=str)
-        )
+        if format_ == "ini":
+            click.echo(
+                (
+                    "[default]\naws_access_key_id={}\n"
+                    "aws_secret_access_key={}\naws_session_token={}"
+                ).format(
+                    credentials_response["Credentials"]["AccessKeyId"],
+                    credentials_response["Credentials"]["SecretAccessKey"],
+                    credentials_response["Credentials"]["SessionToken"],
+                )
+            )
+        else:
+            click.echo(
+                json.dumps(credentials_response["Credentials"], indent=4, default=str)
+            )
         return
     # No duration, so wo create a new user so we can issue non-expiring credentials
     if not username:
@@ -307,7 +319,7 @@ def create(
     log("Created access key for user: {}".format(username))
     if format_ == "ini":
         click.echo(
-            ("aws_access_key_id={}\n" "aws_secret_access_key={}").format(
+            ("[default]\naws_access_key_id={}\n" "aws_secret_access_key={}").format(
                 response["AccessKey"]["AccessKeyId"],
                 response["AccessKey"]["SecretAccessKey"],
             )

tests/test_s3_credentials.py

@@ -348,13 +348,8 @@ def test_create(
         ]
 
 
-@pytest.mark.parametrize(
-    "options,use_policy_stdin,expected_policy,expected_name_fragment",
-    CREATE_TESTS,
-)
-def test_create_duration(
-    mocker, tmpdir, options, use_policy_stdin, expected_policy, expected_name_fragment
-):
+@pytest.fixture
+def mocked_for_duration(mocker):
     boto3 = mocker.patch("boto3.client")
     boto3.return_value = Mock()
     boto3.return_value.create_access_key.return_value = {
@@ -363,8 +358,27 @@ def test_create_duration(
     boto3.return_value.get_caller_identity.return_value = {"Account": "1234"}
     boto3.return_value.get_role.return_value = {"Role": {"Arn": "arn:::role"}}
     boto3.return_value.assume_role.return_value = {
-        "Credentials": {"AccessKeyId": "access", "SecretAccessKey": "secret"}
+        "Credentials": {
+            "AccessKeyId": "access",
+            "SecretAccessKey": "secret",
+            "SessionToken": "session",
+        }
     }
+    return boto3
+
+
+@pytest.mark.parametrize(
+    "options,use_policy_stdin,expected_policy,expected_name_fragment",
+    CREATE_TESTS,
+)
+def test_create_duration(
+    mocked_for_duration,
+    tmpdir,
+    options,
+    use_policy_stdin,
+    expected_policy,
+    expected_name_fragment,
+):
     runner = CliRunner()
     with runner.isolated_filesystem():
         filepath = str(tmpdir / "policy.json")
@@ -386,9 +400,13 @@ def test_create_duration(
         assert result.exit_code == 0
         assert result.output == (
             "Assume role against arn:::role for 900s\n"
-            '{\n    "AccessKeyId": "access",\n    "SecretAccessKey": "secret"\n}\n'
+            "{\n"
+            '    "AccessKeyId": "access",\n'
+            '    "SecretAccessKey": "secret",\n'
+            '    "SessionToken": "session"\n'
+            "}\n"
         )
-        assert [str(c) for c in boto3.mock_calls] == [
+        assert [str(c) for c in mocked_for_duration.mock_calls] == [
             "call('s3')",
             "call('iam')",
             "call('sts')",
@@ -408,7 +426,11 @@ def test_create_format_ini(mocker):
     boto3 = mocker.patch("boto3.client")
     boto3.return_value = Mock()
     boto3.return_value.create_access_key.return_value = {
-        "AccessKey": {"AccessKeyId": "access", "SecretAccessKey": "secret"}
+        "AccessKey": {
+            "AccessKeyId": "access",
+            "SecretAccessKey": "secret",
+            "SessionToken": "session",
+        }
     }
     runner = CliRunner(mix_stderr=False)
     result = runner.invoke(
@@ -416,7 +438,26 @@ def test_create_format_ini(mocker):
         ["create", "test-bucket", "-c", "-f", "ini"],
     )
     assert result.exit_code == 0
-    assert result.stdout == "aws_access_key_id=access\naws_secret_access_key=secret\n"
+    assert (
+        result.stdout
+        == "[default]\naws_access_key_id=access\naws_secret_access_key=secret\n"
+    )
+
+
+def test_create_format_duration_ini(mocked_for_duration):
+    runner = CliRunner(mix_stderr=False)
+    result = runner.invoke(
+        cli,
+        ["create", "test-bucket", "-c", "--duration", "15m", "-f", "ini"],
+        catch_exceptions=False,
+    )
+    assert result.exit_code == 0
+    assert result.stdout == (
+        "[default]\n"
+        "aws_access_key_id=access\n"
+        "aws_secret_access_key=secret\n"
+        "aws_session_token=session\n"
+    )
 
 
 def test_list_user_policies(mocker):