Updated the APC client to take in an optional IAM role to assume.

key-import-export/key_exchange/README.md

@@ -6,6 +6,14 @@ KDH : Key Distribution Host
 KRD : Key Receiving Device
 Futurex : HSM is configured using PMK
 
+## Configure AWS credentials
+AWS credentials needed for the scripts can be configured in 2 ways :
+* Configure environment variables for credentials : https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html
+** To do this, leave 'assume_role' key in input_config.json file empty for 'apc' in either 'krd' or 'kdh' section.
+* Use an IAM role to assume.
+** To do this, add the IAM role arn to assume in 'assume_role' key in input_config.json file for 'apc' in either 'krd' or 'kdh' section.
+** Configure environment variables for credentials for the account which will be used to assume this role. Make sure to add the calling account in the trust relationship of the assuming account.
+
 ## Key Exchange using TR34
 
 The script will establish a KEK (Key Encryption Key) between the chosen KDH and KRD. A set of options are supported for KDH and KRD type.
@@ -50,3 +58,9 @@ Using this path, you can import/export upto AES-256 keys.
 ```
 python3 import_export_ecdh.py --kdh <Options: "futurex | payshield | apc"> --krd <Options: "apc">
 ```
+
+To transport a key from 1 APC account to another APC account, add 'assume_role' of Account1 in 'apc' section of 'kdh' and 'assume_role' of Account2 in 'apc' section of 'krd'.
+Configure environment variables for credentials of the central account with trust relationships added both in Account1 and Account2.
+Central account credentials will be used to assume roles in Account1 and Account2.
+
+

key-import-export/key_exchange/input_config.json

@@ -19,6 +19,7 @@
         },
         "apc": {
             "region": "us-west-2",
+            "assume_role": "arn:aws:iam::111111111111:role/Admin",
             "ecdh": {
                  "transport_key": "",
                  "transport_key_kcv": ""
@@ -27,7 +28,7 @@
         "payshield": {
             "host": "127.0.0.1",
             "port": 9150,
-            "variant_lmk": true,
+            "variant_lmk": false,
             "variant_lmk_identifier": "02",
             "tr34": {
                 "transport_key": "",
@@ -47,6 +48,7 @@
     "krd": {
         "apc": {
             "region": "us-east-2",
+            "assume_role": "arn:aws:iam::111111111111:role/Admin",
             "tr31": {
                 "kek": ""
             }

key-import-export/key_exchange/utils/apc.py

@@ -17,7 +17,24 @@
 
 class Apc(object):
     def __init__(self, config):
-        self.apc_client = boto3.client("payment-cryptography", region_name=config["region"])
+        if not config.get('assume_role'):
+            # Use environment credentials
+            self.apc_client = boto3.client("payment-cryptography", region_name=config["region"])
+        else:
+            sts_client = boto3.client('sts')
+            assumed_role = sts_client.assume_role(
+                RoleArn=config['assume_role'],
+                RoleSessionName='ApcSession'
+            )
+            credentials = assumed_role['Credentials']
+            self.apc_client = boto3.client(
+                'payment-cryptography',
+                region_name=config['region'],
+                aws_access_key_id=credentials['AccessKeyId'],
+                aws_secret_access_key=credentials['SecretAccessKey'],
+                aws_session_token=credentials['SessionToken']
+            )
+
 
     def create_symmetric_key(
         self, key_algorithm: SymmetricKeyAlgorithm, key_usage: SymmetricKeyUsage