RubyGems - aws-asmr - Versions diffs - 0.0.4 → 0.0.5 - Mend

aws-asmr 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9804add634c49c85745aa41741d6558b7dc5e0cab20426aaa9827eb06ae6808
-  data.tar.gz: 8ebaaabd5a6a65c5609ff08a2723a4fa135298667b842cd7175549dec6069b96
+  metadata.gz: 6cc279ebf6f98696525bd333297e3d9e07f4546235685e4cc56ede2f6e5936df
+  data.tar.gz: 5e8ba9aa25320658bbe860b0733141d4bda426a75330bd52603922bb6e0274fb
 SHA512:
-  metadata.gz: 0345bb76d7e174c1a18debd29a262d85506cb95f4e2c76c7f4aa86a1ca9bd6de6c09c5a040d12794cae2af1ea18582d311789bf458fb935a1525d0c30dd5ab37
-  data.tar.gz: 4fb26c3b1aeb378ff4da4e47b0bf5450c70223d781f1993c1dbb03353755eb59781d8ba7a61e5798d19e003491cca53d6a3307afd2adff7312e04b52d9374fd4
+  metadata.gz: 3ac9215a9c0ddb69a23eb94e7aa30eb91b07ea2e4bdf1fe2be1f03f2ec4fdbb4890bd329432e443044c70360b4aba568f03e5294a9f311779aac95ec334273f2
+  data.tar.gz: 52d2bf0b95b0f377a2507ed9e72372edce4a6dcd1aeacc1e231558bf1f4b2b228a9798c9e6d63f54f18b02c28d77c572b405aa0272ce134aaa2417f84d76254f

data/README.md CHANGED Viewed

@@ -69,6 +69,7 @@ Here is the example of alias file. `arn` is the only required attribute.
 [awesome-app-staging]
 arn = arn:aws:iam::0001:role/AwesomeRole
 profile = custodian
+region = ap-northeast-1
 [awesome-app-production]
 arn = arn:aws:iam::0002:role/AwesomeRole
@@ -79,6 +80,8 @@ secret_access_key = yyyy
 # arn = test
 ```
+`region` is optional and is only used by `asmr-login` (see below) to pick the console landing region.
 Then, you can choose one of the alias.
 ```
@@ -91,3 +94,40 @@ Or you can specify alias name.
 ```
 asmr --name=awesome-app-staging aws sts get-caller-identity
 ```
+## Web Login (AWS Management Console)
+The companion command `asmr-login` opens the **AWS Management Console** in your browser as the assumed role, using the [AWS federation endpoint](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html). This is handy when you want a *browser* session for a role you normally only use from the CLI.
+```
+asmr-login --name=awesome-app-staging
+```
+It assumes the role exactly like `asmr` does — sharing the same alias resolution (`--name`/`-n`), MFA prompt and credential cache — then exchanges the temporary credentials for a sign-in token at `https://signin.aws.amazon.com/federation` and opens the resulting console URL in your default browser. On a headless host where no browser opener is available, the URL is printed instead (it is valid for 15 minutes — treat it as a secret).
+### Landing region
+The console page you land on is derived from the `region` of the chosen alias. Add `region` to the alias:
+```
+[my-awesome-project]
+arn = arn:aws:iam::xxxx:role/AdminRole
+profile = smcdk-prejp
+region = ap-northeast-1
+```
+Then `asmr-login --name=my-awesome-project` opens the console home of `ap-northeast-1`. When the alias has no `region` (or you pass an ARN directly), it falls back to the global console home (`https://console.aws.amazon.com/`).
+### Session duration
+The console session duration (seconds, 900-43200) is set via the alias's optional `session_duration`. When omitted, it defaults to 43200 (12h).
+```
+[my-awesome-project]
+arn = arn:aws:iam::xxxx:role/AdminRole
+profile = smcdk-prejp
+region = ap-northeast-1
+session_duration = 3600
+```
+Note: the requested duration must be **less than the assumed role's maximum session duration** (1 hour by default). When the federation endpoint rejects it (e.g. the role's max is shorter, or you reached the role via role chaining), `asmr-login` automatically retries *without* it, falling back to the lifetime of the temporary credentials. To get a full 12-hour console session, raise the role's *Maximum session duration* in IAM accordingly.

data/bin/asmr CHANGED Viewed

@@ -1,41 +1,6 @@
 #!/usr/bin/env ruby
-require "aws/asmr"
-require "aws/asmr/options"
-require "aws/asmr/prompt"
-asmr_args, command_args = Aws::ASMR::Options.partition(ARGV)
-options = Aws::ASMR::Options.parse(asmr_args)
-if options[:version]
-  require "aws/asmr/version"
-  puts Aws::ASMR::VERSION
-  exit(0)
-elsif options[:clear]
-  Aws::ASMR::Cache.destroy!
-  exit(0)
-else
-end
-prompt = Aws::ASMR::Prompt.safe
-name = if options[:name]
-  options[:name]
-else
-  alias_keys = Aws::ASMR::Alias.base.keys
-  if alias_keys.empty?
-    STDERR.puts "Please specify --name=ARN to assume_role or make alias at #{Aws::ASMR::ROOT}/alias"
-    exit(1)
-  end
-  prompt.select("Choose a role you're going to assume:", alias_keys)
-end
-asmr_alias = Aws::ASMR::Alias.get(name)
-assume_role_arn = if asmr_alias
-  asmr_alias.set_environment_variables!
-  asmr_alias.arn
-else
-  name
-end
+require "aws/asmr/cli"
 def run(command, shell_variables=[])
   if command.empty?
@@ -57,33 +22,8 @@ def run(command, shell_variables=[])
     end
     exec([*shell_variables, *command].join(' '))
   end
-end
-if cache = Aws::ASMR::Cache.get(assume_role_arn)
-  run(command_args, cache.shell_variables)
 end
-begin
-  serial_number = Aws::ASMR.detect_mfa_device_serial_number
-  assume_role_args = asmr_alias ? asmr_alias.assume_role_args : {}
-  assume_role_args = if serial_number
-    token_code = prompt.ask("Type MFA token code:")
-    assume_role_args.merge({serial_number: serial_number, token_code: token_code})
-  else
-    assume_role_args
-  end
-  res = Aws::ASMR.assume_role(assume_role_arn, **assume_role_args)
-  cache = Aws::ASMR::Cache.new(**res.credentials.to_h)
-  cache.save!(assume_role_arn)
+Aws::ASMR::CLI.main(ARGV) do |cache, command_args, _options|
   run(command_args, cache.shell_variables)
-rescue => e
-  STDERR.puts e.message
-  if options[:verbose]
-    STDERR.puts e.backtrace
-  else
-    STDERR.puts "Add --verbose for more error information."
-  end
-  exit(1)
-end
+end

data/bin/asmr-login ADDED Viewed

@@ -0,0 +1,18 @@
+#!/usr/bin/env ruby
+require "aws/asmr/cli"
+# Session duration is read from the alias only (a raw, possibly empty string).
+# Returns nil to let WebLogin fall back to its default.
+def alias_session_duration(asmr_alias)
+  raw = asmr_alias&.session_duration
+  raw.to_i if raw && !raw.empty?
+end
+Aws::ASMR::CLI.main(ARGV) do |cache, _command_args, _options, asmr_alias|
+  args = { region: asmr_alias&.region }
+  duration = alias_session_duration(asmr_alias)
+  args[:session_duration] = duration if duration
+  url = Aws::ASMR::WebLogin.signin_url(cache, **args)
+  Aws::ASMR::WebLogin.open_browser(url)
+end

data/lib/aws/asmr/alias.rb CHANGED Viewed

@@ -3,7 +3,7 @@ require 'aws/asmr'
 module Aws
   module ASMR
-    class Alias < Struct.new(:arn, :access_key_id, :secret_access_key, :profile, :external_id, :role_session_name, keyword_init: true)
+    class Alias < Struct.new(:arn, :access_key_id, :secret_access_key, :profile, :external_id, :role_session_name, :region, :session_duration, keyword_init: true)
       PATH = "#{Aws::ASMR::ROOT}/alias"

data/lib/aws/asmr/cli.rb ADDED Viewed

@@ -0,0 +1,92 @@
+require "aws/asmr"
+require "aws/asmr/options"
+require "aws/asmr/prompt"
+module Aws
+  module ASMR
+    # The parts shared by every asmr executable: option parsing, --version /
+    # --clear, resolving the role (alias or ARN), and obtaining temporary
+    # credentials via assume_role (with MFA prompt and caching).
+    #
+    # Each executable is just a thin wrapper that decides what to do with the
+    # resolved credentials:
+    #
+    #   Aws::ASMR::CLI.main(ARGV) do |cache, command_args, options, asmr_alias|
+    #     # ... use cache.shell_variables / build a login URL / etc.
+    #   end
+    module CLI
+      # Parses asmr-level args, handles --version/--clear, resolves credentials
+      # and yields (cache, command_args, options, asmr_alias) to the block; the
+      # resolved alias is nil when an ARN was given directly. Top-level errors
+      # are reported here (with a backtrace under --verbose) and exit non-zero.
+      def main(argv)
+        asmr_args, command_args = Options.partition(argv)
+        options = Options.parse(asmr_args)
+        if options[:version]
+          require "aws/asmr/version"
+          puts VERSION
+          exit(0)
+        elsif options[:clear]
+          Cache.destroy!
+          exit(0)
+        end
+        prompt = Prompt.safe
+        begin
+          cache, asmr_alias = resolve_credentials(options, prompt)
+          yield cache, command_args, options, asmr_alias
+        rescue => e
+          STDERR.puts e.message
+          if options[:verbose]
+            STDERR.puts e.backtrace
+          else
+            STDERR.puts "Add --verbose for more error information."
+          end
+          exit(1)
+        end
+      end
+      # Resolves the role to assume (from --name/-n or an interactive alias
+      # selection) and returns [cache, asmr_alias]: a Cache holding temporary
+      # credentials (reusing a valid cache entry or performing assume_role with an
+      # MFA prompt), and the resolved Alias (nil when an ARN was given directly).
+      def resolve_credentials(options, prompt)
+        name = options[:name] || begin
+          alias_keys = Alias.base.keys
+          if alias_keys.empty?
+            STDERR.puts "Please specify --name=ARN to assume_role or make alias at #{ROOT}/alias"
+            exit(1)
+          end
+          prompt.select("Choose a role you're going to assume:", alias_keys)
+        end
+        asmr_alias = Alias.get(name)
+        assume_role_arn = if asmr_alias
+          asmr_alias.set_environment_variables!
+          asmr_alias.arn
+        else
+          name
+        end
+        if cache = Cache.get(assume_role_arn)
+          return [cache, asmr_alias]
+        end
+        serial_number = Aws::ASMR.detect_mfa_device_serial_number
+        assume_role_args = asmr_alias ? asmr_alias.assume_role_args : {}
+        if serial_number
+          token_code = prompt.ask("Type MFA token code:")
+          assume_role_args = assume_role_args.merge(serial_number: serial_number, token_code: token_code)
+        end
+        res = Aws::ASMR.assume_role(assume_role_arn, **assume_role_args)
+        cache = Cache.new(**res.credentials.to_h)
+        cache.save!(assume_role_arn)
+        [cache, asmr_alias]
+      end
+      module_function :main, :resolve_credentials
+    end
+  end
+end

data/lib/aws/asmr/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Aws
   module ASMR
-    VERSION = "0.0.4"
+    VERSION = "0.0.5"
   end
 end

data/lib/aws/asmr/web_login.rb ADDED Viewed

@@ -0,0 +1,99 @@
+require 'json'
+require 'uri'
+require 'net/http'
+require 'rbconfig'
+require 'aws/asmr'
+module Aws
+  module ASMR
+    # Builds a sign-in URL for the AWS Management Console out of the temporary
+    # credentials obtained by assume_role, using the AWS federation endpoint.
+    # See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    module WebLogin
+      ENDPOINT = "https://signin.aws.amazon.com/federation"
+      DEFAULT_DESTINATION = "https://console.aws.amazon.com/"
+      DEFAULT_ISSUER = "aws-asmr"
+      # Console session duration. Up to 43200 (12h), but it must be LESS than the
+      # max session duration setting of the role being assumed (default 1h), so
+      # request_signin_token falls back to omitting it when the endpoint rejects it.
+      DEFAULT_SESSION_DURATION = 43200
+      # Exchanges the temporary credentials for a sign-in token at the federation
+      # endpoint. Retries without SessionDuration when it is rejected (e.g. the
+      # role's max session duration is shorter, or the credentials come from role
+      # chaining, both of which make SessionDuration invalid).
+      def signin_token(cache, session_duration: DEFAULT_SESSION_DURATION)
+        res = request_signin_token(cache, session_duration)
+        if !res.is_a?(Net::HTTPSuccess) && session_duration
+          STDERR.puts "getSigninToken with SessionDuration=#{session_duration} was rejected (HTTP #{res.code}). Retrying without SessionDuration..."
+          res = request_signin_token(cache, nil)
+        end
+        unless res.is_a?(Net::HTTPSuccess)
+          raise "Federation endpoint returned HTTP #{res.code}: #{res.body}"
+        end
+        token = JSON.parse(res.body)["SigninToken"]
+        raise "Federation endpoint did not return a SigninToken: #{res.body}" unless token
+        token
+      end
+      # Builds the final console login URL. Valid for 15 minutes after creation.
+      # The landing page defaults to the given region's console home, or the
+      # global console home when no region is given (e.g. ARN passed directly).
+      def signin_url(cache, region: nil, issuer: DEFAULT_ISSUER, session_duration: DEFAULT_SESSION_DURATION)
+        token = signin_token(cache, session_duration: session_duration)
+        build_url(
+          "Action" => "login",
+          "Issuer" => issuer,
+          "Destination" => destination_for(region),
+          "SigninToken" => token,
+        )
+      end
+      # Console home URL to land on after sign-in.
+      def destination_for(region)
+        return DEFAULT_DESTINATION if region.nil? || region.empty?
+        "https://#{region}.console.aws.amazon.com/console/home?region=#{region}"
+      end
+      # Opens the given URL in the default browser. Falls back to printing it
+      # (e.g. on a headless host where no opener is available).
+      def open_browser(url)
+        opener = browser_opener
+        if opener && system(*opener, url)
+          STDERR.puts "Opened the AWS Management Console in your browser."
+        else
+          STDERR.puts "Open the following URL in your browser to sign in (valid for 15 minutes):"
+          puts url
+        end
+      end
+      def request_signin_token(cache, session_duration)
+        session = {
+          sessionId: cache.access_key_id,
+          sessionKey: cache.secret_access_key,
+          sessionToken: cache.session_token,
+        }.to_json
+        params = { "Action" => "getSigninToken", "Session" => session }
+        params["SessionDuration"] = session_duration.to_s if session_duration
+        Net::HTTP.get_response(URI(build_url(params)))
+      end
+      def build_url(params)
+        uri = URI(ENDPOINT)
+        uri.query = URI.encode_www_form(params)
+        uri.to_s
+      end
+      def browser_opener
+        case RbConfig::CONFIG['host_os']
+        when /darwin/ then ["open"]
+        when /mswin|mingw|cygwin/ then ["cmd", "/c", "start", ""]
+        else ["xdg-open"]
+        end
+      end
+      module_function :signin_token, :signin_url, :destination_for, :open_browser, :request_signin_token, :build_url, :browser_opener
+    end
+  end
+end

data/lib/aws/asmr.rb CHANGED Viewed

@@ -34,3 +34,4 @@ end
 require 'aws/asmr/cache'
 require 'aws/asmr/alias'
+require 'aws/asmr/web_login'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-asmr
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - metheglin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-10 00:00:00.000000000 Z
+date: 2026-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -70,17 +70,21 @@ description: ''
 email: pigmybank@gmail.com
 executables:
 - asmr
+- asmr-login
 extensions: []
 extra_rdoc_files: []
 files:
 - README.md
 - bin/asmr
+- bin/asmr-login
 - lib/aws/asmr.rb
 - lib/aws/asmr/alias.rb
 - lib/aws/asmr/cache.rb
+- lib/aws/asmr/cli.rb
 - lib/aws/asmr/options.rb
 - lib/aws/asmr/prompt.rb
 - lib/aws/asmr/version.rb
+- lib/aws/asmr/web_login.rb
 homepage: https://rubygems.org/gems/aws-asmr
 licenses:
 - MIT