aws-asmr 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 295a3e23217a96e62d009c06284c2523d9397479c300c686dd2f3a750ed37a5f
+  data.tar.gz: 22138144c91d1cce17ebfc50c0f537954996995350483f22984ade1c380d7a91
+SHA512:
+  metadata.gz: b4a733b089f9c05ff0e7dbeca84f3c647180e40347733385fd008b0ca23a590b7f5939a1aeaf7cab55875391e3be3ca8db3ba4e2d2618ded656acb3f8148912e
+  data.tar.gz: 94ece634442510edaaf7f5d2ab4e3a3dc11bc586fe60fa85c019adb9fac2247292f6cc36d8b140b19e158aea1207ad958322548119e6442157b241d98849f25f

data/README.md

@@ -0,0 +1,102 @@
+# Aws::ASMR
+
+`ASMR` stands for "Assume Role", obviously!! This is a command line utility for people in the hell of aws assume_role.
+
+## Install
+
+Only gem(ruby package) install is supported now, sorry!
+
+```
+gem install aws-asmr
+gem which aws/asmr
+
+# Set `PATH` generated from command below
+gem which aws/asmr | sed -e "s/lib\/aws\/asmr.rb/bin/" | sed "s/^/PATH=/" | sed "s/$/:\$PATH/"
+
+# Only in current shell
+. <(gem which aws/asmr | sed -e "s/lib\/aws\/asmr.rb/bin/" | sed "s/^/PATH=/" | sed "s/$/:\$PATH/")
+
+# Set PATH everytime started zsh session
+gem which aws/asmr | sed -e "s/lib\/aws\/asmr.rb/bin/" | sed "s/^/PATH=/" | sed "s/$/:\$PATH/" >> ~/.zshrc
+
+asmr --version
+```
+
+## Command Example
+
+In the example below, you can run command `aws sts get-caller-identity` with assumed role `arn:aws:iam::0000:role/AwesomeRole` on specified aws account `custodian`.
+
+If active *MFA* device detected on the IAM account(`custodian`), it'll prompt `MFA token code`. Please check and type the successful code and you'll see the process goes on. Once you went through the MFA, the credentials to assume role are cached on local. At the next command on the same *ARN*, you can skip MFA unless cache is expired.
+
+Regardless that MFA is enabled or not, temporary credentials `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SECRET_TOKEN` are set in the current command when assume_role was successful, without `export` environment variables.  
+In the case below, you'll run a command like `AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy AWS_SECRET_TOKEN=zzzz aws sts get-caller-identity`  
+This means those variables are only effective for the subsequential command(`aws sts get-caller-identity`). So it is safe and you can run commands idempotently (If you export those environment variables, the same command for assume_role would never be successful in the same shell session).
+
+```
+AWS_PROFILE=custodian asmr --name=arn:aws:iam::0000:role/AwesomeRole aws sts get-caller-identity
+```
+
+Of course you can set `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` respectively to perform assume_role, instead of profile.
+
+```
+AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy asmr --name=arn:aws:iam::0000:role/AwesomeRole aws sts get-caller-identity
+```
+
+To specify ARN (or alias name of assumed role), you MUST set `name` option with a form like `--name=<arn>` NOT a form like `--name <arn>`. For short version, `-n<arn>` works, `-n <arn>` doesn't. You must be wasting time for this pitfall, sorry!  
+This is due to a development circumstance. This tool is supposed to run 2 commands. One is assume_role, and the other is subsequential(this is main though) command. To safely separate options for assume_role and subsequential commands, all components of the `asmr` args must be start with `-`. Curse my programming ability!
+
+```
+asmr --name=arn:aws:iam::0000:role/AwesomeRole
+asmr -narn:aws:iam::0000:role/AwesomeRole
+```
+
+Of course you can set options for subsequential command.
+
+```
+asmr --name=arn:aws:iam::0000:role/AwesomeRole aws ec2 describe-instances --filter '[{"Name":"instance-state-name","Values":["stopped"]}]'
+```
+
+Unfortunatelly you need quote and appropriate escape to run piped command as subsequential.
+
+```
+asmr --name=arn:aws:iam::0000:role/AwesomeRole "aws sts get-caller-identity | grep Arn"
+```
+
+Without subsequential command, it just prints environment variables for assume_role.
+
+```
+AWS_PROFILE=custodian asmr --name=arn:aws:iam::0000:role/AwesomeRole
+# AWS_ACCESS_KEY_ID=xxxx
+# AWS_SECRET_ACCESS_KEY=yyyy
+# AWS_SECRET_TOKEN=zzzz
+```
+
+You can define aliases as you like at `~/.aws-asmr/alias` (default).  
+Here is the example of alias file. `arn` is the only required attribute.
+
+```
+[awesome-app-staging]
+arn = arn:aws:iam::0001:role/AwesomeRole
+profile = custodian
+
+[awesome-app-production]
+arn = arn:aws:iam::0002:role/AwesomeRole
+access_key_id = xxxx
+secret_access_key = yyyy
+
+# [commented-awesome-app-test]
+# arn = test
+```
+
+Then, you can choose one of the alias.
+
+```
+asmr aws sts get-caller-identity
+  # Choose alias listed on the shell
+```
+
+Or you can specify alias name.
+
+```
+asmr --name=awesome-app-staging aws sts get-caller-identity
+```

data/bin/asmr

@@ -0,0 +1,83 @@
+#!/usr/bin/env ruby
+
+require "tty-prompt"
+require "aws/asmr"
+require "aws/asmr/options"
+
+asmr_args, command_args = Aws::ASMR::Options.partition(ARGV)
+options = Aws::ASMR::Options.parse(asmr_args)
+
+if options[:version]
+  require "aws/asmr/version"
+  puts Aws::ASMR::VERSION
+  exit(0)
+elsif options[:clear]
+  Aws::ASMR::Cache.destroy!
+  exit(0)
+else
+end
+
+prompt = TTY::Prompt.new
+
+name = if options[:name]
+  options[:name]
+else
+  alias_keys = Aws::ASMR::Alias.base.keys
+  if alias_keys.empty?
+    STDERR.puts "Please specify --name=ARN to assume_role or make alias at #{Aws::ASMR::ROOT}/alias"
+    exit(1)
+  end
+  prompt.select("Choose a role you're going to assume:", alias_keys)
+end
+asmr_alias = Aws::ASMR::Alias.get(name)
+assume_role_arn = if asmr_alias
+  asmr_alias.set_environment_variables!
+  asmr_alias.arn
+else
+  name
+end
+
+def run(command, shell_variables=[])
+  if command.empty?
+    exec("echo \"#{shell_variables.join($/)}\"")
+  else
+    command = if command.length == 1
+      # Ex: asmr "aws sts get-caller-identity | grep Arn"
+      command
+    else
+      # Ex: asmr aws ec2 describe-instances --filter '[{"Name":"instance-state-name","Values":["stopped"]}]'
+      command.map{|plain|
+        if plain.match?(/[\"\'\ ]/)
+          quoted = plain.gsub("'"){"\\'"}
+          "'#{quoted}'"
+        else
+          plain
+        end
+      }
+    end
+    exec([*shell_variables, *command].join(' '))
+  end
+end 
+
+if cache = Aws::ASMR::Cache.get(assume_role_arn)
+  run(command_args, cache.shell_variables)
+end
+
+
+begin
+  serial_number = Aws::ASMR.detect_mfa_device_serial_number
+  assume_role_args = if serial_number
+    token_code = prompt.ask("Type MFA token code:")
+    {serial_number: serial_number, token_code: token_code}
+  else
+    {}
+  end
+
+  res = Aws::ASMR.assume_role(assume_role_arn, **assume_role_args)
+  cache = Aws::ASMR::Cache.new(**res.credentials.to_h)
+  cache.save!(assume_role_arn)
+  run(command_args, cache.shell_variables)
+rescue => e
+  STDERR.puts e.message
+  exit(1)
+end

data/lib/aws/asmr/alias.rb

@@ -0,0 +1,61 @@
+require 'fileutils'
+require 'aws/asmr'
+
+module Aws
+  module ASMR
+    class Alias < Struct.new(:arn, :access_key_id, :secret_access_key, :profile, keyword_init: true)
+
+      PATH = "#{Aws::ASMR::ROOT}/alias"
+
+      class << self
+        def parse(lines)
+          lines = lines.map(&:strip).select{! _1.start_with?('#')}
+          arr = lines.reduce([]) do |acc,line|
+            m = line.match(/\A\[([^\[\]]+)\]\z/)
+            if m
+              acc << [m[1], []]
+            else
+              alias_name, alias_props = acc.last
+              if alias_name
+                k, v = line.split('=').map(&:strip)
+                if k and v
+                  alias_props << [k, v]
+                end
+              end
+            end
+            acc
+          end
+          arr.map{|k,v| [k,v.to_h]}.select{|k,v| v["arn"] and !v["arn"].empty?}.to_h
+        end
+
+        def base
+          @base ||= begin
+            if File.exists?(PATH)
+              parse(File.readlines(PATH))
+            else
+              {}
+            end
+          end
+        end
+
+        def first
+          k,v = base.first
+          get(k)
+        end
+
+        def get(alias_name)
+          base[alias_name] && new(base[alias_name])
+        end
+      end
+
+      def set_environment_variables!
+        if access_key_id and !access_key_id.empty?
+          ENV["AWS_ACCESS_KEY_ID"] = access_key_id
+          ENV["AWS_SECRET_ACCESS_KEY"] = secret_access_key
+        elsif profile and !profile.empty?
+          ENV["AWS_PROFILE"] = profile
+        end
+      end
+    end
+  end
+end

data/lib/aws/asmr/cache.rb

@@ -0,0 +1,64 @@
+require 'fileutils'
+require 'aws/asmr'
+
+module Aws
+  module ASMR
+    class Cache < Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration, keyword_init: true)
+
+      PATH = "#{Aws::ASMR::ROOT}/cache"
+
+      class << self
+        def base
+          @base ||= begin
+            if File.exists?(PATH)
+              JSON.parse(File.read(PATH))
+            else
+              {}
+            end
+          end
+        end
+
+        def first
+          k,v = base.first
+          get(k)
+        end
+
+        def get(assume_role_arn)
+          cache = base[assume_role_arn] && new(base[assume_role_arn])
+          return nil unless cache
+          cache.expired? ? nil : cache
+        end
+
+        def destroy!
+          File.exists?(PATH) && File.delete(PATH)
+        end
+      end
+
+      def expiration_time
+        return nil unless expiration
+        expiration.is_a?(Time) ? expiration : Time.parse(expiration)
+      end
+
+      def expired?
+        return true unless expiration_time
+        expiration_time < (Time.now+60*5)
+      end
+
+      def save!(assume_role_arn)
+        FileUtils.mkdir_p(Pathname.new(PATH).dirname)
+        self.class.base[assume_role_arn] = to_h
+        File.open(PATH, 'w') do |f|
+          f.puts(JSON.pretty_generate(self.class.base))
+        end
+      end
+
+      def shell_variables
+        {
+          AWS_ACCESS_KEY_ID: access_key_id,
+          AWS_SECRET_ACCESS_KEY: secret_access_key,
+          AWS_SESSION_TOKEN: session_token,
+        }.map{|k,v| "#{k}=#{v}"}
+      end
+    end
+  end
+end

data/lib/aws/asmr/options.rb

@@ -0,0 +1,52 @@
+require "optparse"
+require "aws/asmr"
+
+module Aws::ASMR
+  module Options
+    def partition(args)
+      _idx, asmr_args, command_args = args.reduce([1, [], []]) do |acc,i|
+        idx, _, _ = acc
+        unless i.start_with?('-')
+          idx = 2
+          acc[0] = idx
+        end
+        acc[idx] << i
+        acc
+      end
+      [asmr_args, command_args]
+    end
+
+    def parse(args)
+      options = {}
+      OptionParser.new do |opts|
+        # opts.banner = "Usage: asmr [options]"
+        opts.banner = <<~EOS
+          You can use ALIAS to shortcut name input by setting it at #{Aws::ASMR::ROOT}/alias
+
+          Usage: asmr [options] [command] [arg...]
+        EOS
+
+        opts.on("-nNAME", "--name=NAME", "Name to perform assume role with ARN or ALIAS") do |name|
+          options[:name] = name
+        end
+
+        opts.on("-h", "--help", "Prints this help") do
+          puts opts
+          exit(0)
+        end
+        opts.on("--version", "Prints version") do
+          options[:version] = true
+        end
+        opts.on("--clear", "Clear cache") do
+          options[:clear] = true
+          # require "aws/asmr/version"
+          # puts Aws::ASMR::VERSION
+          # exit(0)
+        end
+      end.parse(args)
+      options
+    end
+
+    module_function :partition, :parse
+  end
+end

data/lib/aws/asmr/version.rb

@@ -0,0 +1,5 @@
+module Aws
+  module ASMR
+    VERSION = "0.0.0"
+  end
+end

data/lib/aws/asmr.rb

@@ -0,0 +1,34 @@
+require 'aws-sdk-iam'
+require 'aws-sdk-sts'
+require 'fileutils'
+
+module Aws
+  module ASMR
+    ROOT = if ENV["AWS_ASMR_ROOT"] && !ENV["AWS_ASMR_ROOT"].empty?
+      Pathname.new(ENV["AWS_ASMR_ROOT"]).join('').to_s
+    else
+      Pathname.new(ENV['HOME']).join('.aws-asmr').to_s
+    end
+
+    # assume_role('arn', serial_number: 'serial-number', token_code: '012345')
+    def assume_role(assume_role_arn, **args)
+      sts = Aws::STS::Client.new(region: 'us-east-1')
+      res = sts.assume_role(
+        role_arn: assume_role_arn, 
+        role_session_name: "aws-asmr",
+        **args
+      )
+    end
+
+    def detect_mfa_device_serial_number
+      iam_client = Aws::IAM::Client.new(region: 'us-east-1')
+      res = iam_client.list_mfa_devices
+      res.mfa_devices.detect(&:serial_number)&.serial_number
+    end
+
+    module_function :assume_role, :detect_mfa_device_serial_number
+  end
+end
+
+require 'aws/asmr/cache'
+require 'aws/asmr/alias'

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: aws-asmr
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- metheglin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2023-01-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: tty-prompt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-sts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: ''
+email: pigmybank@gmail.com
+executables:
+- asmr
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- bin/asmr
+- lib/aws/asmr.rb
+- lib/aws/asmr/alias.rb
+- lib/aws/asmr/cache.rb
+- lib/aws/asmr/options.rb
+- lib/aws/asmr/version.rb
+homepage: https://rubygems.org/gems/aws-asmr
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.7'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: aws command line tool for ASMR. ASMR stands for AssumeRole, obviously!
+test_files: []