aws-google 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a88d08ce22738aaf30652e7e195a581cb44bd1797e0d65f02405f0f39850170f
-  data.tar.gz: ed9433f72205cb4d139674e4cd3a26285cf75595b149235f52d636ebde60552d
+  metadata.gz: 29e2bac01a2d62b1b156badf3fda404596d56fef92f5b8de438095362abea600
+  data.tar.gz: d25ac4ca974f4991120814679678a923375ede8bbfd0b189917344596f0d79ec
 SHA512:
-  metadata.gz: b706382bcfe06a1362f595d2f2193866c35e05d68d595bfb9b23d0f9f74d99229a3bc93046bdcbd003eb366da05b0c1085e1d639412011a0ce094d81e70703e5
-  data.tar.gz: 0b8a9f86ceb0fd79ddafa76c76d4c5bf3d53b338f10bd2086afdb5f3aed8a3638398fefe891852d03608e34dbe25e6329d96c54081d9a453c7836b54e9823bfd
+  metadata.gz: e2e26e77654e356c81c424dd76d679c09304f44a846bff66d6d204c845d9a918e0bac3dd99d6922c9e4cfb363d773dbcfd679c29f736e46eb52acccb5f4ba0f6
+  data.tar.gz: 9226a37c273473589a4f56ea3e49a7a9bb652d42b436e39f62f41124ccbd36bf101e4edbd6ee7d5a44e4138e91c135f72d5a6292f8149cc4e3f2272b809add19

data/README.md

@@ -21,8 +21,8 @@ Or install it yourself as:
 ## Usage
 
 - Visit the [Google API Console](https://console.developers.google.com/) to create/obtain OAuth 2.0 Client ID credentials (client ID and client secret) for an application in your Google account.
-- Create an AWS IAM Role with the desired IAM policies attached, and a 'trust relationship' (`AssumeRolePolicyDocument`) allowing the `sts:AssumeRoleWithWebIdentity` action to be permitted
-by your Google Client ID and a specific set of Google Account IDs:
+- Create an AWS IAM Role with the desired IAM policies attached, and a ['trust policy'](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy) ([`AssumeRolePolicyDocument`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html)) allowing the [`sts:AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) action with [Web Identity Federation condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif) authorizing
+your Google Client ID (`accounts.google.com:aud`) and a specific set of Google Account IDs (`accounts.google.com:sub`):
 
 ```json
 {
@@ -36,9 +36,7 @@ by your Google Client ID and a specific set of Google Account IDs:
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
         "StringEquals": {
-          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com"
-        },
-        "ForAnyValue:StringEquals": {
+          "accounts.google.com:aud": "123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com",
           "accounts.google.com:sub": [
             "000000000000000000000",
             "111111111111111111111"
@@ -79,6 +77,17 @@ Aws::Google.config = {
 puts Aws::STS::Client.new.get_caller_identity
 ```
 
+- Or, set `credential_process` in your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to `aws-google` to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) without any change to your application code:
+
+```
+[profile my_google]
+credential_process = aws-google --profile my_google
+aws_role = arn:aws:iam::[AccountID]:role/[Role]
+google_client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+google_client_secret = 01234567890abcdefghijklmn
+
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/aws-google.gemspec

@@ -23,11 +23,11 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'aws-sdk-core', '~> 3'
   spec.add_dependency 'google-api-client', '~> 0.23'
-  spec.add_dependency 'launchy', '~> 2' # Peer dependency of Google::APIClient::InstalledAppFlow
+  spec.add_dependency 'launchy', '~> 2'
 
   spec.add_development_dependency 'activesupport', '~> 5'
-  spec.add_development_dependency 'bundler', '~> 1'
-  spec.add_development_dependency 'minitest', '~> 5.10'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'minitest', '~> 5.14.2'
   spec.add_development_dependency 'mocha', '~> 1.5'
   spec.add_development_dependency 'rake', '~> 12'
   spec.add_development_dependency 'timecop', '~> 0.8'

data/exe/aws-google

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+
+# CLI to retrieve AWS credentials in credential_process format.
+# Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
+
+require 'aws/google'
+require 'time'
+require 'json'
+require 'optparse'
+
+def error(msg)
+  puts msg
+  exit 1
+end
+
+options = {}
+OptionParser.new do |opts|
+  opts.on('-p PROFILE', '--profile PROFILE', 'Profile') do |p|
+    options[:profile] = p
+  end
+  opts.on('-v', '--version', 'Version') do
+    require 'aws/google/version'
+    puts Aws::Google::VERSION
+    exit 0
+  end
+  opts.on('-r ROLE', '--role ROLE', 'AWS Role arn') do |r|
+    options[:role_arn] = r
+  end
+  opts.on('-i ID', '--client-id ID', 'Google Client ID') do |id|
+    options[:google_client_id] = id
+  end
+  opts.on('-s SECRET', '--client-secret SECRET', 'Google Client Secret') do |secret|
+    options[:google_client_secret] = secret
+  end
+  opts.on('-h DOMAIN', '--domain DOMAIN', 'Google Domain') do |hd|
+    options[:domain] = hd
+  end
+  opts.on('-d DURATION', '--duration DURATION', 'Duration in seconds') do |d|
+    options[:duration_seconds] = d.to_i
+  end
+  opts.on('--port PORT', 'Port number for local server') do |p|
+    options[:port] = p.to_i
+  end
+  opts.on('--online', 'Online authentication, no refresh token') do |o|
+    options[:online] = true
+  end
+end.parse!
+
+config = Aws.shared_config
+profile = options[:profile] || ENV['AWS_PROFILE'] || 'default'
+
+options[:role_arn] ||= config.get('aws_role', profile: profile) ||
+                   error('Missing config: aws_role')
+options[:google_client_id] ||= config.get('google_client_id', profile: profile) ||
+                        error('Missing config: google_client_id')
+options[:google_client_secret] ||= config.get('google_client_secret', profile: profile) ||
+                            error('Missing config: google_client_secret')
+
+# Cache temporary-session credentials in a separately-named profile.
+# Stored credentials take priority over credential_process,
+# so they would never be refreshed if stored in the same profile.
+options[:profile] += '_session'
+google = Aws::Google.new(options)
+credentials = google.credentials
+output = {
+  Version: 1,
+  AccessKeyId: credentials.access_key_id,
+  SecretAccessKey: credentials.secret_access_key,
+  SessionToken: credentials.session_token,
+  Expiration: Time.at(google.expiration.to_i).iso8601
+}
+require 'json'
+puts output.to_json

data/lib/aws/google.rb

@@ -39,7 +39,7 @@ module Aws
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
-    #                 Defaults to an out-of-band authentication process.
+    #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
     # @option options [::Google::Auth::ClientId] :google_id
     def initialize(options = {})
       @oauth_attempted = false
@@ -56,7 +56,7 @@ module Aws
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
-      @port = options[:port]
+      @port = options[:port] || 1234
 
       # Use existing AWS credentials stored in the shared config if available.
       # If this is `nil` or expired, #refresh will be called on the first AWS API service call
@@ -105,8 +105,18 @@ module Aws
       credentials.tap(&storage.method(:write_credentials))
     end
 
+    def silence_output
+      outs = [$stdout, $stderr]
+      clones = outs.map(&:clone)
+      outs.each { |io| io.reopen '/dev/null'}
+      yield
+    ensure
+      outs.each_with_index { |io, i| io.reopen(clones[i]) }
+    end
+
     def get_oauth_code(client, options)
-      raise 'fallback' unless @port
+      raise 'fallback' unless @port && !@port.zero?
+
       require 'launchy'
       require 'webrick'
       code = nil
@@ -123,26 +133,29 @@ module Aws
       end
       trap('INT') { server.shutdown }
       client.redirect_uri = "http://localhost:#{@port}"
-      launchy = Launchy.open(client.authorization_uri(options).to_s)
-      server_thread = Thread.new do
-        begin
-          server.start
-        ensure server.shutdown
+      silence_output do
+        launchy = Launchy.open(client.authorization_uri(options).to_s)
+        server_thread = Thread.new do
+          begin
+            server.start
+          ensure server.shutdown
+          end
+        end
+        while server_thread.alive?
+          raise 'fallback' if !launchy.alive? && !launchy.value.success?
+
+          sleep 0.1
         end
-      end
-      while server_thread.alive?
-        raise 'fallback' if !launchy.alive? && !launchy.value.success?
-        sleep 0.1
       end
       code || raise('fallback')
     rescue StandardError
       trap('INT', 'DEFAULT')
       # Fallback to out-of-band authentication if browser launch failed.
       client.redirect_uri = 'oob'
-      url = client.authorization_uri(options)
-      print "\nOpen the following URL in a browser and enter the " \
-             "resulting code after authorization:\n#{url}\n> "
-      gets
+      return ENV['OAUTH_CODE'] if ENV['OAUTH_CODE']
+
+      raise RuntimeError, 'Open the following URL in a browser to get a code,' \
+             "export to $OAUTH_CODE and rerun:\n#{client.authorization_uri(options)}", []
     end
 
     def refresh
@@ -176,7 +189,7 @@ module Aws
         raise e, "\nYour Google ID does not have access to the requested AWS Role. Ask your administrator to provide access.
 Role: #{@assume_role_params[:role_arn]}
 Email: #{token_params['email']}
-Google ID: #{token_params['sub']}", e.backtrace
+Google ID: #{token_params['sub']}", []
       end
 
       c = assume_role.credentials

data/lib/aws/google/version.rb

@@ -1,5 +1,5 @@
 module Aws
   class Google
-    VERSION = '0.1.2'.freeze
+    VERSION = '0.1.3'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-google
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Will Jordan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-03-18 00:00:00.000000000 Z
+date: 2020-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -70,30 +70,30 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.10'
+        version: 5.14.2
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -153,7 +153,8 @@ dependencies:
 description: Use Google OAuth as an AWS credential provider.
 email:
 - will@code.org
-executables: []
+executables:
+- aws-google
 extensions: []
 extra_rdoc_files: []
 files:
@@ -166,6 +167,7 @@ files:
 - aws-google.gemspec
 - bin/console
 - bin/setup
+- exe/aws-google
 - lib/aws/google.rb
 - lib/aws/google/credential_provider.rb
 - lib/aws/google/version.rb
@@ -189,8 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.4
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Use Google OAuth as an AWS credential provider