aws-keychain-util 0.0.12 → 0.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 27605c262ccf5d07a36f56918a04d4b9c3f012ad
-  data.tar.gz: 8790d93d8bc976e41cf132fb9724f88a38917181
+  metadata.gz: 90edd8647b398a66b149ca02c9d6790b6e7d6a1e
+  data.tar.gz: 9dfa7feb0b5fe3b00147704f9135fdc89a724cef
 SHA512:
-  metadata.gz: 40cbeceef571c407749c645ee1fb72b748dddee8564a13c58406282da439dd6dbbcf6e5721ab705945ada9b0b59d9f2d5c1380fee7895955fb4b3a5db661cb51
-  data.tar.gz: 523a878f9f686ce5ef81e409957cfc778a40813584d0340f0ecfc12af07c26c20d540b0d0d5817b2e94ba813ffd09f51192a747da7a0413c7084044426a59d02
+  metadata.gz: 0478d2ca301dda7bf6866bf4c237caf9b01bec3f8934de48422e3b1a202d23f31f47ce0595b9764603fd9aba70e83656d7a44384dcc080d211e2c2d084b2d6cc
+  data.tar.gz: d6ba9c8718e9c7a4ddbc7a11502a00c430eb35006d134005336010667f62ffea3acf37e1d546639aee9aa9fcc3b4f86754d8f5bfa033b2c9a0c30bc92e66d1a9

data/.rubocop.yml

@@ -0,0 +1,7 @@
+Metrics/LineLength:
+  Max: 120
+
+AllCops:
+  Includes:
+    - Rakefile
+

data/README.md

@@ -53,15 +53,29 @@ you can source into your shell:
 
     $ aws-creds env <name>
 
+If you want to load the credentials into your *current* shell, add a function
+like this to your `.bashrc`:
+
+    aws-shell() { eval "$(/usr/bin/env aws-creds env $@)"; }
+
+Then, you can use `aws-shell <name>`. This can be slightly more convenient as
+you keep shell history around.
+
 To always load the given environment in your shell, add the following to
 your .bashrc or .zshrc
 
-    source `aws-creds env <name>`
+    eval "$(aws-creds env <name>)"
 
 To automatically grab AWS credentials from your keychain when using
 the aws-sdk gem, add the following code:
 
-    AWS.config(:credential_provider => AwsKeychainUtil::CredentialProvider.new('<name>', 'keychain name'))
+    require 'aws-keychain-util/credential_provider'
+    Aws.config[:credentials] = AwsKeychainUtil::CredentialProvider.new('<name>', 'keychain name')
+
+To remove an item from your aws keychain:
+
+    $ aws-creds rm <name>
+
 
 ## AWS Multi-Factor Authentication (MFA) 
 
@@ -86,6 +100,27 @@ The tool also tracks mfa expiration, and automatically removes expired tokens wh
 or source your env.
 
 
+## AWS Assume Role credentials
+
+It's also possible assume a role that specifies a set of permissions that you can use to access
+AWS resources that you need for a limited time. The role can be in your own account or any other AWS account.
+
+For information about how to create and configure Roles, see
+ IAM Roles[Here](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+
+In order to configure a role run:
+
+     $ aws-creds add-role <name>
+
+Then to assume a role, you need to run:
+
+    $ aws-creds assume-role <name> <role-name>
+    
+Then you just need to either open a fresh shell for the `<name>` key or re-source your environment.
+
+The tool also tracks role expiration, and automatically removes expired tokens when you open a new shell 
+or source your env.
+
 ## Security
 
 Unfortunately, when Keychain whitelists either the `aws-creds` script

data/Rakefile

@@ -1 +1,6 @@
-require "bundler/gem_tasks"
+require 'bundler/gem_tasks'
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new do |rubocop|
+  rubocop.options = ['-D']
+end

data/aws-keychain-util.gemspec

@@ -3,20 +3,22 @@ lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |gem|
-  gem.name          = "aws-keychain-util"
-  gem.version       = '0.0.12'
-  gem.authors       = ["Zach Wily"]
-  gem.email         = ["zach@zwily.com"]
-  gem.description   = %q{Helps manage a keychain of AWS credentials on OS X.}
-  gem.summary       = %q{Helps manage a keychain of AWS credentials on OS X.}
-  gem.homepage      = ""
+  gem.name          = 'aws-keychain-util'
+  gem.version       = '0.0.13'
+  gem.authors       = ['Zach Wily']
+  gem.email         = ['zach@zwily.com']
+  gem.description   = 'Helps manage a keychain of AWS credentials on OS X.'
+  gem.summary       = 'Helps manage a keychain of AWS credentials on OS X.'
+  gem.homepage      = ''
 
-  gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
-  gem.require_paths = ["lib"]
+  gem.require_paths = ['lib']
 
   gem.add_dependency('ruby-keychain', '~> 0.2.0')
   gem.add_dependency('highline')
-  gem.add_dependency('aws-sdk-v1')
+  gem.add_dependency('aws-sdk', '> 2.0')
+  gem.add_development_dependency 'rubocop'
+  gem.add_development_dependency 'rake'
 end

data/bin/aws-creds

@@ -1,15 +1,22 @@
 #!/usr/bin/env ruby
 
-if $0 == "bin/aws-creds"
-  $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__)) + "/../lib")
+if $PROGRAM_NAME == 'bin/aws-creds'
+  $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__)) + '/../lib')
 end
 
 require 'rubygems'
 require 'highline'
 require 'keychain'
 require 'json'
-require 'aws-keychain-util'
-require 'aws-sdk-v1'
+require 'aws_keychain_util'
+require 'aws-sdk'
+
+trap('SIGINT') do
+  puts
+  $stderr.puts "\nExecution aborted."
+  puts
+  exit 1
+end
 
 def ask(question)
   HighLine.new.ask(question)
@@ -22,53 +29,74 @@ end
 def load_keychain
   keychain = AwsKeychainUtil.load_keychain
   if keychain && keychain.lock_interval > 300
-    $stderr.puts "Your keychain is *not* set to lock automatically in under five minutes. This could be dangerous."
-    if !File.exist? AwsKeychainUtil::PREFS_FILE
-      $stderr.puts "You should probably run `#{$0} init` to create a new, secure keychain."
+    $stderr.puts 'Your keychain is *not* set to lock automatically in under five minutes. This could be dangerous.'
+    unless File.exist? AwsKeychainUtil::PREFS_FILE
+      $stderr.puts "You should probably run `#{$PROGRAM_NAME} init` to create a new, secure keychain."
     end
   end
   keychain
 end
 
 def get_item(name)
-  load_keychain.generic_passwords.where(:label => name).first
+  load_keychain.generic_passwords.where(label: name).first
+end
+
+def delete_expired(key, token)
+  expires_at = Time.at(key.attributes[:comment].to_i)
+  if expires_at < Time.now
+    delete_pair(key, token, '# Removing expired STS credentials')
+    key = nil
+    token = nil
+  end
+  [key, token]
+end
+
+def delete_pair(key, token, message)
+  puts message
+  token.delete if token
+  key.delete if key
 end
 
 def get_name_from_args_for_command(command)
-  if ARGV.length < 1
-    puts "Usage: #{$0} #{command} <name>"
+  if ARGV.empty?
+    puts "Usage: #{$PROGRAM_NAME} #{command} <name>"
     exit 1
   end
   ARGV.shift
 end
 
+def get_valid_item(name)
+  item = get_item(name)
+  unless item
+    puts "Could not find item with name #{name}"
+    exit 1
+  end
+  item
+end
+
 def get_item_from_args_for_command(command)
   name = get_name_from_args_for_command(command)
+
+  role_key = get_item("#{name} role-key")
+  role_token = get_item("#{name} role-token")
+  role_key, role_token = delete_expired(role_key, role_token) if role_key
+
   item_mfa = get_item("#{name} mfa")
   item_token = get_item("#{name} token")
-  if item_mfa
-    if item_mfa.attributes[:comment]
-      expires_at = Time.at(item_mfa.attributes[:comment].to_i)
-      if expires_at < Time.now
-          puts "# Removing expired STS credentials"
-          item_token.delete
-          item_token = nil
-          item_mfa.delete
-          item_mfa = nil
-      end
-    end
+  item_mfa, item_token = delete_expired(item_mfa, item_token) if item_mfa
+
+  if role_key && role_token
+    puts '# Using temporary STS role credentials'
+    return role_key, role_token
   end
-  if item_mfa and item_token
-    puts "# Using temporary STS credentials"
+
+  if item_mfa && item_token
+    puts '# Using temporary STS credentials'
     return item_mfa, item_token
   end
 
-  item = get_item(name)
-  unless item
-    puts "Could not find item with name #{name}"
-    exit 1
-  end
-  return item, nil
+  item = get_valid_item(name)
+  [item, nil]
 end
 
 command = ARGV.shift
@@ -81,107 +109,182 @@ when 'init'
   end
 
   name = ask("Name for AWS keychain (default: 'aws'): ")
-  name = "aws" if name == ""
+  name = 'aws' if name == ''
 
   shell_arguments = ask("Shell arguments (default: '--login'): ")
-  shell_arguments = "--login" if shell_arguments == ""
+  shell_arguments = '--login' if shell_arguments == ''
 
-  puts "The OS will now ask you for a password to protect your keychain. Choose wisely."
+  puts 'The OS will now ask you for a password to protect your keychain. Choose wisely.'
   keychain = Keychain.create(name)
   keychain.lock_interval = 300
   keychain.lock_on_sleep = true
 
   $prefs = { 'aws_keychain_name' => name, 'shell_arguments' => shell_arguments }
-  File.new(AwsKeychainUtil::PREFS_FILE, "w").write JSON.dump($prefs)
+  File.new(AwsKeychainUtil::PREFS_FILE, 'w').write JSON.dump($prefs)
 
-  puts "Your AWS keychain has been created and configured to auto-lock after"
-  puts "5 minutes, and when sleeping. You can change those options in"
-  puts "Keychain Access."
+  puts 'Your AWS keychain has been created and configured to auto-lock after'
+  puts '5 minutes, and when sleeping. You can change those options in'
+  puts 'Keychain Access.'
   puts
-  puts "You can now add accounts to the keychain with:"
-  puts "    #{$0} add"
+  puts 'You can now add accounts to the keychain with:'
+  puts "    #{$PROGRAM_NAME} add"
 
 when 'ls'
   keychain = load_keychain
-  keychain.generic_passwords.all.sort {|a,b|
+  items = keychain.generic_passwords.all.sort do |a, b|
     a.attributes[:label] <=> b.attributes[:label]
-  }.each do |item|
+  end
+  items.each do |item|
     puts "  #{item.attributes[:label]}"
   end
 
 when 'add'
   keychain = load_keychain
-  name     =        ask("      account name: ")
-  account  =        ask("     access key id: ")
-  password = ask_secure(" secret_access_key: ")
-  arn      =        ask("           mfa arn: ")
+  name     =        ask('      account name: ')
+  account  =        ask('     access key id: ')
+  password = ask_secure(' secret_access_key: ')
+  arn      =        ask('           mfa arn: ')
 
   item = keychain.generic_passwords.create(
-    :label => name,
-    :account => account,
-    :password => password,
-    :comment => arn
+    label: name,
+    account: account,
+    password: password,
+    comment: arn
   )
 
 when 'cat'
   item, token = get_item_from_args_for_command('cat')
   puts "AWS_ACCESS_KEY_ID=#{item.attributes[:account]}"
   puts "AWS_SECRET_ACCESS_KEY=#{item.password}"
-  if token
-    puts "AWS_SECURITY_TOKEN=#{token.password}"
-  end
+  puts "AWS_SECURITY_TOKEN=#{token.password}" if token
 
 when 'rm'
   item, token = get_item_from_args_for_command('rm')
-  item.delete
+  delete_pair(item, token, '# Removing credentials')
+
+when 'add-role'
+  keychain = load_keychain
+  name = get_name_from_args_for_command('add-role')
+  item = get_valid_item(name)
+
+  role     = ask('         role name: ')
+  arn      = ask('          role arn: ')
+
+  keychain.generic_passwords.create(
+    label: "#{name} role #{role}",
+    account: role,
+    password: '',
+    comment: arn
+  )
+
+when 'assume-role'
+  keychain = load_keychain
+  name = ARGV.shift
+  role_name = ARGV.shift
+  code = ARGV.shift
+
+  unless name
+    puts "Usage: #{$PROGRAM_NAME} assume-role <name> <role-name> [<mfa>]"
+    exit 1
+  end
+
+  item = get_valid_item(name)
+
+  role_key = get_item("#{name} role-key")
+  role_token = get_item("#{name} role-token")
+  delete_pair(role_key, role_token, '# Removing STS role credentials') if role_key
+
+  sts_item = get_item("#{name} mfa")
+  sts_token = get_item("#{name} token")
+  delete_pair(sts_item, sts_token, '# Removing STS credentials') if sts_item
+
+  exit 0 if 'none' == role_name || role_name.nil?
+
+  item_role = get_valid_item("#{name} role #{role_name}")
+
+  sts = Aws::STS::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
+
+  begin
+      if code
+        response = sts.assume_role(duration_seconds: (60 * 60 * 1),
+                                   role_arn: item_role.attributes[:comment],
+                                   role_session_name: item_role.attributes[:account],
+                                   serial_number: item.attributes[:comment],
+                                   token_code: code)
+      else
+        response = sts.assume_role(duration_seconds: (60 * 60 * 1),
+                                   role_arn: item_role.attributes[:comment],
+                                   role_session_name: item_role.attributes[:account])
+      end
+      keychain.generic_passwords.create(label: "#{name} role-key",
+                                        account: response.credentials[:access_key_id],
+                                        password: response.credentials[:secret_access_key],
+                                        comment: response.credentials[:expiration].to_i.to_s)
+      keychain.generic_passwords.create(label: "#{name} role-token",
+                                        account: "#{response.credentials[:access_key_id]}_token",
+                                        password: response.credentials[:session_token],
+                                        comment: "#{name} role #{role_name}")
+
+      puts "AssumeRoleAuthentication succeeded, expiration is #{response.credentials[:expiration]}"
+    rescue Aws::STS::Errors::AccessDenied => e
+      puts e.to_s
+    end
 
 when 'mfa'
   keychain = load_keychain
   item_name = ARGV.shift
   code = ARGV.shift
-  if not item_name or not code
-    puts "Usage: aws-creds mfa <item-name> <mfa-code>"
-    exit(1)
+  if !item_name || !code
+    puts "Usage: #{$PROGRAM_NAME} mfa <name> <mfa-code>"
+    exit 1
   end
 
+  role_key = get_item("#{item_name} role-key")
+  role_token = get_item("#{item_name} role-token")
+  delete_pair(role_key, role_token, '# Removing STS role credentials')
+
   sts_item = get_item("#{item_name} mfa")
   sts_token = get_item("#{item_name} token")
-  if sts_item
-    puts "Removing existing STS credentials"
-    sts_item.delete
-    sts_token.delete if sts_token
-  end
+  delete_pair(sts_item, sts_token, '# Removing STS credentials')
 
   item, token = get_item(item_name)
-  sts = AWS::STS.new(:access_key_id => item.attributes[:account], :secret_access_key => item.password)
+  sts = Aws::STS::Client.new(access_key_id: item.attributes[:account],
+                             secret_access_key: item.password)
   begin
-    response = sts.new_session(:duration => (60 * 60 * 12), :serial_number => item.attributes[:comment], :token_code => code)
-    temp_item = keychain.generic_passwords.create(:label => "#{item_name} mfa",
-                                                  :account => response.credentials[:access_key_id],
-                                                  :password=> response.credentials[:secret_access_key],
-                                                  :comment => response.expires_at.to_i.to_s)
-    temp_token = keychain.generic_passwords.create(:label => "#{item_name} token",
-                                                  :account => "#{response.credentials[:access_key_id]}_token",
-                                                  :password=> response.credentials[:session_token],
-                                                  :comment => response.expires_at.to_i.to_s)
-
-    puts "MultiFactorAuthentication succeeded, expiration is #{response.expires_at}"
-  rescue AWS::STS::Errors::AccessDenied => e
+    response = sts.get_session_token(duration_seconds: (60 * 60 * 12),
+                                     serial_number: item.attributes[:comment],
+                                     token_code: code)
+    keychain.generic_passwords.create(label: "#{item_name} mfa",
+                                      account: response.credentials[:access_key_id],
+                                      password: response.credentials[:secret_access_key],
+                                      comment: response.credentials[:expiration].to_i.to_s)
+    keychain.generic_passwords.create(label: "#{item_name} token",
+                                      account: "#{response.credentials[:access_key_id]}_token",
+                                      password: response.credentials[:session_token],
+                                      comment: "#{item_name} mfa")
+
+    puts "MultiFactorAuthentication succeeded, expiration is #{response.credentials[:expiration]}"
+  rescue Aws::STS::Errors::AccessDenied => e
     puts e.to_s
   end
 
 when 'env'
-  item, token = get_item_from_args_for_command('shell')
+  item, token = get_item_from_args_for_command('env')
   key = item.password
   puts "export AWS_ACCESS_KEY_ID=\"#{item.attributes[:account]}\""
   puts "export AWS_ACCESS_KEY=\"#{item.attributes[:account]}\""
   puts "export AWS_SECRET_ACCESS_KEY=\"#{key}\""
   puts "export AWS_SECRET_KEY=\"#{key}\""
-  puts "export RPROMPT=\"(aws #{item.attributes[:label]})\""
-  puts "export AWS_CREDS_NAME=\"#{item.attributes[:label]}\""
   if token
+    puts "export RPROMPT=\"(aws #{token.attributes[:comment]})\""
+    puts "export AWS_CREDS_NAME=\"#{token.attributes[:comment]}\""
     puts "export AWS_SECURITY_TOKEN=\"#{token.password}\""
     puts "export AWS_SESSION_TOKEN=\"#{token.password}\""
+  else
+    puts "export RPROMPT=\"(aws #{item.attributes[:label]})\""
+    puts "export AWS_CREDS_NAME=\"#{item.attributes[:label]}\""
+    puts 'unset AWS_SECURITY_TOKEN'
+    puts 'unset AWS_SESSION_TOKEN'
   end
 
 when 'shell'
@@ -196,13 +299,16 @@ when 'shell'
   aws_env = {}
   aws_env['AWS_ACCESS_KEY_ID'] = aws_env['AWS_ACCESS_KEY'] = item.attributes[:account]
   aws_env['AWS_SECRET_ACCESS_KEY'] = aws_env['AWS_SECRET_KEY'] = item.password
-  aws_env['AWS_CREDS_NAME'] = item.attributes[:label]
   if token
+    aws_env['AWS_CREDS_NAME'] = token.attributes[:comment]
     aws_env['AWS_SECURITY_TOKEN'] = aws_env['AWS_SESSION_TOKEN'] = token.password
+  else
+    aws_env['AWS_CREDS_NAME'] = item.attributes[:label]
   end
 
   if ARGV.empty?
     aws_env['RPROMPT'] = "(aws #{item.attributes[:label]})" # zsh only
+
     if prefs['shell_arguments']
       exec(aws_env, ENV['SHELL'], prefs['shell_arguments'])
     else
@@ -213,6 +319,6 @@ when 'shell'
   end
 
 else
-  puts "Usage: #{$0} <command> <arguments>"
-  puts "  Commands: init, ls, add, cat, env, mfa, rm, shell"
+  puts "Usage: #{$PROGRAM_NAME} <command> <arguments>"
+  puts '  Commands: init, ls, add, add-role, assume-role, cat, env, mfa, rm, shell'
 end

data/lib/aws-keychain-util/credential_provider.rb

@@ -3,23 +3,21 @@ require 'keychain'
 require 'aws-keychain-util'
 
 module AwsKeychainUtil
+  # class to automatically grab AWS credentials from your keychain
   class CredentialProvider
-    include AWS::Core::CredentialProviders::Provider
+    include Aws::CredentialProvider
 
     attr_reader :item, :keychain
 
     def initialize(item = 'AWS', keychain = nil)
-      @item, @keychain = item, keychain
+      @item = item
+      @keychain = keychain
     end
 
-    def get_credentials
+    def credentials
       keychain = @keychain ? Keychain.open(@keychain) : AwsKeychainUtil.load_keychain
-      item = keychain.generic_passwords.where(:label => @item).first
-      return {} unless item
-      {
-        access_key_id: item.attributes[:account],
-        secret_access_key: item.password
-      }
+      item = keychain.generic_passwords.where(label: @item).first
+      Aws::Credentials.new(item.attributes[:account], item.password)
     end
   end
 end

data/lib/{aws-keychain-util.rb → aws_keychain_util.rb}

@@ -1,5 +1,6 @@
+# Utility class to hold runtime config.
 module AwsKeychainUtil
-  PREFS_FILE = File.expand_path "~/.aws-keychain-util"
+  PREFS_FILE = File.expand_path '~/.aws-keychain-util'
 
   def self.load_keychain
     name = prefs['aws_keychain_name']

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-keychain-util
 version: !ruby/object:Gem::Version
-  version: 0.0.12
+  version: 0.0.13
 platform: ruby
 authors:
 - Zach Wily
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-31 00:00:00.000000000 Z
+date: 2017-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-keychain
@@ -39,13 +39,41 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-v1
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -61,14 +89,15 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - aws-keychain-util.gemspec
 - bin/aws-creds
-- lib/aws-keychain-util.rb
 - lib/aws-keychain-util/credential_provider.rb
+- lib/aws_keychain_util.rb
 homepage: ''
 licenses: []
 metadata: {}
@@ -93,4 +122,3 @@ signing_key:
 specification_version: 4
 summary: Helps manage a keychain of AWS credentials on OS X.
 test_files: []
-has_rdoc: