RubyGems - aws-keychain-util - Versions diffs - 0.0.3 → 0.0.4 - Mend

aws-keychain-util 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/README.md +15 -0
data/aws-keychain-util.gemspec +1 -2
data/bin/aws-creds +12 -7
data/lib/aws-keychain-util/credential_provider.rb +20 -0
metadata +3 -2

data/README.md CHANGED

@@ -46,6 +46,21 @@ set in the environment:
     $ aws-creds shell <name>
+To automatically grab AWS credentials from your keychain when using
+the aws-sdk gem, add the following code:
+    AWS.config(:credential_provider => AwsKeychainUtil::CredentialProvider.new('<name>', 'keychain name'))
+## Security
+Unfortunately, when Keychain whitelists either the `aws-creds` script
+or a ruby application that uses the CredentialProvider for aws-sdk,
+it whitelists `ruby` as a whole. This means *any* ruby script will
+be able to access your AWS credentials. We recommend that you either
+do not whitelist your script at all (don't click "Always Allow"), or
+use a dedicated keychain with an auto-lock interval of less than five
+minutes. Keychains created with `aws-creds` will automatically be
+configured to auto-lock at 5 minutes.
 ## Contributing

data/aws-keychain-util.gemspec CHANGED

@@ -1,11 +1,10 @@
 # -*- encoding: utf-8 -*-
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'aws-keychain-util/version'
 Gem::Specification.new do |gem|
   gem.name          = "aws-keychain-util"
-  gem.version       = '0.0.3'
+  gem.version       = '0.0.4'
   gem.authors       = ["Zach Wily"]
   gem.email         = ["zach@zwily.com"]
   gem.description   = %q{Helps manage a keychain of AWS credentials on OS X.}

data/bin/aws-creds CHANGED

@@ -16,14 +16,19 @@ end
 PREFS_FILE = File.expand_path "~/.aws-keychain-util"
 def load_keychain
-  unless File.exist? PREFS_FILE
-    puts "You have not set up aws-creds yet. To do so, run:"
-    puts "    #{$0} init"
-    exit 1
+  keychain = if File.exist? PREFS_FILE
+    prefs = JSON.parse(File.read(PREFS_FILE))
+    Keychain.open(prefs['aws_keychain_name'])
+  else
+    Keychain.default
   end
-  prefs = JSON.parse(File.read(PREFS_FILE))
-  Keychain.open(prefs['aws_keychain_name'])
+  if keychain.lock_interval > 300
+    $stderr.puts "Your keychain is *not* set to lock automatically in under five minutes. This could be dangerous."
+    if !File.exist? PREFS_FILE
+      $stderr.puts "You should probably run `#{$0} init` to create a new, secure keychain."
+    end
+  end
+  keychain
 end
 def get_item(name)

data/lib/aws-keychain-util/credential_provider.rb ADDED

@@ -0,0 +1,20 @@
+require 'keychain'
+module AwsKeychainUtil
+  class CredentialProvider
+    include AWS::Core::CredentialProviders::Provider
+    def initialize(item = 'AWS', keychain = nil)
+      @item, @keychain = item, keychain
+    end
+    def get_credentials
+      keychain = @keychain ? Keychain.open(@keychain) : Keychain.default
+      item = keychain.generic_passwords.where(:label => @item).first
+      {
+        access_key_id: item.attributes[:account],
+        secret_access_key: item.password
+      }
+    end
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-keychain-util
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-03-07 00:00:00.000000000 Z
+date: 2013-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-keychain
@@ -58,6 +58,7 @@ files:
 - Rakefile
 - aws-keychain-util.gemspec
 - bin/aws-creds
+- lib/aws-keychain-util/credential_provider.rb
 homepage: ''
 licenses: []
 post_install_message: