aws-keychain-util 0.0.3 → 0.0.4

data/README.md

@@ -46,6 +46,21 @@ set in the environment:
 
     $ aws-creds shell <name>
 
+To automatically grab AWS credentials from your keychain when using
+the aws-sdk gem, add the following code:
+
+    AWS.config(:credential_provider => AwsKeychainUtil::CredentialProvider.new('<name>', 'keychain name'))
+
+## Security
+
+Unfortunately, when Keychain whitelists either the `aws-creds` script
+or a ruby application that uses the CredentialProvider for aws-sdk,
+it whitelists `ruby` as a whole. This means *any* ruby script will
+be able to access your AWS credentials. We recommend that you either
+do not whitelist your script at all (don't click "Always Allow"), or
+use a dedicated keychain with an auto-lock interval of less than five
+minutes. Keychains created with `aws-creds` will automatically be
+configured to auto-lock at 5 minutes.
 
 ## Contributing
 

data/aws-keychain-util.gemspec

@@ -1,11 +1,10 @@
 # -*- encoding: utf-8 -*-
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'aws-keychain-util/version'
 
 Gem::Specification.new do |gem|
   gem.name          = "aws-keychain-util"
-  gem.version       = '0.0.3'
+  gem.version       = '0.0.4'
   gem.authors       = ["Zach Wily"]
   gem.email         = ["zach@zwily.com"]
   gem.description   = %q{Helps manage a keychain of AWS credentials on OS X.}

data/bin/aws-creds

@@ -16,14 +16,19 @@ end
 PREFS_FILE = File.expand_path "~/.aws-keychain-util"
 
 def load_keychain
-  unless File.exist? PREFS_FILE
-    puts "You have not set up aws-creds yet. To do so, run:"
-    puts "    #{$0} init"
-    exit 1
+  keychain = if File.exist? PREFS_FILE
+    prefs = JSON.parse(File.read(PREFS_FILE))
+    Keychain.open(prefs['aws_keychain_name'])
+  else
+    Keychain.default
   end
-
-  prefs = JSON.parse(File.read(PREFS_FILE))
-  Keychain.open(prefs['aws_keychain_name'])
+  if keychain.lock_interval > 300
+    $stderr.puts "Your keychain is *not* set to lock automatically in under five minutes. This could be dangerous."
+    if !File.exist? PREFS_FILE
+      $stderr.puts "You should probably run `#{$0} init` to create a new, secure keychain."
+    end
+  end
+  keychain
 end
 
 def get_item(name)

data/lib/aws-keychain-util/credential_provider.rb

@@ -0,0 +1,20 @@
+require 'keychain'
+
+module AwsKeychainUtil
+  class CredentialProvider
+    include AWS::Core::CredentialProviders::Provider
+
+    def initialize(item = 'AWS', keychain = nil)
+      @item, @keychain = item, keychain
+    end
+
+    def get_credentials
+      keychain = @keychain ? Keychain.open(@keychain) : Keychain.default
+      item = keychain.generic_passwords.where(:label => @item).first
+      {
+        access_key_id: item.attributes[:account],
+        secret_access_key: item.password
+      }
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-keychain-util
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-07 00:00:00.000000000 Z
+date: 2013-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-keychain
@@ -58,6 +58,7 @@ files:
 - Rakefile
 - aws-keychain-util.gemspec
 - bin/aws-creds
+- lib/aws-keychain-util/credential_provider.rb
 homepage: ''
 licenses: []
 post_install_message: