aws-mfa-secure 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +7 -7
- data/lib/aws_mfa_secure.rb +4 -0
- data/lib/aws_mfa_secure/base.rb +5 -6
- data/lib/aws_mfa_secure/clean.rb +12 -0
- data/lib/aws_mfa_secure/cli.rb +6 -0
- data/lib/aws_mfa_secure/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8c9d8a66e1c28de429063690051bc89c34d92aa9aa0667e538d95083ea4f72c3
|
|
4
|
+
data.tar.gz: fe4597dcaf3cb1cdfacf99e21a86403a5c5e2cd122e16a0fc971d1ddd5cc1a2f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e13b9de3cde7d9e39405acf453288a8f387bdb5b60998079e73295f80bbd7595147a75e15694b27cb18cfc88d4b13f0114852fd34bfdbb62949d362317f5b801
|
|
7
|
+
data.tar.gz: dc110c7877b6e525e7890e3278b6bd41a74f471d7e5a5573c4f95bdd24d313e66ed431574740c7a284a65f5bcd10cb78ec59c8d2846c3df706f1813f11df6fae
|
data/CHANGELOG.md
CHANGED
|
@@ -3,5 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [0.2.0]
|
|
7
|
+
- add clean command
|
|
8
|
+
- flush memo cache for updated aws tokens
|
|
9
|
+
|
|
6
10
|
## [0.1.0]
|
|
7
11
|
- Initial release.
|
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
[](http://badge.fury.io/rb/aws-mfa-secure)
|
|
4
4
|
|
|
5
|
-
Surprisingly, the [aws cli](https://docs.aws.amazon.com/cli/latest/reference/) does not yet support MFA for normal IAM users. See: https://github.com/boto/botocore/pull/1399 The aws-mfa-secure tool decorates the AWS CLI or API to handle MFA authentication. The MFA prompt only activates if `mfa_serial` is configured.
|
|
5
|
+
Surprisingly, the [aws cli](https://docs.aws.amazon.com/cli/latest/reference/) does not yet support MFA for normal IAM users. See: [boto/botocore/pull/1399](https://github.com/boto/botocore/pull/1399) The aws-mfa-secure tool decorates the AWS CLI or API to handle MFA authentication. The MFA prompt only activates if `mfa_serial` is configured.
|
|
6
6
|
|
|
7
7
|
## Installation
|
|
8
8
|
|
|
@@ -18,7 +18,7 @@ Prerequisite: The [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/) i
|
|
|
18
18
|
|
|
19
19
|
1. Configure `~/.aws/credentials` with `mfa_serial`
|
|
20
20
|
2. Set up bash alias
|
|
21
|
-
3. Use aws cli like
|
|
21
|
+
3. Use aws cli like you normally would
|
|
22
22
|
|
|
23
23
|
### Configure ~/.aws/credentials with mfa_serial
|
|
24
24
|
|
|
@@ -31,7 +31,7 @@ Set up `mfa_serial` in credentials file for the profile section that requires it
|
|
|
31
31
|
aws_secret_access_key = ABCDl4hXikfOHTvNqFAnb2Ea62bUuu/eUEXAMPLE
|
|
32
32
|
mfa_serial = arn:aws:iam::112233445566:mfa/MFAUser
|
|
33
33
|
|
|
34
|
-
Note: AWS already supports `mfa_serial` assumed roles: [AWS Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). The aws-mfa-secure tool does not decorate for assumed roles and lets the AWS CLI or SDK handle it.
|
|
34
|
+
Note: AWS already supports `mfa_serial` for assumed roles: [AWS Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). The aws-mfa-secure tool does not decorate for assumed roles and lets the AWS CLI or SDK handle it. The aws-mfa-secure tool adds support for standard IAM users, which is not currently supported. See: [boto/botocore/pull/1399](https://github.com/boto/botocore/pull/1399)
|
|
35
35
|
|
|
36
36
|
### Set up bash alias
|
|
37
37
|
|
|
@@ -41,7 +41,7 @@ You may want to add the alias to your `~/.bash_profile`
|
|
|
41
41
|
|
|
42
42
|
Autocompletion still works with the alias.
|
|
43
43
|
|
|
44
|
-
### Use aws cli like
|
|
44
|
+
### Use aws cli like usual
|
|
45
45
|
|
|
46
46
|
Call `aws` command like you usually would:
|
|
47
47
|
|
|
@@ -78,7 +78,7 @@ Except `aws-mfa-secure session` will use the temporary session environment `AWS_
|
|
|
78
78
|
|
|
79
79
|
## Exports
|
|
80
80
|
|
|
81
|
-
You can also generate
|
|
81
|
+
You can also generate an exports script. The exports technique is useful for tools that do not yet support MFA. Using `AWS_*` env variables for credentials should allow those tools to work. Though, it may depend on the tool as they sometimes hardcode a credentials configuration. Example:
|
|
82
82
|
|
|
83
83
|
$ aws-mfa-secure exports
|
|
84
84
|
Please provide your MFA code: 147280
|
|
@@ -107,11 +107,11 @@ This patches the aws-sdk-ruby library and adds MFA support.
|
|
|
107
107
|
|
|
108
108
|
You can also set the MFA info with env variables. They take the highest precedence and override what's in `~/.aws/credentials`. Example:
|
|
109
109
|
|
|
110
|
-
AWS_MFA_TOKEN=112233 arn:aws:iam::112233445566:mfa/MFAUser aws s3 ls
|
|
110
|
+
AWS_MFA_TOKEN=112233 AWS_MFA_SERIAL=arn:aws:iam::112233445566:mfa/MFAUser aws s3 ls
|
|
111
111
|
|
|
112
112
|
## How It Works
|
|
113
113
|
|
|
114
|
-
|
|
114
|
+
Docs: [How It Works](docs/how-it-works.md)
|
|
115
115
|
|
|
116
116
|
## Related
|
|
117
117
|
|
data/lib/aws_mfa_secure.rb
CHANGED
|
@@ -1,11 +1,15 @@
|
|
|
1
1
|
$:.unshift(File.expand_path("../", __FILE__))
|
|
2
2
|
require "aws_mfa_secure/version"
|
|
3
|
+
require "active_support/core_ext/hash"
|
|
4
|
+
require "active_support/core_ext/string"
|
|
5
|
+
require "fileutils"
|
|
3
6
|
require "rainbow/ext/string"
|
|
4
7
|
|
|
5
8
|
require "aws_mfa_secure/autoloader"
|
|
6
9
|
AwsMfaSecure::Autoloader.setup
|
|
7
10
|
|
|
8
11
|
module AwsMfaSecure
|
|
12
|
+
SESSIONS_PATH = "#{ENV['HOME']}/.aws/aws-mfa-secure-sessions"
|
|
9
13
|
class Error < StandardError; end
|
|
10
14
|
end
|
|
11
15
|
|
data/lib/aws_mfa_secure/base.rb
CHANGED
|
@@ -1,10 +1,7 @@
|
|
|
1
1
|
require "aws-sdk-core"
|
|
2
|
-
require "fileutils"
|
|
3
2
|
require "json"
|
|
4
3
|
require "memoist"
|
|
5
4
|
require "time"
|
|
6
|
-
require "active_support/core_ext/string"
|
|
7
|
-
require "active_support/core_ext/hash"
|
|
8
5
|
|
|
9
6
|
module AwsMfaSecure
|
|
10
7
|
class MfaError < StandardError; end
|
|
@@ -44,10 +41,11 @@ module AwsMfaSecure
|
|
|
44
41
|
def save_creds(credentials)
|
|
45
42
|
FileUtils.mkdir_p(File.dirname(session_creds_path))
|
|
46
43
|
IO.write(session_creds_path, JSON.pretty_generate(credentials))
|
|
44
|
+
flush_cache # Clear memo cache. Not needed for brand new temp credentials, but needed when updating existing ones
|
|
47
45
|
end
|
|
48
46
|
|
|
49
47
|
def session_creds_path
|
|
50
|
-
"#{
|
|
48
|
+
"#{SESSIONS_PATH}/#{@aws_profile}"
|
|
51
49
|
end
|
|
52
50
|
|
|
53
51
|
def get_session_token(shell: false)
|
|
@@ -61,7 +59,7 @@ module AwsMfaSecure
|
|
|
61
59
|
options[:duration_seconds] = ENV['AWS_MFA_TTL'] if ENV['AWS_MFA_TTL']
|
|
62
60
|
|
|
63
61
|
if shell
|
|
64
|
-
shell_get_session_token(options
|
|
62
|
+
shell_get_session_token(options) # mimic ruby sdk
|
|
65
63
|
else # ruby sdk
|
|
66
64
|
sts.get_session_token(options)
|
|
67
65
|
end
|
|
@@ -87,7 +85,8 @@ module AwsMfaSecure
|
|
|
87
85
|
$stdin.gets.strip
|
|
88
86
|
end
|
|
89
87
|
|
|
90
|
-
|
|
88
|
+
# Credentials class uses this version of get-session-token to allow the AWS Ruby SDK itself to be patched.
|
|
89
|
+
def shell_get_session_token(options)
|
|
91
90
|
args = options.map { |k,v| "--#{k.to_s.gsub('_','-')} #{v}" }.join(' ')
|
|
92
91
|
command = "aws sts get-session-token #{args} 2>&1"
|
|
93
92
|
# puts "=> #{command}" # uncomment for debugging
|
data/lib/aws_mfa_secure/cli.rb
CHANGED
|
@@ -18,6 +18,12 @@ module AwsMfaSecure
|
|
|
18
18
|
Unsets.new(options).run
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
+
desc "clean", "Cleans/purges the ~/.aws/aws-mfa-secure-sessions"
|
|
22
|
+
long_desc Help.text(:clean)
|
|
23
|
+
def clean
|
|
24
|
+
Clean.new(options).run
|
|
25
|
+
end
|
|
26
|
+
|
|
21
27
|
desc "completion *PARAMS", "Prints words for auto-completion."
|
|
22
28
|
long_desc Help.text("completion")
|
|
23
29
|
def completion(*params)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-mfa-secure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-11-
|
|
11
|
+
date: 2019-11-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -188,6 +188,7 @@ files:
|
|
|
188
188
|
- lib/aws_mfa_secure.rb
|
|
189
189
|
- lib/aws_mfa_secure/autoloader.rb
|
|
190
190
|
- lib/aws_mfa_secure/base.rb
|
|
191
|
+
- lib/aws_mfa_secure/clean.rb
|
|
191
192
|
- lib/aws_mfa_secure/cli.rb
|
|
192
193
|
- lib/aws_mfa_secure/command.rb
|
|
193
194
|
- lib/aws_mfa_secure/completer.rb
|