aws-mfa-secure 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +7 -7
- data/lib/aws_mfa_secure.rb +4 -0
- data/lib/aws_mfa_secure/base.rb +5 -6
- data/lib/aws_mfa_secure/clean.rb +12 -0
- data/lib/aws_mfa_secure/cli.rb +6 -0
- data/lib/aws_mfa_secure/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8c9d8a66e1c28de429063690051bc89c34d92aa9aa0667e538d95083ea4f72c3
|
|
4
|
+
data.tar.gz: fe4597dcaf3cb1cdfacf99e21a86403a5c5e2cd122e16a0fc971d1ddd5cc1a2f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e13b9de3cde7d9e39405acf453288a8f387bdb5b60998079e73295f80bbd7595147a75e15694b27cb18cfc88d4b13f0114852fd34bfdbb62949d362317f5b801
|
|
7
|
+
data.tar.gz: dc110c7877b6e525e7890e3278b6bd41a74f471d7e5a5573c4f95bdd24d313e66ed431574740c7a284a65f5bcd10cb78ec59c8d2846c3df706f1813f11df6fae
|
data/CHANGELOG.md
CHANGED
|
@@ -3,5 +3,9 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
|
|
5
5
|
|
|
6
|
+
## [0.2.0]
|
|
7
|
+
- add clean command
|
|
8
|
+
- flush memo cache for updated aws tokens
|
|
9
|
+
|
|
6
10
|
## [0.1.0]
|
|
7
11
|
- Initial release.
|
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
[](http://badge.fury.io/rb/aws-mfa-secure)
|
|
4
4
|
|
|
5
|
-
Surprisingly, the [aws cli](https://docs.aws.amazon.com/cli/latest/reference/) does not yet support MFA for normal IAM users. See: https://github.com/boto/botocore/pull/1399 The aws-mfa-secure tool decorates the AWS CLI or API to handle MFA authentication. The MFA prompt only activates if `mfa_serial` is configured.
|
|
5
|
+
Surprisingly, the [aws cli](https://docs.aws.amazon.com/cli/latest/reference/) does not yet support MFA for normal IAM users. See: [boto/botocore/pull/1399](https://github.com/boto/botocore/pull/1399) The aws-mfa-secure tool decorates the AWS CLI or API to handle MFA authentication. The MFA prompt only activates if `mfa_serial` is configured.
|
|
6
6
|
|
|
7
7
|
## Installation
|
|
8
8
|
|
|
@@ -18,7 +18,7 @@ Prerequisite: The [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/) i
|
|
|
18
18
|
|
|
19
19
|
1. Configure `~/.aws/credentials` with `mfa_serial`
|
|
20
20
|
2. Set up bash alias
|
|
21
|
-
3. Use aws cli like
|
|
21
|
+
3. Use aws cli like you normally would
|
|
22
22
|
|
|
23
23
|
### Configure ~/.aws/credentials with mfa_serial
|
|
24
24
|
|
|
@@ -31,7 +31,7 @@ Set up `mfa_serial` in credentials file for the profile section that requires it
|
|
|
31
31
|
aws_secret_access_key = ABCDl4hXikfOHTvNqFAnb2Ea62bUuu/eUEXAMPLE
|
|
32
32
|
mfa_serial = arn:aws:iam::112233445566:mfa/MFAUser
|
|
33
33
|
|
|
34
|
-
Note: AWS already supports `mfa_serial` assumed roles: [AWS Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). The aws-mfa-secure tool does not decorate for assumed roles and lets the AWS CLI or SDK handle it.
|
|
34
|
+
Note: AWS already supports `mfa_serial` for assumed roles: [AWS Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). The aws-mfa-secure tool does not decorate for assumed roles and lets the AWS CLI or SDK handle it. The aws-mfa-secure tool adds support for standard IAM users, which is not currently supported. See: [boto/botocore/pull/1399](https://github.com/boto/botocore/pull/1399)
|
|
35
35
|
|
|
36
36
|
### Set up bash alias
|
|
37
37
|
|
|
@@ -41,7 +41,7 @@ You may want to add the alias to your `~/.bash_profile`
|
|
|
41
41
|
|
|
42
42
|
Autocompletion still works with the alias.
|
|
43
43
|
|
|
44
|
-
### Use aws cli like
|
|
44
|
+
### Use aws cli like usual
|
|
45
45
|
|
|
46
46
|
Call `aws` command like you usually would:
|
|
47
47
|
|
|
@@ -78,7 +78,7 @@ Except `aws-mfa-secure session` will use the temporary session environment `AWS_
|
|
|
78
78
|
|
|
79
79
|
## Exports
|
|
80
80
|
|
|
81
|
-
You can also generate
|
|
81
|
+
You can also generate an exports script. The exports technique is useful for tools that do not yet support MFA. Using `AWS_*` env variables for credentials should allow those tools to work. Though, it may depend on the tool as they sometimes hardcode a credentials configuration. Example:
|
|
82
82
|
|
|
83
83
|
$ aws-mfa-secure exports
|
|
84
84
|
Please provide your MFA code: 147280
|
|
@@ -107,11 +107,11 @@ This patches the aws-sdk-ruby library and adds MFA support.
|
|
|
107
107
|
|
|
108
108
|
You can also set the MFA info with env variables. They take the highest precedence and override what's in `~/.aws/credentials`. Example:
|
|
109
109
|
|
|
110
|
-
AWS_MFA_TOKEN=112233 arn:aws:iam::112233445566:mfa/MFAUser aws s3 ls
|
|
110
|
+
AWS_MFA_TOKEN=112233 AWS_MFA_SERIAL=arn:aws:iam::112233445566:mfa/MFAUser aws s3 ls
|
|
111
111
|
|
|
112
112
|
## How It Works
|
|
113
113
|
|
|
114
|
-
|
|
114
|
+
Docs: [How It Works](docs/how-it-works.md)
|
|
115
115
|
|
|
116
116
|
## Related
|
|
117
117
|
|
data/lib/aws_mfa_secure.rb
CHANGED
|
@@ -1,11 +1,15 @@
|
|
|
1
1
|
$:.unshift(File.expand_path("../", __FILE__))
|
|
2
2
|
require "aws_mfa_secure/version"
|
|
3
|
+
require "active_support/core_ext/hash"
|
|
4
|
+
require "active_support/core_ext/string"
|
|
5
|
+
require "fileutils"
|
|
3
6
|
require "rainbow/ext/string"
|
|
4
7
|
|
|
5
8
|
require "aws_mfa_secure/autoloader"
|
|
6
9
|
AwsMfaSecure::Autoloader.setup
|
|
7
10
|
|
|
8
11
|
module AwsMfaSecure
|
|
12
|
+
SESSIONS_PATH = "#{ENV['HOME']}/.aws/aws-mfa-secure-sessions"
|
|
9
13
|
class Error < StandardError; end
|
|
10
14
|
end
|
|
11
15
|
|
data/lib/aws_mfa_secure/base.rb
CHANGED
|
@@ -1,10 +1,7 @@
|
|
|
1
1
|
require "aws-sdk-core"
|
|
2
|
-
require "fileutils"
|
|
3
2
|
require "json"
|
|
4
3
|
require "memoist"
|
|
5
4
|
require "time"
|
|
6
|
-
require "active_support/core_ext/string"
|
|
7
|
-
require "active_support/core_ext/hash"
|
|
8
5
|
|
|
9
6
|
module AwsMfaSecure
|
|
10
7
|
class MfaError < StandardError; end
|
|
@@ -44,10 +41,11 @@ module AwsMfaSecure
|
|
|
44
41
|
def save_creds(credentials)
|
|
45
42
|
FileUtils.mkdir_p(File.dirname(session_creds_path))
|
|
46
43
|
IO.write(session_creds_path, JSON.pretty_generate(credentials))
|
|
44
|
+
flush_cache # Clear memo cache. Not needed for brand new temp credentials, but needed when updating existing ones
|
|
47
45
|
end
|
|
48
46
|
|
|
49
47
|
def session_creds_path
|
|
50
|
-
"#{
|
|
48
|
+
"#{SESSIONS_PATH}/#{@aws_profile}"
|
|
51
49
|
end
|
|
52
50
|
|
|
53
51
|
def get_session_token(shell: false)
|
|
@@ -61,7 +59,7 @@ module AwsMfaSecure
|
|
|
61
59
|
options[:duration_seconds] = ENV['AWS_MFA_TTL'] if ENV['AWS_MFA_TTL']
|
|
62
60
|
|
|
63
61
|
if shell
|
|
64
|
-
shell_get_session_token(options
|
|
62
|
+
shell_get_session_token(options) # mimic ruby sdk
|
|
65
63
|
else # ruby sdk
|
|
66
64
|
sts.get_session_token(options)
|
|
67
65
|
end
|
|
@@ -87,7 +85,8 @@ module AwsMfaSecure
|
|
|
87
85
|
$stdin.gets.strip
|
|
88
86
|
end
|
|
89
87
|
|
|
90
|
-
|
|
88
|
+
# Credentials class uses this version of get-session-token to allow the AWS Ruby SDK itself to be patched.
|
|
89
|
+
def shell_get_session_token(options)
|
|
91
90
|
args = options.map { |k,v| "--#{k.to_s.gsub('_','-')} #{v}" }.join(' ')
|
|
92
91
|
command = "aws sts get-session-token #{args} 2>&1"
|
|
93
92
|
# puts "=> #{command}" # uncomment for debugging
|
data/lib/aws_mfa_secure/cli.rb
CHANGED
|
@@ -18,6 +18,12 @@ module AwsMfaSecure
|
|
|
18
18
|
Unsets.new(options).run
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
+
desc "clean", "Cleans/purges the ~/.aws/aws-mfa-secure-sessions"
|
|
22
|
+
long_desc Help.text(:clean)
|
|
23
|
+
def clean
|
|
24
|
+
Clean.new(options).run
|
|
25
|
+
end
|
|
26
|
+
|
|
21
27
|
desc "completion *PARAMS", "Prints words for auto-completion."
|
|
22
28
|
long_desc Help.text("completion")
|
|
23
29
|
def completion(*params)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-mfa-secure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tung Nguyen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-11-
|
|
11
|
+
date: 2019-11-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -188,6 +188,7 @@ files:
|
|
|
188
188
|
- lib/aws_mfa_secure.rb
|
|
189
189
|
- lib/aws_mfa_secure/autoloader.rb
|
|
190
190
|
- lib/aws_mfa_secure/base.rb
|
|
191
|
+
- lib/aws_mfa_secure/clean.rb
|
|
191
192
|
- lib/aws_mfa_secure/cli.rb
|
|
192
193
|
- lib/aws_mfa_secure/command.rb
|
|
193
194
|
- lib/aws_mfa_secure/completer.rb
|