aws-rotate 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: adf6a451f691065bc62e8feb7b43704bc603a438b05b9a3f092bc336ea8e3288
+  data.tar.gz: fa9607d7253c854924f471fec41e6526239a7c1b0e1609590b6d07691fcc6e25
+SHA512:
+  metadata.gz: c981cc84a81b3efe9e7901a2942f155f36723f51afd4996e55285839127cc4865283844cf6e16987afe305e08b3d9d208fe1ccb7d2a31827652a4f767afa4623
+  data.tar.gz: 2be376dcc9cb074db6b214c83c6e74b794185b50bb144dcd58e5607360a78f67bbb59c5d17497c32fc0b33282fbc8e39f300ee6c5f4c1d48806c78ee56698416

data/.gitignore

@@ -0,0 +1,16 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+_yardoc
+coverage
+doc/
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [0.1.0]
+- Initial release.

data/Gemfile

@@ -0,0 +1,9 @@
+source "https://rubygems.org"
+
+# Specify your gem dependencies in aws-rotate.gemspec
+gemspec
+
+group :test do
+  gem "codeclimate-test-reporter", require: nil
+  gem "webmock"
+end

data/Gemfile.lock

@@ -0,0 +1,95 @@
+PATH
+  remote: .
+  specs:
+    aws-rotate (0.1.0)
+      activesupport
+      aws-sdk-core
+      aws-sdk-iam
+      rainbow
+      thor
+      zeitwerk
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.6.0)
+      public_suffix (>= 2.0.2, < 4.0)
+    aws-eventstream (1.0.3)
+    aws-partitions (1.201.0)
+    aws-sdk-core (3.62.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-partitions (~> 1.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-iam (1.29.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    byebug (11.0.1)
+    cli_markdown (0.1.0)
+    codeclimate-test-reporter (1.0.9)
+      simplecov (<= 0.13)
+    concurrent-ruby (1.1.5)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    docile (1.1.5)
+    hashdiff (1.0.0)
+    i18n (1.6.0)
+      concurrent-ruby (~> 1.0)
+    jmespath (1.4.0)
+    json (2.2.0)
+    minitest (5.11.3)
+    public_suffix (3.1.1)
+    rainbow (3.0.0)
+    rake (12.3.3)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.2)
+    safe_yaml (1.0.5)
+    simplecov (0.13.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    webmock (3.6.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    zeitwerk (2.1.9)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aws-rotate!
+  bundler
+  byebug
+  cli_markdown
+  codeclimate-test-reporter
+  rake
+  rspec
+  webmock
+
+BUNDLED WITH
+   2.0.2

data/Guardfile

@@ -0,0 +1,19 @@
+guard "bundler", cmd: "bundle" do
+  watch("Gemfile")
+  watch(/^.+\.gemspec/)
+end
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2019 Tung Nguyen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,103 @@
+# AwsRotate
+
+[![Gem Version](https://badge.fury.io/rb/aws-rotate.png)](http://badge.fury.io/rb/aws-rotate)
+[![Support](https://img.shields.io/badge/get-support-blue.svg)](https://boltops.com?utm_source=badge&utm_medium=badge&utm_campaign=aws-rotate)
+
+Rotates your AWS keys configured in `~/.aws/credentials`.
+
+## Usage
+
+    aws-rotate list # list profiles in ~/.aws
+    aws-rotate key  # rotates single key. Uses AWS_PROFILE env var
+    aws-rotate keys # rotates **all** keys for all profiles in ~/.aws/credentials
+
+## aws-rotate keys
+
+IMPORTANT: The `aws-rotate keys` command will update **all** the profiles found in `~/.aws/credentials`.  You may want to run an `--noop` to first test. Example:
+
+    aws-rotate keys --noop
+
+### select filter option
+
+If you would like to selectively update profiles, you can use the `--select` option. The `-s` option is also shorthand for the `--select` option. Example:
+
+    aws-rotate keys --select dev-
+
+The `--select dev-` results in only profiles with the `dev-` found in the profile name to be updated.  Example:
+
+~/.aws/credentials:
+
+    [my-dev-account1]
+    aws_access_key_id=EXAMPLE1
+    aws_secret_access_key=EXAMPLE1
+
+    [my-dev-account2]
+    aws_access_key_id=EXAMPLE2
+    aws_secret_access_key=EXAMPLE2
+
+    [my-prod-account]
+    aws_access_key_id=EXAMPLE3
+    aws_secret_access_key=EXAMPLE3
+
+Will only update `my-dev-account1` and `my-dev-account1`, since they both include the `dev-` pattern.
+
+The select option can take multiple selects. Example:
+
+    aws-rotate keys --select dev- test-
+
+Also, the select option is internally converted to an ruby regexp. So you can use patterns. Example:
+
+    aws-rotate keys --select ^dev-
+
+In this case the match is stricter and must start with "dev"
+
+### reject filter option
+
+There is also a `--reject` and `-r` option that does the opposite of the `--select` option.
+
+    aws-rotate keys --reject ^prod-
+
+Will rotate all profiles that do not match `^prod-`.
+
+You can use both `--select` and `--reject` options together.
+
+## Backups
+
+A backup of your `~/.aws/credentials` file is taken and stored in `~/.aws/credentials-bak-[timestamp]` before it is updated. However, please take precaution and take your own backup measures.  You can also disable backups with the `--no-backup` option.
+
+## Assume Roles
+
+Note: assumed role profiles are skipped as they don't have access keys.
+
+## Automatically Updating with Cron
+
+You can add a crontab to your system to automatically rotate the keys:
+
+    crontab -e
+
+You can add something like this:
+
+    30 20 * * * bash -l -c 'aws-rotate keys --select dev-aws-profile test-aws-profile --no-backup >> /var/log/cron-aws-rotate.log 2>&1' # rotate AWS keys daily
+
+Create a `/var/log/cron/aws-rotate.log` that is writable with your user:
+
+    sudo touch /var/log/cron-aws-rotate.log
+    sudo chown `whoami`:`whoami` /var/log/cron-aws-rotate.log
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem "aws-rotate"
+
+## Requirements
+
+The [aws cli](https://aws.amazon.com/cli/) is use to set the access keys and is required.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am "Add some feature"`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+RSpec::Core::RakeTask.new
+
+require_relative "lib/aws-rotate"
+require "cli_markdown"
+desc "Generates cli reference docs as markdown"
+task :docs do
+  mkdir_p "docs/_includes"
+  CliMarkdown::Creator.create_all(cli_class: AwsRotate::CLI, cli_name: "aws-rotate")
+end

data/aws-rotate.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "aws_rotate/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "aws-rotate"
+  spec.version       = AwsRotate::VERSION
+  spec.authors       = ["Tung Nguyen"]
+  spec.email         = ["tongueroo@gmail.com"]
+  spec.summary       = "Easy way to rotate all your AWS keys in your ~/.aws/credentials"
+  spec.homepage      = "https://github.com/tongueroo/aws-rotate"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport"
+  spec.add_dependency "aws-sdk-iam"
+  spec.add_dependency "aws-sdk-core" # for sts
+  spec.add_dependency "rainbow"
+  spec.add_dependency "thor"
+  spec.add_dependency "zeitwerk"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "byebug"
+  spec.add_development_dependency "cli_markdown"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/exe/aws-rotate

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+# Trap ^C
+Signal.trap("INT") {
+  puts "\nCtrl-C detected. Exiting..."
+  sleep 0.1
+  exit
+}
+
+$:.unshift(File.expand_path("../../lib", __FILE__))
+require "aws-rotate"
+require "aws_rotate/cli"
+
+AwsRotate::CLI.start(ARGV)

data/lib/aws-rotate.rb

@@ -0,0 +1 @@
+require_relative "aws_rotate"

data/lib/aws_rotate.rb

@@ -0,0 +1,10 @@
+$:.unshift(File.expand_path("../", __FILE__))
+require "aws_rotate/version"
+require "rainbow/ext/string"
+
+require "aws_rotate/autoloader"
+AwsRotate::Autoloader.setup
+
+module AwsRotate
+  class Error < StandardError; end
+end

data/lib/aws_rotate/autoloader.rb

@@ -0,0 +1,22 @@
+require "zeitwerk"
+
+module AwsRotate
+  class Autoloader
+    class Inflector < Zeitwerk::Inflector
+      def camelize(basename, _abspath)
+        map = { cli: "CLI", version: "VERSION" }
+        map[basename.to_sym] || super
+      end
+    end
+
+    class << self
+      def setup
+        loader = Zeitwerk::Loader.new
+        loader.inflector = Inflector.new
+        loader.push_dir(File.dirname(__dir__)) # lib
+        loader.ignore("#{File.dirname(__dir__)}/aws-rotate.rb")
+        loader.setup
+      end
+    end
+  end
+end

data/lib/aws_rotate/aws_services.rb

@@ -0,0 +1,17 @@
+require "aws-sdk-iam"
+require "aws-sdk-sts"
+
+module AwsRotate
+  module AwsServices
+    # Memoization takes into account different AWS_PROFILE
+    @@iam = {}
+    def iam
+      @@iam[ENV['AWS_PROFILE']] ||= Aws::IAM::Client.new
+    end
+
+    @@sts = {}
+    def sts
+      @@sts[ENV['AWS_PROFILE']] ||= Aws::STS::Client.new
+    end
+  end
+end

data/lib/aws_rotate/backup.rb

@@ -0,0 +1,15 @@
+module AwsRotate
+  class Backup < Base
+    def run
+      return if @options[:noop] || @options[:backup] == false
+      return unless credentials_exist?
+      backup_path = @credentials_path + ".bak-#{Time.now.strftime("%F-%T")}"
+      FileUtils.cp(@credentials_path, backup_path)
+      puts "Backed up credentials file at: #{backup_path}"
+    end
+
+    def credentials_exist?
+      File.exist?(@credentials_path)
+    end
+  end
+end

data/lib/aws_rotate/base.rb

@@ -0,0 +1,30 @@
+module AwsRotate
+  class Base
+    include AwsServices
+
+    def initialize(options={})
+      @options = options
+      @config_path = options[:config] || "#{ENV['HOME']}/.aws/config"
+      @credentials_path = options[:credentials] || "#{ENV['HOME']}/.aws/credentials"
+      @profile = ENV['AWS_PROFILE'] || default_profile
+    end
+
+  private
+    def default_profile
+      if ENV['AWS_PROFILE'].nil?
+        lines = IO.readlines(@credentials_path)
+        default_found = lines.detect { |l| l =~ /\[default\]/ }
+        'default'
+      else
+        abort("AWS_PROFILE must be set")
+      end
+    end
+
+    def sh(command)
+      # no puts so we dont puts out the secret key value
+      # puts "=> #{command}" # uncomment to debug
+      success = system(command)
+      raise unless success
+    end
+  end
+end