aws-rotate 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: adf6a451f691065bc62e8feb7b43704bc603a438b05b9a3f092bc336ea8e3288
-  data.tar.gz: fa9607d7253c854924f471fec41e6526239a7c1b0e1609590b6d07691fcc6e25
+  metadata.gz: 207cf2ce3e4f6e03f138a2757ba3d64cad3dc825793db640cb90505a0890b077
+  data.tar.gz: f5990b39c5d8ffc3c1a53a93b91e8fd0dfe194dfdaadd7080fc32b8ba3c61770
 SHA512:
-  metadata.gz: c981cc84a81b3efe9e7901a2942f155f36723f51afd4996e55285839127cc4865283844cf6e16987afe305e08b3d9d208fe1ccb7d2a31827652a4f767afa4623
-  data.tar.gz: 2be376dcc9cb074db6b214c83c6e74b794185b50bb144dcd58e5607360a78f67bbb59c5d17497c32fc0b33282fbc8e39f300ee6c5f4c1d48806c78ee56698416
+  metadata.gz: c0b8b7ccbc346a5453af992b8134cf35038cda8bf996d936b73255c2af46dd9ddf29b1ddaf0b940d2cc98ae3919311a2d88b1c5c79545565855548381118a583
+  data.tar.gz: 7a9df313347d41310662b9c7896f962d42dd7992c4fa443710b363e211f33c2fe6942c2daf444ce0648da561d8c075162767d6d99b39e794f3caaca9e5b756f6

data/CHANGELOG.md

@@ -3,5 +3,9 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [0.2.0]
+- continue rotating when hit max keys limit on a profile
+- improve GetIamUserError message for key command
+
 ## [0.1.0]
 - Initial release.

data/README.md

@@ -17,6 +17,25 @@ IMPORTANT: The `aws-rotate keys` command will update **all** the profiles found
 
     aws-rotate keys --noop
 
+Example output:
+
+    $ aws-rotate keys
+    Backed up credentials file at: /home/ec2-user/.aws/credentials.bak-2019-08-14-16:45:36
+    Updating access key for AWS_PROFILE=profile1
+    Created new access key: AKIAXZ6ODJLQWYW3575A
+    Updated profile profile1 in /home/ec2-user/.aws/credentials with new key: AKIAXZ6ODJLQWYW3575A
+    Old access key deleted: AKIAXZ6ODJLQ3Q5TJUHN
+    Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable.
+    Updating access key for AWS_PROFILE=default
+    Updated profile default in /home/ec2-user/.aws/credentials with new key: AKIAXZ6ODJLQWYW3575A
+    Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable.
+    Updating access key for AWS_PROFILE=profile2
+    Created new access key: AKIAXCGZM5KIS35XPH5R
+    Updated profile profile2 in /home/ec2-user/.aws/credentials with new key: AKIAXCGZM5KIS35XPH5R
+    Old access key deleted: AKIAXCGZM5KI63JFCKFD
+    Please note, it sometimes take a few seconds or even minutes before the new IAM access key is usable.
+    $
+
 ### select filter option
 
 If you would like to selectively update profiles, you can use the `--select` option. The `-s` option is also shorthand for the `--select` option. Example:

data/lib/aws_rotate/base.rb

@@ -14,7 +14,7 @@ module AwsRotate
       if ENV['AWS_PROFILE'].nil?
         lines = IO.readlines(@credentials_path)
         default_found = lines.detect { |l| l =~ /\[default\]/ }
-        'default'
+        'default' if default_found
       else
         abort("AWS_PROFILE must be set")
       end

data/lib/aws_rotate/key.rb

@@ -11,7 +11,9 @@ module AwsRotate
       @user = get_iam_user # will only rotate keys that belong to an actual IAM user
       return unless @user
 
-      check_max_keys_limit
+      at_max = check_max_keys_limit
+      return false if at_max
+
       message = "Updating access key for AWS_PROFILE=#{@profile}"
       message = "NOOP: #{message}" if @options[:noop]
       puts message.color(:green)
@@ -25,10 +27,18 @@ module AwsRotate
       true
     end
 
+    def get_iam_user
+      get_iam_user!
+    rescue GetIamUserError
+      message = @options[:noop] ? "Will not be able to update key" : "Unable to update key"
+      puts "WARN: #{message} for AWS_PROFILE=#{@profile}".color(:yellow)
+      return false
+    end
+
     # Returns IAM username.
     # Returns nil unless this profile is actually associated with an user.
     # Skips assume role profiles.
-    def get_iam_user
+    def get_iam_user!
       resp = sts.get_caller_identity
       arn = resp.arn
       # Example arns:
@@ -55,15 +65,18 @@ module AwsRotate
 
     # Check if there are 2 keys, cannot rotate if there are 2 keys already.
     # Raise error if there are 2 keys.
+    # Returns false if not at max limit
     MAX_KEYS = 2
     def check_max_keys_limit!
       resp = iam.list_access_keys(user_name: @user)
-      return if resp.access_key_metadata.size < MAX_KEYS
+      return false if resp.access_key_metadata.size < MAX_KEYS # not at max limit
       raise MaxKeysError
     end
 
     # Check if there are 2 keys, cannot rotate if there are 2 keys already.
     # Display info message for user to reduce it to 1 key.
+    # Returns false if not at max limit
+    # Returns true if at max limit
     def check_max_keys_limit
       check_max_keys_limit!
     rescue MaxKeysError
@@ -71,7 +84,7 @@ module AwsRotate
         This user #{@user} in the AWS_PROFILE=#{@profile} has 2 access keys. This is the max number of keys allowed.
         Please remove at least one of the keys so aws-rotate can rotate the key.
       EOL
-      exit 1
+      true # at max limit
     end
 
     @@cache = {}
@@ -96,7 +109,7 @@ module AwsRotate
 
       # store in cache to help with multiple profiles using the same aws access key
       old_key_id = aws_configure_get(:aws_access_key_id)
-      @@cache[old_key_id] = CacheKey.new(old_key_id, key.access_key_id, key.secret_access_key)
+      @@cache[old_key_id] = OldKey.new(old_key_id, key.access_key_id, key.secret_access_key)
 
       puts "Created new access key: #{key.access_key_id}"
       key

data/lib/aws_rotate/keys.rb

@@ -6,7 +6,7 @@ module AwsRotate
         next unless filter_match?(profile)
 
         ENV['AWS_PROFILE'] = profile
-        update_key
+        Key.new(@options).run
       end
     end
 
@@ -31,12 +31,5 @@ module AwsRotate
       end
       selected
     end
-
-    def update_key
-      Key.new(@options).run
-    rescue Key::GetIamUserError
-      message = @options[:noop] ? "Will not be able to update key" : "Unable to update key"
-      puts "WARN: #{message} for AWS_PROFILE=#{@profile}".color(:yellow)
-    end
   end
 end

data/lib/aws_rotate/old_key.rb

@@ -0,0 +1,3 @@
+module AwsRotate
+  OldKey = Struct.new(:old_key_id, :access_key_id, :secret_access_key)
+end

data/lib/aws_rotate/version.rb

@@ -1,3 +1,3 @@
 module AwsRotate
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/spec/lib/key_spec.rb

@@ -3,7 +3,7 @@ describe AwsRotate::Key do
     rotater = AwsRotate::Key.new
     # The methods that are commented out have stubs at lower-levels.
     # allow(rotater).to receive(:get_iam_user).and_return('tung')
-    allow(rotater).to receive(:check_max_keys_limit).and_return(null)
+    allow(rotater).to receive(:check_max_keys_limit).and_return(false)
     allow(rotater).to receive(:cache_access_key).and_return(cache_access_key)
     # allow(rotater).to receive(:create_access_key).and_return(create_access_key)
     allow(rotater).to receive(:update_aws_credentials_file).and_return(null)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-rotate
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Tung Nguyen
@@ -189,7 +189,6 @@ files:
 - lib/aws_rotate/aws_services.rb
 - lib/aws_rotate/backup.rb
 - lib/aws_rotate/base.rb
-- lib/aws_rotate/cache_key.rb
 - lib/aws_rotate/cli.rb
 - lib/aws_rotate/command.rb
 - lib/aws_rotate/completer.rb
@@ -204,6 +203,7 @@ files:
 - lib/aws_rotate/key.rb
 - lib/aws_rotate/keys.rb
 - lib/aws_rotate/list.rb
+- lib/aws_rotate/old_key.rb
 - lib/aws_rotate/version.rb
 - spec/fixtures/home/.aws/config
 - spec/fixtures/home/.aws/credentials

data/lib/aws_rotate/cache_key.rb

@@ -1,3 +0,0 @@
-module AwsRotate
-  CacheKey = Struct.new(:old_key_id, :access_key_id, :secret_access_key)
-end