aws-session-credentials 1.0.0.pre.2 → 1.0.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZWJiNTBkOGI2ZDFkNmExM2JkNTFiOWNmMmM3OGI3ZTUzY2JiN2M2OA==
+    Mjk2MmNjOTU3YTczYTY3MjIxNWY4NzM3MDA2MDI1OTQ1MjEzMjllMg==
   data.tar.gz: !binary |-
-    YzRlMTJjYzA0MzQ4MmFkNGI0YjlhMGEyZTFhNTJmNTE2NDYwNWQ5Mw==
+    MzMxZDgyYmY5YzBhMTZlMDU4NzE5MGFjNDc4NDk3NzE3OGQ1NmI1Nw==
 SHA512:
   metadata.gz: !binary |-
-    NWExNTE2ZjQyMzg1M2I0ZDdmNmYyNGQ0NDE4YWE3MTM2YTA4ZGQyMGNiNTRm
-    YWJkOTFkNmQ3MTI4NDI5MzlhMWM3MWJkODM2ZDYyMDgxMzBiNDY3YzAxODk0
-    YzEyNzY2YjAxMGRkMDU3NmIwZGRkNjAzN2Y3YWI1NjQ1MTlkY2I=
+    NzhjNDI4ZjFlZGE4N2QxNjc2MTYxOWI1Mzg4NWI0NWNiMzM1MDI5ZWQ1MTM0
+    NDYyYzQzN2YxNjEwNmI0YTM1NmExN2RkZjU1MjI2ZjBmZDZiOTg3N2ZlNDMy
+    MTExOWE5NWZhNzk5ZGMwOTY2ZWY3NzQ0NjZlYTlkNDgzNmIzNWQ=
   data.tar.gz: !binary |-
-    NDQyZmQ1ZjcwMTQ1YTdhMzcwYWRkMTZmNjU1NmZhMzkyMmMyMzJjNmI0NDQx
-    N2E2YjEwODdmYmY4M2UyMzU5YTMwMTc4YzA1YWEwNjBiYjVhOWIzOGZmZjU1
-    NWZlMTc1ODU5MmM3YzE2MWExMjUzOTllNWVkNTNhNzQ3N2VkMmY=
+    MzgyNTcxN2Q4YTU2YTRlMTVlZjZhYjgwOTZhNzc4ODk2YzJiYWY3MjA4OGE1
+    MTYyNjk2NTI0YzllYmQ3Y2FlNTM1NWY2MjRlMTJlNzM0ZTMzZThhNzc0MzNm
+    MDRlNzRmZjI4NzdhOGE5NDFjODhiNGEwZjA0ZTE1OGUzYWI1MTA=

data/README.md

@@ -25,6 +25,14 @@ Or install it yourself as:
 
     $ gem install aws-session-credentials
 
+### Building native extensions for dependencies
+
+On Ubuntu, you may need to run the following before installing this gem:
+
+```
+$ sudo apt-get install libccid libpcsclite-dev pcscd pcsc-tools
+```
+
 ## Usage
 
 ### Generating new session credentials

data/aws-session-credentials.gemspec

@@ -29,5 +29,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'inifile', '~> 3.0'
   spec.add_runtime_dependency 'smartcard'
   spec.add_runtime_dependency 'thor', '~> 0.19'
-  spec.add_runtime_dependency 'yubioath'
+  spec.add_runtime_dependency 'yubioath', '~> 1.0.0'
 end

data/lib/aws/session/credentials.rb

@@ -14,11 +14,13 @@ require 'aws/session/credentials/mfa_device/generic_mfa_device'
 require 'aws/session/credentials/mfa_device/yubikey_mfa_device'
 
 require 'aws/session/credentials/profile_storage'
+require 'aws/session/credentials/role_storage'
 
 require 'aws/session/credentials/cache'
 require 'aws/session/credentials/config'
 require 'aws/session/credentials/credential_file'
 require 'aws/session/credentials/profile'
+require 'aws/session/credentials/role'
 require 'aws/session/credentials/session_builder'
 require 'aws/session/credentials/session_manager'
 

data/lib/aws/session/credentials/cli.rb

@@ -56,18 +56,30 @@ module Aws
           SessionManager.new.new_session(cli_opts)
         end
 
-        method_option 'role_arn',
+        method_option 'role-alias',
                       type: :string,
-                      desc: 'The ARN of the role to assume',
-                      required: true
-        method_option 'role_session_name',
+                      desc: 'Name of stored role settings to use',
+                      default: nil
+        method_option 'role-account',
+                      type: :string,
+                      desc: 'Account ID',
+                      default: nil
+        method_option 'role-name',
+                      type: :string,
+                      desc: 'Name of role to assume',
+                      default: nil
+        method_option 'role-arn',
+                      type: :string,
+                      desc: 'The ARN of the role to assume; alternative to providing role-account and role-name',
+                      default: nil
+        method_option 'role-session-name',
                       type: :string,
                       desc: 'An identifier for the assumed role session',
-                      required: true
+                      default: nil
         method_option 'profile',
                       type: :string,
                       desc: 'Profile that session token will be loaded into',
-                      default: 'default'
+                      default: nil
         method_option 'duration',
                       type: :numeric,
                       desc: 'Duration, in seconds, that credentials should remain valid',
@@ -91,7 +103,16 @@ module Aws
         desc 'assume-role', 'Assumes a role'
         def assume_role
           cli_opts = options.transform_keys { |key| key.sub(/-/, '_') }
-          SessionManager.new.assume_role(cli_opts)
+
+          if cli_opts['role_alias']
+            cf = Config.new(path: cli_opts['config_file'])
+            rl = cf.role(cli_opts['role_alias'].to_sym)
+            cli_opts = rl.to_h.deep_stringify_keys.deep_merge(cli_opts)
+          end
+
+          cli_opts['role_arn'] ||= make_role_arn(cli_opts['role_account'], cli_opts['role_name'])
+
+          SessionManager.new.assume_role(cli_opts.deep_symbolize_keys)
         end
 
         method_option 'aws-access-key-id',
@@ -138,7 +159,7 @@ module Aws
           cli_opts['aws_secret_access_key'] ||= ask('AWS Secret Access Key:', echo: false)
           puts '' # BUG: No LF printed when echo is set to false
           cli_opts['aws_region'] ||= ask('AWS region:')
-          cli_opts['duration'] ||= ask('Session duration (in seconds):')
+          cli_opts['duration'] ||= ask('Session duration (in seconds):').to_i
 
           puts ''
           if yes?('Configure MFA (y/n)?')
@@ -156,6 +177,138 @@ module Aws
           cf.set_profile(cli_opts[:source_profile], prof)
         end
 
+        method_option 'role-account',
+                      type: :string,
+                      desc: 'Account ID',
+                      default: nil
+        method_option 'role-name',
+                      type: :string,
+                      desc: 'Name of role to assume',
+                      default: nil
+        method_option 'role-arn',
+                      type: :string,
+                      desc: 'The ARN of the role to assume; alternative to providing role-account and role-name',
+                      default: nil
+        method_option 'role-session-name',
+                      type: :string,
+                      desc: 'An identifier for the assumed role session',
+                      default: nil
+        method_option 'config-file',
+                      type: :string,
+                      desc: 'YAML file to load config from',
+                      default: '~/.aws/aws-session-config.yml'
+        method_option 'role-alias',
+                      type: :string,
+                      desc: 'Name/alias associated with role',
+                      default: nil
+        method_option 'profile',
+                      type: :string,
+                      desc: 'Profile that will used when assuming role',
+                      default: nil
+        method_option 'duration',
+                      type: :numeric,
+                      desc: 'Duration, in seconds, that credentials for assumed role should remain valid',
+                      default: nil
+        method_option 'mfa-device',
+                      type: :string,
+                      desc: 'ARN of MFA device',
+                      default: nil
+        method_option 'mfa-code',
+                      type: :string,
+                      desc: 'Six digit code from MFA device',
+                      default: nil
+        method_option 'yubikey-name',
+                      type: :string,
+                      desc: 'Name of yubikey device',
+                      default: 'Yubikey'
+        method_option 'oath-credential',
+                      type: :string,
+                      desc: 'Name of OATH credential',
+                      default: nil
+        desc 'configure-role', 'Configures a new role'
+        def configure_role
+          cli_opts = options.transform_keys { |key| key.sub(/-/, '_') }
+          cli_opts['role_alias'] ||= ask('Provide an alias for this role:')
+
+          if cli_opts['role_account'] && cli_opts['role_name']
+            cli_opts['role_arn'] = make_role_arn(cli_opts['role_account'], cli_opts['role_name'])
+          elsif !cli_opts['role_arn']
+            puts ''
+            if yes?('Provide role account and name instead of role ARN (y/n)?')
+              account = ask('Role account ID:')
+              role_name = ask('Name of role:')
+              cli_opts['role_arn'] = make_role_arn(account, role_name)
+            else
+              cli_opts['role_arn'] = ask('Role ARN:')
+            end
+          end
+
+          unless cli_opts['role_session_name']
+            if yes?('Customise role session name (y/n)?')
+              cli_opts['role_session_name'] = ask('Role session name:')
+            else
+              account, role_name = split_role_arn(cli_opts['role_arn'])
+              cli_opts['role_session_name'] = "#{role_name} @ #{account}"
+            end
+          end
+
+          cli_opts['profile'] ||= ask('Profile to use when assuming role (leave blank to use "default"):')
+          cli_opts['profile'] = 'default' if cli_opts['profile'].empty?
+
+          cli_opts['duration'] ||= ask('Duration in seconds of assumed role:')
+
+          rl = Role.new(cli_opts.except('config_file'))
+          cf = Config.new(path: cli_opts['config_file'])
+          cf.set_role(cli_opts[:role_alias], rl)
+        end
+
+        desc 'list-profiles', 'Lists profiles/sessions'
+        def list_profiles
+          store = CredentialFile.new
+
+          puts "Available profiles in #{store.path}:"
+          store.profiles.each { |name, _|  puts "  * #{name}" }
+        end
+
+        method_option 'config-file',
+                      type: :string,
+                      desc: 'YAML file to load config from',
+                      default: '~/.aws/aws-session-config.yml'
+        desc 'list-roles', 'Lists roles that have been saved'
+        def list_roles
+          store = Config.new(path: options['config-file'])
+
+          puts "Stored roles in #{store.path}:"
+          store.roles.each { |name, _|  puts "  * #{name}" }
+        end
+
+        method_option 'config-file',
+                      type: :string,
+                      desc: 'YAML file to load config from',
+                      default: '~/.aws/aws-session-config.yml'
+        desc 'list-source-profiles', 'Lists source profiles that have been saved'
+        def list_source_profiles
+          store = Config.new(path: options['config-file'])
+
+          puts "Available source profiles in #{store.path}:"
+          store.profiles.each { |name, _|  puts "  * #{name}" }
+        end
+
+        desc 'version', 'Prints the current version'
+        def version
+          puts "aws-session-credentials #{Aws::Session::Credentials::VERSION}"
+        end
+
+        no_tasks do
+          def make_role_arn(account, role_name)
+            "arn:aws:iam::#{account}:role/#{role_name}"
+          end
+
+          def split_role_arn(role_arn)
+            role_arn.scan(%r{arn:aws:iam::(.+):role/(.+)}).first
+          end
+        end
+
         default_task :new
       end
     end

data/lib/aws/session/credentials/config.rb

@@ -4,6 +4,7 @@ module Aws
       # Holds configuration
       class Config
         include ProfileStorage
+        include RoleStorage
         include FileProvider::YamlFileProvider
 
         attr_reader :path
@@ -25,6 +26,16 @@ module Aws
         def profiles_hash=(hsh)
           self[:profiles] = hsh
         end
+
+        # @return [Hash<String,Hash>]
+        def roles_hash
+          self[:roles] || {}
+        end
+
+        # @param [Hash] hsh
+        def roles_hash=(hsh)
+          self[:roles] = hsh
+        end
       end
     end
   end

data/lib/aws/session/credentials/role.rb

@@ -0,0 +1,7 @@
+module Aws
+  module Session
+    module Credentials
+      class Role < OpenStruct; end
+    end
+  end
+end

data/lib/aws/session/credentials/role_storage.rb

@@ -0,0 +1,41 @@
+module Aws
+  module Session
+    module Credentials
+      # Mixin to store roles
+      module RoleStorage
+        # @return [Hash<String,Role>]
+        def roles
+          rls = {}
+          roles_hash.each do |name, options|
+            rls[name] = Role.new(options)
+          end
+          rls
+        end
+
+        # @param [Hash<String,Role>] rls
+        def roles=(rls)
+          hash = {}
+          rls.each do |name, rl|
+            hash[name] = rl.to_h
+          end
+          self.roles_hash = hash
+        end
+
+        # @param [String] name
+        # @return [Role]
+        def role(name)
+          roles[name]
+        end
+
+        # @param [String] name
+        # @param [Role] rl
+        def set_role(name, rl)
+          rls = roles.dup
+          rls[name] = rl
+          self.roles = rls
+          rl
+        end
+      end
+    end
+  end
+end

data/lib/aws/session/credentials/version.rb

@@ -1,7 +1,7 @@
 module Aws
   module Session
     module Credentials
-      VERSION = '1.0.0.pre.2'
+      VERSION = '1.0.0'
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-session-credentials
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.2
+  version: 1.0.0
 platform: ruby
 authors:
 - Ben Vidulich
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-11-15 00:00:00.000000000 Z
+date: 2015-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -140,16 +140,16 @@ dependencies:
   name: yubioath
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.0
 description: Command-line tool to generate AWS session credentials.
 email:
 - ben@vidulich.co.nz
@@ -181,6 +181,8 @@ files:
 - lib/aws/session/credentials/mfa_device/yubikey_mfa_device.rb
 - lib/aws/session/credentials/profile.rb
 - lib/aws/session/credentials/profile_storage.rb
+- lib/aws/session/credentials/role.rb
+- lib/aws/session/credentials/role_storage.rb
 - lib/aws/session/credentials/session_builder.rb
 - lib/aws/session/credentials/session_manager.rb
 - lib/aws/session/credentials/version.rb
@@ -199,9 +201,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>'
+  - - ! '>='
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.5