aws_assume_role 1.0.4 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +34 -14
- data/lib/aws_assume_role/runner.rb +1 -1
- data/lib/aws_assume_role/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6eeca5db569d6bae9338ddd0b61d633ad984386c1c08d9742fe95ace3b69f819
|
|
4
|
+
data.tar.gz: d0d5ceed4de70104a8a93174724b27c9de0996f563e7cfd6115bdbd0f3641238
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 68f56960cb5620daafd0d7db8b034c92ad0c1934c75ab824601a1a8ae0e82d76f2b3766cf5be23f533599e5586256096f0b1e45ad950ceb544ed09baf9cf90a8
|
|
7
|
+
data.tar.gz: c3ae138676f4b0e89d49ddba559f1a34e1c45a8b1d49a48ad6ea631bdcb2a6eb6e06a684f3abe2e67bc52b1a93b36e6e961065dce4ebba5dbb9aec21826322bb
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -9,7 +9,7 @@ aws-assume-role is a utility intended for developer and operator environments
|
|
|
9
9
|
who need to use 2FA and role assumption to access AWS services.
|
|
10
10
|
|
|
11
11
|
aws-assume-role can store both AWS access keys and ephemeral session tokens in
|
|
12
|
-
OS credential vaults - Keychain on OSX and
|
|
12
|
+
OS credential vaults - Keychain on OSX and Keyring on Gnome.
|
|
13
13
|
|
|
14
14
|
Why?
|
|
15
15
|
---
|
|
@@ -45,7 +45,7 @@ require introspection bindings as well as Gnone Keyring, by installing one of th
|
|
|
45
45
|
|
|
46
46
|
``` sh
|
|
47
47
|
# Debian/Ubuntu
|
|
48
|
-
apt-get install gnome-keyring libgirepository1.0-dev
|
|
48
|
+
apt-get install gnome-keyring libgirepository1.0-dev libgnome-keyring-common libgnome-keyring-dev
|
|
49
49
|
|
|
50
50
|
# Fedora
|
|
51
51
|
dnf install gobject-introspection-devel
|
|
@@ -65,14 +65,14 @@ aws-assume-role works best if you also store permanent credentials in your keyst
|
|
|
65
65
|
``` sh
|
|
66
66
|
> aws-assume-role configure
|
|
67
67
|
Enter the profile name to save into configuration
|
|
68
|
-
|
|
68
|
+
company_sso
|
|
69
69
|
Enter the AWS region you would like to default to:
|
|
70
70
|
eu-west-1
|
|
71
71
|
Enter the AWS Access Key ID to use for this profile:
|
|
72
72
|
1234567890010
|
|
73
73
|
Enter the AWS Secret Access Key to use for this profile:
|
|
74
74
|
abcdefghijklmnopqrstuvwzyx1
|
|
75
|
-
Profile `
|
|
75
|
+
Profile `company_sso` saved to '/home/growthsmith/.aws/config'
|
|
76
76
|
```
|
|
77
77
|
|
|
78
78
|
### Configuring roles
|
|
@@ -80,7 +80,7 @@ Now that you've set up permanent credentials in your OS credential store, you ca
|
|
|
80
80
|
set up a role that you will assume in every day use:
|
|
81
81
|
|
|
82
82
|
``` sh
|
|
83
|
-
> aws-assume-role configure role -p company-dev --source-profile
|
|
83
|
+
> aws-assume-role configure role -p company-dev --source-profile company_sso \
|
|
84
84
|
--role-arn=arn:aws:iam::000000000001:role/ViewEC2 --role-session-name=growthsmith \
|
|
85
85
|
--mfa-serial automatic
|
|
86
86
|
```
|
|
@@ -101,9 +101,9 @@ token without prompting for user input. To use this specify
|
|
|
101
101
|
`--yubikey-oath-name` when calling configure role.
|
|
102
102
|
|
|
103
103
|
``` sh
|
|
104
|
-
> aws-assume-role configure role -p company-dev --source-profile
|
|
104
|
+
> aws-assume-role configure role -p company-dev --source-profile company_sso \
|
|
105
105
|
--role-arn=arn:aws:iam::000000000001:role/ViewEC2 --role-session-name=growthsmith \
|
|
106
|
-
--mfa-serial automatic --yubikey-oath-name "Amazon Web Services:myuser@
|
|
106
|
+
--mfa-serial automatic --yubikey-oath-name "Amazon Web Services:myuser@company_sso"
|
|
107
107
|
```
|
|
108
108
|
|
|
109
109
|
_Yubikey Support_: `aws-assume-role` uses the [smartcard gem](https://rubygems.org/gems/smartcard)
|
|
@@ -111,6 +111,17 @@ to connect to the Yubikey, this itself depends upon some C libraries being insta
|
|
|
111
111
|
[platform specific instructions](https://github.com/costan/smartcard/blob/master/BUILD#L19)
|
|
112
112
|
for installing these libraries PC/SC.
|
|
113
113
|
|
|
114
|
+
Testing a profile
|
|
115
|
+
-----------------
|
|
116
|
+
You can test a profile using
|
|
117
|
+
```sh
|
|
118
|
+
> aws-assume-role test -p company_sso
|
|
119
|
+
Logged in as:
|
|
120
|
+
User: 9999999999
|
|
121
|
+
Account: arn:aws:iam::3333333333:user/username
|
|
122
|
+
ARN: AIDAIOSWINGTB
|
|
123
|
+
|
|
124
|
+
```
|
|
114
125
|
|
|
115
126
|
Running applications
|
|
116
127
|
--------------------
|
|
@@ -132,15 +143,24 @@ Please provide an MFA token
|
|
|
132
143
|
000000
|
|
133
144
|
```
|
|
134
145
|
|
|
146
|
+
Listing available profiles
|
|
147
|
+
--------------------------
|
|
148
|
+
Configured profiles can be listed:
|
|
149
|
+
```sh
|
|
150
|
+
> aws-assume-role list
|
|
151
|
+
company_sso
|
|
152
|
+
company2_sso
|
|
153
|
+
company3_sso
|
|
154
|
+
```
|
|
135
155
|
|
|
136
156
|
Deleting a profile
|
|
137
157
|
------------------
|
|
138
158
|
If a set of credentials key needs revoking, or the profile isn't relevant anymore:
|
|
139
159
|
``` sh
|
|
140
|
-
> aws-assume-role delete -p
|
|
141
|
-
Please type the name of the profile, i.e.
|
|
142
|
-
|
|
143
|
-
Profile
|
|
160
|
+
> aws-assume-role delete -p company_sso
|
|
161
|
+
Please type the name of the profile, i.e. company_sso , to continue deletion.
|
|
162
|
+
company_sso
|
|
163
|
+
Profile company_sso deleted
|
|
144
164
|
```
|
|
145
165
|
|
|
146
166
|
Migrating AWS CLI profiles
|
|
@@ -149,8 +169,8 @@ It's better to revoke the existing keys and generate new ones. We try to overwri
|
|
|
149
169
|
file with random data, but this does not take care of ~/.aws/credentials and does not account for SSD wear
|
|
150
170
|
levelling or copy-on-write snapshots.
|
|
151
171
|
```
|
|
152
|
-
aws-assume-role migrate -p
|
|
153
|
-
Profile '
|
|
172
|
+
aws-assume-role migrate -p company_sso
|
|
173
|
+
Profile 'company_sso' migrated to keyring.
|
|
154
174
|
```
|
|
155
175
|
|
|
156
176
|
Exporting environment variables
|
|
@@ -184,7 +204,7 @@ Given that `aws-assume-role` has knowledge of your role ARNs via AWS CLI profile
|
|
|
184
204
|
get to the AWS console for that role/account using
|
|
185
205
|
|
|
186
206
|
``` sh
|
|
187
|
-
> aws-assume-role console -p
|
|
207
|
+
> aws-assume-role console -p company_sso
|
|
188
208
|
```
|
|
189
209
|
|
|
190
210
|
`aws-assume-role` will first attempt to log in and get a federated UI link, and
|
|
@@ -14,7 +14,7 @@ class AwsAssumeRole::Runner < Dry::Struct
|
|
|
14
14
|
|
|
15
15
|
def initialize(options)
|
|
16
16
|
super(options)
|
|
17
|
-
command_to_exec = command.join(" ")
|
|
17
|
+
command_to_exec = command.map(&:shellescape).join(" ")
|
|
18
18
|
process_credentials unless credentials.blank?
|
|
19
19
|
system environment, command_to_exec
|
|
20
20
|
exit_status = $CHILD_STATUS.exitstatus
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_assume_role
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jon Topper
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2017-
|
|
17
|
+
date: 2017-12-21 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: activesupport
|
|
@@ -431,7 +431,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
431
431
|
version: '0'
|
|
432
432
|
requirements: []
|
|
433
433
|
rubyforge_project:
|
|
434
|
-
rubygems_version: 2.7.
|
|
434
|
+
rubygems_version: 2.7.3
|
|
435
435
|
signing_key:
|
|
436
436
|
specification_version: 4
|
|
437
437
|
summary: Manage AWS STS credentials with MFA
|