aws_assume_role 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 199475f5c68d701119ec803d1af1e677583341c1
+  data.tar.gz: 925d022c466217e38ae89c9345607963156de362
+SHA512:
+  metadata.gz: 6d898f41a279403a627b7b16b80747c76402e643af7fcd22311898e116afa96747b22345938430d4621d1d1663f3eda67e237027b354f60806d497258f0b1ebc
+  data.tar.gz: ca9f4c76a16552e30bbd94f66997675b99c60e1cea48fb0faca796bbf2e57973b1e533f5f07a5dd3865269a8ffa77200f25819555bd64fe3c7b5f42b19bdb1e4

data/.gitignore

@@ -0,0 +1,6 @@
+.bundle/
+*.swp
+vendor/
+pkg/
+Gemfile.lock
+spec/reports/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,37 @@
+---
+AllCops:
+    DisplayCopNames: true
+
+Metrics/MethodLength:
+    Enabled: false
+
+Style/IndentationWidth:
+    Width: 4
+
+Style/TrailingCommaInArguments:
+    EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInLiteral:
+    EnforcedStyleForMultiline: comma
+
+Style/EmptyLinesAroundModuleBody:
+    EnforcedStyle: empty_lines
+
+Style/EmptyLinesAroundClassBody:
+    EnforcedStyle: empty_lines
+
+Style/EmptyLinesAroundMethodBody:
+    Enabled: false
+
+Style/EmptyLinesAroundBlockBody:
+    Enabled: false
+
+Metrics/ClassLength:
+    Enabled: false
+
+Metrics/AbcSize:
+    Enabled: false
+
+Metrics/PerceivedComplexity:
+    Enabled: false
+

data/Gemfile

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+source 'https://rubygems.org'
+
+gemspec
+
+case Gem::Platform.local.os
+when 'linux'
+    gem 'gir_ffi-gnome_keyring', '~> 0.0.3'
+when 'darwin'
+    gem 'ruby-keychain', '~> 0.3.2'
+end
+
+# Development dependencies - didn't seem to get installed when
+# referenced in the gemspec, find out why.
+gem 'bundler'
+gem 'rake'
+gem 'rspec'
+gem 'rubocop', require: false

data/LICENSE.md

@@ -0,0 +1,19 @@
+The MIT License (MIT)
+Copyright (c) 2016 The Scale Factory Limited
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,143 @@
+# aws-assume-role
+
+This will get role credentials for you, managing 2FA devices, and set those
+credentials in environments. It stores the fetched credentials in Gnome Keyring
+or OSX Keychain so they are not readable from disk.
+
+## Install
+
+`gem install aws_assume_role`
+
+### Platform notes
+
+Gnome Keyring uses the [GirFFI](https://github.com/mvz/gir_ffi) bindings, which
+requires the introspection bindings to be installed (as well as gnome-keyring).
+`apt-get install gnome-keyring libgirepository1.0-dev` for Debian/Ubuntu.
+
+## Config file
+
+Create a config file, the default is `~/.aws/assume.yaml`
+
+```yaml
+---
+default:
+    set_environment: false
+    # credentials come from .aws/credentials default profile or environment
+
+scalefactory:
+    # if this profile is passed don't set the environment credentials
+    set_environment: false
+    # load credentials from sf_sso profile in .aws/credentials
+    profile: sf_sso
+
+
+# These use the scalefactory profile above
+xx_mgmt:
+    parent: scalefactory
+    set_environment: true
+    type: assume_role
+    region: eu-west-1
+    role_arn: arn:aws:iam::123456789012:role/RoleNameHere
+
+xx_test:
+    parent: scalefactory
+    set_environment: true
+    type: assume_role
+    role_arn: arn:aws:iam::123456789012:role/RoleNameHere
+
+xx:
+    type: list
+    set_environment: true
+    list:
+     - name:       xx_test
+       env_prefix: TEST_
+     - name:       xx_mgmt
+       env_prefix: MGMT_
+
+
+# These use the default above
+yy_mgmt:
+   set_environment: true
+   type: assume_role
+   role_arn: arn:aws:iam::123456789012:role/RoleNameHere
+
+yy_test:
+   set_environment: true
+   type: assume_role
+   role_arn: arn:aws:iam::123456789012:role/RoleNameHere
+
+xx:
+   type: list
+   set_environment: true
+   list:
+    - name:       xx_test
+      env_prefix: TEST_
+    - name:       xx_mgmt
+      env_prefix: MGMT_
+
+
+```
+
+
+
+
+## How to use?
+
+### In Environment variable
+
+```
+export AWS_ACCESS_KEY_ID=1234567890010
+export AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwzyx1
+export AWS_DEFAULT_REGION=eu-west-1
+```
+
+Then run the `aws-assume-role` command.
+
+### in credentials file
+
+I have the following entry in `~/.aws/credentials`:
+
+```
+[sf_sso]
+aws_access_key_id = 1234567890010
+aws_secret_access_key = abcdefghijklmnopqrstuvwzyx1
+region = eu-west-1
+```
+
+### Environment Variables Set
+
+If `region` is defined for an `assume_role` type the environment variable
+`AWS_DEFAULT_REGION` will be set with that value, otherwise it will be left
+blank.
+
+`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` will all
+be set.
+
+If a type of `list` is called the environment variables will all be set with the
+provided prefix, e.g.
+
+```
+MGMT_AWS_ACCESS_KEY_ID=122343534535435435
+MGMT_AWS_DEFAULT_REGION=eu-west-1
+MGMT_AWS_SECRET_ACCESS_KEY=+4324234234235454353535353535
+MGMT_AWS_SESSION_TOKEN=F353453535345345345345345353534
+TEST_AWS_ACCESS_KEY_ID=53454353453453453534
+TEST_AWS_SECRET_ACCESS_KEY=3534534534534534534534
+TEST_AWS_SESSION_TOKEN=5435345353453
+```
+
+If you use the `-v` or `--verbose` flag it will print out any AWS environment
+variables set at the end of the action.
+
+### Calling another application
+
+You can call another application by passing a bare double dash followed by the
+target command.
+
+```
+aws-assume-role --profile yy_mgmt -- aws ec2 describe-instances --query "Reservations[*].Instances[*].PrivateIpAddress" --output=text 
+10.254.4.20
+10.254.4.15
+10.254.0.10
+10.254.4.5
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler/gem_tasks'
+task default: :spec

data/aws_assume_role.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+    spec.name          = 'aws_assume_role'
+    spec.version       = '0.0.2'
+    spec.authors       = ['Jon Topper', 'Jack Thomas']
+    spec.email         = ['jon@scalefactory.com', 'jack@scalefactory.com']
+
+    spec.description   = 'Used to fetch multiple AWS Role Credential '\
+                         'Keys using different Session Keys '\
+                         'and store them securely using Gnome Keyring '\
+                         'or OSX keychain'
+    spec.summary       = 'Manage AWS STS credentials with MFA'
+    spec.homepage      = 'https://github.com/scalefactory/aws_assume_role'
+    spec.license       = 'MIT'
+
+    spec.files         = `git ls-files -z`.split("\x0").reject { |f|
+        f.match(%r{^(test|spec|features)/})
+    }
+    spec.bindir        = 'bin'
+    spec.executables   = spec.files.grep(%r{^bin/aws}) { |f| File.basename(f) }
+    spec.require_paths = ['lib']
+
+    spec.add_runtime_dependency 'aws-sdk'
+    spec.add_runtime_dependency 'inifile'
+    spec.add_runtime_dependency 'keyring', '~> 0.4.1'
+
+    # spec.add_development_dependency 'bundler', '~> 1.12'
+    # spec.add_development_dependency 'rake', '~> 10.0'
+end

data/bin/aws-assume-role

@@ -0,0 +1,66 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../lib/', __FILE__)
+
+require 'optparse'
+require 'aws_assume_role'
+
+options = {}
+optparse = OptionParser.new do |opts|
+
+    options[:config] = "#{ENV['HOME']}/.aws/assume.yaml"
+    opts.on('-c', '--config file', 'Config file. defaults to' \
+                  '~/.aws/assume.yaml.') do |c|
+        options[:config] = c
+    end
+    
+    options[:profile] = false
+    opts.on('--profile name', 'Load the credentials for a profile into AWS ' \
+            'environment variables. If this is not specified the ') do |c|
+        options[:profile] = c
+    end
+
+    options[:debug] = false
+    opts.on('-d', '--debug', 'Enable debugging') do
+        options[:debug] = true
+    end
+
+    options[:verbose] = false
+    opts.on('-v', '--verbose', 'Get more words') do
+        options[:verbose] = true
+    end
+
+end
+
+optdata = optparse.parse!
+
+if options[:debug]
+    AWSAssumeRole::Profile.logger.level = Logger::DEBUG
+else
+    AWSAssumeRole::Profile.logger.level = Logger::WARN
+end
+
+
+begin
+    AWSAssumeRole::Profile.load_profiles
+    AWSAssumeRole::Profile.load_config_file(options[:config])
+rescue Errno::ENOENT
+    puts "No config file at options[:config]. Please create one!"
+    exit 1
+end
+
+
+if options[:profile] != false
+    profile = AWSAssumeRole::Profile.get_by_name(options[:profile] )
+    profile.use
+
+    if options[:verbose]
+        system('env | grep "AWS" | sort')
+    end
+end
+
+unless optdata.empty?
+    cmd = optdata.join(' ')
+    AWSAssumeRole::Profile.logger.debug "Executing Command '#{cmd}'"
+    system(cmd)
+end

data/bin/test.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../lib/', __FILE__)
+
+require 'aws_assume_role'
+
+test_profiles_yaml = <<EOF
+---
+default:
+    set_environment: false
+    # credentials come from .aws/credentials or environment
+
+mgmt:
+    set_environment: true
+    type: assume_role
+    role_arn: arn:aws:iam::339253004131:role/TerraformUser
+
+test:
+    set_environment: true
+    type: assume_role
+    role_arn: arn:aws:iam::542043528869:role/TerraformUser
+
+tf_test:
+    type: list
+    list:
+     - name:       test
+       env_prefix: TEST_
+     - name:       mgmt
+       env_prefix: MGMT_
+
+EOF
+
+AWSAssumeRole::Profile.logger.level = Logger::DEBUG
+AWSAssumeRole::Profile.parse_config(test_profiles_yaml)
+
+p = AWSAssumeRole::Profile.get_by_name('tf_test')
+p.use
+
+system('env | grep "AWS" | sort')

data/lib/aws_assume_role.rb

@@ -0,0 +1,3 @@
+require 'aws_assume_role/logging'
+require 'aws_assume_role/profile'
+require 'aws_assume_role/credentials'

data/lib/aws_assume_role/credentials.rb

@@ -0,0 +1,88 @@
+# AWSAssumeRole
+module AWSAssumeRole
+
+    require 'keyring'
+    require 'json'
+    require 'time'
+
+    # Represents credentials, used for serialising into keychain
+    class Credentials
+
+        include Logging
+
+        def self.load_from_keyring(key)
+
+            logger.debug("Keyring: load '#{key}'")
+
+            keyring = Keyring.new
+            json_session = keyring.get_password('AWSAssumeRole', key)
+
+            unless json_session
+                logger.info('No JSON session data in keyring')
+                return nil
+            end
+
+            hash = JSON.parse(json_session, symbolize_names: true)
+
+            unless hash
+                logger.info('Couldn\'t parse keyring data as JSON')
+                return nil
+            end
+
+            hash[:expiration] = Time.parse(hash[:expiration])
+
+            logger.debug("Loaded #{hash}")
+            AWSAssumeRole::Credentials.new(hash)
+
+        end
+
+        def self.create_from_sdk(object)
+
+            raise TypeError unless object.is_a?(Aws::STS::Types::Credentials)
+            AWSAssumeRole::Credentials.new(object.to_h)
+
+        end
+
+        @credentials = nil
+
+        def initialize(hash)
+            @credentials = hash
+        end
+
+        def secret_access_key
+            @credentials[:secret_access_key]
+        end
+
+        def access_key_id
+            @credentials[:access_key_id]
+        end
+
+        def session_token
+            @credentials[:session_token]
+        end
+
+        def expiration
+            @credentials[:expiration]
+        end
+
+        def store_in_keyring(key)
+            keyring = Keyring.new
+            logger.debug("Keyring: store '#{key}' with #{@credentials.to_json}")
+            keyring.set_password('AWSAssumeRole', key, @credentials.to_json)
+        end
+
+        def delete_from_keyring(key)
+            keyring = Keyring.new
+            logger.debug("Keyring: delete '#{key}'")
+            keyring.delete_password('AWSAssumeRole', key)
+        end
+
+        def expired?
+            logger.debug("Checking expiry: #{@credentials[:expiration]} "\
+                         '<= Time.now')
+            @credentials[:expiration] <= Time.now
+        end
+
+    end
+
+end

data/lib/aws_assume_role/logging.rb

@@ -0,0 +1,36 @@
+# Mixin to provide global logging object
+module AWSAssumeRole
+
+    module Logging
+
+        require 'logger'
+
+        class << self
+
+            def logger
+                @logger ||= Logger.new($stderr)
+            end
+
+            attr_writer :logger
+
+        end
+
+        def self.included(base)
+
+            class << base
+
+                def logger # rubocop:disable Lint/NestedMethodDefinition
+                    Logging.logger
+                end
+
+            end
+
+        end
+
+        def logger
+            Logging.logger
+        end
+
+    end
+
+end

data/lib/aws_assume_role/profile.rb

@@ -0,0 +1,183 @@
+require 'keyring'
+
+module AWSAssumeRole
+
+    # Base Profile superclass
+    class Profile
+
+        include Logging
+
+        # Class methods for dispatch to individual Profile strategy
+
+        @implementations = {}
+        @named_profiles  = {}
+        @config_file     = '-'
+
+        class << self
+
+            attr_accessor :implementations
+            attr_accessor :named_profiles
+            attr_accessor :config_file
+
+        end
+
+        def self.register_implementation(type, impl)
+            logger.info('Registering implementation ' \
+                        "for type '#{type}': #{impl}")
+            AWSAssumeRole::Profile.implementations[type] = impl
+        end
+
+        def self.load_profiles
+            Dir.glob(
+                File.expand_path('profile/*.rb', File.dirname(__FILE__)),
+            ).each do |profile_class|
+                require profile_class
+            end
+        end
+
+        def self.create(name, options)
+
+            options['type'] = 'basic' unless options.key?('type')
+
+            if implementations.key?(options['type'])
+                logger.info("Creating profile '#{name}' "\
+                            "with type #{options['type']}")
+                i = implementations[options['type']].new(name, options)
+                named_profiles[name] = i
+                return i
+            end
+
+            STDERR.puts 'No implementation for profiles of type '\
+                "'#{options['type']}'"
+            exit -1 # rubocop:disable Lint/AmbiguousOperator
+
+        end
+
+        def self.get_by_name(name)
+            unless named_profiles.key?(name)
+                STDERR.puts "No profile '#{name}' found"
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+            end
+            named_profiles[name]
+        end
+
+        def self.load_config_file(config_path)
+            @config_file = config_path
+            logger.info("Loading configuration from #{config_path}")
+            parse_config(File.open(config_path))
+        end
+
+        def self.parse_config(yaml)
+
+            require 'yaml'
+
+            profiles = YAML.load(yaml)
+            profiles.each do |name, options|
+                options['config_file'] = config_file
+                options['name']        = name
+                AWSAssumeRole::Profile.create(name, options)
+            end
+
+        end
+
+        # Superclass for Profile strategies
+
+        def set_env(prefix = '') # rubocop:disable Style/AccessorMethodName
+
+            logger.info("Setting environment with prefix '#{prefix}'")
+
+            ENV["#{prefix}AWS_ACCESS_KEY_ID"]     = access_key_id
+            ENV["#{prefix}AWS_SECRET_ACCESS_KEY"] = secret_access_key
+            ENV["#{prefix}AWS_DEFAULT_REGION"]    = region
+
+            return unless respond_to?(:session_token)
+
+            logger.info(':session_token available, setting environment')
+            ENV["#{prefix}AWS_SESSION_TOKEN"] = session_token
+
+        end
+
+        def access_key_id
+            raise NotImplementedError
+        end
+
+        def secret_access_key
+            raise NotImplementedError
+        end
+
+        def region
+            raise NotImplementedError
+        end
+
+        def sts_client
+            raise NotImplementedError
+        end
+
+        attr_reader :name
+
+        def use
+            raise NotImplementedError
+        end
+
+        def token_code
+            puts "Enter your MFA's time-based one time password: "
+            token_code = STDIN.gets
+            token_code.chomp!
+        end
+
+        def keyring_key
+            "#{@options['config_file']}|#{@options['name']}"
+        end
+
+        def session(duration = 3600)
+
+            # See if we already have a non-expired session cached in this
+            # object.
+
+            unless @session.nil?
+
+                logger.info('Found session cached in object')
+                return @session unless @session.expired?
+                logger.info('Session expired, deleting keyring key '\
+                            "'#{keyring_key}'")
+                @session.delete_from_keyring(keyring_key)
+
+            end
+
+            # See if there's a non-exipred session cached in the keyring
+
+            @session = AWSAssumeRole::Credentials.load_from_keyring(keyring_key)
+
+            unless @session.nil?
+
+                logger.info("Found session in keyring for '#{keyring_key}'")
+                return @session unless @session.expired?
+                logger.info('Session expired, deleting keyring key '\
+                            "'#{keyring_key}'")
+                @session.delete_from_keyring(keyring_key)
+
+            end
+
+            identity  = sts_client.get_caller_identity
+            user_name = identity.arn.split('/')[1]
+            mfa_arn   = "arn:aws:iam::#{identity.account}:mfa/#{user_name}"
+
+            mfa_token_code = token_code
+
+            session = sts_client.get_session_token(
+                duration_seconds: duration,
+                serial_number:    mfa_arn,
+                token_code:       mfa_token_code,
+            )
+
+            @session = Credentials.create_from_sdk(session.credentials)
+            logger.info("Storing session in keyring '#{keyring_key}'")
+            @session.store_in_keyring(keyring_key)
+
+            @session
+
+        end
+
+    end
+
+end

data/lib/aws_assume_role/profile/assume_role.rb

@@ -0,0 +1,117 @@
+# AWSAssumeRole
+module AWSAssumeRole
+
+    class Profile
+
+        # A Profile implementation for assuming roles using STS
+        class AssumeRole < Profile
+
+            include Logging
+
+            register_implementation('assume_role', self)
+
+            @sts_client = nil
+            @role       = nil
+            @options    = nil
+            @name       = nil
+
+            def default_options
+                {
+                    'parent'   => 'default',
+                    'duration' => 3600,
+                }
+            end
+
+            def initialize(name, options = {})
+
+                require 'aws-sdk'
+
+                @options = default_options.merge(options)
+                @name    = name
+
+            end
+
+            def sts_client
+
+                return @sts_client unless @sts_client.nil?
+
+                parent = AWSAssumeRole::Profile.get_by_name(@options['parent'])
+
+                @sts_client = Aws::STS::Client.new(
+                    access_key_id:     parent.session.access_key_id,
+                    secret_access_key: parent.session.secret_access_key,
+                    session_token:     parent.session.session_token,
+                )
+
+                @sts_client
+
+            rescue Aws::Errors::MissingRegionError
+
+                STDERR.puts 'No region was given. \
+                    Set one in the credentials file or environment'
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+
+            end
+
+            def role_credentials
+
+                # Check for non-expired session cached here
+
+                unless @role_credentials.nil?
+
+                    return @role_credentials unless @role_credentials.expired?
+                    @role_credentials.delete_from_keyring(keyring_key)
+
+                end
+
+                # See if here's a non-exipred session in the keyring
+
+                @role_credentials = Credentials.load_from_keyring(keyring_key)
+
+                unless @role_credentials.nil?
+
+                    return @role_credentials unless @role_credentials.expired?
+                    @role_credentials.delete_from_keyring(keyring_key)
+
+                end
+
+                role = sts_client.assume_role(
+                    role_arn:          @options['role_arn'],
+                    role_session_name: name, # use something else?
+                    duration_seconds:  @options['duration'],
+                )
+
+                @role_credentials =
+                    Credentials.create_from_sdk(role.credentials)
+
+                @role_credentials.store_in_keyring(keyring_key)
+
+                @role_credentials
+
+            end
+
+            def access_key_id
+                role_credentials.access_key_id
+            end
+
+            def secret_access_key
+                role_credentials.secret_access_key
+            end
+
+            def session_token
+                role_credentials.session_token
+            end
+
+            def region
+                @options['region']
+            end
+
+            def use
+                set_env if @options['set_environment']
+            end
+
+        end
+
+    end
+
+end

data/lib/aws_assume_role/profile/basic.rb

@@ -0,0 +1,92 @@
+# AWSAssumeRole
+module AWSAssumeRole
+
+    class Profile
+
+        # Profile implementation which takes credentials from either
+        # passed options, from the environment, or from .aws/credentials
+        # file (per the standard behaviour of Aws::STS::Client)
+        class Basic < Profile
+
+            include Logging
+
+            register_implementation('basic', self)
+
+            @sts_client = nil
+            @options    = nil
+            @name       = nil
+
+            def initialize(name, options = {})
+
+                require 'aws-sdk'
+
+                @options = options
+                @name    = name
+
+            end
+
+            def sts_client
+
+                return @sts_client unless @sts_client.nil?
+
+                if @options.key?('access_key_id') &&
+                   @options.key?('secret_access_key')
+
+                    if @options.key?('region')
+
+                        @sts_client = Aws::STS::Client.new(
+                            access_key_id:     @options['access_key_id'],
+                            secret_access_key: @options['secret_access_key'],
+                            region:            @options['region'],
+                        )
+
+                    else
+
+                        @sts_client = Aws::STS::Client.new(
+                            access_key_id:     @options['access_key_id'],
+                            secret_access_key: @options['secret_access_key'],
+                        )
+
+                    end
+                
+                elsif @options.key?('profile')
+
+                    logger.info("Loading profile #{@options['profile']} from ~/.aws/credentials")
+                    # Attempt to load with profile name suplied
+                    @sts_client = Aws::STS::Client.new(
+                        profile: @options['profile'],
+                    )
+
+                else
+
+                    @sts_client = Aws::STS::Client.new
+
+                end
+
+                @sts_client
+
+            rescue Aws::Errors::MissingRegionError
+
+                STDERR.puts 'No region was given. \
+                    Set one in the credentials file or environment'
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+
+            end
+
+            def access_key_id
+                @options['access_key_id']
+            end
+
+            def secret_access_key
+                @options['secret_access_key']
+            end
+
+            def region
+                @options['region']
+            end
+
+        end
+
+    end
+
+end

data/lib/aws_assume_role/profile/list.rb

@@ -0,0 +1,57 @@
+# AWSAssumeRole
+module AWSAssumeRole
+
+    class Profile
+
+        # A Profile implementation which aggregates other profiles.
+        # Used to setenv for multiple credentials, but with different
+        # prefixed.
+        class List < Profile
+
+            include Logging
+
+            register_implementation('list', self)
+
+            @options = nil
+            @name    = nil
+
+            def initialize(name, options)
+
+                # TODO: validate options
+
+                @options = options
+                @name    = name
+
+            end
+
+            def use
+
+                @options['list'].each do |i|
+
+                    profile = Profile.get_by_name(i['name'])
+
+                    next unless @options['set_environment']
+
+                    if i['env_prefix']
+                        profile.set_env(i['env_prefix'])
+                    end
+
+                    if i['map_names']
+                        i['map_names'].each do |name,env|
+                            call = name.to_sym
+                            if profile.respond_to?(call)
+                                ENV[env] = profile.send(call)
+                            end
+                        end
+                    end
+
+                end
+
+
+            end
+
+        end
+
+    end
+
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: aws_assume_role
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Jon Topper
+- Jack Thomas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: keyring
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.1
+description: Used to fetch multiple AWS Role Credential Keys using different Session
+  Keys and store them securely using Gnome Keyring or OSX keychain
+email:
+- jon@scalefactory.com
+- jack@scalefactory.com
+executables:
+- aws-assume-role
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- aws_assume_role.gemspec
+- bin/aws-assume-role
+- bin/test.rb
+- lib/aws_assume_role.rb
+- lib/aws_assume_role/credentials.rb
+- lib/aws_assume_role/logging.rb
+- lib/aws_assume_role/profile.rb
+- lib/aws_assume_role/profile/assume_role.rb
+- lib/aws_assume_role/profile/basic.rb
+- lib/aws_assume_role/profile/list.rb
+homepage: https://github.com/scalefactory/aws_assume_role
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Manage AWS STS credentials with MFA
+test_files: []