aws_assume_role 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 199475f5c68d701119ec803d1af1e677583341c1
-  data.tar.gz: 925d022c466217e38ae89c9345607963156de362
+  metadata.gz: 55cb1bdbca27ae7dfaf53948e1ad746a66afcc25
+  data.tar.gz: 43b7ce33d786b7ebfabbedb921b2c9b3a5f28cf1
 SHA512:
-  metadata.gz: 6d898f41a279403a627b7b16b80747c76402e643af7fcd22311898e116afa96747b22345938430d4621d1d1663f3eda67e237027b354f60806d497258f0b1ebc
-  data.tar.gz: ca9f4c76a16552e30bbd94f66997675b99c60e1cea48fb0faca796bbf2e57973b1e533f5f07a5dd3865269a8ffa77200f25819555bd64fe3c7b5f42b19bdb1e4
+  metadata.gz: ee94a33205511ab48a1c1f0e458ef98a20267b496cc556fd5cc35d87dbb4311d0d305374839348966e5b981ca29dee5ab0848ffa344215f5e20abc4ae864c815
+  data.tar.gz: 636303eb8f232061473a6d3de6a5809cc8eea20f3579c2f0eef8cd2e4964e08c569cce83c7b2fe05014c0980e76926038c67a998d7a10fc0201c5194b8ccd194

data/README.md

@@ -1,8 +1,35 @@
 # aws-assume-role
 
 This will get role credentials for you, managing 2FA devices, and set those
-credentials in environments. It stores the fetched credentials in Gnome Keyring
-or OSX Keychain so they are not readable from disk.
+credentials in environment variables then execute a provided command. It stores
+the fetched credentials in Gnome Keyring or OSX Keychain so they are not
+readable from disk.
+
+### Why?
+
+This keeps your credentials safe in the keystore, and they are set as
+environment variables for the duration and context of the executing command.
+This helps prevent credential leaking and theft, and means they aren't stored on
+disk as unencrypted files.
+
+It allows easy credential management and roll assumption with a 2FA/MFA device.
+
+For security and account management purposes we don't want to be managing users
+in multiple accounts, just centrally then allowing them to assume roles in
+other accounts.
+
+###
+
+Assumptions:
+
+- You have a parent/master account which you authenticate against with a 2FA
+  device.
+- You then assume a role in another account.
+
+This is easy to achieve in a web console, but you probably want to use tools
+like Terraform of AWS Cli. This makes using those tools easy, without having to
+constantly fetch and manage credentials for assumed roles, or provide
+users/access keys for each account.
 
 ## Install
 
@@ -83,6 +110,31 @@ xx:
 
 ## How to use?
 
+You need a key and secret for each `basic` role (a `parent`). You can set this
+in the environment variable or in the `~/.aws/credentials` file.
+
+It is recommended that you set this in the environment variable, the first time
+aws-assume-role runs it will place these values in the keystore so they are
+safe.
+
+### Add the basic/profile credentials to keystore
+
+You can add the credentials that the system will use to assume roles to the
+keystore. This is the recommended way of using `aws-assume-role`.
+
+To add(or update) credentials use:
+
+```shell
+$ aws-assume-role --profile scalefactory --add
+Enter your AWS_ACCESS_KEY_ID: 
+1234567890010
+Enter your AWS_SECRET_ACCESS_KEY: 
+abcdefghijklmnopqrstuvwzyx1
+Enter a AWS Region:
+eu-west-1
+
+```
+
 ### In Environment variable
 
 ```
@@ -141,3 +193,13 @@ aws-assume-role --profile yy_mgmt -- aws ec2 describe-instances --query "Reserva
 10.254.0.10
 10.254.4.5
 ```
+
+
+## Deleting keystore values
+
+Maybe you have a new keypair?
+
+```
+aws-assume-role --profile yy_mgmt --delete
+aws-assume-role --profile scalefactory --delete
+```

data/aws_assume_role.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
     spec.name          = 'aws_assume_role'
-    spec.version       = '0.0.2'
+    spec.version       = '0.0.3'
     spec.authors       = ['Jon Topper', 'Jack Thomas']
     spec.email         = ['jon@scalefactory.com', 'jack@scalefactory.com']
 

data/bin/aws-assume-role

@@ -15,13 +15,25 @@ optparse = OptionParser.new do |opts|
     end
     
     options[:profile] = false
-    opts.on('--profile name', 'Load the credentials for a profile into AWS ' \
-            'environment variables. If this is not specified the ') do |c|
+    opts.on('-p', '--profile name', 'Load the credentials for a profile into AWS ' \
+            'environment variables.') do |c|
         options[:profile] = c
     end
 
+    options[:add] = false
+    opts.on('-a', '--add', 'Add basic/parent account credentials to keystore' \
+            'environment variables. Must provide a profile name') do |c|
+        options[:add] = c
+    end
+
+    options[:delete] = false
+    opts.on('-d', '--delete', 'Delete credentials from keystore. Must ' \
+                  'provide a profile name.') do
+        options[:delete] = true
+    end
+
     options[:debug] = false
-    opts.on('-d', '--debug', 'Enable debugging') do
+    opts.on('--debug', 'Enable debugging') do
         options[:debug] = true
     end
 
@@ -45,14 +57,20 @@ begin
     AWSAssumeRole::Profile.load_profiles
     AWSAssumeRole::Profile.load_config_file(options[:config])
 rescue Errno::ENOENT
-    puts "No config file at options[:config]. Please create one!"
-    exit 1
+    STDERR.puts "No config file at options[:config]. Please create one!"
+    exit -1 # rubocop:disable Lint/AmbiguousOperator
 end
 
-
 if options[:profile] != false
     profile = AWSAssumeRole::Profile.get_by_name(options[:profile] )
-    profile.use
+
+    if options[:delete]
+        profile.remove
+    elsif options[:add]
+        profile.add
+    else
+        profile.use
+    end
 
     if options[:verbose]
         system('env | grep "AWS" | sort')

data/lib/aws_assume_role/credentials.rb

@@ -29,7 +29,7 @@ module AWSAssumeRole
                 return nil
             end
 
-            hash[:expiration] = Time.parse(hash[:expiration])
+            hash[:expiration] = Time.parse(hash[:expiration]) unless hash[:expiration].nil? 
 
             logger.debug("Loaded #{hash}")
             AWSAssumeRole::Credentials.new(hash)
@@ -65,6 +65,10 @@ module AWSAssumeRole
             @credentials[:expiration]
         end
 
+        def region
+            @credentials[:region]
+        end
+
         def store_in_keyring(key)
             keyring = Keyring.new
             logger.debug("Keyring: store '#{key}' with #{@credentials.to_json}")

data/lib/aws_assume_role/profile/assume_role.rb

@@ -110,6 +110,16 @@ module AWSAssumeRole
                 set_env if @options['set_environment']
             end
 
+            def remove
+                Credentials.new({}).delete_from_keyring(keyring_key)
+            end
+
+            def add
+                STDERR.puts "You can't add credentials to an assume_role "\
+                    'just basic/parent accounts.'
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+            end
+
         end
 
     end

data/lib/aws_assume_role/profile/basic.rb

@@ -26,30 +26,11 @@ module AWSAssumeRole
             end
 
             def sts_client
+                logger.debug("Calling STS client")
 
                 return @sts_client unless @sts_client.nil?
 
-                if @options.key?('access_key_id') &&
-                   @options.key?('secret_access_key')
-
-                    if @options.key?('region')
-
-                        @sts_client = Aws::STS::Client.new(
-                            access_key_id:     @options['access_key_id'],
-                            secret_access_key: @options['secret_access_key'],
-                            region:            @options['region'],
-                        )
-
-                    else
-
-                        @sts_client = Aws::STS::Client.new(
-                            access_key_id:     @options['access_key_id'],
-                            secret_access_key: @options['secret_access_key'],
-                        )
-
-                    end
-                
-                elsif @options.key?('profile')
+                if @options.key?('profile')
 
                     logger.info("Loading profile #{@options['profile']} from ~/.aws/credentials")
                     # Attempt to load with profile name suplied
@@ -57,6 +38,18 @@ module AWSAssumeRole
                         profile: @options['profile'],
                     )
 
+                elsif access_key_id && secret_access_key
+
+                    logger.debug("Access Key: #{access_key_id}")
+                    logger.debug("Secret Key: #{secret_access_key}")
+                    logger.debug("Region: #{region}")
+
+                    @sts_client = Aws::STS::Client.new(
+                        access_key_id:     access_key_id,
+                        secret_access_key: secret_access_key,
+                        region:            region,
+                    )
+
                 else
 
                     @sts_client = Aws::STS::Client.new
@@ -73,18 +66,85 @@ module AWSAssumeRole
 
             end
 
+            def basic_credentials
+                logger.debug("Loading basic credentials")
+                # Check for profile creds in keyring first
+                @basic_credentials = Credentials.load_from_keyring("#{keyring_key}|basic")
+
+                return @basic_credentials unless @basic_credentials.nil?
+
+                creds = {
+                    :access_key_id     => ENV['AWS_ACCESS_KEY_ID'],
+                    :secret_access_key => ENV['AWS_SECRET_ACCESS_KEY'],
+                }
+
+                if creds[:access_key_id].nil? or creds[:secret_access_key].nil?
+                    STDERR.puts 'No AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY ' \
+                                'found in the environment.'
+                    exit -1 # rubocop:disable Lint/AmbiguousOperator
+                end
+
+                unless @options['region'].nil?
+                    creds[:region] = @options['region']
+                else
+                    creds[:region] = ENV['AWS_DEFAULT_REGION']
+                end
+
+                @basic_credentials = AWSAssumeRole::Credentials.new(creds)
+
+                @basic_credentials
+            end
+
             def access_key_id
-                @options['access_key_id']
+                @options['access_key_id'] || basic_credentials.access_key_id
             end
 
             def secret_access_key
-                @options['secret_access_key']
+                @options['secret_access_key'] || basic_credentials.secret_access_key
             end
 
             def region
-                @options['region']
+                @options['region'] || basic_credentials.region
+            end
+
+            def remove
+                Credentials.new({}).delete_from_keyring(keyring_key)
+                Credentials.new({}).delete_from_keyring("#{keyring_key}|basic")
             end
 
+            def add
+                if @options['profile']
+                    puts "WARNING: Storing credentials but a profile is specified and used for #{@name}"
+                end
+                if @options['access_key_id'] or @options['secret_access_key']
+                    puts "WARNING: Storing credentials but they are specified in config for #{@name}"
+                end
+
+                @basic_credentials = Credentials.load_from_keyring("#{keyring_key}|basic")
+                new_creds = get_credentials
+                @basic_credentials.delete_from_keyring(keyring_key) unless @basic_credentials.nil?
+                @basic_credentials = AWSAssumeRole::Credentials.new(new_creds)
+                @basic_credentials.store_in_keyring("#{keyring_key}|basic")
+            end
+
+            def get_credentials
+                puts "Enter your AWS_ACCESS_KEY_ID: "
+                id = STDIN.gets
+                id.chomp!
+                puts "Enter your AWS_SECRET_ACCESS_KEY: "
+                secret = STDIN.gets
+                secret.chomp!
+                puts "Enter a AWS Region:"
+                region = STDIN.gets
+                region.chomp!
+
+                creds = {
+                    :access_key_id     => id,
+                    :secret_access_key => secret,
+                    :region            => region,
+                }
+                creds
+            end
         end
 
     end

data/lib/aws_assume_role/profile.rb

@@ -119,6 +119,14 @@ module AWSAssumeRole
             raise NotImplementedError
         end
 
+        def add
+            raise NotImplementedError
+        end
+
+        def remove
+            raise NotImplementedError
+        end
+
         def token_code
             puts "Enter your MFA's time-based one time password: "
             token_code = STDIN.gets
@@ -158,17 +166,29 @@ module AWSAssumeRole
 
             end
 
-            identity  = sts_client.get_caller_identity
+            begin
+                identity  = sts_client.get_caller_identity
+            rescue Aws::Errors::MissingCredentialsError
+                STDERR.puts "No credentials found. Set one in the credentials file "\
+                     "or environment."
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+            end
             user_name = identity.arn.split('/')[1]
             mfa_arn   = "arn:aws:iam::#{identity.account}:mfa/#{user_name}"
 
             mfa_token_code = token_code
 
-            session = sts_client.get_session_token(
-                duration_seconds: duration,
-                serial_number:    mfa_arn,
-                token_code:       mfa_token_code,
-            )
+            begin
+                session = sts_client.get_session_token(
+                    duration_seconds: duration,
+                    serial_number:    mfa_arn,
+                    token_code:       mfa_token_code,
+                )
+            rescue Aws::STS::Errors::AccessDenied
+                STDERR.puts 'MultiFactorAuthentication failed with invalid MFA ' \
+                            'one time pass code.'
+                exit -1 # rubocop:disable Lint/AmbiguousOperator
+            end
 
             @session = Credentials.create_from_sdk(session.credentials)
             logger.info("Storing session in keyring '#{keyring_key}'")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_assume_role
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Jon Topper
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-09 00:00:00.000000000 Z
+date: 2016-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk