aws_assume_role 1.0.4 → 1.0.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +34 -14
- data/lib/aws_assume_role/runner.rb +1 -1
- data/lib/aws_assume_role/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6eeca5db569d6bae9338ddd0b61d633ad984386c1c08d9742fe95ace3b69f819
|
|
4
|
+
data.tar.gz: d0d5ceed4de70104a8a93174724b27c9de0996f563e7cfd6115bdbd0f3641238
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 68f56960cb5620daafd0d7db8b034c92ad0c1934c75ab824601a1a8ae0e82d76f2b3766cf5be23f533599e5586256096f0b1e45ad950ceb544ed09baf9cf90a8
|
|
7
|
+
data.tar.gz: c3ae138676f4b0e89d49ddba559f1a34e1c45a8b1d49a48ad6ea631bdcb2a6eb6e06a684f3abe2e67bc52b1a93b36e6e961065dce4ebba5dbb9aec21826322bb
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -9,7 +9,7 @@ aws-assume-role is a utility intended for developer and operator environments
|
|
|
9
9
|
who need to use 2FA and role assumption to access AWS services.
|
|
10
10
|
|
|
11
11
|
aws-assume-role can store both AWS access keys and ephemeral session tokens in
|
|
12
|
-
OS credential vaults - Keychain on OSX and
|
|
12
|
+
OS credential vaults - Keychain on OSX and Keyring on Gnome.
|
|
13
13
|
|
|
14
14
|
Why?
|
|
15
15
|
---
|
|
@@ -45,7 +45,7 @@ require introspection bindings as well as Gnone Keyring, by installing one of th
|
|
|
45
45
|
|
|
46
46
|
``` sh
|
|
47
47
|
# Debian/Ubuntu
|
|
48
|
-
apt-get install gnome-keyring libgirepository1.0-dev
|
|
48
|
+
apt-get install gnome-keyring libgirepository1.0-dev libgnome-keyring-common libgnome-keyring-dev
|
|
49
49
|
|
|
50
50
|
# Fedora
|
|
51
51
|
dnf install gobject-introspection-devel
|
|
@@ -65,14 +65,14 @@ aws-assume-role works best if you also store permanent credentials in your keyst
|
|
|
65
65
|
``` sh
|
|
66
66
|
> aws-assume-role configure
|
|
67
67
|
Enter the profile name to save into configuration
|
|
68
|
-
|
|
68
|
+
company_sso
|
|
69
69
|
Enter the AWS region you would like to default to:
|
|
70
70
|
eu-west-1
|
|
71
71
|
Enter the AWS Access Key ID to use for this profile:
|
|
72
72
|
1234567890010
|
|
73
73
|
Enter the AWS Secret Access Key to use for this profile:
|
|
74
74
|
abcdefghijklmnopqrstuvwzyx1
|
|
75
|
-
Profile `
|
|
75
|
+
Profile `company_sso` saved to '/home/growthsmith/.aws/config'
|
|
76
76
|
```
|
|
77
77
|
|
|
78
78
|
### Configuring roles
|
|
@@ -80,7 +80,7 @@ Now that you've set up permanent credentials in your OS credential store, you ca
|
|
|
80
80
|
set up a role that you will assume in every day use:
|
|
81
81
|
|
|
82
82
|
``` sh
|
|
83
|
-
> aws-assume-role configure role -p company-dev --source-profile
|
|
83
|
+
> aws-assume-role configure role -p company-dev --source-profile company_sso \
|
|
84
84
|
--role-arn=arn:aws:iam::000000000001:role/ViewEC2 --role-session-name=growthsmith \
|
|
85
85
|
--mfa-serial automatic
|
|
86
86
|
```
|
|
@@ -101,9 +101,9 @@ token without prompting for user input. To use this specify
|
|
|
101
101
|
`--yubikey-oath-name` when calling configure role.
|
|
102
102
|
|
|
103
103
|
``` sh
|
|
104
|
-
> aws-assume-role configure role -p company-dev --source-profile
|
|
104
|
+
> aws-assume-role configure role -p company-dev --source-profile company_sso \
|
|
105
105
|
--role-arn=arn:aws:iam::000000000001:role/ViewEC2 --role-session-name=growthsmith \
|
|
106
|
-
--mfa-serial automatic --yubikey-oath-name "Amazon Web Services:myuser@
|
|
106
|
+
--mfa-serial automatic --yubikey-oath-name "Amazon Web Services:myuser@company_sso"
|
|
107
107
|
```
|
|
108
108
|
|
|
109
109
|
_Yubikey Support_: `aws-assume-role` uses the [smartcard gem](https://rubygems.org/gems/smartcard)
|
|
@@ -111,6 +111,17 @@ to connect to the Yubikey, this itself depends upon some C libraries being insta
|
|
|
111
111
|
[platform specific instructions](https://github.com/costan/smartcard/blob/master/BUILD#L19)
|
|
112
112
|
for installing these libraries PC/SC.
|
|
113
113
|
|
|
114
|
+
Testing a profile
|
|
115
|
+
-----------------
|
|
116
|
+
You can test a profile using
|
|
117
|
+
```sh
|
|
118
|
+
> aws-assume-role test -p company_sso
|
|
119
|
+
Logged in as:
|
|
120
|
+
User: 9999999999
|
|
121
|
+
Account: arn:aws:iam::3333333333:user/username
|
|
122
|
+
ARN: AIDAIOSWINGTB
|
|
123
|
+
|
|
124
|
+
```
|
|
114
125
|
|
|
115
126
|
Running applications
|
|
116
127
|
--------------------
|
|
@@ -132,15 +143,24 @@ Please provide an MFA token
|
|
|
132
143
|
000000
|
|
133
144
|
```
|
|
134
145
|
|
|
146
|
+
Listing available profiles
|
|
147
|
+
--------------------------
|
|
148
|
+
Configured profiles can be listed:
|
|
149
|
+
```sh
|
|
150
|
+
> aws-assume-role list
|
|
151
|
+
company_sso
|
|
152
|
+
company2_sso
|
|
153
|
+
company3_sso
|
|
154
|
+
```
|
|
135
155
|
|
|
136
156
|
Deleting a profile
|
|
137
157
|
------------------
|
|
138
158
|
If a set of credentials key needs revoking, or the profile isn't relevant anymore:
|
|
139
159
|
``` sh
|
|
140
|
-
> aws-assume-role delete -p
|
|
141
|
-
Please type the name of the profile, i.e.
|
|
142
|
-
|
|
143
|
-
Profile
|
|
160
|
+
> aws-assume-role delete -p company_sso
|
|
161
|
+
Please type the name of the profile, i.e. company_sso , to continue deletion.
|
|
162
|
+
company_sso
|
|
163
|
+
Profile company_sso deleted
|
|
144
164
|
```
|
|
145
165
|
|
|
146
166
|
Migrating AWS CLI profiles
|
|
@@ -149,8 +169,8 @@ It's better to revoke the existing keys and generate new ones. We try to overwri
|
|
|
149
169
|
file with random data, but this does not take care of ~/.aws/credentials and does not account for SSD wear
|
|
150
170
|
levelling or copy-on-write snapshots.
|
|
151
171
|
```
|
|
152
|
-
aws-assume-role migrate -p
|
|
153
|
-
Profile '
|
|
172
|
+
aws-assume-role migrate -p company_sso
|
|
173
|
+
Profile 'company_sso' migrated to keyring.
|
|
154
174
|
```
|
|
155
175
|
|
|
156
176
|
Exporting environment variables
|
|
@@ -184,7 +204,7 @@ Given that `aws-assume-role` has knowledge of your role ARNs via AWS CLI profile
|
|
|
184
204
|
get to the AWS console for that role/account using
|
|
185
205
|
|
|
186
206
|
``` sh
|
|
187
|
-
> aws-assume-role console -p
|
|
207
|
+
> aws-assume-role console -p company_sso
|
|
188
208
|
```
|
|
189
209
|
|
|
190
210
|
`aws-assume-role` will first attempt to log in and get a federated UI link, and
|
|
@@ -14,7 +14,7 @@ class AwsAssumeRole::Runner < Dry::Struct
|
|
|
14
14
|
|
|
15
15
|
def initialize(options)
|
|
16
16
|
super(options)
|
|
17
|
-
command_to_exec = command.join(" ")
|
|
17
|
+
command_to_exec = command.map(&:shellescape).join(" ")
|
|
18
18
|
process_credentials unless credentials.blank?
|
|
19
19
|
system environment, command_to_exec
|
|
20
20
|
exit_status = $CHILD_STATUS.exitstatus
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_assume_role
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.5
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jon Topper
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2017-
|
|
17
|
+
date: 2017-12-21 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: activesupport
|
|
@@ -431,7 +431,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
431
431
|
version: '0'
|
|
432
432
|
requirements: []
|
|
433
433
|
rubyforge_project:
|
|
434
|
-
rubygems_version: 2.7.
|
|
434
|
+
rubygems_version: 2.7.3
|
|
435
435
|
signing_key:
|
|
436
436
|
specification_version: 4
|
|
437
437
|
summary: Manage AWS STS credentials with MFA
|