aws_role_creds 0.0.3 → 0.0.4
- checksums.yaml +4 -4
- data/aws_role_creds.gemspec +1 -2
- data/bin/aws_role_creds +43 -0
- data/lib/aws_role_creds.rb +158 -133
- metadata +2 -3
- data/lib/aws_role_creds/version.rb +0 -3
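--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 90f2cfa18dace72e0c3a31bcee06d4c90bf59ed5
+data.tar.gz: 5dd592fa50a7618c896eb5b07b08ceb73f5a647f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 264bce1ca434be3ea91f30b478b84e0b7ce25301f653df59c33974e2f075191b75e1e1c69bd2fa59ad3de37855e5048d45c4b1719f36656fa607f86a755e5fe9
+data.tar.gz: 11f56f0179cf3c9e1be208dddb8aa3a3de58f947ba8feb953a79fa84d0024fd5133e22bfa00dd2df8d0fbb20acd5e05ace78af8fcf988df5bb65dd3eceeaacfc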
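--- a/data/aws_role_creds.gemspec
+++ b/data/aws_role_creds.gemspec
@@ -1,11 +1,10 @@
 # coding: utf-8
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'aws_role_creds/version'
 
 Gem::Specification.new do |spec|
 spec.name = "aws_role_creds"
-spec.version =
+spec.version = "0.0.4"
 spec.authors = ["Jack Thomas"]
 spec.email = ["jackdavidthomas@gmail.com"]
 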
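--- a/data/bin/aws_role_creds
+++ b/data/bin/aws_role_creds
@@ -1,2 +1,45 @@
 #!/usr/bin/env ruby
+require 'optparse'
+require 'logger'
 require 'aws_role_creds'
+
+options = {}
+optparse = OptionParser.new do |opts|
+
+options[:in_config] = "#{ENV['HOME']}/.aws/config.yaml"
+opts.on('-c', '--config file', 'Config file.') do |c|
+options[:config] = c
+end
+
+options[:out_config] = "#{ENV['HOME']}/.aws/config"
+opts.on('--out-config file', 'AWS config file to use') do |c|
+options[:out_config] = c
+end
+
+options[:cred_config] = "#{ENV['HOME']}/.aws/credentials"
+opts.on('--credentials-out file', 'AWS credentials file to use') do |c|
+options[:cred_config] = c
+end
+
+options[:debug] = false
+opts.on('-d', '--debug', 'Enable debugging') do
+options[:debug] = true
+end
+
+end
+
+optparse.parse!
+log = Logger.new(STDERR)
+
+if options[:debug]
+log.level = Logger::DEBUG
+else
+log.level = Logger::INFO
+end
+
+
+arc = AwsRoleCreds.new( :config_in_file => options[:in_config],
+:config_out_file => options[:out_config],
+:credentials_out_file => options[:cred_config],
+:logger => log)
+arc.run()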
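Review bot: The `-c`/`--config` handler stores its value in `options[:config]`, but the `AwsRoleCreds.new` call at the bottom passes `options[:in_config]`, which still holds the hard-coded `~/.aws/config.yaml` default, so the flag is accepted and then silently ignored; the handler body should read `options[:in_config] = c`. The `--out-config` and `--credentials-out` handlers write the same key the constructor later reads, so only the input-config option is affected.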
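--- a/data/lib/aws_role_creds.rb
+++ b/data/lib/aws_role_creds.rb
@@ -1,162 +1,187 @@
-require "aws_role_creds/version"
 require 'aws-sdk'
 require 'yaml'
 require 'time'
 require 'inifile'
 require 'fileutils'
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+IN_FILE = "#{ENV['HOME']}/.aws/config.yaml"
+# The config file we write out
+CONFIG_OUT_FILE = "#{ENV['HOME']}/.aws/config"
+CREDENTIALS_OUT_FILE = "#{ENV['HOME']}/.aws/credentials"
+SESSION_CREDS_FILE = "#{ENV['HOME']}/.aws/session.yaml"
+SESSION_DURATION = 86400
+ROLE_DURATION = 3600
+REGION = 'eu-west-1'
+
+class AwsRoleCreds
+
+# Options hash should be:
+# config_in_file
+# config_out_file
+# credentials_out_file
+# logger
+def initialize( options )
+
+@log = options[:logger] or Logger.new( STDERR )
+
+if File.exists?( options[:config_in_file] )
+@config = YAML::load( File.open( options[:config_in_file] ) )
+else
+@log.error "Please create a yaml config file in #{options[:config_in_file]}"
+exit!(1)
+end
+
+if File.exists?(SESSION_CREDS_FILE)
+@session_credentials = YAML::load( File.open( SESSION_CREDS_FILE ) ) || {}
+else
+@session_credentials = {}
+end
+
+@role_credentials = {}
+@config_out_file = options[:config_out_file] || CONFIG_OUT_FILE
+@credentials_out_file = options[:credentials_out_file] || CREDENTIALS_OUT_FILE
 
-if File.exists?(SESSION_CREDS_FILE)
-@session_credentials = YAML::load( File.open( SESSION_CREDS_FILE ) ) || {}
-else
-@session_credentials = {}
 end
 
-
+attr :session_credentials
+attr :role_credentials
+attr :config_out_file
+attr :credentials_out_file
+attr :config
 
-
-
-
-
-
-
-
+def run()
+self.generate
+self.save
+end
+
+def generate()
+# Get session credentials for each 'master' account
+@config['default'].each do |p|
+name = p['name']
+region = p['region'] || REGION
+duration = p['duration'] || SESSION_DURATION
+if @session_credentials.key?(name)
+next if @session_credentials[name]['expiration'] > Time.now
+end
+
+if p['id'] and p['key']
+client = Aws::STS::Client.new(
+access_key_id: p['id'],
+secret_access_key: p['key'],
+region: region
+)
+else
+client = Aws::STS::Client.new(region: region)
+end
+
+if p['mfa_arn']
+puts "Enter MFA token code for #{name} using #{p['mfa_arn']}"
+token = gets
+
+session_credentials = client.get_session_token(
+duration_seconds: duration,
+serial_number: p['mfa_arn'],
+token_code: token.chomp
+)
+else
+session_credentials = client.get_session_token(
+duration_seconds: duration
+)
+end
+
+@session_credentials[name] = {
+'access_key_id' => session_credentials.credentials.access_key_id,
+'secret_access_key' => session_credentials.credentials.secret_access_key,
+'session_token' => session_credentials.credentials.session_token,
+'expiration' => session_credentials.credentials.expiration,
+'region' => region
+}
 end
-
-
+
+# Cache session credentials
+File.open( SESSION_CREDS_FILE, 'w' ) { |f|
+f.write @session_credentials.to_yaml
+}
+
+# For each role we want to assume grab some assumed credentials using approriate session
+@config['profiles'].each do |p|
+name = p['name']
+default = p['default']
+region = p['region'] || REGION
+duration = p['duration'] || ROLE_DURATION
+session_credentials = @session_credentials[default]
+@log.debug "Getting credentials for #{name} using #{p['role_arn']}"
+
 client = Aws::STS::Client.new(
-access_key_id:
-secret_access_key:
+access_key_id: session_credentials['access_key_id'],
+secret_access_key: session_credentials['secret_access_key'],
+session_token: session_credentials['session_token'],
 region: region
 )
-
-
-
-
-if p['mfa_arn']
-puts "Enter MFA token code for #{name} using #{p['mfa_arn']}"
-token = gets
-
-session_credentials = client.get_session_token(
+
+role_credentials = client.assume_role(
+role_arn: p['role_arn'],
+role_session_name: name,
 duration_seconds: duration,
-serial_number: p['mfa_arn'],
-token_code: token.chomp
-)
-else
-session_credentials = client.get_session_token(
-duration_seconds: duration
 )
+
+@role_credentials[name] = {
+'role' => p['role_arn'],
+'access_key_id' => role_credentials.credentials.access_key_id,
+'secret_access_key' => role_credentials.credentials.secret_access_key,
+'session_token' => role_credentials.credentials.session_token,
+'expiration' => role_credentials.credentials.expiration,
+'region' => region
+}
 end
-
-@session_credentials[name] = {
-'access_key_id' => session_credentials.credentials.access_key_id,
-'secret_access_key' => session_credentials.credentials.secret_access_key,
-'session_token' => session_credentials.credentials.session_token,
-'expiration' => session_credentials.credentials.expiration,
-'region' => region
-}
 end
 
-
-
-
-}
-
-# For each role we want to assume grab some assumed credentials using approriate session
-@config['profiles'].each do |p|
-name = p['name']
-default = p['default']
-region = p['region'] || REGION
-duration = p['duration'] || ROLE_DURATION
-session_credentials = @session_credentials[default]
-puts "Getting credentials for #{name} using #{p['role_arn']}"
-
-client = Aws::STS::Client.new(
-access_key_id: session_credentials['access_key_id'],
-secret_access_key: session_credentials['secret_access_key'],
-session_token: session_credentials['session_token'],
-region: region
-)
-
-role_credentials = client.assume_role(
-role_arn: p['role_arn'],
-role_session_name: name,
-duration_seconds: duration,
-)
-
-@role_credentials[name] = {
-'role' => p['role_arn'],
-'access_key_id' => role_credentials.credentials.access_key_id,
-'secret_access_key' => role_credentials.credentials.secret_access_key,
-'session_token' => role_credentials.credentials.session_token,
-'expiration' => role_credentials.credentials.expiration,
-'region' => region
-}
-end
+def save()
+# Write out config file
+# first make a backup
 
+FileUtils.cp( config_out_file, "#{config_out_file}.backup" )
+FileUtils.cp( credentials_out_file, "#{credentials_out_file}.backup" )
 
-
-
+# create a new ini file object
+config = IniFile.new
+config.filename = config_out_file
 
-
-
+credentials = IniFile.new
+credentials.filename = credentials_out_file
 
-
-config = IniFile.new
-config.filename = CONFIG_OUT_FILE
+config['default'] = { "region" => REGION }
 
-
-
+# set properties
+@session_credentials.each do |k, c|
+profile = {
+"aws_access_key_id" => "#{c['access_key_id']}",
+"aws_secret_access_key" => "#{c['secret_access_key']}",
+"aws_security_token" => "#{c['session_token']}",
+"region" => "#{c['region']}",
+}
+
+config["profile #{k}"] = profile
+credentials["#{k}"] = profile
+end
 
-
+@role_credentials.each do |k, c|
+profile = {
+"aws_access_key_id" => "#{c['access_key_id']}",
+"aws_secret_access_key" => "#{c['secret_access_key']}",
+"aws_security_token" => "#{c['session_token']}",
+"region" => "#{c['region']}",
+}
+
+config["profile #{k}"] = profile
+credentials["#{k}"] = profile
+end
 
-
-
-
-
-
-"aws_security_token" => "#{c['session_token']}",
-"region" => "#{c['region']}",
-}
-
-config["profile #{k}"] = profile
-credentials["#{k}"] = profile
-end
+# save file
+config.write()
+@log.debug "#{config_out_file} updated"
+credentials.write()
+@log.debug "#{credentials_out_file} updated"
 
-@role_credentials.each do |k, c|
-profile = {
-"aws_access_key_id" => "#{c['access_key_id']}",
-"aws_secret_access_key" => "#{c['secret_access_key']}",
-"aws_security_token" => "#{c['session_token']}",
-"region" => "#{c['region']}",
-}
-
-config["profile #{k}"] = profile
-credentials["#{k}"] = profile
 end
-
-# save file
-config.write()
-puts "#{CONFIG_OUT_FILE} updated"
-credentials.write()
-puts "#{CREDENTIALS_OUT_FILE} updated"
-
-
 end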
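Review bot: The session cache that `generate` writes with `File.open( SESSION_CREDS_FILE, 'w' )` holds live STS access keys, secret keys and session tokens, but the file is created with whatever mode the umask yields, so on a typical 022 umask it lands in `~/.aws` world-readable; open it with an explicit mode, `File.open( SESSION_CREDS_FILE, File::WRONLY | File::CREAT | File::TRUNC, 0600 ) { |f| f.write @session_credentials.to_yaml }`, and the `.backup` copy of the credentials file that `save` makes deserves the same care. In `initialize`, `@log = options[:logger] or Logger.new( STDERR )` parses as `(@log = options[:logger]) or ...` because `or` binds looser than assignment, so with no logger supplied `@log` stays nil and the `@log.error` on the missing-config path raises NoMethodError instead of logging; `@log = options[:logger] || Logger.new( STDERR )` is the intended form, and this file does not `require 'logger'` itself. The two `FileUtils.cp` calls in `save` raise Errno::ENOENT on a first run where `~/.aws/config` or `~/.aws/credentials` does not exist yet, so each should be guarded with `if File.exist?( ... )`. Both `YAML::load` calls deserialise arbitrary Ruby objects; the files are user-owned so the exposure is limited, but `YAML.safe_load` permitting only `Time` (needed for the cached `expiration`) would be the defensive choice.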
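--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws_role_creds
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.4
 platform: ruby
 authors:
 - Jack Thomas
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-
+date: 2016-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk
@@ -84,7 +84,6 @@ files:
 - bin/aws_role_creds
 - bin/setup
 - lib/aws_role_creds.rb
-- lib/aws_role_creds/version.rb
 homepage: https://github.com/MrPrimate/aws_role_keys
 licenses:
 - MIT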