aws_role_creds 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: fd22edec6ed2ef8b88158dad1699d24ffbe9204f
+  data.tar.gz: 5b2113869f655c4f7d2d490a8592885d05c3f870
+SHA512:
+  metadata.gz: 2524764e052f74bb59767dcca9c43d0d7caf3793d75c74eedb0a0584c29be5f6a02c7212cc41cc695722577283c9b0e39a11f9ba3dfd43886d3190457607df36
+  data.tar.gz: fa250abf2b813b45da0bb433bb5d92bb751c7a087e54684f2277f8c7382517f362a945ec1c2df719ccd81764c76298def76f28ee9610cfe4f4e0d812f06f74d6

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in aws_role_creds.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Jack Thomas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+# AwsRoleCreds
+
+Have several AWS accounts that you access through delegation? Want a id/key combo for each one? Need to use MFA? But want to use the cli?
+
+It can get frustrating managing so many accounts. If you have one (or even more) 'master' account that you assume roles in other accounts then this script will handle generating profiles and temporary session credentials, and keeping your MFA logins to a minimum.
+
+## Installation
+
+Install with
+
+    $ gem install aws_role_creds
+
+## Usage
+
+Create a YAML file to manage your profiles, and MFA device, at `~/.aws/config.yaml`
+
+```
+---
+default:
+  - name:
+    id:
+    key:
+    mfa_arn: (optional)
+    region: (optional)
+profiles:
+  - name:
+    id:
+    key:
+    role_arn:
+    region: (optional)
+    default: default profile to use
+```
+
+Run `aws_role_creds` and it will get credentials for your default accounts. It will then use these credentials to Assume Roles and get credentials for each of your profiles. 
+
+Default accounts get creds lasting 24 hours, and assumed role profiles can last an hour. If your credentials expire, run the script again and it will refresh them. It will only ask for you MFA if it is required, i.e. your session credentials have expired.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/MrPrimate/aws_role_creds.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/aws_role_creds.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'aws_role_creds/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "aws_role_creds"
+  spec.version       = AwsRoleCreds::VERSION
+  spec.authors       = ["Jack Thomas"]
+  spec.email         = ["jackdavidthomas@gmail.com"]
+
+  spec.description   = %q{Used to fetch multiple AWS Role Credential Keys using different Session Keys}
+  spec.summary       = %q{Manage AWS STS credentials with MFA}
+  spec.homepage      = "https://github.com/MrPrimate/aws_role_keys"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "aws-sdk"
+  spec.add_runtime_dependency "inifile"
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/bin/aws_role_creds

@@ -0,0 +1,2 @@
+#!/usr/bin/env ruby
+require 'aws_role_creds'

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/aws_role_creds.rb

@@ -0,0 +1,151 @@
+require "aws_role_creds/version"
+require 'aws-sdk'
+require 'yaml'
+require 'time'
+require 'inifile'
+require 'fileutils'
+
+module AwsRoleCreds
+    
+    IN_FILE = "#{ENV['HOME']}/.aws/config.yaml"
+    # The config file we write out
+    OUT_FILE = ["#{ENV['HOME']}/.aws/config", "#{ENV['HOME']}/.aws/credentials"]
+    SESSION_CREDS_FILE = "#{ENV['HOME']}/.aws/session.yaml"
+    SESSION_DURATION = 86400
+    ROLE_DURATION = 3600
+    REGION = 'eu-west-1'
+
+    if File.exists?( IN_FILE )
+        @config = YAML::load( File.open( IN_FILE ) )
+    else
+        puts "Please create a yaml config file in #{INFILE}"
+        exit!(1)
+    end
+
+    if File.exists?(SESSION_CREDS_FILE)
+        @session_credentials = YAML::load( File.open( SESSION_CREDS_FILE ) ) || {}
+    else
+        @session_credentials = {}
+    end
+
+    @role_credentials = {}
+
+    # Get session credentials for each 'master' account
+    @config['default'].each do |p|
+        name = p['name']
+        region = p['region'] || REGION
+        duration = p['duration'] || SESSION_DURATION
+        if @session_credentials.key?(name)
+            break if @session_credentials[name]['expiration'] > Time.now 
+        end
+        puts "#{name}"
+        
+        if p['id'] and p['key']
+            client = Aws::STS::Client.new(
+                access_key_id: p['id'],
+                secret_access_key: p['key'],
+                region: region
+            )
+        else
+            client = Aws::STS::Client.new(region: region)
+        end
+        
+        if p['mfa_arn']
+            puts "Enter MFA token code for #{name} using #{p['mfa_arn']}"
+            token = gets
+            
+            session_credentials = client.get_session_token(
+                duration_seconds: duration,
+                serial_number: p['mfa_arn'],
+                token_code: token.chomp
+            )
+        else
+            session_credentials = client.get_session_token(
+                duration_seconds: duration
+            )
+        end
+        
+        @session_credentials[name] = {
+            'access_key_id' => session_credentials.credentials.access_key_id,
+            'secret_access_key' => session_credentials.credentials.secret_access_key,
+            'session_token' => session_credentials.credentials.session_token,
+            'expiration' => session_credentials.credentials.expiration,
+            'region' => region
+        }
+    end
+
+    # Cache session credentials
+    File.open( SESSION_CREDS_FILE, 'w' ) { |f|
+        f.write @session_credentials.to_yaml
+    }
+
+    # For each role we want to assume grab some assumed credentials using approriate session
+    @config['profiles'].each do |p|
+        name = p['name']
+        default = p['default']
+        region =  p['region'] || REGION
+        duration = p['duration'] || ROLE_DURATION
+        session_credentials = @session_credentials[default]
+        puts "Getting credentials for #{name} using #{p['role_arn']}"
+        
+        client = Aws::STS::Client.new(
+            access_key_id: session_credentials['access_key_id'],
+            secret_access_key: session_credentials['secret_access_key'],
+            session_token: session_credentials['session_token'],
+            region: region
+        )
+
+        role_credentials = client.assume_role(
+            role_arn: p['role_arn'],
+            role_session_name: name,
+            duration_seconds: duration,
+        )
+        
+        @role_credentials[name] = {
+            'role' => p['role_arn'],
+            'access_key_id' => role_credentials.credentials.access_key_id,
+            'secret_access_key' => role_credentials.credentials.secret_access_key,
+            'session_token' => role_credentials.credentials.session_token,
+            'expiration' => role_credentials.credentials.expiration,
+            'region' => region
+        }
+    end
+
+
+    # Write out config file
+    # first make a backup
+    OUT_FILE.each do |o|
+        FileUtils.cp( o, "#{o}.backup" )
+
+        # create a new ini file object
+        config = IniFile.new
+        config.filename = o
+
+        config['default'] = { "region" => REGION }
+
+        # set properties
+        @session_credentials.each do |k, c|
+            config["profile #{k}"] = {
+                "aws_access_key_id" => "#{c['access_key_id']}",
+                "aws_secret_access_key" => "#{c['secret_access_key']}",
+                "aws_security_token" => "#{c['session_token']}",
+                "region" => "#{c['region']}",
+            }
+            puts "Profile #{k} created"
+        end
+
+        @role_credentials.each do |k, c|
+            config["profile #{k}"] = {
+                "aws_access_key_id" => "#{c['access_key_id']}",
+                "aws_secret_access_key" => "#{c['secret_access_key']}",
+                "aws_security_token" => "#{c['session_token']}",
+                "region" => "#{c['region']}",
+            }
+            puts "Profile #{k} created for role #{c['role']}"
+        end
+
+        # save file
+        config.write()
+    end
+
+end

data/lib/aws_role_creds/version.rb

@@ -0,0 +1,3 @@
+module AwsRoleCreds
+  VERSION = "0.0.1"
+end

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification
+name: aws_role_creds
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jack Thomas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-07-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Used to fetch multiple AWS Role Credential Keys using different Session
+  Keys
+email:
+- jackdavidthomas@gmail.com
+executables:
+- aws_role_creds
+- setup
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws_role_creds.gemspec
+- bin/aws_role_creds
+- bin/setup
+- lib/aws_role_creds.rb
+- lib/aws_role_creds/version.rb
+homepage: https://github.com/MrPrimate/aws_role_keys
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Manage AWS STS credentials with MFA
+test_files: []