aws_runas 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c0753f807b2e12d78b47b70a2c0ad8a794cdd909
-  data.tar.gz: fc978832ef89c676bd8369b078b261b201a6a6dd
+  metadata.gz: a1725b31ac831ab9d03534988e9503c9531933be
+  data.tar.gz: 77d0509bb39c0d274bedb21152c8de1c340ed9d2
 SHA512:
-  metadata.gz: ce7f192507b0633bd339a031d8dc630353358882a8eb1fb78dd51185835538ab2e5da2c8ca2740e3015dc0677f0e06858affc5b069997737603d1bceccfc2761
-  data.tar.gz: 7d16f79ea126d0485afa513404c02b3bdcac7437e8caa6ec97e6faf8c84584789d035800100fef32707d7e293ab7629822e1b1cd935d3d207d0aafa9ec0d054b
+  metadata.gz: c2d5095da3b865dc73abf72abf2492f12641d1ddef9b772f82ce6f68427354dcc10da2f1e4f81ec2766ee59133911f3a85a83239aca40f9b937eabc8c6b16122
+  data.tar.gz: 660afcfda580390e17abe2cf36e0dc1c91980121953209ffe5baf4bba83ebd08480a3304673e8987fc0120b675a3771ca29618303bccbcd576c5f068eaf62b9c

data/CHANGELOG.md

@@ -1,8 +1,18 @@
-aws_runas CHANGELOG
-====================
+## v0.3.0
 
-0.2.0 (Sat Jan 16 23:44:56 PST 2016)
--------------------------------------
+Add session only features:
+
+ * Add the `--no-role` command to load a profile and just get a
+   session token, instead of assuming a role.
+ * Changed default behaviour so that if `AWS_SESSION_TOKEN` exists, no MFA
+   is loaded - this allows the assumption of multiple roles from within
+   the same session.
+ * `--no-role` will fail if a MFA serial is not present (it's pretty much
+   useless - you will just be getting a session for the same access
+   key/secret key with the same level of privilege that you did before).
+
+
+## v0.2.0
 
  * `$SHELL` is now supported - if this environment variable exists, the shell
    in it will be launched.
@@ -11,14 +21,12 @@ aws_runas CHANGELOG
   * Fixes to support mingw32 such as IO flushing and detection of a lack of
     `noecho` support.
 
-0.1.3 (Fri 27 Nov 2015 08:05:45 PST)
--------------------------------------
+## v0.1.3
 
  * Fixed #3 (better handling of invalid profile name).
  * Added guard for invalid file as well.
 
-0.1.2 (Wed 25 Nov 2015 09:09:09 PST)
--------------------------------------
+## v0.1.2
 
  * Fixed #1 and #2 (default credentials fallback bug and overzealous version
    restrictions).

data/README.md

@@ -40,6 +40,7 @@ If COMMAND is omitted, the default shell ($SHELL, /bin/sh, or cmd.exe,
 depending on your system) will launch.
 
 [options] are:
+  -n, --no-role        Get a session token only, do not assume a role
   -p, --path=<s>       Path to the AWS config file
   -r, --profile=<s>    The AWS profile to load (default: default)
   -h, --help           Show this message

data/lib/aws_runas/cli.rb

@@ -36,6 +36,7 @@ module AwsRunAs
           [options] are:
         EOS
 
+        opt :no_role, 'Get a session token only, do not assume a role', type: TrueClass, default: nil
         opt :path, 'Path to the AWS config file', type: String
         opt :profile, 'The AWS profile to load', type: String, default: 'default'
         stop_on_unknown
@@ -47,7 +48,7 @@ module AwsRunAs
     def start
       opts = load_opts
       mfa_code = read_mfa_if_needed(path: opts[:path], profile: opts[:profile])
-      @main = AwsRunAs::Main.new(path: opts[:path], profile: opts[:profile], mfa_code: mfa_code)
+      @main = AwsRunAs::Main.new(path: opts[:path], profile: opts[:profile], mfa_code: mfa_code, no_role: opts[:no_role])
       @main.assume_role
       command = ARGV.shift
       @main.handoff(command: command, argv: ARGV)

data/lib/aws_runas/config.rb

@@ -46,7 +46,7 @@ module AwsRunAs
 
     # Checks to see if MFA is required for a specific profile.
     def mfa_required?
-      return true if load_config_value(key: 'mfa_serial')
+      return true if load_config_value(key: 'mfa_serial') && !ENV.include?('AWS_SESSION_TOKEN')
       false
     end
 

data/lib/aws_runas/main.rb

@@ -21,7 +21,7 @@ module AwsRunAs
   # and hands off environment to called process.
   class Main
     # Instantiate the object and set up the path, profile, and populate MFA
-    def initialize(path: nil, profile: default, mfa_code: nil)
+    def initialize(path: nil, profile: default, mfa_code: nil, no_role: nil)
       cfg_path = if path
                    path
                  else
@@ -29,6 +29,7 @@ module AwsRunAs
                  end
       @cfg = AwsRunAs::Config.new(path: cfg_path, profile: profile)
       @mfa_code = mfa_code
+      @no_role = no_role
     end
 
     def sts_client
@@ -43,14 +44,23 @@ module AwsRunAs
     def assume_role
       session_id = "aws-runas-session_#{Time.now.to_i}"
       role_arn = @cfg.load_config_value(key: 'role_arn')
-      mfa_serial = @cfg.load_config_value(key: 'mfa_serial')
-      @role_credentials = Aws::AssumeRoleCredentials.new(
-        client: sts_client,
-        role_arn: role_arn,
-        serial_number: mfa_serial,
-        token_code: @mfa_code,
-        role_session_name: session_id
-      ).credentials
+      mfa_serial = @cfg.load_config_value(key: 'mfa_serial') unless ENV.include?('AWS_SESSION_TOKEN')
+      if @no_role
+        raise 'No mfa_serial in selected profile, session will be useless' if mfa_serial.nil?
+        @role_credentials = sts_client.get_session_token(
+          duration_seconds: 3600,
+          serial_number: mfa_serial,
+          token_code: @mfa_code
+        ).credentials
+      else
+        @role_credentials = Aws::AssumeRoleCredentials.new(
+          client: sts_client,
+          role_arn: role_arn,
+          serial_number: mfa_serial,
+          token_code: @mfa_code,
+          role_session_name: session_id
+        ).credentials
+      end
     end
 
     def credentials_env

data/lib/aws_runas/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 
 module AwsRunAs
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

data/spec/aws_runas/config_spec.rb

@@ -73,6 +73,12 @@ describe AwsRunAs::Config do
         expect(@cfg.instance_variable_get('@profile')).to eq('test-profile')
         expect(@cfg.mfa_required?).to be true
       end
+
+      it 'confirms MFA is not required if AWS_SESSION_TOKEN is set' do
+        expect(@cfg.instance_variable_get('@profile')).to eq('test-profile')
+        expect(@cfg.mfa_required?).to be true
+        ENV.store('AWS_SESSION_TOKEN', 'foo')
+      end
     end
 
     describe '#load_source_profile' do

data/spec/aws_runas/main_spec.rb

@@ -15,6 +15,8 @@
 require 'spec_helper'
 require 'aws_runas/main'
 
+MFA_ERROR = 'No mfa_serial in selected profile, session will be useless'.freeze
+
 describe AwsRunAs::Main do
   before(:context) do
     @main = AwsRunAs::Main.new(
@@ -35,6 +37,37 @@ describe AwsRunAs::Main do
       expect(Aws::AssumeRoleCredentials).to receive(:new).and_call_original
       @main.assume_role
     end
+
+    it 'calls out to Aws::STS::Client.get_session_token when no_role is set' do
+      expect_any_instance_of(Aws::STS::Client).to receive(:get_session_token).and_call_original
+      ENV.delete('AWS_SESSION_TOKEN')
+      @main = AwsRunAs::Main.new(
+        path: MOCK_AWS_CONFIGPATH,
+        profile: 'test-profile',
+        mfa_code: '123456',
+        no_role: true
+      )
+      @main.assume_role
+    end
+
+    it 'raises exception when no_role is set and there is no mfa_serial' do
+      expect do
+        ENV.delete('AWS_SESSION_TOKEN')
+        @main = AwsRunAs::Main.new(
+          path: MOCK_AWS_NO_MFA_PATH,
+          profile: 'test-profile',
+          mfa_code: '123456',
+          no_role: true
+        )
+        @main.assume_role
+      end.to raise_error(MFA_ERROR)
+    end
+
+    it 'calls out to Aws::AssumeRoleCredentials.new with no MFA when AWS_SESSION_TOKEN is set' do
+      expect(Aws::AssumeRoleCredentials).to receive(:new).with(hash_including(serial_number: nil)).and_call_original
+      ENV.store('AWS_SESSION_TOKEN', 'foo')
+      @main.assume_role
+    end
   end
 
   describe '#credentials_env' do

data/spec/helpers/config_spec.rb

@@ -15,3 +15,4 @@
 require 'spec_helper'
 
 MOCK_AWS_CONFIGPATH = File.expand_path('../files/aws_config', __FILE__)
+MOCK_AWS_NO_MFA_PATH = File.expand_path('../files/aws_config_nomfa', __FILE__)

data/spec/helpers/files/aws_config_nomfa

@@ -0,0 +1,7 @@
+[default]
+region = us-east-1
+
+[profile test-profile]
+role_arn = arn:aws:iam::123456789012:role/test-admin
+region = us-west-1
+source_profile = test-credentials

data.tar.gz.sig

@@ -1,3 +1,2 @@
-1Z
����8)2��#�����$�7%�A"�����g
-|*0t�ut�
-Q-\3da�Zs4�g�N�*ö2�.��a��\Fz� 
+;h�&���m��Nޭ��v}����5��}�[a\L/SX���u�,X��k,
+{(�T�f�cTT����fx3��&��8����B�*��+���[��4��a�m(�*�R�.zl�N-�	�f8&t�A0W78^m��&/�gҊ�M��)^���Do�N

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_runas
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Chris Marchesi
@@ -31,7 +31,7 @@ cert_chain:
   reriQxVYXGlD8ZDuaKlDyVqUbF026ZHIlHKIgg90O037qFPxCBACTtxtYTP2hwug
   Yis=
   -----END CERTIFICATE-----
-date: 2016-01-17 00:00:00.000000000 Z
+date: 2016-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -162,6 +162,7 @@ files:
 - spec/aws_runas/utils_spec.rb
 - spec/helpers/config_spec.rb
 - spec/helpers/files/aws_config
+- spec/helpers/files/aws_config_nomfa
 - spec/spec_helper.rb
 homepage: https://github.com/vancluever/aws-runas
 licenses:
@@ -183,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Run a command or shell under an assumed AWS IAM role
@@ -194,4 +195,5 @@ test_files:
 - spec/aws_runas/utils_spec.rb
 - spec/helpers/config_spec.rb
 - spec/helpers/files/aws_config
+- spec/helpers/files/aws_config_nomfa
 - spec/spec_helper.rb