awsecrets 1.12.0 → 1.15.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b54990850e5df4e092d8538d89878f1934c673de
-  data.tar.gz: 7d0daf9490919f0cf0f1934c47208e7f73b78ffd
+SHA256:
+  metadata.gz: c6921803a1e7e48a0978210ad5f5e2556dc62532c6d14b8e993617973f841204
+  data.tar.gz: 1326617d811ed46297c9ec920c88314ef56de724cee17b00850bfde22e3d943f
 SHA512:
-  metadata.gz: 322296f455e56ac109d36449db677a6ae0d8a5b1ab9d5a4ada5379242d5559a6df063bda85a3b3a156da3e7d18bbe1ed486b248ff226265d303ef96aa5190421
-  data.tar.gz: 7ec6789073641adf4017cc9ce14280aace8d8f1c8b606e96c90b8a134e6e36e9e046be5d9d86b55f21b02c56b329add66de9761e4fa8c35e94324fa34547255a
+  metadata.gz: f6924d54235df13e24c9fac09ab5e7ad23326c4aeedb47a312f491c11eade13f9d9f15148d3d953996376813b5e9ecbe0f04c4b61f65d359c74778573d81055b
+  data.tar.gz: 9997c7921799f9c9a64d83b1ad65d2df1444c059a7bd2379394eaf785446aab1a4426e2a8c03a63ae298644d39e82e81d844a6e3fd8b7f161d36dfb58ae02e4a

data/.gitignore

@@ -7,3 +7,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+*.sw*

data/.rubocop.yml

@@ -1,9 +1,13 @@
+---
 AllCops:
   TargetRubyVersion: 2.1
 
 Lint/HandleExceptions:
   Enabled: false
 
+Lint/MissingCopEnableDirective:
+  Enabled: false
+
 Lint/UselessAssignment:
   Enabled: false
 
@@ -11,10 +15,10 @@ Metrics/AbcSize:
   Max: 50
 
 Metrics/ClassLength:
-  Max: 120
+  Max: 130
 
 Metrics/ModuleLength:
-  Max: 120
+  Max: 130
 
 Metrics/CyclomaticComplexity:
   Max: 15
@@ -66,3 +70,4 @@ Style/SymbolProc:
 
 Style/BracesAroundHashParameters:
   Enabled: false
+

data/.travis.yml

@@ -1,11 +1,22 @@
+---
 language: ruby
-rvm:
-  - 2.3.4
-  - 2.2.7
-
+matrix:
+  include:
+    - rvm: 2.6.2
+      env: RUBYGEMS_VERSION=
+    - rvm: 2.5.3
+      env: RUBYGEMS_VERSION=
+    - rvm: 2.4.5
+      env: RUBYGEMS_VERSION=
+    - rvm: 2.3.8
+      env: RUBYGEMS_VERSION=
+    - rvm: 2.2.10
+      env: RUBYGEMS_VERSION=2.7.8
+    - rvm: 2.1.10
+      env: RUBYGEMS_VERSION=2.7.8
 before_install:
-  - gem update bundler
-  
+  - gem update --system ${RUBYGEMS_VERSION}
+  - gem pristine bundler
+
 script:
   - bundle exec rake spec
-

data/README.md

@@ -9,6 +9,7 @@ AWS credentials loader
 3. YAML file (secrets.yml)
 4. The AWS credentials file
 5. The CLI configuration file
+6. Instance profile credentials
 
 (See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence)
 
@@ -30,7 +31,28 @@ Or install it yourself as:
 
 ## Usage example
 
-Create command line tool `ec2sample` like following code
+### Generate exception with wrong configuration
+
+For some use cases, awsecrets might raise an exception if (even after all
+attempts to configure access to an AWS account) there is missing configuration
+parameters.
+
+In other cases, this might not be desired.
+
+To have control on that, you can use the environment variable
+`DISABLE_AWS_CLIENT_CHECK`: if you set it to the string `'true'`, it will not
+attempt to early create an `Aws::EC2::Client` instance with the found
+parameters.
+
+By default, even if you don't set `DISABLE_AWS_CLIENT_CHECK` it will be treated
+like `true`.
+
+To enable this early checking, you **must** setup `DISABLE_AWS_CLIENT_CHECK`
+with the string `'false'`.
+
+### Basic example
+
+Create a command line tool `ec2sample` like following code:
 
 ```ruby
 #!/usr/bin/env ruby
@@ -40,17 +62,21 @@ ec2_client = Aws::EC2::Client.new
 puts ec2_client.describe_instances({ instance_ids: [ARGV.first] }).reservations.first.instances.first
 ```
 
-And execute
+Then execute it with command line parameters:
 
 ```sh
 $ ec2sample i-1aa1aaaa --profile mycreds --region ap-northeast-1
+```
 
-or
+or with environment variables configuration:
 
+```sh
 $ AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX AWS_REGION=ap-northeast-1 ec2sample i-1aa1aaaa
+```
 
-or
+or using an YAML file:
 
+```sh
 $ cat <<EOF > secrets.yml
 region: ap-northeast-1
 aws_access_key_id: XXXXXXXXXXXXXXXXXXXX
@@ -61,9 +87,9 @@ $ ec2sample i-1aa1aaaa
 
 ### Use AssumeRole
 
-Support `role_arn` `role_session_name` `source_profile`.
+Support `role_arn` `role_session_name` `source_profile` `external_id`.
 
-#### 1. .aws/config and .aws/credentials
+#### 1. `.aws/config` and `.aws/credentials`
 
 see http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
 
@@ -71,6 +97,7 @@ see http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
 # .aws/config
 [profile assumed]
 role_arn = arn:aws:iam::123456780912:role/assumed-role
+external_id = myfoo_id
 source_profile = assume_test
 ```
 
@@ -87,7 +114,7 @@ And execute
 $ ec2sample i-1aa1aaaa --profile assumed --region ap-northeast-1
 ```
 
-#### 2. secrets.yml
+#### 2. `secrets.yml`
 
 ```sh
 $ cat <<EOF > secrets.yml
@@ -103,11 +130,22 @@ And execute
 $ ec2sample i-1aa1aaaa
 ```
 
+### Disable load YAML (`secrets.yml`)
+
+```ruby
+Awsecrets.load(disable_load_secrets:true)
+```
+
+or
+
+```ruby
+Awsecrets.load(secrets_path:false)
+```
 
 ## Contributing
 
-1. Fork it ( https://github.com/k1LoW/awsecrets/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+1. [Fork it]( https://github.com/k1LoW/awsecrets/fork ) !
+2. Create your feature branch (`git checkout -b my-new-feature`).
+3. Commit your changes (`git commit -am 'Add some feature'`).
+4. Push to the branch (`git push origin my-new-feature`).
+5. Create a new Pull Request.

data/Rakefile

@@ -9,10 +9,13 @@ begin
 rescue LoadError
 end
 
+desc 'Default task: run spec'
+task default: 'spec'
+
+desc 'Run spec:all - spec:core and spec:rubocop'
 task spec: 'spec:all'
 namespace :spec do
-  task all: ['spec:core',
-             'spec:rubocop']
+  task all: ['spec:core', 'spec:rubocop']
   RSpec::Core::RakeTask.new(:core)
   RuboCop::RakeTask.new
 end

data/awsecrets.gemspec

@@ -1,8 +1,6 @@
-# coding: utf-8
-
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'awsecrets/version'
+require_relative 'lib/awsecrets/version'
 
 Gem::Specification.new do |spec|
   spec.name          = 'awsecrets'
@@ -20,12 +18,12 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'aws-sdk', '~> 2'
+  spec.add_runtime_dependency 'aws-sdk', '>= 2', '< 4'
   spec.add_runtime_dependency 'aws_config', '~> 0.1.0'
-  spec.add_development_dependency 'bundler', '~> 1.9'
-  spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'rspec'
-  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'bundler', '>= 1.9', '< 3.0'
   spec.add_development_dependency 'octorelease'
   spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop', '0.57'
 end

data/bin/testcommand

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-require 'awsecrets'
+require_relative '../lib/awsecrets'
 
 Awsecrets.load
 ec2_client = Aws::EC2::Client.new

data/lib/awsecrets.rb

@@ -1,16 +1,22 @@
-require 'awsecrets/version'
+require_relative 'awsecrets/version'
+require_relative 'awsecrets/utils'
 require 'optparse'
 require 'aws-sdk'
 require 'aws_config'
-require 'net/http'
 require 'yaml'
 
 module Awsecrets
-  def self.load(profile: nil, region: nil, secrets_path: nil)
-    @profile = profile
-    @region = region
-    @secrets_path = secrets_path
-    @credentials = @access_key_id = @secret_access_key = @session_token = @role_arn = @source_profile = nil
+  include Misc
+
+  def self.load(profile: nil, region: nil, secrets_path: nil, disable_load_secrets: false)
+    @profile              = profile
+    @region               = region
+    @secrets_path         = secrets_path
+    @disable_load_secrets = disable_load_secrets
+    @disable_load_secrets = true if secrets_path == false
+
+    @credentials = @access_key_id = @secret_access_key = @session_token = nil
+    @role_arn = @external_id = @source_profile = @role_session_name = nil
 
     # 1. Command Line Options
     load_options if load_method_args
@@ -41,46 +47,53 @@ module Awsecrets
       opt.parse!(ARGV)
     rescue OptionParser::InvalidOption
     end
-    return unless @profile
+    return true unless @profile
     @region ||= AWSConfig[@profile]['region']
+    true
   end
 
   def self.load_env
-    @region ||= ENV['AWS_REGION']
-    @region ||= ENV['AWS_DEFAULT_REGION']
-    @profile ||= ENV['AWS_PROFILE']
+    @region       ||= ENV['AWS_REGION']
+    @region       ||= ENV['AWS_DEFAULT_REGION']
+    @profile      ||= ENV['AWS_PROFILE']
     @secrets_path ||= ENV['AWS_SECRETS_PATH']
-    return if @access_key_id
+    return true if @access_key_id
     return unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
-    @access_key_id ||= ENV['AWS_ACCESS_KEY_ID']
+    @access_key_id     ||= ENV['AWS_ACCESS_KEY_ID']
     @secret_access_key ||= ENV['AWS_SECRET_ACCESS_KEY']
-    @session_token ||= ENV['AWS_SESSION_TOKEN']
+    @session_token     ||= ENV['AWS_SESSION_TOKEN']
+    true
   end
 
   def self.load_yaml
+    return false if @disable_load_secrets
     @secrets_path ||= 'secrets.yml'
     creds = YAML.load_file(@secrets_path) if File.exist?(File.expand_path(@secrets_path))
     @region ||= creds['region'] if creds && creds.include?('region')
-    return if @access_key_id
-    return unless creds &&
+    return true if @access_key_id
+    return true unless creds &&
                   creds.include?('aws_access_key_id') &&
                   creds.include?('aws_secret_access_key')
-    @access_key_id ||= creds['aws_access_key_id']
+    @access_key_id     ||= creds['aws_access_key_id']
     @secret_access_key ||= creds['aws_secret_access_key']
-    @session_token ||= creds['aws_session_token'] if creds.include?('aws_session_token')
-    @role_arn ||= creds['role_arn'] if creds.include?('role_arn')
+    @session_token     ||= creds['aws_session_token'] if creds.include?('aws_session_token')
+    @role_arn          ||= creds['role_arn'] if creds.include?('role_arn')
+    @external_id       ||= creds['external_id'] if creds.include?('external_id')
     @role_session_name ||= creds['role_session_name'] if creds.include?('role_session_name')
-    return unless @role_arn
-    @role_session_name ||= generate_session_name
-    @credentials ||= Aws::AssumeRoleCredentials.new(
+
+    return true unless @role_arn
+    @role_session_name ||= Misc.generate_session_name
+    @credentials ||= role_creds(
       client: Aws::STS::Client.new(
         region: @region,
         access_key_id: @access_key_id,
         secret_access_key: @secret_access_key
       ),
       role_arn: @role_arn,
-      role_session_name: @role_session_name
+      role_session_name: @role_session_name,
+      external_id: @external_id
     )
+    true
   end
 
   def self.load_config
@@ -90,30 +103,32 @@ module Awsecrets
                   AWSConfig['default']['region']
                 end
 
-    @role_arn ||= AWSConfig[@profile]['role_arn'] if AWSConfig[@profile]
+    @role_arn          ||= AWSConfig[@profile]['role_arn'] if AWSConfig[@profile]
     @role_session_name ||= AWSConfig[@profile]['role_session_name'] if AWSConfig[@profile]
-    @source_profile ||= AWSConfig[@profile]['source_profile'] if AWSConfig[@profile]
+    @external_id       ||= AWSConfig[@profile]['external_id'] if AWSConfig[@profile]
+    @source_profile    ||= AWSConfig[@profile]['source_profile'] if AWSConfig[@profile]
   end
 
   def self.set_aws_config
-    @region ||= self.current_region
+    @region ||= Misc.current_region
     Aws.config[:region] = @region
 
     if @role_arn && @source_profile
-      @role_session_name ||= generate_session_name
+      @role_session_name ||= Misc.generate_session_name
       region = if AWSConfig[@source_profile.name] && AWSConfig[@source_profile.name]['region']
                  AWSConfig[@source_profile.name]['region']
                else
                  AWSConfig['default']['region']
                end
 
-      @credentials ||= Aws::AssumeRoleCredentials.new(
+      @credentials ||= role_creds(
         client: Aws::STS::Client.new(
           region: region,
           credentials: Aws::SharedCredentials.new(profile_name: @source_profile.name)
         ),
         role_arn: @role_arn,
-        role_session_name: @role_session_name
+        role_session_name: @role_session_name,
+        external_id: @external_id
       )
     end
 
@@ -122,16 +137,11 @@ module Awsecrets
     @credentials ||= Aws::Credentials.new(@access_key_id, @secret_access_key, @session_token) if @access_key_id
     @credentials ||= Aws::InstanceProfileCredentials.new
 
+    Misc.validate_client
     Aws.config[:credentials] = @credentials
   end
 
-  def self.generate_session_name
-    "awsecrets-session-#{Time.now.to_i}"
-  end
-
-  def self.current_region
-    metadata_endpoint = 'http://169.254.169.254/latest/meta-data/'
-    az = Net::HTTP.get(URI.parse(metadata_endpoint + 'placement/availability-zone'))
-    az[0...-1]
+  def self.role_creds(args)
+    Aws::AssumeRoleCredentials.new(args)
   end
 end

data/lib/awsecrets/utils.rb

@@ -0,0 +1,25 @@
+require 'net/http'
+
+module Misc
+  def self.validate_client
+    return unless ENV.key?('DISABLE_AWS_CLIENT_CHECK') && (ENV['DISABLE_AWS_CLIENT_CHECK'] == 'false')
+
+    begin
+      Aws::EC2::Client.new
+    rescue Aws::Errors::MissingRegionError
+      raise 'Missing region: use "region" command line option or export ENV[\'AWS_REGION\'] or awscli configure'
+    rescue StandardError => e
+      raise "Oops, there is something wrong with AWS client configuration => #{e}"
+    end
+  end
+
+  def self.generate_session_name
+    "awsecrets-session-#{Time.now.to_i}"
+  end
+
+  def self.current_region
+    metadata_endpoint = 'http://169.254.169.254/latest/meta-data/'
+    az = Net::HTTP.get(URI.parse(metadata_endpoint + 'placement/availability-zone'))
+    az[0...-1]
+  end
+end

data/lib/awsecrets/version.rb

@@ -1,3 +1,3 @@
 module Awsecrets
-  VERSION = '1.12.0'
+  VERSION = '1.15.1'
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: awsecrets
 version: !ruby/object:Gem::Version
-  version: 1.12.0
+  version: 1.15.1
 platform: ruby
 authors:
 - k1LoW
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-08-30 00:00:00.000000000 Z
+date: 2020-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: aws_config
   requirement: !ruby/object:Gem::Requirement
@@ -42,32 +48,38 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: octorelease
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,21 +93,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
-  name: octorelease
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -109,19 +121,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.57'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.57'
 description: AWS credentials loader
 email:
 - k1lowxb@gmail.com
@@ -142,6 +154,7 @@ files:
 - bin/setup
 - bin/testcommand
 - lib/awsecrets.rb
+- lib/awsecrets/utils.rb
 - lib/awsecrets/version.rb
 homepage: https://github.com/k1LoW/awsecrets
 licenses:
@@ -162,8 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: AWS credentials loader