awsecrets 1.7.0 → 1.8.0

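--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 6aa36c0c318ed589c8b39dbddc201dd41b0d834a
- data.tar.gz: c8e27e1d1581142d600fbc48f6b9587e48a8cfb5
+ metadata.gz: 6c73c452155ea2f6e57b640272aed574718c74bc
+ data.tar.gz: 08928ae9c4c13605eb2834d0f57146062cf6e6ed
  SHA512:
- metadata.gz: e40f0989187b3a11af86f96ac1f7e7e8ea9bbdf8a6d9c344cffa1bde961494f05f61b4ce5ab087b58ab31d76aec7864cb95d5cf047efdd8109950c0fa8adfd39
- data.tar.gz: c4b93fd97b7e4f0cb541920a0e114218e1522303408262f2c31348ad258f7c0d26c43165b85e7c7976fe6b2acd67f1e84f2e0d50af2c71fd40cdc4c3440b60b3
+ metadata.gz: b36140f7f891eb7d4578fb434cd44c43de090305621668eb9eabf2b811d85f4fe2708c3536926ae62c1d6210898be35f35489bb5c7c663518a6a1ee02a5e2015
+ data.tar.gz: 1ea947503859e54e0c7bfe3b4214164b4768cedbb0e8b992762cc793a558a5c3d703280a41c396dd8d4a5532ee79f036d04d3ee85ad3ceb3ab0f025ed8e662db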
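--- a/data/README.md
+++ b/data/README.md
@@ -59,6 +59,53 @@ EOF
  $ ec2sample i-1aa1aaaa
  ```
 
+ ### Use AssumeRole
+
+ Support `role_arn` `role_session_name` `source_profile`.
+
+ #### 1. .aws/config and .aws/credentials
+
+ see http://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
+
+ ```
+ # .aws/config
+ [profile assumed]
+ role_arn = arn:aws:iam::123456780912:role/assumed-role
+ role_session_name = awsecrets-assume-role
+ source_profile = assume_test
+ ```
+
+ ```
+ # .aws/credentials
+ [assume_test]
+ aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
+ aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ ```
+
+ And execute
+
+ ```sh
+ $ ec2sample i-1aa1aaaa --profile assumed --region ap-northeast-1
+ ```
+
+ #### 2. secrets.yml
+
+ ```sh
+ $ cat <<EOF > secrets.yml
+ region: ap-northeast-1
+ aws_access_key_id: XXXXXXXXXXXXXXXXXXXX
+ aws_secret_access_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ role_arn = arn:aws:iam::123456780912:role/assumed-role
+ role_session_name = awsecrets-assume-role
+ ```
+
+ And execute
+
+ ```sh
+ $ ec2sample i-1aa1aaaa
+ ```
+
+
  ## Contributing
 
  1. Fork it ( https://github.com/k1LoW/awsecrets/fork )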
@@ -1,3 +1,3 @@
1
1
  module Awsecrets
2
- VERSION = '1.7.0'
2
+ VERSION = '1.8.0'
3
3
  end
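--- a/data/lib/awsecrets.rb
+++ b/data/lib/awsecrets.rb
@@ -7,9 +7,9 @@ require 'yaml'
  module Awsecrets
  def self.load(profile: nil, region: nil, secrets_path: 'secrets.yml')
  @profile = profile
- @secrets_path = secrets_path
  @region = region
- @credentials = nil
+ @secrets_path = secrets_path
+ @credentials = @access_key_id = @secret_access_key = @session_token = @role_arn = @source_profile = nil
 
  # 1. Command Line Options
  load_options if load_method_args
@@ -22,74 +22,105 @@ module Awsecrets
  # 5. The CLI configuration file
  load_config
 
- Aws.config[:region] = @region
- Aws.config[:credentials] = @credentials
+ set_aws_config
  end
 
  def self.load_method_args
  return false unless @profile
- @region = AWSConfig[@profile]['region'] if AWSConfig[@profile]['region'] && @region.nil?
- @credentials = Aws::SharedCredentials.new(profile_name: @profile)
+ @region ||= AWSConfig[@profile]['region'] if AWSConfig[@profile]['region']
  true
  end
 
  def self.load_options
  opt = OptionParser.new
- opt.on('--profile PROFILE') { |v| @profile = v } unless @profile
- opt.on('--region REGION') { |v| @region = v } unless @region
- opt.on('--secrets_path SECRETS_PATH') { |v| @secrets_path = v } unless @secrets_path
+ opt.on('--profile PROFILE') { |v| @profile ||= v }
+ opt.on('--region REGION') { |v| @region ||= v }
+ opt.on('--secrets_path SECRETS_PATH') { |v| @secrets_path ||= v }
  begin
  opt.parse!(ARGV)
  rescue OptionParser::InvalidOption
  end
  return unless @profile
- @region = AWSConfig[@profile]['region'] if AWSConfig[@profile]['region'] && @region.nil?
- @credentials = Aws::SharedCredentials.new(profile_name: @profile)
+ @region ||= AWSConfig[@profile]['region']
  end
 
  def self.load_env
- @region = ENV['AWS_REGION'] unless @region
- @region = ENV['AWS_DEFAULT_REGION'] unless @region
- if @credentials.nil? && ENV['AWS_PROFILE']
- @credentials = Aws::SharedCredentials.new(profile_name: ENV['AWS_PROFILE'])
- @profile = ENV['AWS_PROFILE']
- end
- return unless @credentials.nil? && ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
- @credentials = Aws::Credentials.new(
- ENV['AWS_ACCESS_KEY_ID'],
- ENV['AWS_SECRET_ACCESS_KEY'],
- ENV['AWS_SESSION_TOKEN'] # Not necessary
- )
+ @region ||= ENV['AWS_REGION']
+ @region ||= ENV['AWS_DEFAULT_REGION']
+ @profile ||= ENV['AWS_PROFILE']
+ return if @access_key_id
+ return unless ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']
+ @access_key_id ||= ENV['AWS_ACCESS_KEY_ID']
+ @secret_access_key ||= ENV['AWS_SECRET_ACCESS_KEY']
+ @session_token ||= ENV['AWS_SESSION_TOKEN']
  end
 
  def self.load_yaml
  creds = YAML.load_file(@secrets_path) if File.exist?(@secrets_path)
- if @region.nil? && creds
- @region = creds['region'] if creds.include?('region')
- end
- return unless @credentials.nil? && creds &&
+ @region ||= creds['region'] if creds && creds.include?('region')
+ return if @access_key_id
+ return unless creds &&
  creds.include?('aws_access_key_id') &&
  creds.include?('aws_secret_access_key')
- session_token = nil
- session_token = creds['aws_session_token'] if creds.include?('aws_session_token')
- @credentials = Aws::Credentials.new(
- creds['aws_access_key_id'],
- creds['aws_secret_access_key'],
- session_token
+ @access_key_id ||= creds['aws_access_key_id']
+ @secret_access_key ||= creds['aws_secret_access_key']
+ @session_token ||= creds['aws_session_token'] if creds.include?('aws_session_token')
+ @role_arn ||= creds['role_arn'] if creds.include?('role_arn')
+ @role_session_name ||= creds['role_session_name'] if creds.include?('role_session_name')
+ return unless @role_arn && @role_session_name
+ @credentials ||= Aws::AssumeRoleCredentials.new(
+ client: Aws::STS::Client.new(
+ region: @region,
+ credentials: Aws::SharedCredentials.new(
+ region: @region,
+ access_key_id: @access_key_id,
+ secret_access_key: @secret_access_key
+ )
+ ),
+ role_arn: @role_arn,
+ role_session_name: @role_session_name
  )
  end
 
  def self.load_creds
- return unless @credentials.nil?
- @credentials = Aws::SharedCredentials.new(profile_name: nil)
  end
 
  def self.load_config
- return unless @region.nil?
- @region = if AWSConfig[@profile] && AWSConfig[@profile]['region']
- AWSConfig[@profile]['region']
- else
- AWSConfig['default']['region']
- end
+ @region ||= if AWSConfig[@profile] && AWSConfig[@profile]['region']
+ AWSConfig[@profile]['region']
+ else
+ AWSConfig['default']['region']
+ end
+
+ @role_arn ||= AWSConfig[@profile]['role_arn'] if AWSConfig[@profile]
+ @role_session_name ||= AWSConfig[@profile]['role_session_name'] if AWSConfig[@profile]
+ @source_profile ||= AWSConfig[@profile]['source_profile'] if AWSConfig[@profile]
+ end
+
+ def self.set_aws_config
+ Aws.config[:region] = @region
+
+ if @role_arn && @role_session_name && @source_profile
+ region = if AWSConfig[@source_profile.name] && AWSConfig[@source_profile.name]['region']
+ AWSConfig[@source_profile.name]['region']
+ else
+ AWSConfig['default']['region']
+ end
+
+ @credentials ||= Aws::AssumeRoleCredentials.new(
+ client: Aws::STS::Client.new(
+ region: region,
+ credentials: Aws::SharedCredentials.new(profile_name: @source_profile.name)
+ ),
+ role_arn: @role_arn,
+ role_session_name: @role_session_name
+ )
+ end
+
+ @credentials ||= Aws::SharedCredentials.new(profile_name: @profile) if @profile
+ @credentials ||= Aws::SharedCredentials.new(profile_name: 'default') unless @access_key_id
+ @credentials ||= Aws::Credentials.new(@access_key_id, @secret_access_key, @session_token)
+
+ Aws.config[:credentials] = @credentials
  end
  end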
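Review bot: The secrets.yml AssumeRole path in `load_yaml` builds its STS client with `Aws::SharedCredentials.new(region: ..., access_key_id: ..., secret_access_key: ...)`, and as far as I know that class only reads `path:` and `profile_name:`, so the keys parsed from secrets.yml would be ignored. If so, the role is assumed with whatever the shared credentials file or `AWS_PROFILE` resolves to, which is a different principal than the one the user configured, and `@session_token` is dropped as well. I would pass static credentials to the client instead: `credentials: Aws::Credentials.new(@access_key_id, @secret_access_key, @session_token)`. Separately, the reset chain at the top of `load` clears `@role_arn` and `@source_profile` but not `@role_session_name`, so a second `Awsecrets.load` call can pick up a stale session name; add `@role_session_name` to that chain.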
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: awsecrets
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.0
4
+ version: 1.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - k1LoW
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2017-01-05 00:00:00.000000000 Z
11
+ date: 2017-01-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk