awskeyring 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 45a2721acc4cc5f198c2bf55ee253dcb9f519093
+  data.tar.gz: 6ea5cdc339047ba1e057a46a8733d90ea5af77da
+SHA512:
+  metadata.gz: 0ae669db134da8e9ba7ecff535bb3e3410e6f314358a818a925761e500f3eac220f63bd740ec72906c83040357dd324495c307550f30b91a4f7aab61834a4eee
+  data.tar.gz: 6b005ea78e4fb94f21566edc1c702d75c8e5f2308b21f8bac6fd02329332e0dbd71394d301bf2852c6f82aa2df42dc7b7ffbb6229fdd21ca9a618e90f7a15f04

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/bin/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,22 @@
+Metrics/AbcSize:
+  Max: 31
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/ClassLength:
+  Exclude:
+    - lib/awskeyring_command.rb
+    
+Metrics/MethodLength:
+  Max: 16
+
+Naming/FileName:
+  Exclude:
+    - Gemfile
+    - Rakefile
+    - aws-keychain-util.gemspec
+
+AllCops:
+  Exclude:
+    - bin/*

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.0.0
+before_install: gem install bundler -v 1.11.2

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,49 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at tristanmorgan@users.noreply.github.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in awskeyring.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Tristan Morgan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+# Awskeyring
+
+Awskeyring is a small tool to manage AWS account keys in the macOS Keychain.
+
+## Installation
+
+Install it with:
+
+    $ gem install awskeyring
+
+## Usage
+
+The CLI is using [Thor](http://whatisthor.com) with help provided interactivly.
+
+    Commands:
+    awskeyring --version, -v               # Prints the version
+    awskeyring add ACCOUNT                 # Adds an ACCOUNT to the keyring
+    awskeyring add-role ROLE               # Adds a ROLE to the keyring
+    awskeyring console ACCOUNT             # Open the AWS Console for the ACCOUNT
+    awskeyring env ACCOUNT                 # Outputs bourne shell environment exports for an ACCOUNT
+    awskeyring help [COMMAND]              # Describe available commands or one specific command
+    awskeyring initialise                  # Initialises a new KEYCHAIN
+    awskeyring list                        # Prints a list of accounts in the keyring
+    awskeyring list-role                   # Prints a list of roles in the keyring
+    awskeyring remove ACCOUNT              # Removes an ACCOUNT from the keyring
+    awskeyring remove-role ROLE            # Removes a ROLE from the keyring
+    awskeyring token ACCOUNT [ROLE] [MFA]  # Create an STS Token from a ROLE or an MFA code
+
+and autocomplete that can be installed with:
+
+    $ complete -C /usr/local/bin/aws-creds aws-creds
+
+To set your environment easily the following function helps:
+
+    awsenv() { eval "$(awskeyring env $1)"; }
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec awskeyring` to use the gem in this directory, ignoring other installed copies of this gem.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/tristanmorgan/awskeyring. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new do |rubocop|
+  rubocop.options = ['-D']
+end
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: %i[rubocop spec]

data/awskeyring.gemspec

@@ -0,0 +1,30 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'awskeyring/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'awskeyring'
+  spec.version       = Awskeyring::VERSION
+  spec.authors       = ['Tristan Morgan']
+  spec.email         = ['tristanmorgan@users.noreply.github.com']
+
+  spec.summary       = 'Manages AWS credentials in the OS X keychain'
+  spec.description   = 'Manages AWS credentials in the OS X keychain'
+  spec.homepage      = 'https://github.com/tristanmorgan/awskeyring'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency('aws-sdk-iam')
+  spec.add_dependency('highline')
+  spec.add_dependency('ruby-keychain')
+  spec.add_dependency('thor')
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
+end

data/exe/awskeyring

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require_relative '../lib/awskeyring_command'
+
+trap('SIGINT') do
+  warn "\nExecution aborted.\n"
+  exit 1
+end
+
+AwskeyringCommand.start

data/lib/awskeyring/version.rb

@@ -0,0 +1,3 @@
+module Awskeyring
+  VERSION = '0.0.1'.freeze
+end

data/lib/awskeyring.rb

@@ -0,0 +1,127 @@
+require 'keychain'
+require 'aws-sdk-iam'
+
+require 'awskeyring/version'
+
+# Aws Key-ring logical object,
+# gives you an interface to access keychains and items.
+module Awskeyring
+  PREFS_FILE = (File.expand_path '~/.awskeyring').freeze
+  ROLE_PREFIX = 'role '.freeze
+  ACCOUNT_PREFIX = 'account '.freeze
+
+  def self.prefs
+    if File.exist? PREFS_FILE
+      JSON.parse(File.read(PREFS_FILE))
+    else
+      {}
+    end
+  end
+
+  def self.init_keychain(awskeyring:)
+    keychain = Keychain.create(awskeyring)
+    keychain.lock_interval = 300
+    keychain.lock_on_sleep = true
+
+    prefs = { awskeyring: awskeyring }
+    File.new(Awskeyring::PREFS_FILE, 'w').write JSON.dump(prefs)
+  end
+
+  def self.load_keychain
+    unless File.exist?(Awskeyring::PREFS_FILE) || prefs.empty?
+      warn "Config missing, run `#{$PROGRAM_NAME} initialise` to recreate."
+      exit 1
+    end
+
+    keychain = Keychain.open(prefs['awskeyring'])
+    if keychain && keychain.lock_interval > 300
+      warn 'It is STRONGLY reccomended to set your keychain to lock in 5 minutes or less.'
+    end
+    keychain
+  end
+
+  def self.list_items
+    items = all_items.all.sort do |a, b|
+      a.attributes[:label] <=> b.attributes[:label]
+    end
+    items.select { |elem| elem.attributes[:label].start_with?(ACCOUNT_PREFIX) }
+  end
+
+  def self.list_roles
+    items = all_items.all.sort do |a, b|
+      a.attributes[:label] <=> b.attributes[:label]
+    end
+    items.select { |elem| elem.attributes[:label].start_with?(ROLE_PREFIX) }
+  end
+
+  def self.all_items
+    load_keychain.generic_passwords
+  end
+
+  def self.add_item(account:, key:, secret:, comment:)
+    all_items.create(
+      label: "#{ACCOUNT_PREFIX}#{account}",
+      account: key,
+      password: secret,
+      comment: comment
+    )
+  end
+
+  def self.add_role(role:, arn:, account:)
+    all_items.create(
+      label: "#{ROLE_PREFIX}#{role}",
+      account: arn,
+      password: '',
+      comment: account
+    )
+  end
+
+  def self.add_pair(account:, key:, secret:, token:, expiry:, role:)
+    all_items.create(label: "session-key #{account}",
+                     account: key,
+                     password: secret,
+                     comment: "#{ROLE_PREFIX}#{role}")
+    all_items.create(label: "session-token #{account}",
+                     account: expiry,
+                     password: token,
+                     comment: "#{ROLE_PREFIX}#{role}")
+  end
+
+  def self.get_item(account)
+    all_items.where(label: "#{ACCOUNT_PREFIX}#{account}").first
+  end
+
+  def self.get_role(name)
+    all_items.where(label: "#{ROLE_PREFIX}#{name}").first
+  end
+
+  def self.get_pair(account)
+    session_key = all_items.where(label: "session-key #{account}").first
+    session_token = all_items.where(label: "session-token #{account}").first if session_key
+    [session_key, session_token]
+  end
+
+  def self.list_item_names
+    list_items.map { |elem| elem.attributes[:label][(ACCOUNT_PREFIX.length)..-1] }
+  end
+
+  def self.list_role_names
+    list_roles.map { |elem| elem.attributes[:label][(ROLE_PREFIX.length)..-1] }
+  end
+
+  def self.delete_expired(key, token)
+    expires_at = Time.at(token.attributes[:account].to_i)
+    if expires_at < Time.now
+      delete_pair(key, token, '# Removing expired session credentials')
+      key = nil
+      token = nil
+    end
+    [key, token]
+  end
+
+  def self.delete_pair(key, token, message)
+    puts message if message
+    token.delete if token
+    key.delete if key
+  end
+end

data/lib/awskeyring_command.rb

@@ -0,0 +1,314 @@
+require 'aws-sdk-iam'
+require 'cgi'
+require 'highline'
+require 'json'
+require 'open-uri'
+require 'thor'
+
+require_relative 'awskeyring'
+
+# AWS Key-ring command line interface.
+class AwskeyringCommand < Thor
+  map %w[--version -v] => :__version
+  map ['ls'] => :list
+  map ['lsr'] => :list_role
+  map ['rm'] => :remove
+  map ['rmr'] => :remove_role
+
+  desc '--version, -v', 'Prints the version'
+  def __version
+    puts Awskeyring::VERSION
+  end
+
+  desc 'initialise', 'Initialises a new KEYCHAIN'
+  method_option :keychain, type: :string, aliases: '-n', desc: 'Name of KEYCHAIN to initialise.'
+  def initialise
+    unless Awskeyring.prefs.empty?
+      puts "#{Awskeyring::PREFS_FILE} exists. no need to initialise."
+      exit 1
+    end
+
+    keychain ||= options[:keychain]
+    keychain ||= ask(message: "Name for new keychain (default: 'awskeyring')")
+    keychain = 'awskeyring' if keychain.empty?
+
+    puts 'Creating a new Keychain, you will be prompted for a password for it.'
+    Awskeyring.init_keychain(awskeyring: keychain)
+
+    puts 'Your keychain has been initialised. It will auto-lock after 5 minutes'
+    puts 'and when sleeping. Use Keychain Access to adjust.'
+    puts
+    puts "Add accounts to your #{keychain} keychain with:"
+    puts "    #{$PROGRAM_NAME} add"
+  end
+
+  desc 'list', 'Prints a list of accounts in the keyring'
+  def list
+    puts Awskeyring.list_item_names.join("\n")
+  end
+
+  map 'list-role' => :list_role
+  desc 'list-role', 'Prints a list of roles in the keyring'
+  def list_role
+    puts Awskeyring.list_role_names.join("\n")
+  end
+
+  desc 'env ACCOUNT', 'Outputs bourne shell environment exports for an ACCOUNT'
+  def env(account = nil)
+    account ||= ask(message: 'account name')
+    cred, temp_cred = get_valid_item_pair(account: account)
+    token = temp_cred.password unless temp_cred.nil?
+    put_env_string(
+      account: cred.attributes[:label],
+      key: cred.attributes[:account],
+      secret: cred.password,
+      token: token
+    )
+  end
+
+  desc 'add ACCOUNT', 'Adds an ACCOUNT to the keyring'
+  method_option :key, type: :string, aliases: '-k', desc: 'AWS account key id.'
+  method_option :secret, type: :string, aliases: '-s', desc: 'AWS account secret.'
+  method_option :mfa, type: :string, aliases: '-m', desc: 'AWS virtual mfa arn.'
+  def add(account = nil)
+    account ||= ask(message: 'account name')
+    key ||= options[:key]
+    key ||= ask(message: 'access key id')
+    secret ||= options[:secret]
+    secret ||= ask(message: 'secret access key', secure: true)
+    mfa ||= options[:mfa]
+    mfa ||= ask(message: 'mfa arn', optional: true)
+
+    Awskeyring.add_item(
+      account: account,
+      key: key,
+      secret: secret,
+      comment: mfa
+    )
+  end
+
+  map 'add-role' => :add_role
+  desc 'add-role ROLE', 'Adds a ROLE to the keyring'
+  method_option :arn, type: :string, aliases: '-a', desc: 'AWS role arn.'
+  def add_role(role = nil)
+    role ||= ask(message: 'role name')
+    arn ||= options[:arn]
+    arn ||= ask(message: 'role arn')
+    account ||= ask(message: 'account', optional: true)
+
+    Awskeyring.add_role(
+      role: role,
+      arn: arn,
+      account: account
+    )
+  end
+
+  desc 'remove ACCOUNT', 'Removes an ACCOUNT from the keyring'
+  def remove(account = nil)
+    account ||= ask(message: 'account name')
+    cred, temp_cred = get_valid_item_pair(account: account)
+    Awskeyring.delete_pair(cred, temp_cred, "# Removing account #{account}")
+  end
+
+  map 'remove-role' => :remove_role
+  desc 'remove-role ROLE', 'Removes a ROLE from the keyring'
+  def remove_role(role = nil)
+    role ||= ask(message: 'role name')
+    item_role = Awskeyring.get_role(role)
+    Awskeyring.delete_pair(item_role, nil, "# Removing role #{role}")
+  end
+
+  desc 'token ACCOUNT [ROLE] [MFA]', 'Create an STS Token from a ROLE or an MFA code'
+  method_option :role, type: :string, aliases: '-r', desc: 'The ROLE to assume.'
+  method_option :code, type: :string, aliases: '-c', desc: 'Virtual mfa CODE.'
+  method_option :duration, type: :string, aliases: '-d', desc: 'Session DURATION in seconds.'
+  def token(account = nil, role = nil, code = nil)
+    account ||= ask(message: 'account name')
+    role ||= options[:role]
+    code ||= options[:code]
+    duration = options[:duration]
+    duration ||= (60 * 60 * 1).to_s if role
+    duration ||= (60 * 60 * 12).to_s if code
+
+    if !role && !code
+      warn 'Please use either a role or a code'
+      exit 2
+    end
+
+    session_key, session_token = Awskeyring.get_pair(account)
+    Awskeyring.delete_pair(session_key, session_token, '# Removing STS credentials') if session_key
+
+    item = Awskeyring.get_item(account)
+    item_role = Awskeyring.get_role(role) if role
+
+    sts = Aws::STS::Client.new(access_key_id: item.attributes[:account], secret_access_key: item.password)
+
+    begin
+      response =
+        if code && role
+          sts.assume_role(
+            duration_seconds: duration.to_i,
+            role_arn: item_role.attributes[:account],
+            role_session_name: ENV['USER'],
+            serial_number: item.attributes[:comment],
+            token_code: code
+          )
+        elsif role
+          sts.assume_role(
+            duration_seconds: duration.to_i,
+            role_arn: item_role.attributes[:account],
+            role_session_name: ENV['USER']
+          )
+        elsif code
+          sts.get_session_token(
+            duration_seconds: duration.to_i,
+            serial_number: item.attributes[:comment],
+            token_code: code
+          )
+        end
+    rescue Aws::STS::Errors::AccessDenied => e
+      puts e.to_s
+      exit 1
+    end
+
+    Awskeyring.add_pair(
+      account: account,
+      key: response.credentials[:access_key_id],
+      secret: response.credentials[:secret_access_key],
+      token: response.credentials[:session_token],
+      expiry: response.credentials[:expiration].to_i.to_s,
+      role: role
+    )
+
+    puts "Authentication valid until #{response.credentials[:expiration]}"
+  end
+
+  desc 'console ACCOUNT', 'Open the AWS Console for the ACCOUNT'
+  def console(account = nil)
+    account ||= ask(message: 'account name')
+    cred, temp_cred = get_valid_item_pair(account: account)
+    token = temp_cred.password unless temp_cred.nil?
+
+    console_url = 'https://console.aws.amazon.com/console/home'
+    signin_url = 'https://signin.aws.amazon.com/federation'
+    policy_json = {
+      Version: '2012-10-17',
+      Statement: [{
+        Action: '*',
+        Resource: '*',
+        Effect: 'Allow'
+      }]
+    }.to_json
+
+    if temp_cred
+      session_json = {
+        sessionId: cred.attributes[:account],
+        sessionKey: cred.password,
+        sessionToken: token
+      }.to_json
+    else
+      sts = Aws::STS::Client.new(access_key_id: cred.attributes[:account],
+                                 secret_access_key: cred.password)
+
+      session = sts.get_federation_token(name: ENV['USER'],
+                                         policy: policy_json,
+                                         duration_seconds: (60 * 60 * 12))
+      session_json = {
+        sessionId: session.credentials[:access_key_id],
+        sessionKey: session.credentials[:secret_access_key],
+        sessionToken: session.credentials[:session_token]
+      }.to_json
+
+    end
+    get_signin_token_url = signin_url + '?Action=getSigninToken' \
+                           '&Session=' + CGI.escape(session_json)
+
+    returned_content = open(get_signin_token_url).read
+
+    signin_token = JSON.parse(returned_content)['SigninToken']
+    signin_token_param = '&SigninToken=' + CGI.escape(signin_token)
+    destination_param = '&Destination=' + CGI.escape(console_url)
+
+    login_url = signin_url + '?Action=login' + signin_token_param + destination_param
+
+    pid = spawn("open \"#{login_url}\"")
+    Process.wait pid
+  end
+
+  # autocomplete
+  desc 'awskeyring CURR PREV', 'Autocompletion for bourne shells', hide: true
+  def awskeyring(curr, prev)
+    comp_line = ENV['COMP_LINE']
+    unless comp_line
+      warn "enable autocomplete with 'complete -C /path-to-command/awskeyring awskeyring'"
+      exit 1
+    end
+    comp_len = comp_line.split.length
+    comp_len += 1 if curr == ''
+
+    case comp_len
+    when 2
+      puts list_commands.select { |elem| elem.start_with?(curr) }.join("\n")
+    when 3
+      if prev == 'help'
+        puts list_commands.select { |elem| elem.start_with?(curr) }.join("\n")
+      elsif prev == 'remove-role'
+        puts Awskeyring.list_role_names.select { |elem| elem.start_with?(curr) }.join("\n")
+      else
+        puts Awskeyring.list_item_names.select { |elem| elem.start_with?(curr) }.join("\n")
+      end
+    when 4
+      puts Awskeyring.list_role_names.select { |elem| elem.start_with?(curr) }.join("\n")
+    else
+      exit 1
+    end
+  end
+
+  private
+
+  def list_commands
+    self.class.all_commands.keys.map { |elem| elem.tr('_', '-') }
+  end
+
+  def get_valid_item_pair(account:)
+    session_key, session_token = Awskeyring.get_pair(account)
+    session_key, session_token = Awskeyring.delete_expired(session_key, session_token) if session_key
+
+    if session_key && session_token
+      puts '# Using temporary session credentials'
+      return session_key, session_token
+    end
+
+    item = Awskeyring.get_item(account)
+    if item.nil?
+      warn "# Credential not found with name: #{account}"
+      exit 2
+    end
+    [item, nil]
+  end
+
+  def put_env_string(account:, key:, secret:, token:)
+    puts "export AWS_ACCOUNT_NAME=\"#{account}\""
+    puts "export AWS_ACCESS_KEY_ID=\"#{key}\""
+    puts "export AWS_ACCESS_KEY=\"#{key}\""
+    puts "export AWS_SECRET_ACCESS_KEY=\"#{secret}\""
+    puts "export AWS_SECRET_KEY=\"#{secret}\""
+    if token
+      puts "export AWS_SECURITY_TOKEN=\"#{token}\""
+      puts "export AWS_SESSION_TOKEN=\"#{token}\""
+    else
+      puts 'unset AWS_SECURITY_TOKEN'
+      puts 'unset AWS_SESSION_TOKEN'
+    end
+  end
+
+  def ask(message:, secure: false, optional: false)
+    if secure
+      HighLine.new.ask(message.rjust(20) + ': ') { |q| q.echo = '*' }
+    elsif optional
+      HighLine.new.ask((message + ' (optional)').rjust(20) + ': ')
+    else
+      HighLine.new.ask(message.rjust(20) + ': ')
+    end
+  end
+end

metadata

@@ -0,0 +1,171 @@
+--- !ruby/object:Gem::Specification
+name: awskeyring
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Tristan Morgan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-12-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-keychain
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Manages AWS credentials in the OS X keychain
+email:
+- tristanmorgan@users.noreply.github.com
+executables:
+- awskeyring
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- awskeyring.gemspec
+- exe/awskeyring
+- lib/awskeyring.rb
+- lib/awskeyring/version.rb
+- lib/awskeyring_command.rb
+homepage: https://github.com/tristanmorgan/awskeyring
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.12
+signing_key: 
+specification_version: 4
+summary: Manages AWS credentials in the OS X keychain
+test_files: []