awskeyring 0.3.0 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/CHANGELOG.md +16 -0
- data/lib/awskeyring/awsapi.rb +16 -7
- data/lib/awskeyring/version.rb +1 -1
- data/lib/awskeyring.rb +10 -3
- data/lib/awskeyring_command.rb +13 -2
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 872f5a554d55d638f03155e0b3411bf3d96fb719
|
|
4
|
+
data.tar.gz: 4cb3938b6a21b369372b933f541432861b7ee790
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: def1b159bc413bc54dcb75161cb211e65d2eec1cecefe40bf7d5811eaa101594f05d8be24a50e18cab0c7751a1691fcebc1b6d979c8ec14f1b7ac79e9befceb9
|
|
7
|
+
data.tar.gz: 1daafcf9f1c1451d08000645626675c0c4e7ea399bb1a7a0939872412857d75efd71a775426e22f4482c32f937ec937e8b8cf9fef33566c92ea360f8afc9bb25
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,21 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
|
|
3
|
+
## [v0.3.1](https://github.com/vibrato/awskeyring/tree/v0.3.1) (2018-07-25)
|
|
4
|
+
[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.3.0...v0.3.1)
|
|
5
|
+
|
|
6
|
+
**Implemented enhancements:**
|
|
7
|
+
|
|
8
|
+
- Warn about key-age [\#24](https://github.com/vibrato/awskeyring/pull/24) ([tristanmorgan](https://github.com/tristanmorgan))
|
|
9
|
+
|
|
10
|
+
**Fixed bugs:**
|
|
11
|
+
|
|
12
|
+
- Error adding account when region is not specified [\#21](https://github.com/vibrato/awskeyring/issues/21)
|
|
13
|
+
- Check more locations for current region. [\#23](https://github.com/vibrato/awskeyring/pull/23) ([tristanmorgan](https://github.com/tristanmorgan))
|
|
14
|
+
|
|
15
|
+
**Merged pull requests:**
|
|
16
|
+
|
|
17
|
+
- Set a default region on cred verify. [\#22](https://github.com/vibrato/awskeyring/pull/22) ([tristanmorgan](https://github.com/tristanmorgan))
|
|
18
|
+
|
|
3
19
|
## [v0.3.0](https://github.com/vibrato/awskeyring/tree/v0.3.0) (2018-04-12)
|
|
4
20
|
[Full Changelog](https://github.com/vibrato/awskeyring/compare/v0.2.0...v0.3.0)
|
|
5
21
|
|
data/lib/awskeyring/awsapi.rb
CHANGED
|
@@ -19,6 +19,8 @@ module Awskeyring
|
|
|
19
19
|
|
|
20
20
|
TWELVE_HOUR = (60 * 60 * 12)
|
|
21
21
|
ONE_HOUR = (60 * 60 * 1)
|
|
22
|
+
# Days in seconds
|
|
23
|
+
ONE_DAY = (24 * 60 * 60)
|
|
22
24
|
|
|
23
25
|
# Retrieves a temporary session token from AWS
|
|
24
26
|
#
|
|
@@ -36,11 +38,13 @@ module Awskeyring
|
|
|
36
38
|
# token The aws_session_token
|
|
37
39
|
# expiry expiry time
|
|
38
40
|
def self.get_token(params = {}) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
41
|
+
ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
|
|
39
42
|
sts = Aws::STS::Client.new(access_key_id: params[:key], secret_access_key: params[:secret])
|
|
40
43
|
|
|
44
|
+
params[:mfa] = nil unless params[:code]
|
|
41
45
|
begin
|
|
42
46
|
response =
|
|
43
|
-
if params[:
|
|
47
|
+
if params[:role_arn]
|
|
44
48
|
sts.assume_role(
|
|
45
49
|
duration_seconds: params[:duration].to_i,
|
|
46
50
|
role_arn: params[:role_arn],
|
|
@@ -48,12 +52,6 @@ module Awskeyring
|
|
|
48
52
|
serial_number: params[:mfa],
|
|
49
53
|
token_code: params[:code]
|
|
50
54
|
)
|
|
51
|
-
elsif params[:role_arn]
|
|
52
|
-
sts.assume_role(
|
|
53
|
-
duration_seconds: params[:duration].to_i,
|
|
54
|
-
role_arn: params[:role_arn],
|
|
55
|
-
role_session_name: params[:user]
|
|
56
|
-
)
|
|
57
55
|
elsif params[:code]
|
|
58
56
|
sts.get_session_token(
|
|
59
57
|
duration_seconds: params[:duration].to_i,
|
|
@@ -105,6 +103,7 @@ module Awskeyring
|
|
|
105
103
|
# @param [String] token The aws_session_token
|
|
106
104
|
def self.verify_cred(key:, secret:)
|
|
107
105
|
begin
|
|
106
|
+
ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
|
|
108
107
|
sts = Aws::STS::Client.new(access_key_id: key, secret_access_key: secret)
|
|
109
108
|
sts.get_caller_identity
|
|
110
109
|
rescue Aws::Errors::ServiceError => err
|
|
@@ -133,6 +132,7 @@ module Awskeyring
|
|
|
133
132
|
sessionToken: token
|
|
134
133
|
}.to_json
|
|
135
134
|
else
|
|
135
|
+
ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
|
|
136
136
|
sts = Aws::STS::Client.new(access_key_id: key,
|
|
137
137
|
secret_access_key: secret)
|
|
138
138
|
|
|
@@ -158,6 +158,15 @@ module Awskeyring
|
|
|
158
158
|
signin_url + '?Action=login' + signin_token_param + destination_param
|
|
159
159
|
end
|
|
160
160
|
|
|
161
|
+
# Get the current region
|
|
162
|
+
#
|
|
163
|
+
# @return [String] current configured region
|
|
164
|
+
def self.region
|
|
165
|
+
keys = %w[AWS_REGION AMAZON_REGION AWS_DEFAULT_REGION]
|
|
166
|
+
region = ENV.values_at(*keys).compact.first
|
|
167
|
+
region || Aws.shared_config.region(profile: 'default')
|
|
168
|
+
end
|
|
169
|
+
|
|
161
170
|
# Rotates the AWS access keys
|
|
162
171
|
#
|
|
163
172
|
# @param [String] key The aws_access_key_id
|
data/lib/awskeyring/version.rb
CHANGED
data/lib/awskeyring.rb
CHANGED
|
@@ -14,6 +14,8 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
|
|
|
14
14
|
SESSION_KEY_PREFIX = 'session-key '.freeze
|
|
15
15
|
# Prefix for Session Tokens
|
|
16
16
|
SESSION_TOKEN_PREFIX = 'session-token '.freeze
|
|
17
|
+
# Default warning of key age in days.
|
|
18
|
+
DEFAULT_KEY_AGE = 90
|
|
17
19
|
|
|
18
20
|
# Retrieve the preferences
|
|
19
21
|
#
|
|
@@ -32,7 +34,10 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
|
|
|
32
34
|
keychain.lock_interval = 300
|
|
33
35
|
keychain.lock_on_sleep = true
|
|
34
36
|
|
|
35
|
-
prefs = {
|
|
37
|
+
prefs = {
|
|
38
|
+
awskeyring: awskeyring,
|
|
39
|
+
keyage: DEFAULT_KEY_AGE
|
|
40
|
+
}
|
|
36
41
|
File.new(Awskeyring::PREFS_FILE, 'w').write JSON.dump(prefs)
|
|
37
42
|
end
|
|
38
43
|
|
|
@@ -168,7 +173,8 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
|
|
|
168
173
|
key: cred.attributes[:account],
|
|
169
174
|
secret: cred.password,
|
|
170
175
|
token: token,
|
|
171
|
-
expiry: expiry
|
|
176
|
+
expiry: expiry,
|
|
177
|
+
updated: cred.attributes[:updated_at]
|
|
172
178
|
}
|
|
173
179
|
end
|
|
174
180
|
|
|
@@ -180,7 +186,8 @@ module Awskeyring # rubocop:disable Metrics/ModuleLength
|
|
|
180
186
|
account: account,
|
|
181
187
|
key: cred.attributes[:account],
|
|
182
188
|
secret: cred.password,
|
|
183
|
-
mfa: cred.attributes[:comment]
|
|
189
|
+
mfa: cred.attributes[:comment],
|
|
190
|
+
updated: cred.attributes[:updated_at]
|
|
184
191
|
}
|
|
185
192
|
end
|
|
186
193
|
|
data/lib/awskeyring_command.rb
CHANGED
|
@@ -68,6 +68,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
68
68
|
existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
|
|
69
69
|
)
|
|
70
70
|
cred = Awskeyring.get_valid_creds(account: account)
|
|
71
|
+
age_check(account, cred[:updated])
|
|
71
72
|
put_env_string(
|
|
72
73
|
account: cred[:account],
|
|
73
74
|
key: cred[:key],
|
|
@@ -83,12 +84,13 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
83
84
|
existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
|
|
84
85
|
)
|
|
85
86
|
cred = Awskeyring.get_valid_creds(account: account)
|
|
87
|
+
age_check(account, cred[:updated])
|
|
86
88
|
expiry = Time.at(cred[:expiry]) unless cred[:expiry].nil?
|
|
87
89
|
puts Awskeyring::Awsapi.get_cred_json(
|
|
88
90
|
key: cred[:key],
|
|
89
91
|
secret: cred[:secret],
|
|
90
92
|
token: cred[:token],
|
|
91
|
-
expiry: expiry || Time.new +
|
|
93
|
+
expiry: expiry || Time.new + Awskeyring::Awsapi::ONE_HOUR
|
|
92
94
|
)
|
|
93
95
|
end
|
|
94
96
|
|
|
@@ -96,6 +98,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
96
98
|
# execute an external command with env set
|
|
97
99
|
def exec(account, *command)
|
|
98
100
|
cred = Awskeyring.get_valid_creds(account: account)
|
|
101
|
+
age_check(account, cred[:updated])
|
|
99
102
|
env_vars = env_vars(
|
|
100
103
|
account: cred[:account],
|
|
101
104
|
key: cred[:key],
|
|
@@ -247,6 +250,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
247
250
|
duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s
|
|
248
251
|
|
|
249
252
|
item_hash = Awskeyring.get_account_hash(account: account)
|
|
253
|
+
age_check(account, item_hash[:updated])
|
|
250
254
|
role_arn = Awskeyring.get_role_arn(role_name: role) if role
|
|
251
255
|
|
|
252
256
|
begin
|
|
@@ -286,6 +290,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
286
290
|
existing: account, message: 'account name', validator: Awskeyring::Validate.method(:account_name)
|
|
287
291
|
)
|
|
288
292
|
cred = Awskeyring.get_valid_creds(account: account)
|
|
293
|
+
age_check(account, cred[:updated])
|
|
289
294
|
|
|
290
295
|
path = options[:path] || 'console'
|
|
291
296
|
|
|
@@ -329,6 +334,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
329
334
|
|
|
330
335
|
private
|
|
331
336
|
|
|
337
|
+
def age_check(account, updated)
|
|
338
|
+
maxage = Awskeyring.prefs[:keyage] || Awskeyring::DEFAULT_KEY_AGE
|
|
339
|
+
age = (Time.new - updated).div Awskeyring::Awsapi::ONE_DAY
|
|
340
|
+
warn "# Creds for account #{account} are #{age} days old." unless age < maxage
|
|
341
|
+
end
|
|
342
|
+
|
|
332
343
|
def print_auto_resp(curr, len)
|
|
333
344
|
case len
|
|
334
345
|
when 0
|
|
@@ -348,7 +359,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
|
348
359
|
|
|
349
360
|
def env_vars(account:, key:, secret:, token:)
|
|
350
361
|
env_var = {}
|
|
351
|
-
env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless
|
|
362
|
+
env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless Awskeyring::Awsapi.region
|
|
352
363
|
env_var['AWS_ACCOUNT_NAME'] = account
|
|
353
364
|
env_var['AWS_ACCESS_KEY_ID'] = key
|
|
354
365
|
env_var['AWS_ACCESS_KEY'] = key
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: awskeyring
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tristan Morgan
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-07-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-iam
|
|
@@ -181,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
181
181
|
version: '0'
|
|
182
182
|
requirements: []
|
|
183
183
|
rubyforge_project:
|
|
184
|
-
rubygems_version: 2.
|
|
184
|
+
rubygems_version: 2.5.2.3
|
|
185
185
|
signing_key:
|
|
186
186
|
specification_version: 4
|
|
187
187
|
summary: Manages AWS credentials in the macOS keychain
|