awskeyring 1.3.0 → 1.3.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -1
- data/CONTRIBUTING.md +1 -1
- data/Gemfile +0 -1
- data/README.md +14 -6
- data/Rakefile +9 -2
- data/lib/awskeyring/awsapi.rb +26 -39
- data/lib/awskeyring/version.rb +1 -1
- data/lib/awskeyring_command.rb +9 -9
- data/man/awskeyring.5 +3 -3
- data/man/awskeyring.5.ronn +28 -23
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 30c8d91672aa45d4ed0bdf0500ce5ba053f510cd170958a785854ff10b5f0477
|
4
|
+
data.tar.gz: fc3e66624ea7712eedcba77119b09be088e06a5f4efd2c9d4c92388d26a2f4b0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 61d4e71bec6c42d350c3f3b3915c07dc70cc90c86c219774ac85bb5bc6aff7e6b09800c6efeff06ee50dbb44cb13219e6ffee2974addc3f95be480065f1d8b6e
|
7
|
+
data.tar.gz: d6b3489c866531e8c0c24cc3ed9a140ec734d88ae417e76610990170d08aa69c465b182c3c8dc45a131c3d10e2c80b909ee926ecfce9d83ad1e70eb6df00519b
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,19 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
-
## [v1.3.
|
3
|
+
## [v1.3.1](https://github.com/servian/awskeyring/tree/v1.3.1) (2020-03-20)
|
4
|
+
|
5
|
+
[Full Changelog](https://github.com/servian/awskeyring/compare/v1.3.0...v1.3.1)
|
6
|
+
|
7
|
+
**Implemented enhancements:**
|
8
|
+
|
9
|
+
- Markdown linting changes and removed Rubocop-MD. [\#61](https://github.com/servian/awskeyring/pull/61) ([tristanmorgan](https://github.com/tristanmorgan))
|
10
|
+
- Removed some redundant code. [\#60](https://github.com/servian/awskeyring/pull/60) ([tristanmorgan](https://github.com/tristanmorgan))
|
11
|
+
|
12
|
+
**Merged pull requests:**
|
13
|
+
|
14
|
+
- Update Ronn code and PR template. [\#59](https://github.com/servian/awskeyring/pull/59) ([tristanmorgan](https://github.com/tristanmorgan))
|
15
|
+
|
16
|
+
## [v1.3.0](https://github.com/servian/awskeyring/tree/v1.3.0) (2020-02-19)
|
4
17
|
|
5
18
|
[Full Changelog](https://github.com/servian/awskeyring/compare/v1.2.0...v1.3.0)
|
6
19
|
|
data/CONTRIBUTING.md
CHANGED
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -44,7 +44,9 @@ Now your keys are stored safely in the macOS keychain. To print environment vari
|
|
44
44
|
|
45
45
|
awskeyring env personal-aws
|
46
46
|
|
47
|
-
Alternatively you can create a profile using the credential_process config variable. See the
|
47
|
+
Alternatively you can create a profile using the credential_process config variable. See the
|
48
|
+
[AWS CLI Config docs](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#cli-aws-help-config-vars) for
|
49
|
+
more details on this config option.
|
48
50
|
|
49
51
|
[profile personal]
|
50
52
|
region = us-west-1
|
@@ -87,22 +89,28 @@ To set your environment easily the following bash function helps:
|
|
87
89
|
|
88
90
|
## Development
|
89
91
|
|
90
|
-
After checking out the repo, run `bundle update` to install dependencies. Then, run `bundle exec rake` to run the
|
92
|
+
After checking out the repo, run `bundle update` to install dependencies. Then, run `bundle exec rake` to run the
|
93
|
+
tests. Run `bundle exec awskeyring` to use the gem in this directory, ignoring other installed copies of this gem.
|
94
|
+
Awskeyring is tested against the last two versions of Ruby shipped with macOS.
|
91
95
|
|
92
96
|
To install this gem onto your local machine, run `bundle exec rake install`.
|
93
97
|
|
94
98
|
## Security
|
95
99
|
|
96
|
-
If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
|
100
|
+
If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
|
101
|
+
[tristan@vibrato.com.au](mailto:tristan@vibrato.com.au). Awskeyring is a Ruby script and as such Ruby is whitelisted
|
102
|
+
to access your "awskeyring" keychain. Use a strong password and keep the unlock time short.
|
97
103
|
|
98
104
|
## Contributing
|
99
105
|
|
100
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/servian/awskeyring
|
106
|
+
Bug reports and pull requests are welcome on GitHub at [https://github.com/servian/awskeyring](https://github.com/servian/awskeyring).
|
107
|
+
This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to
|
108
|
+
the [Contributor Covenant](https://contributor-covenant.org) code of conduct.
|
101
109
|
|
102
110
|
### Contributors
|
103
111
|
|
104
|
-
|
105
|
-
|
112
|
+
* Tristan [tristanmorgan](https://github.com/tristanmorgan)
|
113
|
+
* Adam Sir [AzySir](https://github.com/AzySir)
|
106
114
|
|
107
115
|
## License
|
108
116
|
|
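Review bot: In the Security paragraph (new lines 100-102), the sentence that Ruby is whitelisted to access the "awskeyring" keychain names the trust decision but not its consequence for the reader. Suggest stating outright that the whitelist entry is for Ruby itself rather than for this gem, so that "Use a strong password and keep the unlock time short" reads as the mitigation for that exposure. The same paragraph is added to man/awskeyring.5.ronn in this release, so any rewording needs to land in both files.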
data/Rakefile
CHANGED
@@ -3,6 +3,7 @@
|
|
3
3
|
require 'bundler/gem_tasks'
|
4
4
|
require 'rspec/core/rake_task'
|
5
5
|
require 'rubocop/rake_task'
|
6
|
+
require 'ronn'
|
6
7
|
require 'github_changelog_generator/task'
|
7
8
|
require 'yard'
|
8
9
|
|
@@ -15,6 +16,10 @@ end
|
|
15
16
|
|
16
17
|
RuboCop::RakeTask.new do |rubocop|
|
17
18
|
rubocop.options = ['-D']
|
19
|
+
rubocop.requires << 'rubocop-performance'
|
20
|
+
rubocop.requires << 'rubocop-rake'
|
21
|
+
rubocop.requires << 'rubocop-rspec'
|
22
|
+
rubocop.requires << 'rubocop-rubycw'
|
18
23
|
end
|
19
24
|
|
20
25
|
RSpec::Core::RakeTask.new(:spec)
|
@@ -37,8 +42,10 @@ end
|
|
37
42
|
|
38
43
|
desc 'generate manpage'
|
39
44
|
task :ronn do
|
40
|
-
|
41
|
-
|
45
|
+
puts 'Writing manpage'
|
46
|
+
roff_text = Ronn::Document.new('man/awskeyring.5.ronn').to_roff
|
47
|
+
File.write('man/awskeyring.5', roff_text)
|
48
|
+
puts "done\n\n"
|
42
49
|
end
|
43
50
|
|
44
51
|
YARD::Rake::YardocTask.new do |t|
|
data/lib/awskeyring/awsapi.rb
CHANGED
@@ -24,6 +24,7 @@ module Awskeyring
|
|
24
24
|
|
25
25
|
# AWS Env vars
|
26
26
|
AWS_ENV_VARS = %w[
|
27
|
+
AWS_ACCOUNT_NAME
|
27
28
|
AWS_ACCESS_KEY_ID
|
28
29
|
AWS_ACCESS_KEY
|
29
30
|
AWS_SECRET_ACCESS_KEY
|
@@ -116,29 +117,23 @@ module Awskeyring
|
|
116
117
|
# Generates Environment Variables for the AWS CLI
|
117
118
|
#
|
118
119
|
# @param [Hash] params including
|
119
|
-
# [String] account The
|
120
|
+
# [String] account The aws account name
|
121
|
+
# [String] key The aws_access_key_id
|
120
122
|
# [String] secret The aws_secret_access_key
|
121
123
|
# [String] token The aws_session_token
|
122
124
|
# @return [Hash] env_var hash
|
123
125
|
def self.get_env_array(params = {})
|
124
126
|
env_var = {}
|
125
127
|
env_var['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
|
126
|
-
env_var['AWS_ACCOUNT_NAME'] = params[:account] if params[:account]
|
127
128
|
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
env_var['AWS_SECRET_ACCESS_KEY'] = params[:secret]
|
135
|
-
env_var['AWS_SECRET_KEY'] = params[:secret]
|
129
|
+
params.each_key do |param_name|
|
130
|
+
AWS_ENV_VARS.each do |var_name|
|
131
|
+
if var_name.include?(param_name.to_s.upcase) && !params[param_name].nil?
|
132
|
+
env_var[var_name] = params[param_name]
|
133
|
+
end
|
134
|
+
end
|
136
135
|
end
|
137
136
|
|
138
|
-
if params[:token]
|
139
|
-
env_var['AWS_SECURITY_TOKEN'] = params[:token]
|
140
|
-
env_var['AWS_SESSION_TOKEN'] = params[:token]
|
141
|
-
end
|
142
137
|
env_var
|
143
138
|
end
|
144
139
|
|
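Review bot: The substring test `var_name.include?(param_name.to_s.upcase)` at new line 131 matches more variable names than intended. `KEY` is contained in `AWS_SECRET_ACCESS_KEY` as well as in `AWS_ACCESS_KEY_ID` and `AWS_ACCESS_KEY`, so the `:key` value is also written into the secret variable, and the result is only correct when `:secret` is non-nil and is iterated after `:key`. Any other key in `params` whose upcased name appears inside an entry of `AWS_ENV_VARS` would be exported the same way. An explicit map from each param to the variable names it fills would remove the dependence on hash order and on naming coincidences.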
@@ -166,30 +161,22 @@ module Awskeyring
|
|
166
161
|
# @param [String] user The local username
|
167
162
|
# @param [String] path within the Console to access
|
168
163
|
# @return [String] login_url to access
|
169
|
-
def self.get_login_url(key:, secret:, token:, path:, user:)
|
164
|
+
def self.get_login_url(key:, secret:, token:, path:, user:)
|
170
165
|
console_url = "https://console.aws.amazon.com/#{path}/home"
|
171
166
|
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
}.to_json
|
178
|
-
else
|
179
|
-
ENV['AWS_DEFAULT_REGION'] = 'us-east-1' unless region
|
180
|
-
sts = Aws::STS::Client.new(access_key_id: key,
|
181
|
-
secret_access_key: secret)
|
182
|
-
|
183
|
-
session = sts.get_federation_token(name: user,
|
184
|
-
policy: ADMIN_POLICY,
|
185
|
-
duration_seconds: TWELVE_HOUR)
|
186
|
-
session_json = {
|
187
|
-
sessionId: session.credentials[:access_key_id],
|
188
|
-
sessionKey: session.credentials[:secret_access_key],
|
189
|
-
sessionToken: session.credentials[:session_token]
|
190
|
-
}.to_json
|
167
|
+
unless token
|
168
|
+
cred = get_token({ key: key, secret: secret, user: user, duration: TWELVE_HOUR })
|
169
|
+
key = cred[:key]
|
170
|
+
secret = cred[:secret]
|
171
|
+
token = cred[:token]
|
191
172
|
end
|
192
173
|
|
174
|
+
session_json = {
|
175
|
+
sessionId: key,
|
176
|
+
sessionKey: secret,
|
177
|
+
sessionToken: token
|
178
|
+
}.to_json
|
179
|
+
|
193
180
|
destination_param = '&Destination=' + CGI.escape(console_url)
|
194
181
|
|
195
182
|
AWS_SIGNIN_URL + '?Action=login' + token_param(session_json: session_json) + destination_param
|
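Review bot: The `get_token` call at new line 168 passes `duration: TWELVE_HOUR` as the raw constant, while the CLI path in awskeyring_command.rb passes `TWELVE_HOUR.to_s` via `default_duration`, so `get_token` now receives two different types for the same argument. It also wraps its arguments in a hash literal where the caller in awskeyring_command.rb uses bare keywords. The removed branch called `get_federation_token` with `name: user` and `policy: ADMIN_POLICY`; a comment or spec stating that `get_token` still takes that path when neither a role nor an MFA code is given would make the refactor checkable from this file.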
@@ -235,10 +222,10 @@ module Awskeyring
|
|
235
222
|
exit 1
|
236
223
|
end
|
237
224
|
|
238
|
-
new_key = iam.create_access_key
|
225
|
+
new_key = iam.create_access_key[:access_key]
|
239
226
|
iam = Aws::IAM::Client.new(
|
240
|
-
access_key_id: new_key[:
|
241
|
-
secret_access_key: new_key[:
|
227
|
+
access_key_id: new_key[:access_key_id],
|
228
|
+
secret_access_key: new_key[:secret_access_key]
|
242
229
|
)
|
243
230
|
retry_backoff do
|
244
231
|
iam.delete_access_key(
|
@@ -247,8 +234,8 @@ module Awskeyring
|
|
247
234
|
end
|
248
235
|
{
|
249
236
|
account: account,
|
250
|
-
key: new_key[:
|
251
|
-
secret: new_key[:
|
237
|
+
key: new_key[:access_key_id],
|
238
|
+
secret: new_key[:secret_access_key]
|
252
239
|
}
|
253
240
|
end
|
254
241
|
|
data/lib/awskeyring/version.rb
CHANGED
data/lib/awskeyring_command.rb
CHANGED
@@ -289,7 +289,7 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
289
289
|
method_option :code, type: :string, aliases: '-c', desc: I18n.t('method_option.code')
|
290
290
|
method_option :duration, type: :string, aliases: '-d', desc: I18n.t('method_option.duration')
|
291
291
|
# generate a sessiopn token
|
292
|
-
def token(account = nil, role = nil, code = nil) # rubocop:disable
|
292
|
+
def token(account = nil, role = nil, code = nil) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
293
293
|
account = ask_check(
|
294
294
|
existing: account,
|
295
295
|
message: I18n.t('message.account'),
|
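Review bot: Style point on new line 292: `token` carries `# rubocop:disable Metrics/AbcSize, Metrics/MethodLength` although this release moves the duration defaulting out into `default_duration`. It is worth re-running RuboCop to see whether either cop can be dropped from the disable. The context comment directly above still reads `# generate a sessiopn token` and could be corrected in the same edit.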
@@ -309,19 +309,13 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
309
309
|
existing: code, message: I18n.t('message.code'), validator: Awskeyring::Validate.method(:mfa_code)
|
310
310
|
)
|
311
311
|
end
|
312
|
-
duration = options[:duration]
|
313
|
-
duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s if role
|
314
|
-
duration ||= Awskeyring::Awsapi::TWELVE_HOUR.to_s if code
|
315
|
-
duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s
|
316
|
-
|
317
312
|
item_hash = age_check_and_get(account: account, no_token: true)
|
318
|
-
role_arn = Awskeyring.get_role_arn(role_name: role) if role
|
319
313
|
|
320
314
|
begin
|
321
315
|
new_creds = Awskeyring::Awsapi.get_token(
|
322
316
|
code: code,
|
323
|
-
role_arn:
|
324
|
-
duration: duration,
|
317
|
+
role_arn: (Awskeyring.get_role_arn(role_name: role) if role),
|
318
|
+
duration: default_duration(options[:duration], role, code),
|
325
319
|
mfa: item_hash[:mfa],
|
326
320
|
key: item_hash[:key],
|
327
321
|
secret: item_hash[:secret],
|
@@ -471,6 +465,12 @@ class AwskeyringCommand < Thor # rubocop:disable Metrics/ClassLength
|
|
471
465
|
Awskeyring::Awsapi::AWS_ENV_VARS.each { |key| puts "unset #{key}" unless env_var.key?(key) }
|
472
466
|
end
|
473
467
|
|
468
|
+
def default_duration(duration, role, code)
|
469
|
+
duration ||= Awskeyring::Awsapi::ONE_HOUR.to_s if role
|
470
|
+
duration ||= Awskeyring::Awsapi::TWELVE_HOUR.to_s if code
|
471
|
+
duration || Awskeyring::Awsapi::ONE_HOUR.to_s
|
472
|
+
end
|
473
|
+
|
474
474
|
def ask_check(existing:, message:, flags: nil, validator: nil, limited_to: nil) # rubocop:disable Metrics/MethodLength
|
475
475
|
retries ||= 3
|
476
476
|
begin
|
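Review bot: `default_duration` (new lines 468-472) has no comment, and its precedence is easy to misread: an explicit duration wins, then a role gives `ONE_HOUR` even when an MFA code is also supplied, and `TWELVE_HOUR` applies only to a code without a role. A one-line comment stating that order would document the behaviour that the inline `duration ||=` chain in `token` used to show at the call site.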
data/man/awskeyring.5
CHANGED
@@ -1,10 +1,10 @@
|
|
1
1
|
.\" generated with Ronn/v0.7.3
|
2
2
|
.\" http://github.com/rtomayko/ronn/tree/0.7.3
|
3
3
|
.
|
4
|
-
.TH "AWSKEYRING" "5" "
|
4
|
+
.TH "AWSKEYRING" "5" "March 2020" "" ""
|
5
5
|
.
|
6
6
|
.SH "NAME"
|
7
|
-
\fBAwskeyring\fR \- is a small tool to manage AWS account keys in the macOS Keychain
|
7
|
+
\fBAwskeyring\fR \- is a small tool to manage AWS account keys in the macOS Keychain
|
8
8
|
.
|
9
9
|
.SH "SYNOPSIS"
|
10
10
|
awskeyring COMMAND [ACCOUNT|ROLE] [OPTIONS]
|
@@ -13,7 +13,7 @@ awskeyring COMMAND [ACCOUNT|ROLE] [OPTIONS]
|
|
13
13
|
awskeyring help COMMAND
|
14
14
|
.
|
15
15
|
.SH "DESCRIPTION"
|
16
|
-
The Awskeyring utility stores and manages AWS access keys and provides the
|
16
|
+
The Awskeyring utility stores and manages AWS access keys and provides the facility to generate access tokens with combinations of assumed roles and multi\-factor\-authentication codes\. It includes autocompletion features and multiple validation checks for input parsing\. It also includes the ability for the AWS CLI to call it directly to provide authentication\.
|
17
17
|
.
|
18
18
|
.P
|
19
19
|
The commands are as follows:
|
data/man/awskeyring.5.ronn
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
# Awskeyring -- is a small tool to manage AWS account keys in the macOS Keychain
|
1
|
+
# Awskeyring -- is a small tool to manage AWS account keys in the macOS Keychain
|
2
2
|
|
3
3
|
## SYNOPSIS
|
4
4
|
|
@@ -8,81 +8,84 @@ awskeyring help COMMAND
|
|
8
8
|
|
9
9
|
## DESCRIPTION
|
10
10
|
|
11
|
-
The Awskeyring utility stores and manages AWS access keys and provides the
|
11
|
+
The Awskeyring utility stores and manages AWS access keys and provides the facility to generate access tokens with
|
12
|
+
combinations of assumed roles and multi-factor-authentication codes. It includes autocompletion features and multiple
|
13
|
+
validation checks for input parsing. It also includes the ability for the AWS CLI to call it directly to provide authentication.
|
12
14
|
|
13
15
|
The commands are as follows:
|
14
16
|
|
15
|
-
|
17
|
+
* --version, -v:
|
16
18
|
|
17
19
|
Prints the version
|
18
20
|
|
19
|
-
|
21
|
+
* add ACCOUNT:
|
20
22
|
|
21
23
|
Adds an ACCOUNT to the keyring
|
22
24
|
|
23
|
-
|
25
|
+
* add-role ROLE:
|
24
26
|
|
25
27
|
Adds a ROLE to the keyring
|
26
28
|
|
27
|
-
*
|
29
|
+
* console ACCOUNT:
|
28
30
|
|
29
31
|
Open the AWS Console for the ACCOUNT
|
30
32
|
|
31
|
-
*
|
33
|
+
* env ACCOUNT:
|
32
34
|
|
33
35
|
Outputs bourne shell environment exports for an ACCOUNT
|
34
36
|
|
35
|
-
*
|
37
|
+
* exec ACCOUNT command...:
|
36
38
|
|
37
39
|
Execute a COMMAND with the environment set for an ACCOUNT
|
38
40
|
|
39
|
-
*
|
41
|
+
* help [COMMAND]:
|
40
42
|
|
41
43
|
Describe available commands or one specific command
|
42
44
|
|
43
|
-
*
|
45
|
+
* initialise:
|
44
46
|
|
45
47
|
Initialises a new KEYCHAIN
|
46
48
|
|
47
|
-
*
|
49
|
+
* json ACCOUNT:
|
48
50
|
|
49
51
|
Outputs AWS CLI compatible JSON for an ACCOUNT
|
50
52
|
|
51
|
-
*
|
53
|
+
* list:
|
52
54
|
|
53
55
|
Prints a list of accounts in the keyring
|
54
56
|
|
55
|
-
*
|
57
|
+
* list-role:
|
56
58
|
|
57
59
|
Prints a list of roles in the keyring
|
58
60
|
|
59
|
-
*
|
61
|
+
* remove ACCOUNT:
|
60
62
|
|
61
63
|
Removes an ACCOUNT from the keyring
|
62
64
|
|
63
|
-
*
|
65
|
+
* remove-role ROLE:
|
64
66
|
|
65
67
|
Removes a ROLE from the keyring
|
66
68
|
|
67
|
-
*
|
69
|
+
* remove-token ACCOUNT:
|
68
70
|
|
69
71
|
Removes a token for ACCOUNT from the keyring
|
70
72
|
|
71
|
-
*
|
73
|
+
* rotate ACCOUNT:
|
72
74
|
|
73
75
|
Rotate access keys for an ACCOUNT
|
74
76
|
|
75
|
-
*
|
77
|
+
* token ACCOUNT [ROLE] [MFA]:
|
76
78
|
|
77
79
|
Create an STS Token from a ROLE or an MFA code
|
78
80
|
|
79
|
-
*
|
81
|
+
* update ACCOUNT:
|
80
82
|
|
81
83
|
Updates an ACCOUNT in the keyring
|
82
84
|
|
83
85
|
## ENVIRONMENT
|
84
86
|
|
85
|
-
The AWS_DEFAULT_REGION environment variable will be used for AWS API calls where specified or fall back to us-east-1
|
87
|
+
The AWS_DEFAULT_REGION environment variable will be used for AWS API calls where specified or fall back to us-east-1
|
88
|
+
when not.
|
86
89
|
|
87
90
|
## EXIT STATUS
|
88
91
|
|
@@ -113,7 +116,9 @@ like [HashiCorp Vault](https://vaultproject.io/).
|
|
113
116
|
|
114
117
|
## SECURITY
|
115
118
|
|
116
|
-
If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
|
119
|
+
If you believe you have found a security issue in Awskeyring, please responsibly disclose by contacting me at
|
120
|
+
[tristan@vibrato.com.au](mailto:tristan@vibrato.com.au). Awskeyring is a Ruby script and as such Ruby is whitelisted to
|
121
|
+
access your "awskeyring" keychain. Use a strong password and keep the unlock time short.
|
117
122
|
|
118
123
|
## AUTHOR
|
119
124
|
|
@@ -121,8 +126,8 @@ Tristan Morgan <tristan@vibrato.com.au> is the maintainer of Awskeyring.
|
|
121
126
|
|
122
127
|
## CONTRIBUTORS
|
123
128
|
|
124
|
-
|
125
|
-
|
129
|
+
* Tristan [tristanmorgan](https://github.com/tristanmorgan)
|
130
|
+
* Adam Sir [AzySir](https://github.com/AzySir)
|
126
131
|
|
127
132
|
## LICENSE
|
128
133
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: awskeyring
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tristan Morgan
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-03-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-iam
|