mydrive-aws-mfa 0.4.0 → 0.5.0
- checksums.yaml +4 -4
- data/README.md +40 -15
- data/bin/mydrive-aws-mfa +22 -0
- data/lib/aws_mfa.rb +5 -15
- data/lib/aws_mfa/credentials_output_executor.rb +44 -0
- data/lib/aws_mfa_client.rb +2 -2
- metadata +6 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 82c386664256afbd3d017a1cad7d07ceb8c659e7
|
4
|
+
data.tar.gz: 4b8a42f0182d40bb5a1f671dc6d17969b5bf1071
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8d08e64cc735ebccd6151cea768d600c091c5899cc8ad479eb5fb86b58fe3a87de3adc5eeb35063d551cf82edff83b0422301bf8a3e39a996471962bcd9f5f54
|
7
|
+
data.tar.gz: 12fd51ac2a8b7f3d6bb3c75b11df8d35709a223b083d9b31f3c4510192abf32a452ff9b8aa2e008d3d787276a9bc0839bef7a51956f436a7bfea1aa17fd0ad26
|
data/README.md
CHANGED
@@ -2,9 +2,7 @@
|
|
2
2
|
|
3
3
|
## Introduction
|
4
4
|
|
5
|
-
This is a fork of the original AWS MFA gem found [here](https://github.com/lonelyplanet/aws-mfa/). The original repository is for a stand-alone shell script.
|
6
|
-
|
7
|
-
`mydrive-aws-mfa` can be inserted into a ruby application to prepare the environment for that single instance to interact with AWS SDK tools. It retrieves temporary credentials for assuming an AWS role, by first obtaining an MFA token from the user.
|
5
|
+
This is a fork of the original AWS MFA gem found [here](https://github.com/lonelyplanet/aws-mfa/). The original repository is for a stand-alone shell script to prepare the environment to interact with AWS SDK tools. `mydrive-aws-mfa` is both a stand-alone shell script and can also be inserted into a ruby application to prepare the environment for a single instance. It retrieves temporary credentials for assuming an AWS role, by first obtaining an MFA token from the user.
|
8
6
|
|
9
7
|
It uses [AWS STS](http://docs.aws.amazon.com/cli/latest/reference/sts/index.html) to get temporary credentials. This is necessary if you have [MFA](https://aws.amazon.com/iam/details/mfa/) enabled on your account. The variables it sets are:
|
10
8
|
|
@@ -13,11 +11,48 @@ It uses [AWS STS](http://docs.aws.amazon.com/cli/latest/reference/sts/index.html
|
|
13
11
|
* AWS_SESSION_TOKEN
|
14
12
|
* AWS_SECURITY_TOKEN
|
15
13
|
|
14
|
+
The gem can assume different roles specified by AWS profiles.
|
15
|
+
|
16
16
|
## Prerequisites
|
17
17
|
|
18
18
|
Before using `mydrive-aws-mfa`, you must have the [AWS CLI](https://aws.amazon.com/cli/) installed (through whatever [method](http://docs.aws.amazon.com/cli/latest/userguide/installing.html) you choose) and configured (through `aws configure`).
|
19
19
|
|
20
|
-
##
|
20
|
+
## General usage
|
21
|
+
|
22
|
+
Upon running the gem, the user will be prompted user for the 6-digit token from their MFA device. This will retrieve AWS MFA credentials that are valid for one hour and cache them. Within the following hour, any program using the gem can be executed without requiring the user to input their MFA token and will instead retrieve the credentials from the cache.
|
23
|
+
|
24
|
+
If user's AWS configuration is set up for different profiles, the user can change the AWS role they assume by passing in the profile as the `AWS_PROFILE` environment variable. By default, the role specified by the `default` profile will be assumed. Each profile has it's own cache, so supplying a different `AWS_PROFILE` will prompt the user for the 6-digit token again.
|
25
|
+
|
26
|
+
For example, in the stand alone usage, running `AWS_PROFILE=production mydrive-aws-mfa aws` would run the AWS cli whilst assuming the role specified by the `production` profile. Running `mydrive-aws-mfa aws` run the AWS cli but instead will assume the role specified by the `default` profile.
|
27
|
+
|
28
|
+
## Stand alone usage
|
29
|
+
|
30
|
+
As a stand alone script, the gem can be used in three different ways.
|
31
|
+
|
32
|
+
### Eval
|
33
|
+
|
34
|
+
The first is to use the gem to alter the environment of your current shell. To do this, run `eval $(mydrive-aws-mfa)`. Now any command that uses the standard AWS environment variables should work. However, if the AWS MFA credentials have expired, the user will be unable to enter their credentials because of how `$()` works. So it is recommended the Eval usage be used in conjunction with the Quiet usage.
|
35
|
+
|
36
|
+
### Wrapper
|
37
|
+
|
38
|
+
The second is to use the gem to alter the environment of a single invocation of a program. `mydrive-aws-mfa` tries to execute its arguments. `mydrive-aws-mfa aws` would run the aws cli, `mydrive-aws-mfa kitchen` would run test-kitchen, and so on. You can safely setup an alias with `alias aws=mydrive-aws-mfa aws`. With the alias, if you had set up autcompletion for `aws` it will still work.
|
39
|
+
|
40
|
+
### Quiet
|
41
|
+
|
42
|
+
Passing `--quiet` as an argument to `mydrive-aws-mfa`, as `mydrive-aws-mfa --quiet`, will ignore the other arguments. This will still prompt the user for their MFA token, but not print the ENV to the shell.
|
43
|
+
|
44
|
+
This has been added, to be used in conjunction with the Eval usage, to ask a user for their token and set the shell environment, without printing the ENV to the shell:
|
45
|
+
|
46
|
+
```
|
47
|
+
mydrive-aws-mfa --quiet
|
48
|
+
eval $(mydrive-aws-mfa)
|
49
|
+
```
|
50
|
+
|
51
|
+
## Ruby application usage
|
52
|
+
|
53
|
+
The following are the steps required to run the `mydrive-aws-mfa` gem inside a ruby application.
|
54
|
+
|
55
|
+
### Installation
|
21
56
|
|
22
57
|
First, add the Gem into a project's Gemfile:
|
23
58
|
`gem "mydrive-aws-mfa"`
|
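Review bot: The alias in the added Wrapper section, `alias aws=mydrive-aws-mfa aws`, is unquoted, so the shell defines `aws` as just `mydrive-aws-mfa` and treats the trailing `aws` as a second alias name to look up; it should read `alias aws='mydrive-aws-mfa aws'`. In the Eval section, quoting the substitution as `eval "$(mydrive-aws-mfa)"` keeps the printed export lines from being word-split and glob-expanded before `eval` runs. The added text also has a few wording slips worth fixing in the same pass: "will be prompted user for", "it's own cache", "autcompletion", and "Running `mydrive-aws-mfa aws` run the AWS cli".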
@@ -29,17 +64,7 @@ Second, add the following to a script or any code that will be ran once upon exe
|
|
29
64
|
```
|
30
65
|
The gem will require the user to input their MFA token if it hasn't been ran in a while, so it is best to place the `AwsMfaClient` such that it will be ran once upon initial execution of the program.
|
31
66
|
|
32
|
-
|
33
|
-
|
34
|
-
Upon running `AwsMfaClient.new.execute`, the gem will prompt the user for the 6-digit token from their MFA device. This will retrieve AWS MFA credentials that are valid for one hour and cache them. These credentials are loaded into the environment for duration of that program.
|
35
|
-
|
36
|
-
Within the following hour, any program using the gem can be executed without requiring the user to input their MFA token and will instead retrieve the credentials from the cache.
|
37
|
-
|
38
|
-
If user's AWS configuration is set up for different profiles, the user can change the AWS role they assume by passing in the profile as the `AWS_PROFILE` environment variable. By default, the role specified by the `default` profile will be assumed.
|
39
|
-
|
40
|
-
For example, given a program `bin/fake_program` containing `AwsMfaClient.new.execute`, running `AWS_PROFILE=production bin/fake_program` will assume the role specified by the `production` profile. Instead, running `bin/fake_program` will assume the role specified by the `default` profile.
|
41
|
-
|
42
|
-
Each profile has it's own cache, so supplying a different `AWS_PROFILE` will prompt the user for the 6-digit token again.
|
67
|
+
Upon running `AwsMfaClient.new.execute`, the credentials are loaded into the environment for duration of that program.
|
43
68
|
|
44
69
|
## Release Process
|
45
70
|
|
data/bin/mydrive-aws-mfa
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
$LOAD_PATH.unshift(File.expand_path(File.join(__dir__, '../lib')))
|
4
|
+
|
5
|
+
require 'aws_mfa'
|
6
|
+
|
7
|
+
def execution_output
|
8
|
+
if ARGV.include?('--quiet')
|
9
|
+
:quiet
|
10
|
+
elsif ARGV.empty?
|
11
|
+
:print_env
|
12
|
+
else
|
13
|
+
:set_env_and_execute
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
begin
|
18
|
+
aws_mfa = AwsMfa.new
|
19
|
+
aws_mfa.execute(execution_output)
|
20
|
+
rescue AwsMfa::Errors::Error => e
|
21
|
+
abort e.message
|
22
|
+
end
|
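Review bot: `ARGV.include?('--quiet')` in `execution_output` matches the flag anywhere on the command line, so a wrapped command that is given its own `--quiet` option (for example `mydrive-aws-mfa somecmd --quiet`) is routed to `:quiet` and never executed, while the script still ends without an error. The README says `--quiet` ignores the other arguments, but silently dropping a wrapped command is hard to notice; test only the wrapper's own leading argument, e.g. `ARGV.first == '--quiet'`, or reject `--quiet` combined with further arguments with a clear message.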
data/lib/aws_mfa.rb
CHANGED
@@ -1,6 +1,7 @@
|
|
1
1
|
require 'aws-sdk-core/ini_parser'
|
2
2
|
require 'fileutils'
|
3
3
|
require 'json'
|
4
|
+
require_relative 'aws_mfa/credentials_output_executor'
|
4
5
|
require_relative 'aws_mfa/credentials_loader'
|
5
6
|
require_relative 'aws_mfa/errors'
|
6
7
|
require_relative 'aws_mfa/profile_config'
|
@@ -16,12 +17,11 @@ class AwsMfa
|
|
16
17
|
@mydrive_credentials_cache_dir = set_mydrive_credentials_cache_dir
|
17
18
|
end
|
18
19
|
|
19
|
-
def execute
|
20
|
+
def execute(execution_output = :set_env)
|
20
21
|
profile = ENV['AWS_PROFILE'] || 'default'
|
21
22
|
profile_config = load_profile_config(profile)
|
22
23
|
credentials = load_credentials(profile_config)
|
23
|
-
|
24
|
-
export_credentials(credentials)
|
24
|
+
execute_output(execution_output, credentials)
|
25
25
|
end
|
26
26
|
|
27
27
|
private
|
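Review bot: The new `execution_output` parameter on `execute` is passed through unvalidated, and the `case` in `CredentialsOutputExecutor#execute_output` has no `else` branch, so a misspelled or unsupported mode does nothing and returns nil with no error. Document the four accepted symbols (`:set_env`, `:quiet`, `:set_env_and_execute`, `:print_env`) on the method and raise an `ArgumentError` or an `AwsMfa::Errors::Error` for anything else, so a caller that expected credentials in the environment fails loudly instead of continuing without them.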
@@ -62,17 +62,7 @@ class AwsMfa
|
|
62
62
|
CredentialsLoader.new(mydrive_credentials_cache_dir).load_credentials(profile_config)
|
63
63
|
end
|
64
64
|
|
65
|
-
def
|
66
|
-
|
67
|
-
ENV.delete('AWS_ACCESS_KEY_ID')
|
68
|
-
ENV.delete('AWS_SESSION_TOKEN')
|
69
|
-
ENV.delete('AWS_SECURITY_TOKEN')
|
70
|
-
end
|
71
|
-
|
72
|
-
def export_credentials(credentials)
|
73
|
-
ENV['AWS_SECRET_ACCESS_KEY'] = credentials['SecretAccessKey']
|
74
|
-
ENV['AWS_ACCESS_KEY_ID'] = credentials['AccessKeyId']
|
75
|
-
ENV['AWS_SESSION_TOKEN'] = credentials['SessionToken']
|
76
|
-
ENV['AWS_SECURITY_TOKEN'] = credentials['SessionToken']
|
65
|
+
def execute_output(execution_output, credentials)
|
66
|
+
CredentialsOutputExecutor.new.execute_output(execution_output, credentials)
|
77
67
|
end
|
78
68
|
end
|
@@ -0,0 +1,44 @@
|
|
1
|
+
class CredentialsOutputExecutor
|
2
|
+
def execute_output(execution_output, credentials)
|
3
|
+
case execution_output
|
4
|
+
when :set_env
|
5
|
+
unset_environment
|
6
|
+
export_credentials(credentials)
|
7
|
+
when :quiet
|
8
|
+
nil
|
9
|
+
when :set_env_and_execute
|
10
|
+
unset_environment
|
11
|
+
export_credentials(credentials)
|
12
|
+
execute_command_line_arguments
|
13
|
+
when :print_env
|
14
|
+
print_credentials(credentials)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
private
|
19
|
+
|
20
|
+
def unset_environment
|
21
|
+
ENV.delete('AWS_SECRET_ACCESS_KEY')
|
22
|
+
ENV.delete('AWS_ACCESS_KEY_ID')
|
23
|
+
ENV.delete('AWS_SESSION_TOKEN')
|
24
|
+
ENV.delete('AWS_SECURITY_TOKEN')
|
25
|
+
end
|
26
|
+
|
27
|
+
def export_credentials(credentials)
|
28
|
+
ENV['AWS_SECRET_ACCESS_KEY'] = credentials['SecretAccessKey']
|
29
|
+
ENV['AWS_ACCESS_KEY_ID'] = credentials['AccessKeyId']
|
30
|
+
ENV['AWS_SESSION_TOKEN'] = credentials['SessionToken']
|
31
|
+
ENV['AWS_SECURITY_TOKEN'] = credentials['SessionToken']
|
32
|
+
end
|
33
|
+
|
34
|
+
def print_credentials(credentials)
|
35
|
+
puts "export AWS_SECRET_ACCESS_KEY='#{credentials['SecretAccessKey']}'"
|
36
|
+
puts "export AWS_ACCESS_KEY_ID='#{credentials['AccessKeyId']}'"
|
37
|
+
puts "export AWS_SESSION_TOKEN='#{credentials['SessionToken']}'"
|
38
|
+
puts "export AWS_SECURITY_TOKEN='#{credentials['SessionToken']}'"
|
39
|
+
end
|
40
|
+
|
41
|
+
def execute_command_line_arguments
|
42
|
+
exec(*ARGV)
|
43
|
+
end
|
44
|
+
end
|
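Review bot: `print_credentials` wraps each value in hand-written single quotes inside the `export` lines, and the README tells users to feed that output to `eval`; a value containing a single quote would end the quoting and the remainder would be interpreted by the shell. Build the lines with `Shellwords.escape(value)` (after `require 'shellwords'`) instead of literal quotes. Separately, `exec(*ARGV)` in `execute_command_line_arguments` becomes the one-string form of `exec` when a single argument is given, which Ruby hands to the shell if the string contains metacharacters; `exec([ARGV.first, ARGV.first], *ARGV.drop(1))` always bypasses the shell.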
data/lib/aws_mfa_client.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: mydrive-aws-mfa
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- MyDrive Solutions Ltd
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-08-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-core
|
@@ -54,14 +54,17 @@ dependencies:
|
|
54
54
|
version: '0.9'
|
55
55
|
description: A client to run AWS commands with MFA that can be added into a Ruby project
|
56
56
|
email: support@mydrivesolutions.com
|
57
|
-
executables:
|
57
|
+
executables:
|
58
|
+
- mydrive-aws-mfa
|
58
59
|
extensions: []
|
59
60
|
extra_rdoc_files: []
|
60
61
|
files:
|
61
62
|
- LICENSE
|
62
63
|
- README.md
|
64
|
+
- bin/mydrive-aws-mfa
|
63
65
|
- lib/aws_mfa.rb
|
64
66
|
- lib/aws_mfa/credentials_loader.rb
|
67
|
+
- lib/aws_mfa/credentials_output_executor.rb
|
65
68
|
- lib/aws_mfa/errors.rb
|
66
69
|
- lib/aws_mfa/profile_config.rb
|
67
70
|
- lib/aws_mfa/shell_command.rb
|