yle-aws-role 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9f7b053ced151afced7e073a3b35b845c9063535
+  data.tar.gz: c56becd6190bc4cc5d97547daa02257839a57319
+SHA512:
+  metadata.gz: 678d27720ced0e4d0aba60780cc8409367efea5477f93aeacaa45e98cb88cf09ebf0fd5651692d32a9ed93e151c158aaca3f8936181855908adb4cd5995e0a5d
+  data.tar.gz: e980b5b1bec818f651045e98ad30241493fe67a5bef6108b158978057222cfcb71b4692c2f34fc11be48a3aeaec3fc83ff5dd5f601746a4d6f59dc8cf265bbec

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+cache: bundler
+
+rvm:
+  - 2.4.1
+  - 2.3.4
+  - 2.2.7

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 1.0.1 / 2017-05-16
+
+- Initial public release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at teemu.matilainen@iki.fi. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in yle-aws-assume_role.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016-2017 Yleisradio Oy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,72 @@
+# yle-aws-role
+
+Tooling to help to assume [AWS IAM roles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
+
+Offers a command-line helper tool, `asu`, and a Ruby library. After assuming the specified role, it sets the standard environment variables and configures the Ruby SDK for the role.
+
+## Installation
+
+The project can be installed in a shell:
+
+```sh
+gem install yle-aws-role
+```
+
+To use the Ruby library, add this line to your application's Gemfile:
+
+```ruby
+gem 'yle-aws-role'
+```
+
+and then execute `bundle`
+
+## Usage
+
+```plain
+Usage: asu <account> [options] -- [command ...]
+   or: asu --list
+
+    account         The account ID or pattern of the role account
+    command         Command to execute with the role. Defaults to launching new shell session.
+
+    -d, --duration  Duration for the role credentials. Default: 900
+    --env           Print out environment variables and exit
+    -l, --list      Print out all configured account aliases
+    -q, --quiet     Be quiet
+    -r, --role      Name of the role
+
+    -h, --help      Prints this help
+    -v, --version   Prints the version information
+```
+
+### Configuration
+
+Account aliases and their IDs can be specified in a configuration file. Then you can list the known accounts with `asu --list`, and use aliases (even with partial matching) when specifying the account for `asu`. Also the default role can be set.
+
+The configuration file location defaults to _$HOME/.aws/asu.yaml_, but can be specified with the `ASU_CONFIG` environment variable.
+
+Example configuration:
+
+```yaml
+defaults:
+  role: "dev"
+
+accounts:
+  foo-bar: "123456789012"
+  baz:     "987654321098"
+```
+
+With this you can just call for example
+
+```sh
+asu foo -- aws s3 ls s3://mybucket/
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/Yleisradio/yle-aws-role. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/asu

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup' if File.exist? File.expand_path('../../Gemfile', __FILE__)
+require 'yle/aws/role/cli'
+
+cli = Yle::AWS::Role::Cli.new(ARGV)
+cli.execute

data/lib/yle/aws/role.rb

@@ -0,0 +1,106 @@
+require 'aws-sdk'
+require 'shellwords'
+
+require 'yle/aws/role/accounts'
+require 'yle/aws/role/config'
+require 'yle/aws/role/errors'
+require 'yle/aws/role/version'
+
+module Yle
+  module AWS
+    class Role
+      # Default duration in seconds when assuming a role
+      DEFAULT_DURATION = 900
+
+      def self.assume_role(account_name, role_name, duration = nil)
+        account_alias = accounts.find(account_name)
+        if !account_alias
+          raise Errors::AccountNotFoundError, "No account found for '#{account_name}'"
+        end
+
+        role = Role.new(account_alias, role_name, duration)
+        role.with_env { yield role } if block_given?
+        role
+      end
+
+      def self.config
+        @config ||= Config.load
+      end
+
+      def self.accounts
+        @accounts ||= Accounts.new(config['accounts'])
+      end
+
+      attr_reader :account, :role_name, :credentials
+
+      def initialize(account_alias, role_name, duration = nil)
+        @account = account_alias
+        @role_name = role_name
+
+        @credentials = Aws::AssumeRoleCredentials.new(
+          role_arn: role_arn,
+          role_session_name: session_name,
+          duration_seconds: duration || DEFAULT_DURATION
+        ).credentials
+      rescue Aws::STS::Errors::ServiceError,
+        Aws::Errors::MissingCredentialsError => e
+        raise Errors::AssumeRoleError, "Failed to assume role #{role_arn}: #{e}"
+      end
+
+      def with_env
+        old_env = set_env_vars(env_vars)
+        old_credentials = Aws.config[:credentials]
+        Aws.config.update(credentials: credentials)
+
+        yield
+
+        if old_credentials
+          Aws.config.update(credentials: old_credentials)
+        else
+          Aws.config.delete(:credentials)
+        end
+        set_env_vars(old_env)
+      end
+
+      def env_vars
+        {
+          'AWS_ACCESS_KEY_ID'     => credentials.access_key_id,
+          'AWS_SECRET_ACCESS_KEY' => credentials.secret_access_key,
+          'AWS_SESSION_TOKEN'     => credentials.session_token,
+          'ASU_CURRENT_PROFILE'   => name
+        }
+      end
+
+      def set_env_vars(vars)
+        old_env = {}
+        vars.each do |key, value|
+          old_env[key] = ENV[key]
+          ENV[key] = value
+        end
+        old_env
+      end
+
+      def print_env_vars
+        env_vars.each do |key, value|
+          puts "export #{key}=#{Shellwords.escape(value)}"
+        end
+      end
+
+      def name
+        "#{account.name}:#{role_name}"
+      end
+
+      def role_arn
+        "arn:aws:iam::#{account.id}:role/#{role_name}"
+      end
+
+      def session_name
+        "#{current_user}-#{Time.now.to_i}"
+      end
+
+      def current_user
+        ENV['USER'] || ENV['USERNAME'] || 'unknown'
+      end
+    end
+  end
+end

data/lib/yle/aws/role/accounts.rb

@@ -0,0 +1,48 @@
+module Yle
+  module AWS
+    class Role
+      AccountAlias = Struct.new(:name, :id)
+
+      class Accounts
+        attr_reader :aliases
+
+        def initialize(aliases = nil)
+          @aliases = aliases || {}
+        end
+
+        # Returns an `AccountAlias` that best matches the passed string
+        def find(id_or_alias)
+          if account_id?(id_or_alias)
+            name = aliases.key(id_or_alias) || id_or_alias
+            AccountAlias.new(name, id_or_alias)
+          else
+            name = best_matching_account(id_or_alias)
+            AccountAlias.new(name, aliases[name]) if name
+          end
+        end
+
+        def to_s
+          max_name_length = aliases.keys.map(&:length).max
+          aliases.sort.map do |name, id|
+            "#{name.ljust(max_name_length)}\t#{id}"
+          end.join("\n")
+        end
+
+        # Returns truish if the argument looks like an AWS Account ID
+        def account_id?(id_or_alias)
+          id_or_alias =~ /^\d{12}$/
+        end
+
+        def best_matching_account(id_or_alias)
+          matcher = alias_matcher(id_or_alias)
+          aliases.keys.select { |key| matcher =~ key }.min_by(&:length)
+        end
+
+        def alias_matcher(s)
+          pattern = s.gsub(/([^^])(?=[^$])/, '\1.*')
+          Regexp.new(pattern)
+        end
+      end
+    end
+  end
+end

data/lib/yle/aws/role/cli.rb

@@ -0,0 +1,104 @@
+require 'slop'
+
+require 'yle/aws/role'
+
+module Yle
+  module AWS
+    class Role
+      class Cli
+        attr_reader :account_name, :command, :opts
+
+        def initialize(argv)
+          parse_args(argv)
+        end
+
+        def parse_args(argv)
+          @opts = Slop.parse(argv) do |o|
+            o.banner = 'Usage: asu <account> [options] -- [command ...]'
+            o.separator '   or: asu --list'
+            o.separator ''
+            o.separator '    account         The account ID or pattern of the role account'
+            o.separator '    command         Command to execute with the role. Defaults to launching new shell session.'
+            o.separator ''
+            o.integer '-d', '--duration', "Duration for the role credentials. Default: #{Role::DEFAULT_DURATION}"
+            o.bool '--env', 'Print out environment variables and exit'
+            o.bool '-l', '--list', 'Print out all configured account aliases'
+            o.bool '-q', '--quiet', 'Be quiet'
+            o.string '-r', '--role', 'Name of the role'
+            o.separator ''
+            o.on '-h', '--help', 'Prints this help' do
+              puts o
+              exit
+            end
+            o.on '-v', '--version', 'Prints the version information' do
+              puts VERSION
+              exit
+            end
+          end
+
+          @account_name = opts.args.shift
+          @command = opts.args
+
+          if !@account_name && !@opts[:list]
+            STDERR.puts @opts
+            exit 64
+          end
+        rescue Slop::Error => e
+          STDERR.puts e
+          exit 64
+        end
+
+        def execute
+          if opts[:list]
+            puts Role.accounts
+            return
+          end
+
+          if !role_name
+            STDERR.puts 'Role name must be passed with `--role` or set in the config'
+            exit 64
+          end
+
+          Role.assume_role(account_name, role_name, duration) do |role|
+            STDERR.puts("Assumed role #{role.name}") if !opts[:quiet]
+
+            if opts[:env]
+              role.print_env_vars
+            else
+              run_command
+            end
+          end
+        rescue Errors::AssumeRoleError => e
+          STDERR.puts e
+          exit 1
+        end
+
+        def run_command
+          cmd = command
+          if cmd.empty?
+            shell = ENV.fetch('SHELL', 'bash')
+            cmd = [shell]
+
+            if !opts[:quiet]
+              puts "Executing shell '#{shell}' with the assumed role"
+              puts "Use `exit` to quit"
+              puts
+            end
+          end
+
+          ret = system(*cmd)
+          STDERR.puts "Failed to execute '#{cmd.first}'" if ret.nil?
+          exit(1) if !ret
+        end
+
+        def role_name
+          opts[:role] || Role.config['defaults']['role']
+        end
+
+        def duration
+          opts[:duration] || Role.config['defaults']['duration']
+        end
+      end
+    end
+  end
+end

data/lib/yle/aws/role/config.rb

@@ -0,0 +1,43 @@
+require 'yaml'
+
+module Yle
+  module AWS
+    class Role
+      Config = Struct.new(:accounts, :defaults) do
+        def self.default_path
+          ENV.fetch('ASU_CONFIG') { File.join(Dir.home, '.aws', 'asu.yaml') }
+        end
+
+        def self.default_config
+          @default_config ||= Config.new({}, {})
+        end
+
+        def self.default_config=(config)
+          @default_config = default_config.merge(config)
+        end
+
+        def self.load(paths = nil)
+          paths = Array(paths).push(default_path)
+          paths.inject(default_config) do |config, path|
+            config.merge(load_yaml(path))
+          end
+        end
+
+        def self.load_yaml(path)
+          (path && File.exist?(path) && YAML.load_file(path)) || {}
+        rescue StandardError
+          STDERR.puts("WARN: Failed to load or parse configuration from '#{path}'")
+          {}
+        end
+
+        def merge(config)
+          config ||= {}
+          Config.new(
+            accounts.merge(config['accounts'] || {}),
+            defaults.merge(config['defaults'] || {})
+          )
+        end
+      end
+    end
+  end
+end

data/lib/yle/aws/role/errors.rb

@@ -0,0 +1,11 @@
+module Yle
+  module AWS
+    class Role
+      module Errors
+        class AssumeRoleError < StandardError; end
+
+        class AccountNotFoundError < AssumeRoleError; end
+      end
+    end
+  end
+end

data/lib/yle/aws/role/version.rb

@@ -0,0 +1,7 @@
+module Yle
+  module AWS
+    class Role
+      VERSION = '1.0.1'.freeze
+    end
+  end
+end

data/yle-aws-role.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'yle/aws/role/version'
+
+Gem::Specification.new do |spec|
+  spec.name        = 'yle-aws-role'
+  spec.version     = Yle::AWS::Role::VERSION
+  spec.summary     = 'Tooling to help to assume AWS IAM roles'
+  spec.description = spec.summary
+  spec.homepage    = 'https://github.com/Yleisradio/yle-aws-role'
+  spec.license     = 'MIT'
+
+  spec.authors = [
+    'Yleisradio',
+    'Teemu Matilainen',
+    'Antti Forsell',
+  ]
+  spec.email = [
+    'devops@yle.fi',
+    'teemu.matilainen@iki.fi',
+    'antti@fosu.me',
+  ]
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+
+  spec.bindir        = 'bin'
+  spec.executables   = ['asu']
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'aws-sdk', '~> 2.6'
+  spec.add_dependency 'slop', '~> 4.4'
+
+  spec.add_development_dependency 'bundler', '~> 1.13'
+  spec.add_development_dependency 'rake', '~> 11.0'
+  spec.add_development_dependency 'rspec', '~> 3.5'
+end

metadata

@@ -0,0 +1,136 @@
+--- !ruby/object:Gem::Specification
+name: yle-aws-role
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Yleisradio
+- Teemu Matilainen
+- Antti Forsell
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-05-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: slop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.4'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+description: Tooling to help to assume AWS IAM roles
+email:
+- devops@yle.fi
+- teemu.matilainen@iki.fi
+- antti@fosu.me
+executables:
+- asu
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/asu
+- lib/yle/aws/role.rb
+- lib/yle/aws/role/accounts.rb
+- lib/yle/aws/role/cli.rb
+- lib/yle/aws/role/config.rb
+- lib/yle/aws/role/errors.rb
+- lib/yle/aws/role/version.rb
+- yle-aws-role.gemspec
+homepage: https://github.com/Yleisradio/yle-aws-role
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Tooling to help to assume AWS IAM roles
+test_files: []