PyPI - exchange-keyshare - Versions diffs - 0.1.0__py3-none-any.whl - Mend

exchange-keyshare 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

exchange_keyshare/__init__.py +3 -0
exchange_keyshare/cfn.py +14 -0
exchange_keyshare/cli.py +37 -0
exchange_keyshare/commands/__init__.py +1 -0
exchange_keyshare/commands/keys.py +476 -0
exchange_keyshare/commands/setup.py +170 -0
exchange_keyshare/config.py +86 -0
exchange_keyshare/keys.py +106 -0
exchange_keyshare/schema.py +117 -0
exchange_keyshare/setup.py +263 -0
exchange_keyshare/templates/stack.yaml +221 -0
exchange_keyshare-0.1.0.dist-info/METADATA +10 -0
exchange_keyshare-0.1.0.dist-info/RECORD +15 -0
exchange_keyshare-0.1.0.dist-info/WHEEL +4 -0
exchange_keyshare-0.1.0.dist-info/entry_points.txt +2 -0

exchange_keyshare/templates/stack.yaml ADDED Viewed

@@ -0,0 +1,221 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Exchange Keyshare credential storage infrastructure
+Parameters:
+  BucketName:
+    Type: String
+    Description: Name of the S3 bucket for credential storage
+  ConsumerPrincipalArn:
+    Type: String
+    Description: ARN of the principal that will assume the role
+  ExternalId:
+    Type: String
+    Description: External ID for role assumption
+Resources:
+  CredentialsBucket:
+    Type: AWS::S3::Bucket
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      BucketName: !Ref BucketName
+      Tags:
+        - Key: app
+          Value: exchange-keyshare
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: !GetAtt CredentialsKey.Arn
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      LoggingConfiguration:
+        DestinationBucketName: !Ref AccessLogsBucket
+        LogFilePrefix: credentials-access/
+  AccessLogsBucket:
+    Type: AWS::S3::Bucket
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      BucketName: !Sub '${BucketName}-access-logs'
+      Tags:
+        - Key: app
+          Value: exchange-keyshare
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      LifecycleConfiguration:
+        Rules:
+          - Id: ExpireOldLogs
+            Status: Enabled
+            ExpirationInDays: 90
+  AccessLogsBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref AccessLogsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: S3ServerAccessLogsPolicy
+            Effect: Allow
+            Principal:
+              Service: logging.s3.amazonaws.com
+            Action: s3:PutObject
+            Resource: !Sub '${AccessLogsBucket.Arn}/*'
+            Condition:
+              ArnLike:
+                aws:SourceArn: !GetAtt CredentialsBucket.Arn
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+  CredentialsBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref CredentialsBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: DenyUnencryptedUploads
+            Effect: Deny
+            Principal: '*'
+            Action: s3:PutObject
+            Resource: !Sub '${CredentialsBucket.Arn}/*'
+            Condition:
+              StringNotEquals:
+                s3:x-amz-server-side-encryption: aws:kms
+          - Sid: DenyWrongKmsKey
+            Effect: Deny
+            Principal: '*'
+            Action: s3:PutObject
+            Resource: !Sub '${CredentialsBucket.Arn}/*'
+            Condition:
+              StringNotEqualsIfExists:
+                s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt CredentialsKey.Arn
+          - Sid: DenyInsecureTransport
+            Effect: Deny
+            Principal: '*'
+            Action: 's3:*'
+            Resource:
+              - !GetAtt CredentialsBucket.Arn
+              - !Sub '${CredentialsBucket.Arn}/*'
+            Condition:
+              Bool:
+                aws:SecureTransport: 'false'
+  CredentialsKey:
+    Type: AWS::KMS::Key
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Description: KMS key for Exchange Keyshare credential encryption
+      EnableKeyRotation: true
+      PendingWindowInDays: 30
+      Tags:
+        - Key: app
+          Value: exchange-keyshare
+      KeyPolicy:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: AllowAccountRoot
+            Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Action: 'kms:*'
+            Resource: '*'
+          - Sid: AllowConsumerDecrypt
+            Effect: Allow
+            Principal:
+              AWS: !Ref ConsumerPrincipalArn
+            Action:
+              - kms:Decrypt
+              - kms:DescribeKey
+            Resource: '*'
+  CredentialsKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub 'alias/${BucketName}'
+      TargetKeyId: !Ref CredentialsKey
+  ConsumerAccessRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref BucketName
+      Tags:
+        - Key: app
+          Value: exchange-keyshare
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Ref ConsumerPrincipalArn
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                sts:ExternalId: !Ref ExternalId
+      Policies:
+        - PolicyName: CredentialAccess
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: ListBucket
+                Effect: Allow
+                Action:
+                  - s3:ListBucket
+                Resource: !GetAtt CredentialsBucket.Arn
+                Condition:
+                  StringLike:
+                    s3:prefix:
+                      - 'exchange-credentials/*'
+              - Sid: GetObjects
+                Effect: Allow
+                Action:
+                  - s3:GetObject
+                Resource: !Sub '${CredentialsBucket.Arn}/exchange-credentials/*'
+              - Sid: DecryptKey
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:DescribeKey
+                Resource: !GetAtt CredentialsKey.Arn
+Outputs:
+  BucketName:
+    Description: S3 bucket name
+    Value: !Ref CredentialsBucket
+  BucketArn:
+    Description: S3 bucket ARN
+    Value: !GetAtt CredentialsBucket.Arn
+  KmsKeyArn:
+    Description: KMS key ARN
+    Value: !GetAtt CredentialsKey.Arn
+  RoleArn:
+    Description: IAM role ARN for credential consumer to assume
+    Value: !GetAtt ConsumerAccessRole.Arn
+  ExternalId:
+    Description: External ID for role assumption
+    Value: !Ref ExternalId
+  AccessLogsBucketName:
+    Description: S3 bucket for access logs
+    Value: !Ref AccessLogsBucket

exchange_keyshare-0.1.0.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,10 @@
+Metadata-Version: 2.4
+Name: exchange-keyshare
+Version: 0.1.0
+Summary: CLI for market makers to securely share exchange API credentials
+Requires-Python: >=3.12
+Requires-Dist: boto3>=1.34.0
+Requires-Dist: click>=8.1.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: questionary>=2.0.0
+Requires-Dist: rich>=13.0.0

exchange_keyshare-0.1.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,15 @@
+exchange_keyshare/__init__.py,sha256=r2L4CpACTGPQTgruORVSNLxpD1vQD6zbcigQqDzzpt8,111
+exchange_keyshare/cfn.py,sha256=Jr8QjeRHS9AP44vx14N_023we0iWjIHAz5Np9dnATe4,364
+exchange_keyshare/cli.py,sha256=ogQBvZmrbR18QPQ4RJW9nERac3JqO_DPnk4RgyVjORU,825
+exchange_keyshare/config.py,sha256=QD2apmjj99J9j5svOVS209726pS7uK5rcaxTAgYYBj4,2668
+exchange_keyshare/keys.py,sha256=Lyl7vgJ4Bo0XA4iBKJyRWGd1ZpHPmrAuY7T0-sUWpOM,3278
+exchange_keyshare/schema.py,sha256=BRv22tV3TifkoADVlMPGPNbhc9DKHtPq56s1EDcy70w,3818
+exchange_keyshare/setup.py,sha256=n0Rn-gl8tFautc34HnA5lm-R0iCx7SAQAc7LTL9Zyn8,8235
+exchange_keyshare/commands/__init__.py,sha256=gQ6tnU0Rvm0-ESWFUBU-KDl5dpNOpUTG509hXOQQjwY,27
+exchange_keyshare/commands/keys.py,sha256=NX_BDl2-iWoLso5ep9kQNCjx5r7SszUg2MY62qJ-eHc,14610
+exchange_keyshare/commands/setup.py,sha256=GTfFP4H6JJtIah47ruSlETLy9mJm6XvZbUpEN-OUMo0,5727
+exchange_keyshare/templates/stack.yaml,sha256=KdNEeTFHm24pxQbSKzWxi2VyyjkKBYB9mYlBvSA6gfQ,6456
+exchange_keyshare-0.1.0.dist-info/METADATA,sha256=B4dXgTPHXQgLBWuUJN-h7mzUedSK72-RlT4pKoNAL-c,305
+exchange_keyshare-0.1.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+exchange_keyshare-0.1.0.dist-info/entry_points.txt,sha256=4SeV5jhxW3C6plg8WefZdLhPBRqmYErdKfnGTUEWmmo,65
+exchange_keyshare-0.1.0.dist-info/RECORD,,

exchange_keyshare-0.1.0.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.28.0
+Root-Is-Purelib: true
+Tag: py3-none-any

exchange_keyshare-0.1.0.dist-info/entry_points.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ [console_scripts]
2	+ exchange-keyshare = exchange_keyshare.cli:main