Clarify credentials, sessions and profiles #161

Merged
merged 7 commits into from
Oct 18, 2017
Changes from 6 commits
12 changes: 3 additions & 9 deletions cli/add.go
Expand Up @@ -38,15 +38,9 @@ func ConfigureAddCommand(app *kingpin.Application) {
func AddCommand(app *kingpin.Application, input AddCommandInput) {
var accessKeyId, secretKey string

profiles, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("%v", err)
return
}

if source := profiles[input.Profile]["source_profile"]; source != "" {
if source, ok := awsConfig.SourceProfile(input.Profile); ok {
app.Fatalf("Your profile has a source_profile of %s, adding credentials to %s won't have any effect",
source, input.Profile)
source.Name, input.Profile)
return
}

Expand Down Expand Up @@ -81,7 +75,7 @@ func AddCommand(app *kingpin.Application, input AddCommandInput) {

fmt.Printf("Added credentials to profile %q in vault\n", input.Profile)

sessions, err := vault.NewKeyringSessions(input.Keyring, profiles)
sessions, err := vault.NewKeyringSessions(input.Keyring, awsConfig)
if err != nil {
app.Fatalf(err.Error())
return
24 changes: 6 additions & 18 deletions cli/exec.go
Expand Up @@ -91,27 +91,21 @@ func ExecCommand(app *kingpin.Application, input ExecCommandInput) {
return
}

profiles, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("Error parsing config: %v", err)
return
}

creds, err := vault.NewVaultCredentials(input.Keyring, input.Profile, vault.VaultOptions{
SessionDuration: input.Duration,
AssumeRoleDuration: input.RoleDuration,
MfaToken: input.MfaToken,
MfaPrompt: input.MfaPrompt,
NoSession: input.NoSession,
Profiles: profiles,
Config: awsConfig,
})
if err != nil {
app.Fatalf("%v", err)
}

val, err := creds.Get()
if err != nil {
app.Fatalf(vault.FormatCredentialError(input.Profile, profiles, err))
app.Fatalf(awsConfig.FormatCredentialError(err, input.Profile))
}

if input.StartServer {
Expand All @@ -122,12 +116,6 @@ func ExecCommand(app *kingpin.Application, input ExecCommandInput) {
}
}

profs, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("%v", err)
return
}

env := environ(os.Environ())
env.Set("AWS_VAULT", input.Profile)

Expand All @@ -137,10 +125,10 @@ func ExecCommand(app *kingpin.Application, input ExecCommandInput) {
env.Unset("AWS_DEFAULT_PROFILE")
env.Unset("AWS_PROFILE")

if region, ok := profs[input.Profile]["region"]; ok {
log.Printf("Setting subprocess env: AWS_DEFAULT_REGION=%s, AWS_REGION=%s", region, region)
env.Set("AWS_DEFAULT_REGION", region)
env.Set("AWS_REGION", region)
if profile, _ := awsConfig.Profile(input.Profile); profile.Region != "" {
log.Printf("Setting subprocess env: AWS_DEFAULT_REGION=%s, AWS_REGION=%s", profile.Region, profile.Region)
env.Set("AWS_DEFAULT_REGION", profile.Region)
env.Set("AWS_REGION", profile.Region)
}

if setEnv {
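Review bot: `app.Fatalf(awsConfig.FormatCredentialError(err, input.Profile))` passes a message built at runtime as the format string, so any `%` in the text it returns (for instance from the wrapped AWS or keyring error) is treated as a formatting verb and the message shown to the user is garbled. Pass the message as an argument instead: `app.Fatalf("%s", awsConfig.FormatCredentialError(err, input.Profile))`. The same call shape is kept in cli/login.go and cli/rotate.go, and the new `app.Fatalf(err.Error())` calls in cli/ls.go have the same problem. ExecCommand starts and ends outside these hunks.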
2 changes: 1 addition & 1 deletion cli/exec_test.go
Expand Up @@ -8,7 +8,7 @@ import (
)

func ExampleExecCommand() {
awsConfigFile = &vault.FileConfig{}
awsConfig = &vault.Config{}
keyringImpl = keyring.NewArrayKeyring([]keyring.Item{
{Key: "llamas", Data: []byte(`{"AccessKeyID":"ABC","SecretAccessKey":"XYZ"}`)},
})
6 changes: 3 additions & 3 deletions cli/global.go
Expand Up @@ -17,7 +17,7 @@ const (

var (
keyringImpl keyring.Keyring
awsConfigFile vault.Config
awsConfig *vault.Config
promptsAvailable = prompt.Available()
backendsAvailable = keyring.SupportedBackends()
)
Expand Down Expand Up @@ -49,8 +49,8 @@ func ConfigureGlobals(app *kingpin.Application) {
if keyringImpl == nil {
keyringImpl, err = keyring.Open(KeyringName, GlobalFlags.Backend)
}
if awsConfigFile == nil {
awsConfigFile, err = vault.NewConfigFromEnv()
if awsConfig == nil {
awsConfig, err = vault.LoadConfigFromEnv()
}
return err
})
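Review bot: In the second hunk the `err` set by `keyring.Open` is overwritten by `awsConfig, err = vault.LoadConfigFromEnv()` whenever `awsConfig` is still nil, so a keyring that failed to open is reported as success as long as the config loads. Commands would then run with whatever `keyringImpl` the failed call returned. Return as soon as the first step fails, e.g. `if err != nil { return err }` directly after the `keyring.Open` assignment. The enclosing function starts outside the hunk, so the declaration of `err` is not visible here.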
14 changes: 4 additions & 10 deletions cli/login.go
Expand Up @@ -74,18 +74,12 @@ func LoginCommand(app *kingpin.Application, input LoginCommandInput) {
return
}

profiles, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("Error parsing config: %v", err)
return
}

provider, err := vault.NewVaultProvider(input.Keyring, input.Profile, vault.VaultOptions{
AssumeRoleDuration: input.AssumeRoleDuration,
MfaToken: input.MfaToken,
MfaPrompt: input.MfaPrompt,
NoSession: true,
Profiles: profiles,
Config: awsConfig,
})
if err != nil {
app.Fatalf("Failed to create vault provider: %v", err)
Expand All @@ -95,7 +89,7 @@ func LoginCommand(app *kingpin.Application, input LoginCommandInput) {
creds := credentials.NewCredentials(provider)
val, err := creds.Get()
if err != nil {
app.Fatalf(vault.FormatCredentialError(input.Profile, profiles, err))
app.Fatalf(awsConfig.FormatCredentialError(err, input.Profile))
}

var isFederated bool
Expand Down Expand Up @@ -179,10 +173,10 @@ func LoginCommand(app *kingpin.Application, input LoginCommandInput) {
}

destination := "https://console.aws.amazon.com/"
if region, ok := profiles[input.Profile]["region"]; ok {
if profile, _ := awsConfig.Profile(input.Profile); profile.Region != "" {
destination = fmt.Sprintf(
"https://%s.console.aws.amazon.com/console/home?region=%s",
region, region,
profile.Region, profile.Region,
)
}

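Review bot: In the last hunk `profile.Region` goes into both the host and the query string of `destination` exactly as it was read from the config file. A value with characters outside the region alphabet (a stray `/`, `.`, `&` or whitespace from a typo or an edited config) would change which host or parameters the console redirect points at. Check the value before building the URL, for example against `^[a-z0-9-]+$`, and keep the default destination when it does not match. The `ok` result of `awsConfig.Profile` is discarded, which is only safe if a missing profile yields a zero-value `Profile`; a one-line comment saying so would help. LoginCommand continues outside this hunk.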
105 changes: 101 additions & 4 deletions cli/ls.go
Expand Up @@ -2,36 +2,133 @@ package cli

import (
"fmt"
"os"
"strings"
"text/tabwriter"

"github.com/99designs/aws-vault/vault"
"github.com/99designs/keyring"
"gopkg.in/alecthomas/kingpin.v2"
)

type LsCommandInput struct {
Keyring keyring.Keyring
Keyring keyring.Keyring
OnlyProfiles bool
OnlySessions bool
OnlyCredentials bool
}

func ConfigureListCommand(app *kingpin.Application) {
input := LsCommandInput{}

cmd := app.Command("list", "List all credentials and sessions")
cmd := app.Command("list", "List profiles, along with their credentials and sessions")
cmd.Alias("ls")

cmd.Flag("profile", "Show only the profile names").
BoolVar(&input.OnlyProfiles)

cmd.Flag("sessions", "Show only the session names").
BoolVar(&input.OnlySessions)

cmd.Flag("credentials", "Show only the credential names").
BoolVar(&input.OnlyCredentials)

cmd.Action(func(c *kingpin.ParseContext) error {
input.Keyring = keyringImpl
LsCommand(app, input)
return nil
})
}

func containsProfile(profile string, accounts []string) bool {
for _, account := range accounts {
if !vault.IsSessionKey(account) && account == profile {
return true
}
}
return false
}

func LsCommand(app *kingpin.Application, input LsCommandInput) {
krs, err := vault.NewKeyringSessions(input.Keyring, awsConfig)
if err != nil {
app.Fatalf(err.Error())
return
}

accounts, err := input.Keyring.Keys()
if err != nil {
app.Fatalf(err.Error())
return
}

for _, name := range accounts {
fmt.Println(name)
if input.OnlyCredentials {
for _, account := range accounts {
if !vault.IsSessionKey(account) {
fmt.Printf("%s\n", account)
}
}
return
}

if input.OnlyProfiles {
for _, profile := range awsConfig.Profiles() {
fmt.Printf("%s\n", profile.Name)
}
return
}

if input.OnlySessions {
for _, account := range accounts {
if vault.IsSessionKey(account) {
fmt.Printf("%s\n", account)
}
}
return
}

w := tabwriter.NewWriter(os.Stdout, 25, 4, 2, ' ', 0)
fmt.Fprintln(w, "Profile\tCredentials\tSessions\t")
fmt.Fprintln(w, "=======\t===========\t========\t")

// list out known profiles first
for _, profile := range awsConfig.Profiles() {
fmt.Fprintf(w, "%s\t", profile.Name)

source, _ := awsConfig.SourceProfile(profile.Name)
if containsProfile(source.Name, accounts) {
fmt.Fprintf(w, "%s\t", source.Name)
} else {
fmt.Fprintf(w, "-\t")
}

sessions, err := krs.Sessions(source.Name)
if err != nil {
app.Fatalf(err.Error())
return
} else if len(sessions) > 0 {
var sessionIDs []string
for _, sess := range sessions {
sessionIDs = append(sessionIDs, sess.SessionID)
}
fmt.Fprintf(w, "%s\t\n", strings.Join(sessionIDs, ", "))
} else {
fmt.Fprintf(w, "-\t\n")
}
}

// show credentials that don't have profiles
for _, account := range accounts {
if !vault.IsSessionKey(account) {
if _, ok := awsConfig.Profile(account); !ok {
fmt.Fprintf(w, "-\t%s\t-\t\n", account)
}
}
}

if err = w.Flush(); err != nil {
app.Fatalf("%v", err)
return
}

if len(accounts) == 0 {
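Review bot: LsCommand tests `OnlyCredentials`, `OnlyProfiles` and `OnlySessions` in a fixed order and the first one set wins, so `--sessions --credentials` silently prints only credentials. Reject combinations up front, e.g. `app.Fatalf("only one of --profile, --sessions, --credentials may be given")` when more than one is true. `vault.NewKeyringSessions` is also built before these branches although only the table path uses `krs`, so an error there blocks the plain listings too; moving it below the three early returns avoids that. The early `return` on a `krs.Sessions` error leaves the tabwriter unflushed, so rows already written are lost. The function body continues past the end of the hunk.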
8 changes: 1 addition & 7 deletions cli/rm.go
Expand Up @@ -54,13 +54,7 @@ func RemoveCommand(app *kingpin.Application, input RemoveCommandInput) {
fmt.Printf("Deleted credentials.\n")
}

profiles, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("%v", err)
return
}

sessions, err := vault.NewKeyringSessions(input.Keyring, profiles)
sessions, err := vault.NewKeyringSessions(input.Keyring, awsConfig)
if err != nil {
app.Fatalf(err.Error())
return
18 changes: 7 additions & 11 deletions cli/rotate.go
Expand Up @@ -43,15 +43,11 @@ func ConfigureRotateCommand(app *kingpin.Application) {
func RotateCommand(app *kingpin.Application, input RotateCommandInput) {
var err error

profiles, err := awsConfigFile.Parse()
if err != nil {
app.Fatalf("Error parsing config: %v", err)
return
}
source, _ := awsConfig.SourceProfile(input.Profile)

provider := &vault.KeyringProvider{
Keyring: input.Keyring,
Profile: profiles.SourceProfile(input.Profile),
Profile: source.Name,
}

oldMasterCreds, err := provider.Retrieve()
Expand Down Expand Up @@ -79,7 +75,7 @@ func RotateCommand(app *kingpin.Application, input RotateCommandInput) {
oldSessionCreds, err := vault.NewVaultCredentials(input.Keyring, input.Profile, vault.VaultOptions{
MfaToken: input.MfaToken,
MfaPrompt: input.MfaPrompt,
Profiles: profiles,
Config: awsConfig,
NoSession: true,
MasterCreds: &oldMasterCreds,
})
Expand All @@ -92,7 +88,7 @@ func RotateCommand(app *kingpin.Application, input RotateCommandInput) {

oldSessionVal, err := oldSessionCreds.Get()
if err != nil {
app.Fatalf(vault.FormatCredentialError(input.Profile, profiles, err))
app.Fatalf(awsConfig.FormatCredentialError(err, input.Profile))
return
}

Expand Down Expand Up @@ -122,7 +118,7 @@ func RotateCommand(app *kingpin.Application, input RotateCommandInput) {
return
}

sessions, err := vault.NewKeyringSessions(input.Keyring, profiles)
sessions, err := vault.NewKeyringSessions(input.Keyring, awsConfig)
if err != nil {
app.Fatalf(err.Error())
return
Expand All @@ -137,7 +133,7 @@ func RotateCommand(app *kingpin.Application, input RotateCommandInput) {
newSessionCreds, err := vault.NewVaultCredentials(input.Keyring, input.Profile, vault.VaultOptions{
MfaToken: input.MfaToken,
MfaPrompt: input.MfaPrompt,
Profiles: profiles,
Config: awsConfig,
NoSession: true,
MasterCreds: &newMasterCreds,
})
Expand All @@ -148,7 +144,7 @@ func RotateCommand(app *kingpin.Application, input RotateCommandInput) {

newVal, err := newSessionCreds.Get()
if err != nil {
app.Fatalf(vault.FormatCredentialError(input.Profile, profiles, err))
app.Fatalf(awsConfig.FormatCredentialError(err, input.Profile))
return
}

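Review bot: `source, _ := awsConfig.SourceProfile(input.Profile)` in the first hunk drops the boolean, and `source.Name` then selects the keyring item whose master credentials are retrieved and rotated. SourceProfile is not shown in this diff; if it can return a zero-value `Profile` for a name missing from the config, `Profile:` would be an empty string and the mistake would surface only as a keyring lookup error. Either check the result, e.g. `if source.Name == "" { app.Fatalf("profile %q not found", input.Profile); return }`, or add a comment stating the fallback that makes ignoring the boolean safe. cli/ls.go uses the same `source, _ :=` pattern. RotateCommand continues outside these hunks.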