Merge pull request #5 from Netflix/credentials_process

Credentials process

.github/workflows/precommit.yml

@@ -0,0 +1,14 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [master]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: pre-commit/[email protected]

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+- repo: git://github.com/dnephin/pre-commit-golang
+  rev: master
+  hooks:
+    - id: go-fmt
+    - id: go-vet
+    - id: go-imports
+    - id: no-go-testing
+    - id: go-mod-tidy

README.md

@@ -106,6 +106,27 @@ weep file exampleRole -o /tmp/credentials
 
 Weep will do its best to preserve existing credentials in the file (but it will overwrite a conflicting profile name, so be careful!).
 
+### Credentials Process
+The AWS CLI can source credentials from weep using the `credential_process` configuration which can be defined for a
+profile in the `~/.aws/config` file. Read more about this process [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html).
+
+Here's an example of an `~/.aws/config` file:
+
+```bash
+[profile role1]
+credential_process = /path/to/weep credential_process role1
+
+[profile role2]
+credential_process = /path/to/weep credential_process role2
+```
+
+To use the credential process, you would invoke the AWS CLI with the `AWS_PROFILE` environment variable set  to the
+profile you wanted to use. Example:
+
+```bash
+AWS_PROFILE=role1 aws s3 ls
+```
+
 ## Building
 
 In most cases, `weep` can be built by running the `make` command in the repository root. `make release` (requires

challenge/challenge.go

@@ -4,10 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/golang/glog"
-	"github.com/netflix/weep/config"
-	"github.com/netflix/weep/util"
-	log "github.com/sirupsen/logrus"
 	"io/ioutil"
 	"net/http"
 	"net/http/cookiejar"
@@ -19,6 +15,11 @@ import (
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/golang/glog"
+	"github.com/netflix/weep/config"
+	"github.com/netflix/weep/util"
+	log "github.com/sirupsen/logrus"
 )
 
 func NewHTTPClient(consolemeUrl string) (*http.Client, error) {
@@ -159,8 +160,7 @@ func RefreshChallenge() error {
 	// Step 1: Make unauthed request to ConsoleMe challenge endpoint and get a challenge challenge
 	if config.Config.ChallengeSettings.User == "" {
 		log.Fatalf(
-			"Invalid configuration. You must define challenge_settings.user as the ",
-			"user you wish to authenticate as.",
+			"Invalid configuration. You must define challenge_settings.user as the user you wish to authenticate as.",
 		)
 	}
 	var consoleMeChallengeGeneratorEndpoint string = fmt.Sprintf(

cmd/credential_process.go

@@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/netflix/weep/consoleme"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	CredentialProcessCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
+	rootCmd.AddCommand(CredentialProcessCmd)
+}
+
+var CredentialProcessCmd = &cobra.Command{
+	Use:   "credential_process [role_name]",
+	Short: "Retrieve credentials and writes them in credential_process format",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runCredentialProcess,
+}
+
+func runCredentialProcess(cmd *cobra.Command, args []string) error {
+	role = args[0]
+	client, err := consoleme.GetClient()
+	if err != nil {
+		return err
+	}
+	creds, err := client.GetRoleCredentials(role, noIpRestrict)
+	if err != nil {
+		return err
+	}
+	printCredentialProcess(creds)
+	return nil
+}
+
+func printCredentialProcess(creds consoleme.AwsCredentials) {
+	expirationTimeFormat := time.Unix(creds.Expiration, 0).Format(time.RFC3339)
+
+	credentialProcessOutput := &consoleme.CredentialProcess{
+		Version:         1,
+		AccessKeyId:     creds.AccessKeyId,
+		SecretAccessKey: creds.SecretAccessKey,
+		SessionToken:    creds.SessionToken,
+		Expiration:      expirationTimeFormat,
+	}
+
+	b, err := json.Marshal(credentialProcessOutput)
+	if err != nil {
+		log.Error(err)
+	}
+	fmt.Printf(string(b))
+}

cmd/export.go

@@ -2,19 +2,15 @@ package cmd
 
 import (
 	"fmt"
-	"github.com/netflix/weep/consoleme"
-	"github.com/spf13/cobra"
 	"os"
 	"strings"
-)
 
-var (
-	exportRole         string
-	exportNoIPRestrict bool
+	"github.com/netflix/weep/consoleme"
+	"github.com/spf13/cobra"
 )
 
 func init() {
-	exportCmd.PersistentFlags().BoolVarP(&exportNoIPRestrict, "no-ip", "n", false, "remove IP restrictions")
+	exportCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
 	rootCmd.AddCommand(exportCmd)
 }
 
@@ -26,12 +22,12 @@ var exportCmd = &cobra.Command{
 }
 
 func runExport(cmd *cobra.Command, args []string) error {
-	exportRole = args[0]
+	role = args[0]
 	client, err := consoleme.GetClient()
 	if err != nil {
 		return err
 	}
-	creds, err := client.GetRoleCredentials(exportRole, exportNoIPRestrict)
+	creds, err := client.GetRoleCredentials(role, noIpRestrict)
 	if err != nil {
 		return err
 	}

cmd/file.go

@@ -2,26 +2,21 @@ package cmd
 
 import (
 	"fmt"
+	"os"
+	"path"
+
+	ini "gopkg.in/ini.v1"
+
 	"github.com/mitchellh/go-homedir"
 	"github.com/netflix/weep/consoleme"
 	"github.com/netflix/weep/util"
 	"github.com/spf13/cobra"
-	"gopkg.in/ini.v1"
-	"os"
-	"path"
-)
-
-var (
-	fileDestination  string
-	fileNoIPRestrict bool
-	fileProfileName  string
-	fileRole         string
 )
 
 func init() {
-	fileCmd.PersistentFlags().BoolVarP(&fileNoIPRestrict, "no-ip", "n", false, "remove IP restrictions")
-	fileCmd.PersistentFlags().StringVarP(&fileDestination, "output", "o", getDefaultCredentialsFile(), "output file for credentials")
-	fileCmd.PersistentFlags().StringVarP(&fileProfileName, "profile", "p", "consoleme", "profile name")
+	fileCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
+	fileCmd.PersistentFlags().StringVarP(&destination, "output", "o", getDefaultCredentialsFile(), "output file for credentials")
+	fileCmd.PersistentFlags().StringVarP(&profileName, "profile", "p", "consoleme", "profile name")
 	rootCmd.AddCommand(fileCmd)
 }
 
@@ -33,12 +28,12 @@ var fileCmd = &cobra.Command{
 }
 
 func runFile(cmd *cobra.Command, args []string) error {
-	fileRole = args[0]
+	role = args[0]
 	client, err := consoleme.GetClient()
 	if err != nil {
 		return err
 	}
-	credentials, err := client.GetRoleCredentials(fileRole, fileNoIPRestrict)
+	credentials, err := client.GetRoleCredentials(role, noIpRestrict)
 	if err != nil {
 		return err
 	}
@@ -66,19 +61,19 @@ func writeCredentialsFile(credentials consoleme.AwsCredentials) error {
 	ini.PrettyFormat = false
 	ini.PrettyEqual = true
 
-	if util.FileExists(fileDestination) {
-		credentialsINI, err = ini.Load(fileDestination)
+	if util.FileExists(destination) {
+		credentialsINI, err = ini.Load(destination)
 		if err != nil {
 			return err
 		}
 	} else {
 		credentialsINI = ini.Empty()
 	}
 
-	credentialsINI.Section(fileProfileName).Key("aws_access_key_id").SetValue(credentials.AccessKeyId)
-	credentialsINI.Section(fileProfileName).Key("aws_secret_access_key").SetValue(credentials.SecretAccessKey)
-	credentialsINI.Section(fileProfileName).Key("aws_session_token").SetValue(credentials.SessionToken)
-	err = credentialsINI.SaveTo(fileDestination)
+	credentialsINI.Section(profileName).Key("aws_access_key_id").SetValue(credentials.AccessKeyId)
+	credentialsINI.Section(profileName).Key("aws_secret_access_key").SetValue(credentials.SecretAccessKey)
+	credentialsINI.Section(profileName).Key("aws_session_token").SetValue(credentials.SessionToken)
+	err = credentialsINI.SaveTo(destination)
 	if err != nil {
 		return err
 	}

cmd/list.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/netflix/weep/consoleme"
 	"github.com/spf13/cobra"
 )

cmd/metadata.go

@@ -2,24 +2,18 @@ package cmd
 
 import (
 	"fmt"
-	"github.com/gorilla/mux"
-	"github.com/netflix/weep/consoleme"
-	"github.com/netflix/weep/handlers"
-	"github.com/netflix/weep/metadata"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
 	"net"
 	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
-)
 
-var (
-	metadataRole       string
-	metadataRegion     string
-	metadataListenAddr string
-	metadataListenPort int
+	"github.com/gorilla/mux"
+	"github.com/netflix/weep/consoleme"
+	"github.com/netflix/weep/handlers"
+	"github.com/netflix/weep/metadata"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
 )
 
 func init() {
@@ -37,8 +31,8 @@ var metadataCmd = &cobra.Command{
 }
 
 func runMetadata(cmd *cobra.Command, args []string) error {
-	metadataRole = args[0]
-	metadata.Role = metadataRole
+	role = args[0]
+	metadata.Role = role
 	metadata.MetadataRegion = metadataRegion
 	client, err := consoleme.GetClient()
 	if err != nil {

cmd/root.go

@@ -2,22 +2,19 @@ package cmd
 
 import (
 	"fmt"
+	"os"
+	"path"
+	"runtime"
+	"strings"
+
 	"github.com/mitchellh/go-homedir"
 	"github.com/netflix/weep/config"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
-	"os"
-	"path"
-	"runtime"
-	"strings"
 )
 
 var (
-	cfgFile   string
-	logLevel  string
-	logFormat string
-
 	rootCmd = &cobra.Command{
 		Use:   "weep",
 		Short: "weep helps you get the most out of ConsoleMe credentials",

cmd/vars.go

@@ -0,0 +1,14 @@
+package cmd
+
+var (
+	role               string
+	profileName        string
+	destination        string
+	noIpRestrict       bool
+	metadataRegion     string
+	metadataListenAddr string
+	metadataListenPort int
+	cfgFile            string
+	logLevel           string
+	logFormat          string
+)

cmd/version.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+
 	"github.com/netflix/weep/version"
 	"github.com/spf13/cobra"
 )

config/config.go

@@ -14,20 +14,20 @@ type MetaDataConfig struct {
 }
 
 type MtlsSettings struct {
-	Cert string `mapstructure:"cert"`
-	Key string `mapstructure:"key"`
-	CATrust string `mapstructure:"catrust"`
-	Insecure bool `mapstructure:"insecure"`
+	Cert     string `mapstructure:"cert"`
+	Key      string `mapstructure:"key"`
+	CATrust  string `mapstructure:"catrust"`
+	Insecure bool   `mapstructure:"insecure"`
 }
 
 type ChallengeSettings struct {
 	User string `mapstructure:"user"`
 }
 
 type WeepConfig struct {
-	MetaData MetaDataConfig `mapstructure:"metadata"`
-	ConsoleMeUrl string `mapstructure:"consoleme_url"`
-	MtlsSettings MtlsSettings `mapstructure:"mtls_settings"`
-	ChallengeSettings ChallengeSettings `mapstructure:"challenge_settings"`
-	AuthenticationMethod string `mapstructure:"authentication_method"`
+	MetaData             MetaDataConfig    `mapstructure:"metadata"`
+	ConsoleMeUrl         string            `mapstructure:"consoleme_url"`
+	MtlsSettings         MtlsSettings      `mapstructure:"mtls_settings"`
+	ChallengeSettings    ChallengeSettings `mapstructure:"challenge_settings"`
+	AuthenticationMethod string            `mapstructure:"authentication_method"`
 }