Class: Dev::Aws::Credentials

Inherits:
Object
  • Object
Defined in:
lib/firespring_dev_commands/aws/credentials.rb

Overview

Contains methods for interacting with your AWS credentials

Constant Summary collapse

CONFIG_FILE =

The local file where temporary credentials are stored

"#{Dev::Aws::CONFIG_DIR}/credentials".freeze

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.config_iniObject

Returns the config ini file associated with this object



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 15

# Build the IniFile object for the local credentials file.
#
# The object is constructed with CONFIG_FILE as its filename and 'default'
# as its default section name.
#
# @return [IniFile] ini object for CONFIG_FILE
def self.config_ini
  ini_options = {filename: CONFIG_FILE, default: 'default'}
  IniFile.new(**ini_options)
end

Instance Method Details

#active?(profile = Dev::Aws::Profile.new.current) ⇒ Boolean

Whether or not the current credentials are still active

Returns:

  • (Boolean)


# File 'lib/firespring_dev_commands/aws/credentials.rb', line 40

# Report whether usable AWS credentials are available for the given profile.
#
# Returns true immediately when ECS_CONTAINER_METADATA_URI is set, without
# making any AWS call. Otherwise a config directory or an access key in the
# environment must exist, and both an STS and an SSM probe must succeed. On
# success the credentials are exported into the process environment.
#
# @param profile [Object] profile handed to the AWS clients
#   (defaults to Dev::Aws::Profile.new.current)
# @return [Boolean]
def active?(profile = Dev::Aws::Profile.new.current)
  # Inside an AWS container environment the presence of the variable is the
  # only signal used; the credentials themselves are not validated here.
  return true if ENV.fetch('ECS_CONTAINER_METADATA_URI', nil)

  # Outside of that, some local credential source has to exist
  has_config_dir = File.exist?(Dev::Aws::CONFIG_DIR)
  return false unless has_config_dir || ENV.fetch('AWS_ACCESS_KEY_ID', nil)

  # TODO: I'd prefer to still validate creds if using a METADATA_URI
  # However this appears to require additional permissions which might not be present. Is there a better check here?
  # return false if !ENV.fetch('ECS_CONTAINER_METADATA_URI', nil) && !(File.exist?(Dev::Aws::CONFIG_DIR) || ENV.fetch('AWS_ACCESS_KEY_ID', nil))

  # STS is probed first (expired credentials), SSM second (invalid credentials).
  # Any StandardError from either call is reported as "not active".
  # NOTE(review): a missing permission on the SSM call would presumably also
  # land here and read as inactive credentials - confirm that is intended.
  begin
    ::Aws::STS::Client.new(profile:).get_caller_identity
    # TODO: Is there a better check we can do here?
    ::Aws::SSM::Client.new(profile:).describe_parameters(max_results: 1)
  rescue StandardError
    return false
  end

  # Credentials work: make them available to the rest of this ruby process
  export!
  true
end

#base_setup!Object

Setup base Aws credential settings



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 72

# Interactively set the access key and secret key of the 'default' section.
#
# Creates Dev::Aws::CONFIG_DIR if needed, asks for each value (passing the
# value currently stored in the ini file as the second argument to ask), and
# writes the credentials ini file.
#
# NOTE(review): no explicit mode is passed to mkdir_p and none is set on the
# written file, so permissions presumably follow the process umask - confirm
# the directory and file end up readable by the owner only.
# NOTE(review): if Dev::Common#ask prints its second argument, the stored
# secret key would be shown on the terminal - verify against that helper.
def base_setup!
  FileUtils.mkdir_p(Dev::Aws::CONFIG_DIR)

  puts
  puts 'Configuring default credential values'

  ini = self.class.config_ini
  default_section = ini['default']

  # Access key first, secret key second - same prompt order as before
  {
    'aws_access_key_id' => 'AWS Access Key ID',
    'aws_secret_access_key' => 'AWS Secret Access Key'
  }.each do |ini_key, prompt|
    stored_value = default_section[ini_key]
    default_section[ini_key] = Dev::Common.new.ask(prompt, stored_value)
  end

  ini.write
end

#export!Object

Export our current credentials into the ruby environment



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 106

# Export the current credentials into the ruby process environment.
#
# The profile credentials file is tried first and the container credentials
# endpoint second. Both exporters return early when AWS_ACCESS_KEY_ID is
# already set, so the first source that sets it wins and a key that is
# already present in the environment is never overwritten.
def export!
  export_profile_credentials!
  export_container_credentials!
end

#export_container_credentials!Object

Exports the credentials if there is an active credentials uri



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 112

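# Export credentials from the container credentials endpoint into ENV.
#
# Does nothing when AWS_ACCESS_KEY_ID is already set or when
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is absent. Otherwise the relative
# uri is validated, the endpoint at 169.254.170.2 is queried over http, and
# the access key, secret key, session token and region are stored in ENV.
#
# @return [Object, nil] nil when nothing was exported, otherwise the region
#   value assigned to AWS_DEFAULT_REGION
# @raise [RuntimeError] when the relative uri is not an absolute path on the
#   credentials host, or when the endpoint does not answer with success
def export_container_credentials!
  # If we already have creds defined, don't do anything
  return if ENV.fetch('AWS_ACCESS_KEY_ID', nil)

  # If a container credentials url is not present, don't do anything
  ecs_creds = ENV.fetch('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI', nil)
  return unless ecs_creds

  # The value is appended directly after the host, so it has to be an absolute
  # path. Anything else could change which host the credential request is sent
  # to, so it is rejected before any request is made.
  credentials_host = '169.254.170.2'
  raise 'Invalid container credentials uri' unless ecs_creds.start_with?('/')

  endpoint = URI.parse("http://#{credentials_host}#{ecs_creds}")
  # Second check on the parsed result: the request must still target the credentials host
  raise 'Invalid container credentials uri' unless endpoint.host == credentials_host

  # Query the local creds, parse the json response, and store in the environment
  response = Net::HTTP.get_response(endpoint)
  raise 'Error getting container credentials' unless response.is_a?(Net::HTTPSuccess)

  creds = JSON.parse(response.body)
  ENV['AWS_ACCESS_KEY_ID'] = creds['AccessKeyId']
  ENV['AWS_SECRET_ACCESS_KEY'] = creds['SecretAccessKey']
  ENV['AWS_SESSION_TOKEN'] = creds['Token']
  ENV['AWS_DEFAULT_REGION'] = logged_in_region
end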

#export_profile_credentials!Object

Exports the credentials if there is a configured aws profile



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 132

# Export the current profile's credentials from the credentials file into ENV.
#
# Does nothing when AWS_ACCESS_KEY_ID is already set, when CONFIG_FILE does
# not exist, or when the ini lookup for the current profile yields nothing.
# Values written to ENV stay in this process environment for later use, and
# are inherited by child processes started afterwards.
#
# @return [Object, nil] nil when nothing was exported, otherwise the region
#   value assigned to AWS_DEFAULT_REGION
def export_profile_credentials!
  # Credentials already present in the environment take precedence
  return if ENV.fetch('AWS_ACCESS_KEY_ID', nil)

  # No credentials file, nothing to load
  return unless File.exist?(CONFIG_FILE)

  profile_section = self.class.config_ini[Dev::Aws::Profile.new.current]
  return unless profile_section

  # Environment variable name => key inside the profile's ini section
  {
    'AWS_ACCESS_KEY_ID' => 'aws_access_key_id',
    'AWS_SECRET_ACCESS_KEY' => 'aws_secret_access_key',
    'AWS_SESSION_TOKEN' => 'aws_session_token'
  }.each { |env_name, ini_key| ENV[env_name] = profile_section[ini_key] }

  ENV['AWS_DEFAULT_REGION'] = logged_in_region
end

#logged_in_accountObject

The account the profile is currently logged in to



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 20

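# The account the profile is currently logged in to.
#
# Asks STS for the caller identity using a client built with default
# settings and returns its account field.
#
# @return [String] account id reported by STS for the current identity
def logged_in_account
  ::Aws::STS::Client.new.get_caller_identity.account
end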

#logged_in_arnObject

The arn of the currently logged in identity



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 25

# The arn of the identity the current credentials resolve to.
#
# Makes one get_caller_identity call on a freshly built STS client.
#
# @return [String] arn field of the STS caller identity response
def logged_in_arn
  sts_client = ::Aws::STS::Client.new
  caller_identity = sts_client.get_caller_identity
  caller_identity.arn
end

#logged_in_regionObject

The region associated with the current login



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 35

# The region associated with the current login.
#
# Reads the region from the config object of a freshly built STS client;
# no request is sent by this method itself.
#
# NOTE(review): config is reached through send, which bypasses method
# visibility - confirm whether it is public in the SDK version in use and,
# if so, call it directly.
#
# @return [String, nil] region held by the client config
def logged_in_region
  sts_client = ::Aws::STS::Client.new
  client_config = sts_client.send(:config)
  client_config.region
end

#logged_in_roleObject

The role the current identity is using



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 30

# The role the current identity is using.
#
# Takes the second '/'-separated segment of logged_in_arn.
#
# @return [String, nil] the segment after the first '/', or nil when the arn
#   contains no '/'
def logged_in_role
  arn_segments = logged_in_arn.split('/')
  arn_segments[1]
end

#write!(account, creds) ⇒ Object

Write Aws account specific settings to the credentials file



# File 'lib/firespring_dev_commands/aws/credentials.rb', line 93

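# Write account specific credentials to the credentials file.
#
# Stores the access key, secret key and session token from creds under the
# ini section named by account, then writes the ini file.
#
# @param account [Object] name of the ini section to write to
#   (presumably an account or profile identifier - verify against callers)
# @param creds [#access_key_id, #secret_access_key, #session_token]
#   credentials object providing the three values
# @return [Object] result of writing the ini file
def write!(account, creds)
  # Write access key / secret key / session token in the credentials file
  credini = self.class.config_ini
  account_ini = credini[account]

  account_ini['aws_access_key_id'] = creds.access_key_id
  account_ini['aws_secret_access_key'] = creds.secret_access_key
  account_ini['aws_session_token'] = creds.session_token

  credini.write
end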