Class: Dev::Aws::Login

Inherits:
Object
Defined in:
lib/firespring_dev_commands/aws/login.rb

Overview

Class containing methods that help a user log in to AWS.

Instance Method Details

#authorize!(account) ⇒ Object

Authorize your local credentials. User is prompted for an MFA code. Temporary credentials are written back to the credentials file.



# File 'lib/firespring_dev_commands/aws/login.rb', line 32

def authorize!(account)
  # Make sure the account has been set up
  cfgini = setup_cfgini(account)

  defaultini = cfgini['default']
  profileini = cfgini["profile #{account}"]

  region = profileini['region'] || defaultini['region'] || Dev::Aws::DEFAULT_REGION

  # Explicitly set the region to the one we are logging in to. Then return if we are already logged in.
  # This is to fix an issue where you are attempting to log in to an account in a different region.
  # Without this fix it would still be attempting to use the old region until the process exited
  ENV['AWS_DEFAULT_REGION'] = region
  return if Dev::Aws::Credentials.new.active?(account)

  serial = profileini['mfa_serial_name'] || defaultini['mfa_serial_name']
  serial = "arn:aws:iam::#{Dev::Aws::Account.new.root.id}:mfa/#{serial}" if serial
  serial ||= profileini['mfa_serial'] || defaultini['mfa_serial']

  role = profileini['role_arn'] || defaultini['role_arn']
  # NOTE: We supported role name for a period of time but we are switching back to role_arn.
  #       Leaving this here for a period of time until it can be deprecated
  role ||= "arn:aws:iam::#{account}:role/#{profileini['role_name'] || defaultini['role_name']}"
  # TODO: role_name is deprecated. Eventually, we should remove the above line

  session_name = profileini['role_session_name'] || defaultini['role_session_name']
  session_duration = profileini['session_duration'] || defaultini['session_duration']

  puts
  puts "  Logging in to #{account} in #{region} as #{role}".light_yellow
  puts

  code = ENV['AWS_TOKEN_CODE'] || Dev::Common.new.ask("Enter the MFA code for the #{ENV.fetch('USERNAME', 'no_username_found')} user serial #{serial}")
  # A missing or whitespace-only code is rejected before STS is called
  raise 'MFA is required' if code.to_s.strip.empty?

  # Exchange the long-lived 'default' profile credentials plus the MFA code for temporary role credentials
  sts = ::Aws::STS::Client.new(profile: 'default', region:)
  creds = sts.assume_role(
    serial_number: serial,
    role_arn: role,
    role_session_name: session_name,
    token_code: code,
    duration_seconds: session_duration
  ).credentials
  puts

  Dev::Aws::Credentials.new.write!(account, creds)
end
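
The precedence rules in authorize! (profile section over [default], mfa_serial_name over mfa_serial, role_arn over the deprecated role_name) can be checked before any STS call is made. The following is an added example, not code from firespring_dev_commands: resolve_login_settings, valid_mfa_code? and the sample hashes are hypothetical, and unlike the method above it treats blank values as unset and rejects a role ARN that would otherwise end in an empty role name.

```ruby
# Added example; resolve_login_settings and valid_mfa_code? are hypothetical helpers.
ROLE_ARN = %r{\Aarn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+\z}

# Profile section wins over [default], as in authorize!. Unlike the plain `||`
# chain there, blank values are treated as unset.
def resolve_login_settings(profile, default, account:, root_account_id:)
  pick = lambda do |key|
    [profile[key], default[key]].map { |v| v.to_s.strip }.find { |v| !v.empty? }
  end

  # mfa_serial_name is expanded to a virtual-device ARN in the root account;
  # mfa_serial is passed through unchanged (it may be a hardware serial number).
  serial = pick.call('mfa_serial_name')
  serial = "arn:aws:iam::#{root_account_id}:mfa/#{serial}" if serial
  serial ||= pick.call('mfa_serial')

  # role_arn is preferred; role_name is only expanded when it is actually set,
  # so a missing value can never produce "arn:aws:iam::<id>:role/".
  role = pick.call('role_arn')
  role_name = pick.call('role_name')
  role ||= "arn:aws:iam::#{account}:role/#{role_name}" if role_name

  raise ArgumentError, 'no MFA device configured (mfa_serial_name or mfa_serial)' unless serial
  raise ArgumentError, 'no usable role configured (role_arn or role_name)' unless role&.match?(ROLE_ARN)

  { serial: serial, role: role }
end

# STS token codes are exactly six digits; surrounding whitespace is ignored.
def valid_mfa_code?(code)
  code.to_s.strip.match?(/\A\d{6}\z/)
end

# Constructed sample config sections (not taken from a real account).
SAMPLE_PROFILE = { 'role_name' => 'ReadOnly', 'region' => 'us-east-1' }.freeze
SAMPLE_DEFAULT = { 'mfa_serial_name' => 'alice', 'role_arn' => '' }.freeze

if $PROGRAM_NAME == __FILE__
  p resolve_login_settings(SAMPLE_PROFILE, SAMPLE_DEFAULT,
                           account: '111122223333', root_account_id: '444455556666')
  p valid_mfa_code?(' 123456 ')
end
```
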

#login!(account = nil) ⇒ Object

Main interface for logging in to an AWS account. If an account is not specified the user is given an account selection menu. If account registries have been configured, the user is also logged in to the docker registries.



# File 'lib/firespring_dev_commands/aws/login.rb', line 12

def login!(account = nil)
  # If more than one child account has been configured, have the user select the account they want to log in to
  account ||= Dev::Aws::Account.new.select

  # Authorize if our creds are not active
  authorize!(account)

  # Ensure the local env is pointed to the profile we selected
  Dev::Aws::Profile.new.write!(account)

  # Load credentials into the ENV for subprocesses
  Dev::Aws::Credentials.new.export!

  # Log in to all configured docker registries
  registry_logins!
end

#registry_login!(registry_id: nil, region: nil) ⇒ Object

Authorizes the docker cli to pull/push images from the AWS container registry (e.g. if docker compose needs to pull an image). Authorizes the docker ruby library to pull/push images from the AWS container registry.



# File 'lib/firespring_dev_commands/aws/login.rb', line 105

def registry_login!(registry_id: nil, region: nil)
  registry_id ||= Dev::Aws::Account.new.ecr_registry_ids.first
  region ||= Dev::Aws::Credentials.new.logged_in_region || Dev::Aws::DEFAULT_REGION
  raise 'registry_id is required' if registry_id.to_s.strip.empty?
  raise 'region is required' if region.to_s.strip.empty?

  registry = "#{registry_id}.dkr.ecr.#{region}.amazonaws.com"
  docker_cli_login!(registry:, region:)
  docker_lib_login!(registry_id:, region:)

  ENV['ECR_REGISTRY_ID'] ||= registry_id
  ENV['ECR_REGISTRY'] ||= registry
end

#registry_logins!(registry_ids: nil, region: nil) ⇒ Object

Authorizes the docker cli to pull/push images from the AWS container registry (e.g. if docker compose needs to pull an image). Authorizes the docker ruby library to pull/push images from the AWS container registry.



# File 'lib/firespring_dev_commands/aws/login.rb', line 93

def registry_logins!(registry_ids: nil, region: nil)
  registry_ids ||= Dev::Aws::Account.new.ecr_registry_ids
  region ||= Dev::Aws::Credentials.new.logged_in_region || Dev::Aws::DEFAULT_REGION
  return if registry_ids.empty?

  puts
  registry_ids.each { |id| registry_login!(registry_id: id, region:) }
  puts
end

#setup_cfgini(account) ⇒ Object

Returns the config ini file. Runs the setup for our current account if it’s not already set up.



# File 'lib/firespring_dev_commands/aws/login.rb', line 82

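def setup_cfgini(account)
  cfgini = Dev::Aws::Account.config_ini
  # Write the profile section for this account if it is missing, then reload the file
  unless cfgini.has_section?("profile #{account}")
    Dev::Aws::Account.new.write!(account)
    cfgini = Dev::Aws::Account.config_ini
  end
  cfgini
end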