kreuzwerker / awsu Goto Github PK

Dependency line:

github.com/kreuzwerker/awsu --> github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr

github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr (No version information)
https://github.com/mdp/qrterminal/blob/v1.0.0/qrterminal.go#L7

package qrterminal
import (
	"io"
	"strings"
	"github.com/rsc/qr"
) 

Background

Repo mdp/qrterminal used the old path to import rsc/qr， and didn’t use module in the version v1.0.0.
This caused that github.com/rsc/qr and rsc.io/qr coexist in this repo：
https://github.com/kreuzwerker/awsu/blob/master/go.mod （Line 9 & 18）

github.com/rsc/qr v0.1.0
rsc.io/qr v0.2.0 // indirect 

That’s because the rsc/qr has already renamed it’s import path from "github.com/rsc/qr" to "rsc.io/qr". When you use the old path "github.com/rsc/qr" to import the rsc/qr, will reintroduces rsc/qr through the import statements "import rsc.io/qr" in the go source file of rsc/qr.

https://github.com/rsc/qr/blob/v0.1.0/qr.go#L15

package qr
import (
	"errors"
	"image"
	"image/color"
	"rsc.io/qr/coding"
)

"github.com/rsc/qr" and "rsc.io/qr" are the same repos. This will work in isolation, bring about potential risks and problems.

Solution

1. Add replace statement in the go.mod file:

replace github.com/rsc/qr => rsc.io/qr v0.1.0

Then clean the go.mod.
2. Update the direct dependency github.com/mdp/qrterminal. This problem does not exist in the latest version v3.0.0 of github.com/mdp/qrterminal.

https://github.com/mdp/qrterminal/blob/v3.0.0/qrterminal.go#L7

package qrterminal
import (
	"io"
	"strings"
	"rsc.io/qr"
)

Expected Behavior

It should be part of the goreleaser

Actual Behavior

We have to do it manually with 2 steps:

1. upload it manually to the release page

make build/awsu-linux-amd64
mv build/awsu-linux-amd64 build/awsu
tar cvzf build/awsu_2.3.3_Linux_x86_64.tar.gz build/awsu

2. update the https://github.com/kreuzwerker/homebrew-taps/blob/master/awsu.rb formula

shasum -a 256 build/awsu_2.3.3_Linux_x86_64.tar.gz
e8cfec1e9bc05a81fe9f15dee15f0b51af97da60c79340bcb1574cee84b63753 build/awsu_2.3.3_Linux_x86_64.tar.gz

and add the snippet

on_linux do
    if Hardware::CPU.intel?
      url "https://github.com/kreuzwerker/awsu/releases/download/v2.3.3/awsu_2.3.3_Linux_x86_64.tar.gz"
      sha256 "e8cfec1e9bc05a81fe9f15dee15f0b51af97da60c79340bcb1574cee84b63753"
    end
end

Your Environment

• OS: Darwin/Intel
• aswu version: 2.3.3

Missing cli deps:

1. parallel
2. upx

Go deps:
joshdk/ykmango has to be installed via go get -u github.com/joshdk/ykmango or the dependency is not found.

(awscli2.7) Mikes-MacBook-Pro:awsu mip$ make build
gox -parallel=8 -osarch="darwin/amd64 linux/amd64" -ldflags "-s -w -X=main.build=edd42b7 -X=main.time=`TZ=UTC date '+%FT%TZ'` -X=main.version="2.0.2"" -output "build/awsu-{{.OS}}-{{.Arch}}" ./bin/
Number of parallel builds: 8

-->     linux/amd64: github.com/kreuzwerker/awsu/bin
-->    darwin/amd64: github.com/kreuzwerker/awsu/bin

2 errors occurred:
--> linux/amd64 error: exit status 1
Stderr: yubikey/oath.go:5:2: cannot find package "github.com/joshdk/ykmango" in any of:
        /Users/mip/go/src/github.com/kreuzwerker/awsu/vendor/github.com/joshdk/ykmango (vendor tree)
        /usr/local/Cellar/go/1.9.2/libexec/src/github.com/joshdk/ykmango (from $GOROOT)
        /Users/mip/go/src/github.com/joshdk/ykmango (from $GOPATH)

--> darwin/amd64 error: exit status 1
Stderr: yubikey/oath.go:5:2: cannot find package "github.com/joshdk/ykmango" in any of:
        /Users/mip/go/src/github.com/kreuzwerker/awsu/vendor/github.com/joshdk/ykmango (vendor tree)
        /usr/local/Cellar/go/1.9.2/libexec/src/github.com/joshdk/ykmango (from $GOROOT)
        /Users/mip/go/src/github.com/joshdk/ykmango (from $GOPATH)

make: *** [build] Error 1
(awscli2.7) Mikes-MacBook-Pro:awsu mip$ go get -u github.com/joshdk/ykmango
(awscli2.7) Mikes-MacBook-Pro:awsu mip$ make build
gox -parallel=8 -osarch="darwin/amd64 linux/amd64" -ldflags "-s -w -X=main.build=edd42b7 -X=main.time=`TZ=UTC date '+%FT%TZ'` -X=main.version="2.0.2"" -output "build/awsu-{{.OS}}-{{.Arch}}" ./bin/
Number of parallel builds: 8

-->     linux/amd64: github.com/kreuzwerker/awsu/bin
-->    darwin/amd64: github.com/kreuzwerker/awsu/bin
parallel upx --best --ultra-brute --quiet {} ::: build/awsu-*-*
/bin/sh: parallel: command not found

• mfa_serial is not allowed anymore in cross-account profiles.
• A default profile should be recommended.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring

Hi,

EB CLI does not work with AWSU, each time asks for new code. E.g:

AWSU_PROFILE_DEFAULT=eb-cli awsu -v -- eb deploy

I'd propose 15m to cover long-running operations. Maybe we should do an out-of-band refresh when hitting 15m as soft limit?

In case of no mfa_serial found in all relevant profiles one could use get-caller-identity to build the default representation from register or try to list MFA devices via the API.

Release 2.2.0

[kreuzwerker]
aws_access_key_id=XXX
aws_secret_access_key=XXX
mfa_serial=arn:aws:iam::113030XXXXXX:mfa/[email protected]
region=eu-central-1

[seachefs]
role_arn=arn:aws:iam::976760XXXXXX:role/xw-operator-cross-account
source_profile=kreuzwerker
mfa_serial=arn:aws:iam:: 113030XXXXXX:mfa/[email protected]

$ awsu -p seachefs -s 900s -v -n -- aws s3 ls

Error: failed to aquire credentials for profile "seachefs": failed to assume role "arn:aws:iam::[IAMID]:role/xw-operator-cross-account": ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
status code: 400, request id: 3ff3d68f-6d61-11e8-83f8-014ef402c6d5

Hello!

Thanks for an awesome project! We are using awsu for authentication for our aws mfa setup. Now we're expanding operations and are going to set up an aws account in a different region. We currently use awsu to switch profiles between aws accounts with profiles. We would like for awsu to also manage the region differences, which it seems not to do at the moment:

➜  ~ awsu -p dev-rp-prod
export AWSU_EXPIRES=2021-08-23T10:21:48+02:00
export AWS_ACCESS_KEY_ID=AS...GA
export AWS_SECRET_ACCESS_KEY=CZv....73
export AWS_SESSION_TOKEN=Fw....0bA==

In order to handle regions, awsu would also set the env var "AWS_DEFAULT_REGION". In the AWS config file format this should be called "region": https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html. In "config" we have

[default]
region = eu-west-1
output = json

If we could do something like

[us]
region = us-east-1
output = json

[dev-rp-us-prod]
mfa_serial = arn:aws:iam::815...4:mfa/username-aws
role_arn = arn:aws:iam::815....4:role/MyRole
source_profile = us

That would be awesome. Thoughts?

It seems the default 'MaxSessionDuration' is 1h for roles in our own accounts. Please change the behaviour to 1h.
(Edit: relevant parameter is -t time to live for cached role credentials

https://github.com/kreuzwerker/awsu/blob/master/command/root.go#L55

This should "normal" cases, where no MFA is in play / on the Yubikey.

https://github.com/kreuzwerker/homebrew-taps

Session token seems to be hardcoded to 15 minutes. I vote for 60 min by default as well as config option (environment based config is enough).

Use a role name that reflects the username and investigate if that can be enforced in the trust policies conditions.

Found two inconsistencies in loading the the AWS CLI configufration from ~/.aws/config file.

Problem 1:

The default location for the AWS CLI config file is ~/.aws/credentials but should be ~/.aws/config

> awsu –help

…
-c, --config-file string               sets the config file (default "/Users/borchj/.aws/credentials")

I fixed the problem by adding parameter -c ~/.aws/config but it's a bit cumbersome to add this to each invocation.

Problem 2:

According to the AWS doc https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html, profiles in the config file should be prefixes by profile.
For example:

[profile user1]
region=us-east-1

awsu returns an error message : no such profile "user1" configured

awsu find the profile if you remove the ‘profile’ prefix.

[user1]
region=us-east-1

Expected Behavior

• When I uninstall and reinstall via brew tap kreuzwerker/taps && brew reinstall kreuzwerker/taps/awsu I expect to get a linked binary in /usr/local/bin/awsu but I do not

Actual Behavior

There is no binary in /usr/local/bin/awsu or /usr/local/Cellar/awsu/2.3.6 and therefore nothing to symlink and therefore the awsu command does not work

Steps to Reproduce (including precondition)

• Install v2.3.6 of awsu

Screenshot on This Problem (if possible)

Your Environment

• OS: macOS Monteray 12.0.1
• passgen version:

https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/

We should also document the various setups for role conditions following the security requirements (e.g. MFA from 1h ago vs. MFA from 12h ago).

From time to time (multiple times a day, usually), I get this problem:

awsu -p <profile> -- <command>
error: failed to aquire credentials for profile "default": failed to initialize Yubikey: failed to establish context: scard: Sharing violation.

Unplugging and plugging the Yubikey, or running ykman oauth code <profile name> resets things to a working state.

Perhaps this should rather be reported on some Yubikey go library?

Expected Behavior

Assets awsu_2.3.10_Darwin_x86_64.tar.gz and awsu_2.3.10_Linux_x86_64.tar.gz were released in GitHub Releases.

Actual Behavior

Assets for amd64 weren't released in the latest version v2.3.10

Screenshot on This Problem (if possible)

https://github.com/kreuzwerker/awsu/releases/tag/v2.3.10

On the other hand, assets for amd64 were released in v2.3.9.

https://github.com/kreuzwerker/awsu/releases/tag/v2.3.9

like in https://github.com/kreuzwerker/m1-terraform-provider-helper

• travis -> GH actions
• goreleaser
• changelog generation

to be able to automate recurring processes use the latest CI/release tools

Looking at the source code, it looks like there's a hardcoded Amazon account ID (015428540659) as client_id in one of the generated URLs for the awsu console command.

Is is supposed to be like that, or is it an unfortunate copy-paste accident?

The use case looks like this: for local container based development you need to export (and very often re-export) environment variables into it (at least key id, secret key and session id). An alternative would be to add a port directive to the shared configuration files and forward these ports to the dedicated container specific ports for the metadata API.

The local setup would then require the setup from https://github.com/NYTimes/mock-ec2-metadata:

/sbin/ifconfig lo:1 inet 169.254.169.254 netmask 255.255.255.255 up
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254/32 --dport 80  -j DNAT --to-destination 169.254.169.254:65432
service iptables save

With the local ports configured awsu would get another command e.g. listen. This would basically invoke the port-appropriate assuming of roles etc., re-using (and re-writing) the same cached files as awsu does right now. This would also require locking on the FS level.

If that's technical feasible, that is.

This could look like this:

[warn]
production=You are deploying to production
live=You are deploying to live

When invoking awsu it would display the message and ask for yes.