kreuzwerker / awsu
Enhanced account switching for AWS, supports Yubikey as MFA source
License: GNU General Public License v3.0
github.com/kreuzwerker/awsu --> github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr
github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr (No version information)
https://github.com/mdp/qrterminal/blob/v1.0.0/qrterminal.go#L7
package qrterminal
import (
"io"
"strings"
"github.com/rsc/qr"
)
Repo mdp/qrterminal used the old path to import rsc/qr, and didn't use modules in version v1.0.0. This caused github.com/rsc/qr and rsc.io/qr to coexist in this repo:
https://github.com/kreuzwerker/awsu/blob/master/go.mod (Line 9 & 18)
github.com/rsc/qr v0.1.0
rsc.io/qr v0.2.0 // indirect
That's because rsc/qr has already renamed its import path from "github.com/rsc/qr" to "rsc.io/qr". When you use the old path "github.com/rsc/qr" to import rsc/qr, it reintroduces rsc/qr through the import statement "import rsc.io/qr" in the Go source file of rsc/qr.
https://github.com/rsc/qr/blob/v0.1.0/qr.go#L15
package qr
import (
"errors"
"image"
"image/color"
"rsc.io/qr/coding"
)
"github.com/rsc/qr" and "rsc.io/qr" are the same repo. This will work in isolation, but brings about potential risks and problems.
replace github.com/rsc/qr => rsc.io/qr v0.1.0
Then clean the go.mod.
2. Update the direct dependency github.com/mdp/qrterminal. This problem does not exist in the latest version v3.0.0 of github.com/mdp/qrterminal.
https://github.com/mdp/qrterminal/blob/v3.0.0/qrterminal.go#L7
package qrterminal
import (
"io"
"strings"
"rsc.io/qr"
)
It should be part of the goreleaser
We have to do it manually with 2 steps:
make build/awsu-linux-amd64
mv build/awsu-linux-amd64 build/awsu
tar cvzf build/awsu_2.3.3_Linux_x86_64.tar.gz build/awsu
shasum -a 256 build/awsu_2.3.3_Linux_x86_64.tar.gz
e8cfec1e9bc05a81fe9f15dee15f0b51af97da60c79340bcb1574cee84b63753 build/awsu_2.3.3_Linux_x86_64.tar.gz
and add the snippet
on_linux do
if Hardware::CPU.intel?
url "https://github.com/kreuzwerker/awsu/releases/download/v2.3.3/awsu_2.3.3_Linux_x86_64.tar.gz"
sha256 "e8cfec1e9bc05a81fe9f15dee15f0b51af97da60c79340bcb1574cee84b63753"
end
end
Missing cli deps:
Go deps:
joshdk/ykmango has to be installed via go get -u github.com/joshdk/ykmango or the dependency is not found.
(awscli2.7) Mikes-MacBook-Pro:awsu mip$ make build
gox -parallel=8 -osarch="darwin/amd64 linux/amd64" -ldflags "-s -w -X=main.build=edd42b7 -X=main.time=`TZ=UTC date '+%FT%TZ'` -X=main.version="2.0.2"" -output "build/awsu-{{.OS}}-{{.Arch}}" ./bin/
Number of parallel builds: 8
--> linux/amd64: github.com/kreuzwerker/awsu/bin
--> darwin/amd64: github.com/kreuzwerker/awsu/bin
2 errors occurred:
--> linux/amd64 error: exit status 1
Stderr: yubikey/oath.go:5:2: cannot find package "github.com/joshdk/ykmango" in any of:
/Users/mip/go/src/github.com/kreuzwerker/awsu/vendor/github.com/joshdk/ykmango (vendor tree)
/usr/local/Cellar/go/1.9.2/libexec/src/github.com/joshdk/ykmango (from $GOROOT)
/Users/mip/go/src/github.com/joshdk/ykmango (from $GOPATH)
--> darwin/amd64 error: exit status 1
Stderr: yubikey/oath.go:5:2: cannot find package "github.com/joshdk/ykmango" in any of:
/Users/mip/go/src/github.com/kreuzwerker/awsu/vendor/github.com/joshdk/ykmango (vendor tree)
/usr/local/Cellar/go/1.9.2/libexec/src/github.com/joshdk/ykmango (from $GOROOT)
/Users/mip/go/src/github.com/joshdk/ykmango (from $GOPATH)
make: *** [build] Error 1
(awscli2.7) Mikes-MacBook-Pro:awsu mip$ go get -u github.com/joshdk/ykmango
(awscli2.7) Mikes-MacBook-Pro:awsu mip$ make build
gox -parallel=8 -osarch="darwin/amd64 linux/amd64" -ldflags "-s -w -X=main.build=edd42b7 -X=main.time=`TZ=UTC date '+%FT%TZ'` -X=main.version="2.0.2"" -output "build/awsu-{{.OS}}-{{.Arch}}" ./bin/
Number of parallel builds: 8
--> linux/amd64: github.com/kreuzwerker/awsu/bin
--> darwin/amd64: github.com/kreuzwerker/awsu/bin
parallel upx --best --ultra-brute --quiet {} ::: build/awsu-*-*
/bin/sh: parallel: command not found
mfa_serial is not allowed anymore in cross-account profiles. default profile should be recommended.
Hi,
EB CLI does not work with AWSU; it asks for a new code each time. E.g.:
AWSU_PROFILE_DEFAULT=eb-cli awsu -v -- eb deploy
I'd propose 15m to cover long-running operations. Maybe we should do an out-of-band refresh when hitting 15m as a soft limit?
In case no mfa_serial is found in any relevant profile, one could use get-caller-identity to build the default representation from register or try to list MFA devices via the API.
Release 2.2.0
[kreuzwerker]
aws_access_key_id=XXX
aws_secret_access_key=XXX
mfa_serial=arn:aws:iam::113030XXXXXX:mfa/[email protected]
region=eu-central-1
[seachefs]
role_arn=arn:aws:iam::976760XXXXXX:role/xw-operator-cross-account
source_profile=kreuzwerker
mfa_serial=arn:aws:iam:: 113030XXXXXX:mfa/[email protected]
$ awsu -p seachefs -s 900s -v -n -- aws s3 ls
Error: failed to aquire credentials for profile "seachefs": failed to assume role "arn:aws:iam::[IAMID]:role/xw-operator-cross-account": ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
status code: 400, request id: 3ff3d68f-6d61-11e8-83f8-014ef402c6d5
Hello!
Thanks for an awesome project! We are using awsu for authentication for our aws mfa setup. Now we're expanding operations and are going to set up an aws account in a different region. We currently use awsu to switch profiles between aws accounts with profiles. We would like for awsu to also manage the region differences, which it seems not to do at the moment:
➜ ~ awsu -p dev-rp-prod
export AWSU_EXPIRES=2021-08-23T10:21:48+02:00
export AWS_ACCESS_KEY_ID=AS...GA
export AWS_SECRET_ACCESS_KEY=CZv....73
export AWS_SESSION_TOKEN=Fw....0bA==
In order to handle regions, awsu would also set the env var "AWS_DEFAULT_REGION". In the AWS config file format this should be called "region": https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html. In "config" we have
[default]
region = eu-west-1
output = json
If we could do something like
[us]
region = us-east-1
output = json
[dev-rp-us-prod]
mfa_serial = arn:aws:iam::815...4:mfa/username-aws
role_arn = arn:aws:iam::815....4:role/MyRole
source_profile = us
That would be awesome. Thoughts?
Line 71 in 729f4c4
It seems the default 'MaxSessionDuration' is 1h for roles in our own accounts. Please change the behaviour to 1h.
(Edit: relevant parameter is -t, time to live for cached role credentials.)
This should cover "normal" cases, where no MFA is in play / on the Yubikey.
Session token seems to be hardcoded to 15 minutes. I vote for 60 min by default as well as a config option (environment-based config is enough).
Use a role name that reflects the username and investigate if that can be enforced in the trust policy's conditions.
Found two inconsistencies in loading the AWS CLI configuration from the ~/.aws/config file.
Problem 1:
The default location for the AWS CLI config file is ~/.aws/credentials but should be ~/.aws/config
> awsu --help
…
-c, --config-file string sets the config file (default "/Users/borchj/.aws/credentials")
I fixed the problem by adding parameter -c ~/.aws/config but it's a bit cumbersome to add this to each invocation.
Problem 2:
According to the AWS doc https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html, profiles in the config file should be prefixed by profile.
For example:
[profile user1]
region=us-east-1
awsu returns an error message: no such profile "user1" configured
awsu finds the profile if you remove the 'profile' prefix.
[user1]
region=us-east-1
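As an added example (not awsu's own code), written in Go because that is the project's language, this ties together the two config issues above: a small loader that accepts both "[profile user1]" and "[user1]" section names from ~/.aws/config and resolves the region for a profile by following its source_profile chain, which is what an AWS_DEFAULT_REGION export would need. The sample config and the account ID in it are constructed.

```go
package main
import (
	"bufio"
	"fmt"
	"strings"
)
// Constructed sample ~/.aws/config; the account ID is a placeholder.
const sampleConfig = `[default]
region = eu-west-1

[profile us]
region = us-east-1

[profile dev-rp-us-prod]
role_arn = arn:aws:iam::111111111111:role/MyRole
source_profile = us
`

// parseConfig reads INI sections; "[profile x]" and "[x]" both become "x".
func parseConfig(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name := strings.TrimPrefix(strings.Trim(line, "[]"), "profile ")
			cur = map[string]string{}
			profiles[strings.TrimSpace(name)] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// resolveRegion walks the source_profile chain (bounded against cycles), falling back to the default profile's region.
func resolveRegion(profiles map[string]map[string]string, name string) string {
	for i := 0; i < 10 && profiles[name] != nil; i++ {
		if r := profiles[name]["region"]; r != "" {
			return r
		}
		name = profiles[name]["source_profile"]
	}
	return profiles["default"]["region"]
}

func main() {
	fmt.Println("export AWS_DEFAULT_REGION=" + resolveRegion(parseConfig(sampleConfig), "dev-rp-us-prod"))
}
```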
brew tap kreuzwerker/taps && brew reinstall kreuzwerker/taps/awsu
I expect to get a linked binary in /usr/local/bin/awsu but I do not.
There is no binary in /usr/local/bin/awsu or /usr/local/Cellar/awsu/2.3.6 and therefore nothing to symlink, and therefore the awsu command does not work.
awsu
https://aws.amazon.com/about-aws/whats-new/2018/03/longer-role-sessions/
We should also document the various setups for role conditions following the security requirements (e.g. MFA from 1h ago vs. MFA from 12h ago).
From time to time (multiple times a day, usually), I get this problem:
awsu -p <profile> -- <command>
error: failed to aquire credentials for profile "default": failed to initialize Yubikey: failed to establish context: scard: Sharing violation.
Unplugging and plugging the Yubikey, or running ykman oauth code <profile name>, resets things to a working state.
Perhaps this should rather be reported on some Yubikey go library?
Assets awsu_2.3.10_Darwin_x86_64.tar.gz and awsu_2.3.10_Linux_x86_64.tar.gz were released in GitHub Releases.
Assets for amd64 weren't released in the latest version v2.3.10: https://github.com/kreuzwerker/awsu/releases/tag/v2.3.10
On the other hand, assets for amd64 were released in v2.3.9.
like in https://github.com/kreuzwerker/m1-terraform-provider-helper, to be able to automate recurring processes and use the latest CI/release tools
Looking at the source code, it looks like there's a hardcoded Amazon account ID (015428540659) as client_id in one of the generated URLs for the awsu console command.
Is it supposed to be like that, or is it an unfortunate copy-paste accident?
Line 163 in fb48af2
The use case looks like this: for local container based development you need to export (and very often re-export) environment variables into it (at least key id, secret key and session id). An alternative would be to add a port directive to the shared configuration files and forward these ports to the dedicated container-specific ports for the metadata API.
The local setup would then require the setup from https://github.com/NYTimes/mock-ec2-metadata:
/sbin/ifconfig lo:1 inet 169.254.169.254 netmask 255.255.255.255 up
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254/32 --dport 80 -j DNAT --to-destination 169.254.169.254:65432
service iptables save
With the local ports configured, awsu would get another command, e.g. listen. This would basically invoke the port-appropriate assuming of roles etc., re-using (and re-writing) the same cached files as awsu does right now. This would also require locking on the FS level.
If that's technically feasible, that is.
This could look like this:
[warn]
production=You are deploying to production
live=You are deploying to live
When invoking awsu it would display the message and ask for yes.