naftulikay / aws-env
A utility script for exporting an AWS profile as environment variables.
License: Other
Since we're not using PyPi, see #3, we should update the README so that installation via pip is simple.
Eggs and source distributions for all Python versions we support should be published to PyPI and a signed set of packages should be produced and hosted here on the releases page.
Apparently, as reported by @joshuajlai, if credentials files have quotes surrounding the variable values, it breaks things.
Attempt to fix this either via shlex or some regular expression magic.
Presently with #16, we support lazy-loading of credential files when a qualified profile URI is used. If you have a profile named dev in ~/.aws/credentials.d/92-something.gpg, the profile URI will be dev/92-something; if stg exists in ~/.aws/credentials, then the profile URI will be /stg.
Currently, lazy-loading works for root URIs, but if a non-root profile URI is used, we load all profiles rather than incrementally try to load by the file stem. The most optimal solution would be to lazy load like this:
Implementing the non-root URI lazy-loading is what is required by this issue.
As reported by @hhercules, there should be an ls functionality for listing available profiles.
Offer tab completions utilizing aws-env --ls to offer completions for which profile to select.
We're still using the old README, which is not relevant anymore. Update the README to reflect the new hauteness.
aws-env list
[2023-02-15T14:41:22.524835-08:00 ERROR aws_env::loader (main)] Unable to read directory: No such file or directory (os error 2)
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }', src/main.rs:119:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Since having credentials in plain-text on your filesystem is probably a bad idea, aws-env should attempt to load encrypted files in the following order:
~/.aws/credentials.gpg
~/.aws/credentials.pgp
~/.aws/credentials.asc
It should then attempt to decrypt these files using gpg2 or gpg into memory, and then do the export thing.
Failing finding an encrypted file, it should then default back to the normal ~/.aws/credentials.
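The load order requested in the issue above, sketched as an added example (not code from the aws-env project). The function names and the injectable `decrypt` parameter are hypothetical; the gpg call assumes `gpg2` or `gpg` is on PATH, and plaintext is only ever read from the process's stdout pipe.

```python
import configparser
import shlex
import shutil
import subprocess
from pathlib import Path

# Load order from the issue; plain ~/.aws/credentials is the fallback.
ENCRYPTED_NAMES = ("credentials.gpg", "credentials.pgp", "credentials.asc")


def gpg_decrypt(path):
    """Decrypt with gpg2, else gpg; plaintext stays in memory (stdout pipe)."""
    binary = shutil.which("gpg2") or shutil.which("gpg")
    if binary is None:
        raise RuntimeError("neither gpg2 nor gpg found on PATH")
    done = subprocess.run([binary, "--quiet", "--decrypt", str(path)],
                          stdout=subprocess.PIPE, check=True)
    return done.stdout.decode("utf-8")


def load_credentials(aws_dir, decrypt=gpg_decrypt):
    """Return (file name used, parsed profiles) following the load order."""
    aws_dir = Path(aws_dir)
    for name in ENCRYPTED_NAMES:
        if (aws_dir / name).is_file():
            source, text = name, decrypt(aws_dir / name)
            break
    else:  # no encrypted file found: fall back to the plain-text file
        source, text = "credentials", (aws_dir / "credentials").read_text()
    profiles = configparser.ConfigParser(interpolation=None)
    profiles.read_string(text, source=source)
    return source, profiles


def export_lines(profiles, profile):
    """Render shell export statements, quoting values so eval is safe."""
    names = {"aws_access_key_id": "AWS_ACCESS_KEY_ID",
             "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY",
             "aws_session_token": "AWS_SESSION_TOKEN"}
    section = profiles[profile]
    return [f"export {env}={shlex.quote(section[key])}"
            for key, env in names.items() if key in section]
```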
AWS Single-Sign-On uses temporary credentials¹, then uses STS to get temporary role credentials².
naftulikay/aws-sso-env already implements the required logic to generate and export role credentials², provided that the temporary credentials¹ are present and not expired.
Temporary credentials¹ are obtained via aws sso login, which opens a browser window to obtain the credentials. Config for SSO is typically stored in ~/.aws/config either as the default profile, or with INI header names like [profile prod]. Rather than storing the access key id and secret access key, the sections look like this:
[profile prod]
sso_start_url = https://$SOMETHING.awsapps.com/start
sso_region = us-east-1
sso_account_id = $ACCOUNT_ID
sso_role_name = $ROLE_NAME
region = us-east-1
Temporary credentials¹ are stored in ~/.aws/sso/cache/$(shasum $SSO_START_URL).json and look like this:
{
"accessToken": "...",
"expiresAt": "2021-12-27T20:30:02+0000",
"region": "us-east-1",
"startUrl": "SSO_START_URL"
}
Using these credentials, role credentials² can be obtained, and then access is permitted. What is not clear at the moment is the exact logic that aws sso login uses to do the login with the browser window. If this can be determined, then aws-env can do the full lifecycle login; if not, we can only do work if valid, unexpired cached SSO credentials exist.
aws sso login functionality to generate temporary credentials¹.
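The "valid, unexpired cached SSO credentials" check described in the issue above, as an added example (not code from aws-env or aws-sso-env). The function names are hypothetical, and the cache file name is taken to be the SHA-1 hex digest of the start URL, following the `shasum` notation in the issue.

```python
import configparser
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def sso_cache_path(start_url, aws_dir):
    # The file name is the SHA-1 hex digest of the start URL (shasum's
    # default algorithm); it is a lookup key here, not a security control.
    digest = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    return Path(aws_dir) / "sso" / "cache" / f"{digest}.json"


def parse_expiry(text):
    # The issue shows "+0000"; "Z" and a "UTC" suffix are accepted as well
    # (assumption about other writers of the cache file).
    return datetime.strptime(text.replace("UTC", "+0000"), "%Y-%m-%dT%H:%M:%S%z")


def cached_sso_token(profile, aws_dir, now=None):
    """Return the cached accessToken for `profile`, or None if absent or expired."""
    config = configparser.ConfigParser(interpolation=None)
    config.read(Path(aws_dir) / "config")
    section = "default" if profile == "default" else f"profile {profile}"
    if not config.has_option(section, "sso_start_url"):
        return None  # unknown profile, or not an SSO profile
    path = sso_cache_path(config.get(section, "sso_start_url"), aws_dir)
    try:
        cache = json.loads(path.read_text())
        token, expires = cache["accessToken"], parse_expiry(cache["expiresAt"])
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return None  # no cache file, or not the expected JSON shape
    now = now or datetime.now(timezone.utc)
    return token if expires > now else None


if __name__ == "__main__":
    token = cached_sso_token("prod", Path.home() / ".aws")
    print("valid cached SSO token" if token else "run `aws sso login` first")
```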