From b60ff8f13b6614a7e156c930fa96e16ba4dd0046 Mon Sep 17 00:00:00 2001
From: Don Kuntz
Date: Tue, 19 Dec 2017 13:51:47 -0600
Subject: [PATCH 1/3] Allow using AWS_PROFILE env variable in combination with ~/.aws/config
Similar to #65 and #70, this change allows users to use standard AWS command line flags. example: AWS_PROFILE=profile-name unicreds list would work the same as unicreds --profile profile-name list
---
 aws_config.go | 15 ++++++++++-----
 ds.go | 4 ++++
 kms.go | 4 ++++
 3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/aws_config.go b/aws_config.go
index 3af1ce7..c17b3a8 100644
--- a/aws_config.go
+++ b/aws_config.go
@@ -41,7 +41,7 @@ func SetAwsConfig(region, profile *string, role *string) (err error) {
 func setAwsConfig(region, profile *string, role *string) {
 log.WithFields(log.Fields{"region": aws.StringValue(region), "profile": aws.StringValue(profile)}).Debug("Configure AWS")
- config := &aws.Config{Region: region}
+ config := aws.Config{Region: region}
 // if a profile is supplied then just use the shared credentials provider
 // as per docs this will look in $HOME/.aws/credentials if the filename is ""
@@ -52,11 +52,16 @@ func setAwsConfig(region, profile *string, role *string) {
 // Are we assuming a role?
 if aws.StringValue(role) != "" {
 // Must request credentials from STS service and replace before passing on
- sess := session.Must(session.NewSession(config))
+ sts_sess := session.Must(session.NewSession(&config))
 log.WithFields(log.Fields{"role": aws.StringValue(role)}).Debug("AssumeRole")
- config.Credentials = stscreds.NewCredentials(sess, *role)
+ config.Credentials = stscreds.NewCredentials(sts_sess, *role)
 }
- SetDynamoDBConfig(config)
- SetKMSConfig(config)
+ sess := session.Must(session.NewSessionWithOptions(session.Options{
+ Config: config,
+ SharedConfigState: session.SharedConfigEnable,
+ }))
+
+ SetDynamoDBSession(sess)
+ SetKMSSession(sess)
 }
diff --git a/ds.go b/ds.go
index 41fbf01..fd4ca30 100644
--- a/ds.go
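Review bot: In the second aws_config.go hunk (`@@ -52,11 +52,16 @@`) the AssumeRole branch still builds its session with `session.NewSession(&config)`, so the STS call does not get `SharedConfigState: session.SharedConfigEnable` while the final session a few lines below does. Unless `AWS_SDK_LOAD_CONFIG` is set, the source credentials and region for the role assumption are then probably resolved without `~/.aws/config`, so running with `AWS_PROFILE` and a role can fail, or assume the role from whatever other identity the default chain finds rather than the profile the user selected. Building the STS session with the same options keeps the two consistent: `stsSess := session.Must(session.NewSessionWithOptions(session.Options{Config: config, SharedConfigState: session.SharedConfigEnable}))` (MixedCaps instead of `sts_sess`). Separately, with shared config loading enabled `session.Must` turns a malformed config file or an unknown profile into a panic; `setAwsConfig` starts outside the hunk and returns nothing, so surfacing that through `SetAwsConfig`'s `err` result would need a signature change there.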
+++ b/ds.go
@@ -52,6 +52,10 @@ func SetDynamoDBConfig(config *aws.Config) {
 dynamoSvc = dynamodb.New(session.New(), config)
 }
+func SetDynamoDBSession(sess *session.Session) {
+ dynamoSvc = dynamodb.New(sess)
+}
+
 // Credential managed credential information
 type Credential struct {
 Name string `dynamodbav:"name"`
diff --git a/kms.go b/kms.go
index 977bba1..492af52 100644
--- a/kms.go
+++ b/kms.go
@@ -18,6 +18,10 @@ func SetKMSConfig(config *aws.Config) {
 kmsSvc = kms.New(session.New(), config)
 }
+func SetKMSSession(sess *session.Session) {
+ kmsSvc = kms.New(sess)
+}
+
 // DataKey which contains the details of the KMS key
 type DataKey struct {
 CiphertextBlob []byte
From 3fbd8ba96306d96731568257d030892b6914b3ec Mon Sep 17 00:00:00 2001
From: Don Kuntz
Date: Thu, 8 Feb 2018 11:00:54 -0600
Subject: [PATCH 2/3] Use the shared config region when region is not set by command line flag.
Previously, not including the `--region` flag would result in an error being thrown and unicreds just stopping. Now, the session will use the region as set by the environment variable or inside one of the AWS config files (~/.aws/credentials and ~/.aws/config), if region isn't set by flag.
---
 aws_config.go | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/aws_config.go b/aws_config.go
index c17b3a8..8d70161 100644
--- a/aws_config.go
+++ b/aws_config.go
@@ -25,10 +25,6 @@ func SetAwsConfig(region, profile *string, role *string) (err error) {
 }
 }
- if aws.StringValue(region) == "" && aws.StringValue(profile) == "" {
- return nil
- }
-
 // This is to work around a limitation of the credentials
 // chain when providing an AWS profile as a flag
 if aws.StringValue(region) == "" && aws.StringValue(profile) != "" {
From 889077062f443a7183fb9bd9f11d2a38583316c4 Mon Sep 17 00:00:00 2001
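Review bot: The new exported `SetDynamoDBSession` in the ds.go hunk has no doc comment, and the same holds for `SetKMSSession` in the kms.go hunk. I would add `// SetDynamoDBSession replaces the package-level DynamoDB client with one built from sess, so credentials and region come from that session.` and the matching comment for the KMS setter. The context lines show `SetDynamoDBConfig` and `SetKMSConfig` still building their clients from `session.New()`, which does not go through the shared-config session this series introduces, so a caller that keeps using them gets a different credential and region resolution than the CLI path; a `// Deprecated: use SetDynamoDBSession.` line on each old setter would make that visible to library users.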
From: Don Kuntz
Date: Thu, 8 Feb 2018 11:12:12 -0600
Subject: [PATCH 3/3] Update readme to include information on using credentials/config file and environment variables
---
 README.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3c52a87..d362cd7 100644
--- a/README.md
+++ b/README.md
@@ -83,16 +83,25 @@ Commands:
 Execute a command with all secrets loaded as environment variables.
 ```
+Unicreds supports the `AWS_*` environment variables, and configuration in `~/.aws/credentials` and `~/.aws/config`
+
 # examples
 * List secrets using default profile:
 ```
-$ unicreds -r us-west-2 list
+$ unicreds list
+```
+
+* List secrets using the default profile, in a different region:
+```
+$ unicreds -r us-east-2 list
+$ AWS_REGION=us-east-2 unicreds list
 ```
-* List secrets using profile MYPROFILE in `~/.aws/credentials` (NOTE: `~/.aws/config` is only used by aws CLI, not the SDK)
+* List secrets using profile MYPROFILE in `~/.aws/credentials` or `~/.aws/config`
 ```
 $ unicreds -r us-west-2 -p MYPROFILE list
+$ AWS_PROFILE=MYPROFILE unicreds list
 ```
 * List secrets using a profile, but also assuming a role: