From a4f25f8db89c884f97a4e6ebedca40af8325ffdb Mon Sep 17 00:00:00 2001
From: Markert Thomas
Date: Tue, 28 May 2019 15:22:20 +0200
Subject: [PATCH 1/2] added ability to set durationSeconds as parameter
---
 cmd/assumeRole.go | 9 +++++----
 cmd/awsToken.go | 10 +++++-----
 cmd/logon.go | 8 ++++++--
 cmd/single_signon_test.go | 3 +--
 cmd/utils.go | 2 +-
 cmd/ver.go | 2 +-
 6 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/cmd/assumeRole.go b/cmd/assumeRole.go
index 7495796..5791c7e 100644
--- a/cmd/assumeRole.go
+++ b/cmd/assumeRole.go
@@ -7,12 +7,13 @@ import (
 "github.com/pkg/errors"
 )
-func assumeRole(sess *session.Session, arn *Arn, assertion string) error {
+func assumeRole(sess *session.Session, arn *Arn, assertion string, durationSeconds int64) error {
 svc := sts.New(sess)
 params := &sts.AssumeRoleWithSAMLInput{
- PrincipalArn: aws.String(arn.principal),
- RoleArn: aws.String(arn.role),
- SAMLAssertion: aws.String(assertion),
+ PrincipalArn: aws.String(arn.principal),
+ RoleArn: aws.String(arn.role),
+ SAMLAssertion: aws.String(assertion),
+ DurationSeconds: aws.Int64(durationSeconds),
 }
 resp, err := svc.AssumeRoleWithSAML(params)
 if err != nil {
diff --git a/cmd/awsToken.go b/cmd/awsToken.go
index a129d99..4bca860 100644
--- a/cmd/awsToken.go
+++ b/cmd/awsToken.go
@@ -33,7 +33,7 @@ type (
 )
 //ExtractRoles from the saml single sign on response
-func ExtractRoles(saml *Saml, cache *AccountAliasCache) (arns []Arn, err error) {
+func ExtractRoles(saml *Saml, cache *AccountAliasCache, durationSeconds int64) (arns []Arn, err error) {
 var xml []byte
 xml, err = saml.AsXML()
 if err != nil {
@@ -43,7 +43,7 @@ func ExtractRoles(saml *Saml, cache *AccountAliasCache) (arns []Arn, err error)
 if err != nil {
 return arns, err
 }
- lookupAccountAliases(arns, saml.AsAssertion(), cache)
+ lookupAccountAliases(arns, saml.AsAssertion(), cache, durationSeconds)
 return arns, err
 }
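Review bot: The new durationSeconds parameter is forwarded into DurationSeconds unconditionally and without a doc comment, so a value STS rejects (below the 900-second minimum, or above the role's configured maximum session duration) surfaces only as an opaque AssumeRoleWithSAML error from the call at the end of this hunk. A one-line comment above the signature would record the contract for the two callers this commit adds: `// assumeRole exchanges the SAML assertion for credentials valid for durationSeconds; STS accepts 900 s up to the role's maximum session duration.` The body of assumeRole continues outside the hunk.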
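Review bot: ExtractRoles is exported and gains a parameter, but its doc comment `//ExtractRoles from the saml single sign on response` still says nothing about durationSeconds, and the signature change breaks any other importer of package cmd. Extending the comment would document what the value is used for, e.g. `// ExtractRoles parses the SAML response into Arns; durationSeconds is the session lifetime requested when roles are assumed to resolve account aliases.` (godoc convention also wants a space after `//`). The function continues between and beyond the two hunks.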
@@ -89,7 +89,7 @@ func (a AttributeValue) arns() []Arn {
 return result
 }
-func lookupAccountAliases(arns []Arn, assertion string, cache *AccountAliasCache) {
+func lookupAccountAliases(arns []Arn, assertion string, cache *AccountAliasCache, durationSeconds int64) {
 // fix: arn changes do no leave this func
 for i, arn := range arns {
 alias, found := cache.findAlias(arn.role)
@@ -100,7 +100,7 @@ func lookupAccountAliases(arns []Arn, assertion string, cache *AccountAliasCache
 clearCredentials()
 sess := session.New()
- err := assumeRole(sess, &arn, assertion)
+ err := assumeRole(sess, &arn, assertion, durationSeconds)
 setCredentials(arn.accessKeyID, arn.secretAccessKey, arn.sessionToken)
@@ -118,7 +118,7 @@ func lookupAccountAliases(arns []Arn, assertion string, cache *AccountAliasCache
 } else {
 // Print the error, cast err to awserr.Error to get the Code and
 // Message from an error.
- journal("Unable to resolve account alias", err.Error())
+ journal("Unable to resolve account alias")
 }
 // return
 continue
diff --git a/cmd/logon.go b/cmd/logon.go
index fba0e11..493525e 100644
--- a/cmd/logon.go
+++ b/cmd/logon.go
@@ -31,11 +31,13 @@ func init() {
 logonCmd.Flags().StringP("role", "r", "", "Role to auto select, if one one role available it is auto selected")
 logonCmd.Flags().Bool("token", false, "If set the token is displayed (useful for tools that don't use aws credentials file)")
+ logonCmd.Flags().Int64("durationSeconds", 3600, "Use to define the duration of session validity in seconds")
 bindFlags(RootCmd, "logon")
 }
 func execLogon(cmd *cobra.Command, args []string) {
+
 uri := viper.GetString("url")
 if len(uri) == 0 {
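Review bot: On a cache miss the alias lookup now assumes every role in the assertion with the user-requested duration instead of the STS default, so a role whose maximum session duration is below --durationSeconds fails alias resolution where it previously succeeded, and credentials are requested with the longer lifetime for roles the user never selects. The duration cannot simply be shortened here, because execLogon reuses these credentials when the selected role already has them (its hasCredentials check), so a fallback to the pre-change behaviour when STS rejects the value — e.g. retrying `assumeRole(sess, &arn, assertion, 3600)` on error — would avoid the regression. The loop body continues outside the hunk.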
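Review bot: Dropping err.Error() from the journal call loses the only diagnostic for a failed alias lookup, and the comment two lines above (`// Print the error, cast err to awserr.Error ...`) now describes something the code no longer does. If journal is Printf-style — the removed extra argument looks like a go vet complaint about a missing verb — keep the detail with a verb, `journal("Unable to resolve account alias: %s", err.Error())`, or delete the stale comment if the error is intentionally not shown. The cmd/utils.go hunk has the same pattern: fileMustExist's fatalExitf call loses filePath, where `fatalExitf(err, "Failed to create required file %s", filePath)` would keep the path in the message.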
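Review bot: The `+` line added at the top of execLogon is an empty line unrelated to the change and will show up in blame for this commit; it should be dropped. The new flag's help text would also read more like the neighbouring ones and state the accepted range if written as `"Requested session validity in seconds (STS minimum 900, maximum set by the role)"`. execLogon continues outside the hunk.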
@@ -58,13 +60,15 @@ func execLogon(cmd *cobra.Command, args []string) {
 cache, close := loadCache()
 defer close()
- arns, err := ExtractRoles(saml, cache)
+ durationSeconds := viper.GetInt64("durationSeconds")
+
+ arns, err := ExtractRoles(saml, cache, durationSeconds)
 fatalExit(err, "Extracting roles")
 arn, err := SelectRole(viper.GetString("role"), arns)
 fatalExit(err, "Role selection")
 if !arn.hasCredentials() {
- assumeRole(session.New(), arn, saml.AsAssertion())
+ assumeRole(session.New(), arn, saml.AsAssertion(), durationSeconds)
 }
 if viper.GetBool("token") {
 fmt.Printf("AWS_SESSION_TOKEN=%s\n", arn.sessionToken)
diff --git a/cmd/single_signon_test.go b/cmd/single_signon_test.go
index 239e039..cc85f04 100644
--- a/cmd/single_signon_test.go
+++ b/cmd/single_signon_test.go
@@ -1,11 +1,10 @@
 package cmd_test
 import (
+ "github.com/NearlyUnique/awsSts/cmd"
 "net/http"
 "net/http/httptest"
 "testing"
-
- "github.com/NearlyUnique/awsSts/cmd"
 )
 const (
diff --git a/cmd/utils.go b/cmd/utils.go
index b62f051..bfc9e1e 100644
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -103,7 +103,7 @@ func fileMustExist(filePath string) {
 if err == nil {
 f.Close()
 } else {
- fatalExitf(err, "Failed to create required file", filePath)
+ fatalExitf(err, "Failed to create required file")
 }
 }
diff --git a/cmd/ver.go b/cmd/ver.go
index 1b47f12..73a655e 100644
--- a/cmd/ver.go
+++ b/cmd/ver.go
@@ -1,3 +1,3 @@
 package cmd
-const _VERSION = "v0.8"
+const _VERSION = "tmark"
From aff07ec5f13adc2a3a291a5261f31787dfbe0708 Mon Sep 17 00:00:00 2001
From: Markert Thomas
Date: Wed, 29 May 2019 13:16:04 +0200
Subject: [PATCH 2/2] added ability to set durationSeconds as parameter
---
 cmd/ver.go | 2 +-
 readme.md | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/cmd/ver.go b/cmd/ver.go
index 73a655e..cd5aa45 100644
--- a/cmd/ver.go
+++ b/cmd/ver.go
@@ -1,3 +1,3 @@
 package cmd
-const _VERSION = "tmark"
+const _VERSION = "v0.9"
diff --git a/readme.md b/readme.md
index 1c5e8f4..e88eb78 100644
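Review bot: durationSeconds is read from viper (which the readme says can also be populated from the environment) and passed straight to ExtractRoles and assumeRole with no range check, so a value below the 900-second STS minimum only fails inside AssumeRoleWithSAML, and in the alias-lookup path that failure is merely journaled. A guard right after the GetInt64 call gives the user a direct message before any STS traffic: `if durationSeconds < 900 {` / `fatalExit(fmt.Errorf("durationSeconds must be at least 900, got %d", durationSeconds), "Validating flags")` / `}`. The upper bound is per-role, so it is best left to STS. Both ends of execLogon lie outside the hunk.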
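Review bot: Moving `"github.com/NearlyUnique/awsSts/cmd"` into the standard-library import group goes against the goimports convention the old code followed (stdlib first, a blank line, then other packages), and goimports will reorder it back on the next save, producing churn. Keeping the separate group — the two removed lines — is the conventional form; if the change was driven by a tool, it is worth checking that tool's grouping settings.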
--- a/readme.md
+++ b/readme.md
@@ -27,9 +27,10 @@ Common scenario;
 - My other scripts are going to use the `default` AWS profile
 - Automatically select the role `arn:aws:iam::123456789:role/my-role`
 - Leave running in a state where I can `auto`matically refresh my token with one key press when it expires in an hour
+- Set the validity of the session (depending on thresholds of your aws user role) in Seconds, default 3600
 ```
-awsSts logon --url https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --profile default --role arn:aws:iam::123456789:role/my-role
+awsSts logon --url https://sts.domain.company.org/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --profile default --role arn:aws:iam::123456789:role/my-role --durationSeconds 3600
 ```
 `--help` for full details, including details of all parameters that can be read from environment.