brightspace / bmx
IAM-less AWS API access for humans.
License: Apache License 2.0
PS C:\> bmx write -h
usage:
bmx-write -h
bmx-write [--username USERNAME] [--duration DURATION]
optional arguments:
-h, --help show this help message and exit
--username USERNAME specify username instead of being prompted
--profile PROFILE the profile to write to the AWS crdentials file
BMX currently only supports primary username/password authentication.
https://github.com/okta/okta-sdk-python/blob/master/okta/AuthClient.py#L44
... so that we can print a friendly message when we hit an error, instead of a stack trace.
We'll need these later: whenever the command is successful, we want to write the creds to ~/.bmx/credentials, keyed by account/role.
Like in SamlHacker. I think three will do:
Related to #34.
We should include the changes for 0.0.2 and the upcoming 1.0.0.
We want a configuration chain like:
Add a CLI option for the AWS role, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)
If SSO is not possible, there may be a possibility of using headless chrome to fetch an Okta auth token.
#4 added support for TOTP MFA, where this issue adds SMS MFA.
After this issue is fixed, when a user requires MFA, and
If the option is specified and identifies an existing role, then the user is not prompted for a role. Otherwise, the user is prompted.
Possible contacts:
Juno
Mark T.
Donn B.
The command will get a new STS token and write it to ~/.bmx/credentials.
Once a command has retrieved credentials, it should cache them in ~/.bmx/credentials. Key the entries by account/role.
version: 1.0.0
credentials:
  <account>:
    <role>: <creds map>
We want a configuration chain like:
Add a CLI option for the AWS account, which BMX will use whenever it is provided. (BMX should fail if the option is invalid.)
When writing out the creds file, look for and remove expired entries.
bmx print --username <username> --account <account> --role <role> -p
Traceback (most recent call last):
File "C:\Users\cstavropoulos\AppData\Local\Programs\Python\Python36\Scripts\bmx-script.py", line 9, in <module>
load_entry_point('bmx', 'console_scripts', 'bmx')()
File "c:\d2l\bmx\bmx\bmx.py", line 51, in main
return known_args.func(unknown_args)
File "c:\d2l\bmx\bmx\bmxprint.py", line 125, in cmd
print(format_credentials(known_args, credentials))
File "c:\d2l\bmx\bmx\bmxprint.py", line 89, in format_credentials
formatted_credentials = powershell_format_credentials(credentials)
File "c:\d2l\bmx\bmx\bmxprint.py", line 78, in powershell_format_credentials
credentials['AccessKeyId'],
TypeError: 'AwsCredentials' object is not subscriptable
Looks like the format of the credentials object changed and wasn't accounted for in bmx print. The tests have a hardcoded response coming from StsUtil so it would have been missed by the tests.
When BMX uses a token, it should check to see when the token will expire. If it will expire "soon" (a configurable duration), then BMX should ask AWS for a new one while the old one still works.
Assuming that developers already have the AWS CLI and that they won't want BMX to sort out the dependency for them was a bad idea.
Integrating BMX with the CLI is a big pain point during installation. Although the CLI might already be installed, it will be for a different version of Python, etc...
Just list the CLI as a dependency and have Pip install it if need be.
Use this file to store credentials, instead of ~/.aws/credentials; then pass values to the AWS CLI using environment variables.
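The hand-off to the AWS CLI described above, and the attribute-vs-subscript mix-up behind the bmx print traceback earlier on this page, as an added example. This is not bmx's own code: the AwsCredentials class, the env_for_cli/run_aws/format_for_shell names and the sample values are assumptions of the example. The session is passed to the child process through AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, which the CLI consults before the shared credentials file, so ~/.aws/credentials is never written.

```python
import os
import shlex
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AwsCredentials:
    """One STS session. Field names are this example's, not bmx's."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: Optional[str] = None  # ISO 8601 timestamp, as STS returns it


# Attribute -> environment variable the AWS CLI and SDKs read. These come
# before the shared credentials file in the CLI's lookup order, so nothing
# has to be written to ~/.aws/credentials.
ENV_NAMES = (
    ("access_key_id", "AWS_ACCESS_KEY_ID"),
    ("secret_access_key", "AWS_SECRET_ACCESS_KEY"),
    ("session_token", "AWS_SESSION_TOKEN"),
)


def env_for_cli(creds: AwsCredentials, base_env: Dict[str, str]) -> Dict[str, str]:
    """Copy of base_env with the three AWS_* variables taken from `creds`.
    Attribute access is deliberate: indexing like creds['AccessKeyId'] is the
    TypeError shown in the bmx print traceback above."""
    env = dict(base_env)
    for attr, name in ENV_NAMES:
        env[name] = getattr(creds, attr)
    return env


def run_aws(cli_args: List[str], creds: AwsCredentials) -> subprocess.CompletedProcess:
    """Run `aws <cli_args>` with the session visible only to that child process."""
    return subprocess.run(["aws", *cli_args], env=env_for_cli(creds, dict(os.environ)), check=False)


def format_for_shell(creds: AwsCredentials, shell: str) -> str:
    """Lines the user can eval (bash) or Invoke-Expression (PowerShell) to load
    the session into the current shell, with every value quoted for that shell."""
    lines = []
    for attr, name in ENV_NAMES:
        value = getattr(creds, attr)
        if shell == "powershell":
            quoted = "'" + value.replace("'", "''") + "'"  # single quotes: no expansion
            lines.append(f"$env:{name} = {quoted}")
        elif shell in ("bash", "sh"):
            lines.append(f"export {name}={shlex.quote(value)}")
        else:
            raise ValueError(f"unsupported shell: {shell}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values; not real AWS credentials.
    sample = AwsCredentials("ASIAEXAMPLEKEY", "example/secret+key", "example.session.token")
    print(format_for_shell(sample, "powershell"))
```

Quoting per shell matters because a session token is an opaque string that can contain characters both shells treat specially; shlex.quote and doubled single quotes keep it literal.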
Remove the bmx-X ones.
Rather than try to be robust during reading and writing, validate the credentials file before using it. (This expands on checking the version, which @nsimone implemented in #64.)
We can use a schema validator like Rx or Schema. To get the most out of schema validation, we might want to change the 'credentials' -> '<account>' -> '<role>' mapping to a list of credentials, where each credential has an account and role field:
credentials:
  - account: <account #1>
    role: <role #2>
    SecretAccessKey: ...
  - account: <account #2>
    ...
In this case, here is an Rx example of a valid schema:
{
  "type": "//rec",
  "optional": {
    "version": {
      "type": "//str",
      "value": "1.0.0"
    },
    "meta": {
      "type": "//rec",
      "required": {
        "default": {
          "type": "//rec",
          "required": {
            "account": "//str",
            "role": "//str"
          }
        }
      }
    },
    "credentials": {
      "type": "//arr",
      "length": { "min": 1 },
      "contents": {
        "type": "//rec",
        "required": {
          "account": "//str",
          "role": "//str",
          "AccessKeyId": "//str",
          "SecretAccessKey": "//str",
          "SessionToken": "//str"
        },
        "optional": {
          "Expiration": "//str"
        }
      }
    }
  }
}
I actually don't see an Rx impl for Python, so YMMV there. It had a live demo, which I used to build this schema, but we might need to use a different validator.
We want a configuration chain like:
Add an environment variable for username, which BMX will use if no CLI option is provided.
When we write, specify version: 1.0.0.
When we read, if no version or version 1.0.0 is specified, then we proceed; otherwise we fail.
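Both the schema discussion above and the version rule just stated, as one added example. Since there is no Rx implementation for Python, this is a stdlib-only validator written for this page (not bmx's code) that mirrors the Rx schema's rules: //rec rejects unknown keys, version is optional but must equal 1.0.0 when present, and credentials is a non-empty list of complete records. It takes an already-parsed document (whatever YAML loader bmx uses); the function and constant names are this example's.

```python
from typing import Any, Dict, List, Sequence

SUPPORTED_VERSION = "1.0.0"
# Required/optional fields of one credentials record, from the Rx schema above.
RECORD_REQUIRED = ("account", "role", "AccessKeyId", "SecretAccessKey", "SessionToken")
RECORD_OPTIONAL = ("Expiration",)


def _check_rec(obj: Any, required: Sequence[str], optional: Sequence[str],
               path: str, errors: List[str]) -> bool:
    """Rx //rec semantics: a mapping with every required key and no unknown keys.
    Returns False when obj is not a mapping at all, so callers stop descending."""
    if not isinstance(obj, dict):
        errors.append(f"{path}: expected a mapping")
        return False
    for key in required:
        if key not in obj:
            errors.append(f"{path}: missing required field '{key}'")
    for key in obj:
        if key not in required and key not in optional:
            errors.append(f"{path}: unknown field '{key}'")
    return True


def _check_str_fields(obj: Dict[str, Any], keys: Sequence[str], path: str, errors: List[str]) -> None:
    """Rx //str for each named field that is present."""
    for key in keys:
        if key in obj and not isinstance(obj[key], str):
            errors.append(f"{path}.{key}: expected a string")


def validate_credentials_file(doc: Any) -> List[str]:
    """Return every schema violation in a parsed credentials file ([] means valid).
    A missing version is treated as 1.0.0; any other version is rejected."""
    errors: List[str] = []
    if not _check_rec(doc, (), ("version", "meta", "credentials"), "$", errors):
        return errors
    version = doc.get("version", SUPPORTED_VERSION)
    if version != SUPPORTED_VERSION:
        errors.append(f"$.version: unsupported version {version!r}; expected {SUPPORTED_VERSION!r}")
    if "meta" in doc and _check_rec(doc["meta"], ("default",), (), "$.meta", errors):
        default = doc["meta"].get("default")
        if default is not None and _check_rec(default, ("account", "role"), (), "$.meta.default", errors):
            _check_str_fields(default, ("account", "role"), "$.meta.default", errors)
    if "credentials" in doc:
        records = doc["credentials"]
        if not isinstance(records, list) or not records:
            errors.append("$.credentials: expected a non-empty list")
        else:
            for index, record in enumerate(records):
                path = f"$.credentials[{index}]"
                if _check_rec(record, RECORD_REQUIRED, RECORD_OPTIONAL, path, errors):
                    _check_str_fields(record, RECORD_REQUIRED + RECORD_OPTIONAL, path, errors)
    return errors
```

Collecting all violations rather than raising on the first one gives the user a single complete message about a hand-edited file; the caller should refuse to use the file when the list is non-empty.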
It doesn't know if the username has changed, e.g., via the --username option.
Related to #14. The config file can hold values like username, account name, role, etc...
Re-use Okta session to prevent multiple username/password entries. Suggestion taken from #5
root = true
[*]
charset = utf-8
end_of_line = lf
trim_trailing_whitespace = true
insert_final_newline = false
indent_style = space
indent_size = 4
[{*.json,.*.yml}]
indent_style = space
indent_size = 2
We want a configuration chain like:
Add an environment variable for the AWS account, which BMX will use if no CLI option is provided. (BMX should fail if the env var is invalid.)
Before returning creds from ~/.bmx/credentials, credentialsutil should check that they have not expired. If they're expired, then return None.
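The cache behaviour spread across the issues above (entries keyed by account/role, expired entries dropped when the file is written, None returned for an expired entry, and an early refresh while the old token still works) as one added example. This is not bmx's credentialsutil: the store layout follows the version/credentials mapping shown earlier, but JSON serialization, the ten-minute refresh window and the function names are assumptions of the example.

```python
import json
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

STORE_VERSION = "1.0.0"
REFRESH_WINDOW = timedelta(minutes=10)  # what "soon" means; meant to be configurable

CredsMap = Dict[str, str]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def parse_expiration(value: str) -> datetime:
    """STS gives ISO 8601 timestamps, often with a trailing 'Z'; return an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def is_expired(creds: CredsMap, now: datetime) -> bool:
    return parse_expiration(creds["Expiration"]) <= now


def expires_soon(creds: CredsMap, now: datetime, window: timedelta = REFRESH_WINDOW) -> bool:
    """Still valid but within `window` of expiry: the moment to ask STS for a
    new token while this one still works."""
    expiration = parse_expiration(creds["Expiration"])
    return now < expiration <= now + window


def empty_store() -> dict:
    return {"version": STORE_VERSION, "credentials": {}}


def put_credentials(store: dict, account: str, role: str, creds: CredsMap) -> None:
    store["credentials"].setdefault(account, {})[role] = creds


def get_credentials(store: dict, account: str, role: str, now: datetime) -> Optional[CredsMap]:
    """Cached creds for account/role, or None when absent or already expired."""
    creds = store["credentials"].get(account, {}).get(role)
    if creds is None or is_expired(creds, now):
        return None
    return creds


def prune_expired(store: dict, now: datetime) -> int:
    """Remove expired entries (and accounts left empty); returns how many were removed."""
    removed = 0
    for account in list(store["credentials"]):
        roles = store["credentials"][account]
        for role in list(roles):
            if is_expired(roles[role], now):
                del roles[role]
                removed += 1
        if not roles:
            del store["credentials"][account]
    return removed


def write_store(store: dict, path: str, now: datetime) -> None:
    """Prune, then write owner-read/write only: the file holds live session tokens."""
    prune_expired(store, now)
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(store, handle, indent=2)


def read_store(path: str) -> dict:
    try:
        with open(path) as handle:
            return json.load(handle)
    except FileNotFoundError:
        return empty_store()
```

Passing `now` in explicitly keeps the expiry logic testable and avoids mixing naive local times with the UTC timestamps STS returns; an off-by-timezone comparison would hand out tokens that are already dead or throw away ones that are still good.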
We want a configuration chain like:
Add an environment variable for the AWS-account role, which BMX will use if no CLI option is provided. (BMX should fail if the environment variable is invalid.)
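The configuration chain requested across these issues (CLI option first, then environment variable, then the config file, then a prompt) for username, account and role, as one added example. It is not bmx's code: the BMX_USERNAME/BMX_ACCOUNT/BMX_ROLE variable names, the [bmx] section layout of the config file and the function names are assumptions. The accounts_roles mapping stands in for whatever list of assumable accounts and roles the tool has (typically parsed from the SAML assertion), and an invalid CLI option or environment variable fails the command rather than falling through, as the issues ask.

```python
import configparser
from typing import Callable, Dict, Mapping, Optional, Set

# Environment variable per setting (names are this example's choice).
ENV_VARS = {"username": "BMX_USERNAME", "account": "BMX_ACCOUNT", "role": "BMX_ROLE"}
CONFIG_SECTION = "bmx"  # assumed config-file layout: [bmx] username=..., account=..., role=...


class ConfigError(ValueError):
    """A one-line message for the user instead of a stack trace."""


def resolve_setting(name: str, cli_value: Optional[str], environ: Mapping[str, str],
                    config: configparser.ConfigParser, valid: Optional[Set[str]],
                    prompt: Callable[[str], str]) -> str:
    """First source that provides a value wins: CLI option, env var, config file, prompt.
    A CLI option or env var naming something that does not exist is an error,
    not a fall-through, so a typo cannot silently land in another account."""
    def checked(value: str, source: str) -> str:
        if valid is not None and value not in valid:
            raise ConfigError(f"{source} gives {name}={value!r}; valid values: {sorted(valid)}")
        return value

    if cli_value is not None:
        return checked(cli_value, f"--{name}")
    env_value = environ.get(ENV_VARS[name])
    if env_value:
        return checked(env_value, ENV_VARS[name])
    if config.has_option(CONFIG_SECTION, name):  # False when the section is absent too
        return checked(config.get(CONFIG_SECTION, name), "config file")
    return checked(prompt(name), "prompt")


def resolve_all(cli: Mapping[str, Optional[str]], environ: Mapping[str, str], config_text: str,
                accounts_roles: Dict[str, Set[str]], prompt: Callable[[str], str]) -> Dict[str, str]:
    """accounts_roles maps each account the user may assume into to its roles;
    the role is validated against the account that was just chosen."""
    config = configparser.ConfigParser()
    config.read_string(config_text)
    username = resolve_setting("username", cli.get("username"), environ, config, None, prompt)
    account = resolve_setting("account", cli.get("account"), environ, config, set(accounts_roles), prompt)
    role = resolve_setting("role", cli.get("role"), environ, config, accounts_roles[account], prompt)
    return {"username": username, "account": account, "role": role}


def resolve_or_message(*args):
    """What a command entry point does with a bad setting: (settings, None) or (None, message)."""
    try:
        return resolve_all(*args), None
    except ConfigError as err:
        return None, str(err)
```

The prompt is only reached for a setting no other source supplied, which is the behaviour the role issue describes: an existing role from the option means no prompt, anything else means the user is asked.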
PS C:\> bmx print --profile foo
Traceback (most recent call last):
File "C:\Users\credekop\AppData\Local\Programs\Python\Python36\lib\configparser.py", line 1138, in _unify_values
sectiondict = self._sections[section]
KeyError: 'foo'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "c:\users\credekop\appdata\roaming\python\python36\scripts\bmx-script.py", line 11, in <module>
load_entry_point('bmx==0.0.2', 'console_scripts', 'bmx')()
File "C:\Users\credekop\AppData\Roaming\Python\Python36\site-packages\bmx\bmx.py", line 51, in main
return known_args.func(unknown_args)
File "C:\Users\credekop\AppData\Roaming\Python\Python36\site-packages\bmx\bmxprint.py", line 112, in cmd
credentials = read_config(known_args.profile)
File "C:\Users\credekop\AppData\Roaming\Python\Python36\site-packages\bmx\bmxprint.py", line 98, in read_config
access_key_id = config.get(profile, 'aws_access_key_id')
File "C:\Users\credekop\AppData\Local\Programs\Python\Python36\lib\configparser.py", line 781, in get
d = self._unify_values(section, vars)
File "C:\Users\credekop\AppData\Local\Programs\Python\Python36\lib\configparser.py", line 1141, in _unify_values
raise NoSectionError(section)
configparser.NoSectionError: No section: 'foo'
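The failure mode in the traceback above (a profile name that has no section in the credentials file) handled the way the friendly-message issue earlier on this page asks for, as an added example. This is not bmx's read_config: the function and class names are assumptions, and the INI layout is the aws_access_key_id / aws_secret_access_key / aws_session_token form seen in the traceback.

```python
import configparser
from typing import Dict, List

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")
OPTIONAL_KEYS = ("aws_session_token",)


class ProfileError(ValueError):
    """Reported to the user as a one-line message, not a stack trace."""


def available_profiles(config: configparser.ConfigParser) -> List[str]:
    return list(config.sections())


def read_profile(config_text: str, profile: str) -> Dict[str, str]:
    """Return the keys of one profile from credentials-file INI text.
    The section and its required keys are checked first, so a wrong --profile
    yields a useful message instead of configparser's NoSectionError."""
    config = configparser.ConfigParser()
    config.read_string(config_text)
    if not config.has_section(profile):
        raise ProfileError(f"no profile {profile!r} in credentials file; "
                           f"available: {available_profiles(config) or 'none'}")
    missing = [key for key in REQUIRED_KEYS if not config.has_option(profile, key)]
    if missing:
        raise ProfileError(f"profile {profile!r} is missing {', '.join(missing)}")
    return {key: config.get(profile, key)
            for key in REQUIRED_KEYS + OPTIONAL_KEYS if config.has_option(profile, key)}
```

Listing the sections that do exist in the message is what turns a crash into something the user can act on (usually a typo in the profile name).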
Related to #34.
... to other creds, instead of duplicating an account/role's creds in the default section.
... and keep its AWS_* variables up-to-date as they expire and need renewal?