Add capability to use IAM instance profile credentials

Instance profiles have three pieces of data necessary for
authentication: Access key, secret key, and token. This change
allows the user to enter a token if necessary.

Author: ryansydnor

README.md

@@ -63,6 +63,17 @@ The policy you use for AWSResco should follow the least privilege access rules.
 }
 ```
 
+If you are using an IAM instance profile you need to use the (access key, secret key, token) tuple to authenticate.
+You can retrieve the values from the EC2 metadata API. First, find the name of your instance-profile:
+
+`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`
+
+Then, plug in the name at the end of the URL
+
+`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/instance-profile`
+
+The resulting JSON will have the necessary credentials to utilize the site.
+
 ## Gaps
 Currently AWSResco does not take into account `OfferingType`, it assumes that only `Heavy Utilization` is being used as that was the original use case for the tool.  There are plans to support all `OfferingType` variations - see [Issue#3](https://github.com/ckelner/AWSResco/issues/3).
 
@@ -74,7 +85,7 @@ Currently AWSResco does not take into account `OfferingType`, it assumes that on
 - Manual process to test
 
 ## Build
-- Run `sudo bash build.sh` which will uglify css and javascript
+- Run `bash build.sh` which will uglify css and javascript
 
 ## Deploy
 - Manual process of pushing to S3

dev.html

@@ -37,18 +37,24 @@ <h1>
             </h1>
         </div>
         <div class="row">
-            <div class="col-md-4">
+            <div class="col-md-3">
                 <div class="form-group">
                     <label for="awsAccessKey">AWS Access Key</label>
                     <input type="text" class="form-control" id="awsAccessKey" placeholder="AWS Access Key" />
                 </div>
             </div>
-            <div class="col-md-4">
+            <div class="col-md-3">
                 <div class="form-group">
                     <label for="awsSecretKey">AWS Secret Key</label>
                     <input type="password" class="form-control" id="awsSecretKey" placeholder="AWS Secret Key" />
                 </div>
             </div>
+            <div class="col-md-3">
+                <div class="form-group">
+                    <label for="awsToken">AWS Token (if using instance profile)</label>
+                    <input type="text" class="form-control" id="awsToken" placeholder="AWS Token" />
+                </div>
+            </div>
             <div class="col-md-2 col-padding-top-25">
                 <select class="form-control" id="regionSelect">
                     <option>us-east-1</option>

index.html

@@ -34,18 +34,24 @@ <h1>
             </h1>
         </div>
         <div class="row">
-            <div class="col-md-4">
+            <div class="col-md-3">
                 <div class="form-group">
                     <label for="awsAccessKey">AWS Access Key</label>
                     <input type="text" class="form-control" id="awsAccessKey" placeholder="AWS Access Key" />
                 </div>
             </div>
-            <div class="col-md-4">
+            <div class="col-md-3">
                 <div class="form-group">
                     <label for="awsSecretKey">AWS Secret Key</label>
                     <input type="password" class="form-control" id="awsSecretKey" placeholder="AWS Secret Key" />
                 </div>
             </div>
+            <div class="col-md-3">
+                <div class="form-group">
+                    <label for="awsToken">AWS Token (if using instance profile)</label>
+                    <input type="text" class="form-control" id="awsToken" placeholder="AWS Token" />
+                </div>
+            </div>
             <div class="col-md-2 col-padding-top-25">
                 <select class="form-control" id="regionSelect">
                     <option>us-east-1</option>

js/aws.js

@@ -25,19 +25,19 @@ function resetAWSValues() {
   g_EC2DataTimer = null;
 }
 
-function queryAllAWSRegionsForEC2Data(key, secret, region) {
+function queryAllAWSRegionsForEC2Data(key, secret, token, region) {
   if (key != null && secret != null) {
     g_REGION = region;
     resetEc2DataTable();
     resetAWSValues();
     if (region.indexOf(g_ALL_Region_Const) != -1) {
       for (var i = 0; i < g_AWSRegions.length; i++) {
-        queryAWSforEC2Data(g_AWSRegions[i], key, secret, false);
-        queryAWSforEC2Data(g_AWSRegions[i], key, secret, true);
+        queryAWSforEC2Data(g_AWSRegions[i], key, secret, token, false);
+        queryAWSforEC2Data(g_AWSRegions[i], key, secret, token, true);
       }
     } else {
-      queryAWSforEC2Data(g_REGION, key, secret, false);
-      queryAWSforEC2Data(g_REGION, key, secret, true);
+      queryAWSforEC2Data(g_REGION, key, secret, token, false);
+      queryAWSforEC2Data(g_REGION, key, secret, token, true);
     }
     // Because of the asynchronous nature of the AWS SDK calls, we need to
     // wait until all data is returned for all regions before we proceed
@@ -172,10 +172,11 @@ function combineEC2AndResData(ec2, res) {
   return newRes;
 }
 
-function queryAWSforEC2Data(region, key, secret, reservations) {
+function queryAWSforEC2Data(region, key, secret, token, reservations) {
   var ec2 = new AWS.EC2({
     accessKeyId: key,
     secretAccessKey: secret,
+    sessionToken: token,
     region: region,
     maxRetries: 5,
     // http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Config.html#sslEnabled-property
@@ -334,7 +335,7 @@ function mungeEc2Data(data) {
   return mungedDataArr;
 }
 
-function testAWSCredentials(key, secret, region) {
+function testAWSCredentials(key, secret, token, region) {
   resetCredChecks();
   if (region.toLowerCase() == "all") {
     // pick us-east-1 should always be there
@@ -344,6 +345,7 @@ function testAWSCredentials(key, secret, region) {
   var ec2 = new AWS.EC2({
     accessKeyId: key,
     secretAccessKey: secret,
+    sessionToken: token,
     region: region,
     maxRetries: 5,
     sslEnabled: true
@@ -390,6 +392,7 @@ function checkCredCheck() {
       queryAllAWSRegionsForEC2Data(
         getAccessKeyValue(),
         getSecretKeyValue(),
+        getTokenValue(),
         getRegionValue()
       );
       resetCredChecks();

js/main.js

@@ -24,6 +24,10 @@ function getSecretKeyValue() {
   return validateKeys(document.getElementById('awsSecretKey').value);
 }
 
+function getTokenValue() {
+  return document.getElementById('awsToken').value;
+}
+
 function getRegionValue() {
   return document.getElementById('regionSelect').value;
 }
@@ -33,7 +37,7 @@ function awsQueryButtonAction() {
   showPleaseWaitDiv();
   hideAccessSecretErrorDiv();
   hideCredentialsErrorDiv();
-  testAWSCredentials(getAccessKeyValue(), getSecretKeyValue(), getRegionValue());
+  testAWSCredentials(getAccessKeyValue(), getSecretKeyValue(), getTokenValue(), getRegionValue());
   waitForCredCheck();
   // always return false to avoid page refresh
   return false;