Feature/long creds (#40)

* Allow for auto-refresh of role credentials when wrapping a command

Instead of using a temporary credential file, start an HTTP server which
mimics the ECS credential endpoint, and modify the environment such that
the called command will reference the endpoint for credentials.  This
should allow the command to automatically refresh the role credentials
while the process executes, for as long as the session token credentials
are valid.

* add `-E` flag to preserve env var credential behavior

* Change MFA code prompt to use stderr, update aws sdk version

* Set envvar to pass profile name to called program

Expose the profile name, if it doesn't look like a role ARN, as the
env var AWSRUNAS_PROFILE, so downstream programs can still get access
to the profile name using a variable which won't collide with the AWS
SDK operation.

* generate/distribute only signed Windows executable

* create .deb and .rpm packages for linux

Author: Mike Morris

.circleci/config.yml

@@ -1,20 +1,26 @@
 # Golang CircleCI 2.0 configuration file
 #
 # Check https://circleci.com/docs/2.0/language-go/ for more details
-version: 2
+version: 2.1
+
+orbs:
+  aws-cli: circleci/[email protected]
+
 jobs:
   build:
     docker:
       # specify the version
       - image: "circleci/golang:1.12"
 
     working_directory: /go/src/github.com/mmmorris1975/aws-runas
+
+    environment:
+      GO111MODULE: "on"
+
     steps:
       - checkout
 
       # specify any bash command here prefixed with `run: `
-      # 'go get' only pulls from master branch, and circleci doesn't support dep
-      - run: go get -v -t -d ./...
       - run: go vet -tests=false ./...
       - run: go test -v ./...
       - run: mkdir -p build
@@ -34,6 +40,11 @@ jobs:
       - attach_workspace:
           at: build
 
+      - aws-cli/install
+      - aws-cli/configure:
+          profile-name: circleci
+          configure-default-region: false
+
       - run: bundle check --path=vendor/bundle || bundle install --path=vendor/bundle --jobs=4 --retry=3
       - run: mkdir -p /var/tmp/rspec
       - run:

Makefile

@@ -10,24 +10,26 @@ $(EXE): go.mod *.go lib/*/*.go
 	go build -v -ldflags '-X main.Version=$(VER)' -o $@
 
 release: $(EXE) darwin windows linux
+	docker run --rm -e VER=$(VER) -v ${PWD}:/build --entrypoint /build/scripts/package.sh debian:stretch
 
 darwin linux:
 	GOOS=$@ go build -ldflags '-X main.Version=$(VER)' -o $(EXE)-$(VER)-$@-$(GOARCH)
 
 # $(shell go env GOEXE) is evaluated in the context of the Makefile host (before GOOS is evaluated), so hard-code .exe
 windows:
-	GOOS=$@ go build -ldflags '-X main.Version=$(VER)' -o $(EXE)-$(VER)-$@-$(GOARCH).exe
-	osslsigncode sign -certs .ca/codesign.crt -key .ca/codesign.key -n "aws-runas" -i https://github.com/mmmorris1975/aws-runas -in $(EXE)-$(VER)-$@-$(GOARCH).exe -out $(EXE)-$(VER)-$@-$(GOARCH)-signed.exe
+	GOOS=$@ go build -ldflags '-X main.Version=$(VER)' -o $(EXE)-$(VER)-$@-$(GOARCH)-unsigned.exe
+	osslsigncode sign -certs .ca/codesign.crt -key .ca/codesign.key -n "aws-runas" -i https://github.com/mmmorris1975/aws-runas -in $(EXE)-$(VER)-$@-$(GOARCH)-unsigned.exe -out $(EXE)-$(VER)-$@-$(GOARCH).exe
+	rm -f $(EXE)-$(VER)-$@-$(GOARCH)-unsigned.exe
 
 clean:
-	rm -f $(EXE) $(EXE)-*-*-*
+	rm -f $(EXE) $(EXE)-*-*-* $(EXE)*.rpm $(EXE)*.deb
 
 dist-clean: clean
 	rm -f go.sum
 
 test: $(EXE)
 	mv $(EXE) build
-	go test -v ./...
+	go test -count 1 -v ./...
 	bundle install
 	AWS_CONFIG_FILE=.aws/config AWS_PROFILE=arn:aws:iam::686784119290:role/circleci-role AWS_DEFAULT_PROFILE=circleci bundle exec rspec
 

README.md

@@ -41,6 +41,7 @@ Pre-compiled binaries for various platforms can be downloaded [here](https://git
       -u, --update             Check for updates to aws-runas
       -D, --diagnose           Run diagnostics to gather info to troubleshoot issues
           --ec2                Run as mock EC2 metadata service to provide role credentials
+      -E, --env                Pass credentials to program as environment variables
       -V, --version            Show application version.
 
     Args:

docs/ec2-metadata.md

@@ -56,9 +56,10 @@ http access log format.
 
 ## Program Access
 When executing programs which will get their credentials via this local metadata service, it may be necessary to set the
-`AWS_SHARED_CREDENTIALS_FILE` environment variable to an invalid value so the SDK does not attempt to use the credentials
-in that file to make the AWS service calls. This is due to the default AWS credential lookup chain checking the credentials
-file before attempting to get the credentials via the metadata service.
+`AWS_SHARED_CREDENTIALS_FILE` environment variable (`AWS_CREDENTIAL_PROFILES_FILE` if you're using the Java SDK) to an
+invalid value so the SDK does not attempt to use the credentials in that file to make the AWS service calls. This is due
+to the default AWS credential lookup chain checking the credentials file before attempting to get the credentials via the
+metadata service.
 
 For example, running:
 ```text

docs/execution.md

@@ -7,7 +7,6 @@ How to use aws-runas to perform various functions
 
 #### Program Options
 ```text
-$ aws-runas --help
 usage: aws-runas [<flags>] [<profile>] [<cmd>...]
 
 Create an environment for interacting with the AWS API using an assumed role
@@ -29,6 +28,7 @@ Flags:
   -u, --update             Check for updates to aws-runas
   -D, --diagnose           Run diagnostics to gather info to troubleshoot issues
       --ec2                Run as mock EC2 metadata service to provide role credentials
+  -E, --env                Pass credentials to program as environment variables
   -V, --version            Show application version.
 
 Args:
@@ -99,6 +99,15 @@ If necessary, the ARN for an MFA token can be provided via the `-M` command line
 $ aws-runas [-M mfa serial] arn:aws:iam::1234567890:role/my-role terraform plan
 ```
 
+#### Executing local docker containers using role credentials
+Special consideration must be given when executing docker containers which need to access AWS services using role credentials,
+and the container process does not handle the role assumption (it expects the role credentials to be provided to it).  Use
+the `-E` command line option to instruct aws-runas to pass the credentials as environment variable to docker, like this:
+
+```text
+$ aws-runas -E my-profile docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_REGION ...
+```
+
 #### Injecting assume role credentials in the environment
 Running the program with only a profile name will output an eval()-able set of environment variables for the assumed role
 credentials which can be added to the current session.
@@ -142,6 +151,15 @@ credentials to minimize the possibility of the workflow getting disrupted by exp
 $ aws-runas -s admin-profile terraform plan
 ```
 
+#### Executing local docker containers using session token credentials
+Special consideration must be given when executing docker containers which need to access AWS services using session token
+credentials, typically for cases where the container app manages their own assume role activities.  Use the `-E` command
+line option, along with the `-s` option  to instruct aws-runas to pass the credentials as environment variable to docker, like this:
+
+```text
+$ aws-runas -Es my-profile docker run -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_REGION ...
+```
+
 #### Injecting session token credentials in the environment
 Much like injecting role credentials into your session's environment, aws-runas supports injecting Session Token
 credentials in to your environment. It's simply a matter of executing aws-runas using the `-s` flag without specifying

go.mod

@@ -4,7 +4,7 @@ require (
 	github.com/alecthomas/kingpin v2.2.6+incompatible
 	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
 	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
-	github.com/aws/aws-sdk-go v1.18.6
+	github.com/aws/aws-sdk-go v1.20.21
 	github.com/dustin/go-humanize v1.0.0
 	github.com/go-ini/ini v1.41.0
 	github.com/mmmorris1975/aws-config v0.2.5

go.sum

@@ -5,16 +5,12 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aws/aws-sdk-go v1.16.31/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.17.4 h1:L2KFocQhg48kIzEAV98SnSz3nmIZ3UDFP+vU647KO3c=
-github.com/aws/aws-sdk-go v1.17.4/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.18.6 h1:NuUz/+bi6C5v3BpIXW/VfovfMpvlhl1WUnD0EiDkOwQ=
-github.com/aws/aws-sdk-go v1.18.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.20.21 h1:22vHWL9rur+SRTYPHAXlxJMFIA9OSYsYDIAHFDhQ7Z0=
+github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/go-ini/ini v1.41.0 h1:526aoxDtxRHFQKMZfcX2OG9oOI8TJ5yPLM0Mkno/uTY=
 github.com/go-ini/ini v1.41.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q=
-github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/mmmorris1975/aws-config v0.2.5 h1:KTu/+lSQjepyPNRmf8l/jKzA04obUvAVuiWNPhVScmk=

lib/credentials/assume_role_provider.go

@@ -8,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/mmmorris1975/aws-runas/lib/cache"
+	"os"
 	"time"
 )
 
@@ -168,12 +169,10 @@ func (p *AssumeRoleProvider) debug(f string, v ...interface{}) {
 	}
 }
 
-// StdinTokenProvider will print a prompt to Stdout for a user to enter the MFA code
-// fixme as of the 1.19.0 release of the aws go sdk, the prompt is printed on stderr instead of stdout
-// REF: https://github.com/aws/aws-sdk-go/pull/2481
+// StdinTokenProvider will print a prompt to Stderr for a user to enter the MFA code
 func StdinTokenProvider() (string, error) {
 	var mfaCode string
-	fmt.Print("Enter MFA Code: ")
+	fmt.Fprint(os.Stderr, "Enter MFA Code: ")
 	_, err := fmt.Scanln(&mfaCode)
 	return mfaCode, err
 }

lib/credentials/assume_role_provider_test.go

@@ -246,12 +246,6 @@ func TestAssumeRoleProvider_WithLogger(t *testing.T) {
 	}
 }
 
-func Example_stdinTokenProvider() {
-	StdinTokenProvider()
-	// Output:
-	// Enter MFA Code:
-}
-
 func Example_roleDebugNilCfg() {
 	p := new(AssumeRoleProvider)
 	p.debug("test")

lib/metadata/ecs_metadata_service.go

@@ -0,0 +1,118 @@
+package metadata
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	simple_logger "github.com/mmmorris1975/simple-logger"
+	"net"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+const (
+	// EcsCredentialsPath is the URL path used to retrieve the credentials
+	EcsCredentialsPath = "/credentials"
+)
+
+// EcsMetadataInput contains the options available for customizing the behavior of the ECS Metadata Service
+type EcsMetadataInput struct {
+	// Credentials is the AWS credentials.Credentials object used to fetch the credentials.  This allows us to have
+	// the service return role credentials, or session credentials (in case the caller's code does its own role management)
+	Credentials *credentials.Credentials
+	// Logger is the logging object to configure for the service.  If not provided, a standard logger is configured.
+	Logger *simple_logger.Logger
+}
+
+// EcsMetadataService is the object encapsulating the details of the service
+type EcsMetadataService struct {
+	// Url is the fully-formed URL to use for retrieving credentials from the service
+	Url  *url.URL
+	lsnr net.Listener
+}
+
+// NewEcsMetadataService creates a new EcsMetadataService object using the provided EcsMetadataInput options.
+func NewEcsMetadataService(opts *EcsMetadataInput) (*EcsMetadataService, error) {
+	cred = opts.Credentials
+	log = opts.Logger
+	if log == nil {
+		log = simple_logger.StdLogger
+	}
+
+	s := new(EcsMetadataService)
+
+	// The SDK seems to only support listening on "localhost" and 127.0.0.1, not the ::1 IPv6 loopback, try not to be clever
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		return nil, err
+	}
+	s.lsnr = l
+
+	u, err := url.Parse(fmt.Sprintf("http://%s%s", l.Addr(), EcsCredentialsPath))
+	if err != nil {
+		return nil, err
+	}
+	s.Url = u
+
+	return s, nil
+}
+
+// Run starts the HTTP server used to fetch credentials.  The HTTP server will listen on the loopback address on a
+// randomly chosen port.
+func (s *EcsMetadataService) Run() {
+	http.HandleFunc(EcsCredentialsPath, ecsHandler)
+	if err := http.Serve(s.lsnr, nil); err != nil {
+		log.Error(err)
+	}
+}
+
+func ecsHandler(w http.ResponseWriter, r *http.Request) {
+	var rc = http.StatusOK
+
+	v, err := cred.Get()
+	if err != nil {
+		rc = http.StatusInternalServerError
+		j, err := json.Marshal(&ecsCredentialError{Code: string(rc), Message: err.Error()})
+		if err != nil {
+			log.Warnf("error converting error message to json: %v", err)
+		}
+
+		w.WriteHeader(rc)
+		w.Write(j)
+		return
+	}
+
+	e, err := cred.ExpiresAt()
+	if err != nil {
+		e = time.Now()
+	}
+
+	c := ecsCredentials{
+		AccessKeyId:     v.AccessKeyID,
+		SecretAccessKey: v.SecretAccessKey,
+		Token:           v.SessionToken,
+		Expiration:      e.UTC().Format(time.RFC3339),
+	}
+	log.Debugf("ECS endpoint credentials: %+v", c)
+
+	j, err := json.Marshal(&c)
+	if err != nil {
+		log.Warnf("error converting credentials to json: %v", err)
+	}
+
+	w.WriteHeader(rc)
+	w.Write(j)
+}
+
+type ecsCredentialError struct {
+	Code    string `json:"code"`
+	Message string `json:"message"`
+}
+
+type ecsCredentials struct {
+	AccessKeyId     string
+	SecretAccessKey string
+	Token           string
+	Expiration      string
+}