Merge pull request #4 from cashapp/lnattrass/switch-kong-id-features

Switch to Kong, Additional ID features and logging. Tidy go mod.
cashapp · Dec 8, 2021 · c4617aa · c4617aa
2 parents 313f52f + 211599f
commit c4617aa
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 67 deletions.
diff --git a/README.md b/README.md
@@ -28,16 +28,21 @@ $
 
 <pre>
 
-Usage: awsu [options] &lt;role-arn&gt; -- &lt;command&gt; [arguments]
-
-Options: 
-  -d int
-        Duration of the session (default 3600)
-  -e string
-        ExternalID to authenticate the request
-  -s string
-        Session name of the role to assume (default "awsu")
-  -v    Verbose error logging
+Usage: awsu <role-arn> <command> ...
+
+Arguments:
+  <role-arn>
+  <command> ...
+
+Flags:
+  -h, --help                                   Show context-sensitive help.
+  -s, --session-name="awsu"                    Session name of the role to assume
+  -e, --external-id=STRING                     ExternalID to authenticate the request
+  -d, --duration=3600                          Duration of the session
+  -v, --verbose                                Verbose error logging
+  -t, --session-tags=KEY=VALUE;...             Session tags to apply to the role-assumption (eg: -t tag1=batman)
+  -x, --transitive-tags=TRANSITIVE-TAGS,...    Keys for session tags which are transitive (eg: -x tag1)
+  -i, --source-identity=STRING                 Source identity to set for this session
 </pre>
 
 

diff --git a/assumeRole.go b/assumeRole.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"log"
 	"os"
 	"path/filepath"
 	"strings"
@@ -14,21 +15,37 @@ import (
 
 // renewCredentials gets a new set of credentials from AWS
 // rendering it into the credentials tempfile
-func renewCredentials() error {
+func (c *CLI) renewCredentials() error {
 	sess, err := session.NewSession(&aws.Config{})
 	if err != nil {
 		return fmt.Errorf("failed to retrieve a session: %v", err)
 	}
 
 	svc := sts.New(sess)
 	req := &sts.AssumeRoleInput{
-		RoleArn:         &roleArn,
-		RoleSessionName: sessionName,
-		DurationSeconds: duration,
+		RoleArn:         aws.String(c.RoleArn),
+		RoleSessionName: aws.String(c.SessionName),
+		DurationSeconds: aws.Int64(c.Duration),
 	}
 
-	if *externalID != "" {
-		req.ExternalId = externalID
+	for key := range c.SessionTags {
+		log.Printf("Tagging Session: %q=%q", key, c.SessionTags[key])
+		req.Tags = append(req.Tags, &sts.Tag{
+			Key:   aws.String(key),
+			Value: aws.String(c.SessionTags[key]),
+		})
+	}
+
+	if len(c.TransitiveTags) > 0 {
+		req.TransitiveTagKeys = aws.StringSlice(c.TransitiveTags)
+	}
+
+	if c.ExternalID != "" {
+		req.ExternalId = &c.ExternalID
+	}
+
+	if c.SourceIdentity != "" {
+		req.SourceIdentity = &c.SourceIdentity
 	}
 
 	assumedRole, err := svc.AssumeRole(req)

diff --git a/go.mod b/go.mod
@@ -3,8 +3,8 @@ module github.com/cashapp/awsu
 go 1.15
 
 require (
-	github.com/aws/aws-sdk-go v1.38.46
+	github.com/alecthomas/kong v0.2.20
+	github.com/aws/aws-sdk-go v1.42.20
 	github.com/kr/pretty v0.1.0 // indirect
-	golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,7 +1,10 @@
-github.com/aws/aws-sdk-go v1.38.46 h1:voiwaKmwU1K6Y0dfjqTSiy5xOG4LPyr5sHD92cj+g2c=
-github.com/aws/aws-sdk-go v1.38.46/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/alecthomas/kong v0.2.20 h1:j8icvBJGdkkvv4lZ8rWN9MF5Z9DWBEmQrjZ69Z8XFwM=
+github.com/alecthomas/kong v0.2.20/go.mod h1:ka3VZ8GZNPXv9Ov+j4YNLkI8mTuhXyr/0ktSlqIydQQ=
+github.com/aws/aws-sdk-go v1.42.20 h1:nQkkmTWK5N2Ao1iVzoOx1HTIxwbSWErxyZ1eiwLJWc4=
+github.com/aws/aws-sdk-go v1.42.20/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -11,24 +14,18 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 h1:a8jGStKg0XqKDlKqjLrXn0ioF5MH36pT7Z0BRTqLhbk=
-golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -37,3 +34,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/main.go b/main.go
@@ -1,58 +1,48 @@
 package main
 
 import (
-	"flag"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/alecthomas/kong"
 )
 
 var tempDir string
 var credentialsRenew time.Time
 
-// CLI Flags
-var (
-	sessionName = flag.String("s", "awsu", "Session name of the role to assume")
-	externalID  = flag.String("e", "", "ExternalID to authenticate the request")
-	duration    = flag.Int64("d", 3600, "Duration of the session")
-	verbose     = flag.Bool("v", false, "Verbose error logging")
-	roleArn     string
-	command     string
-)
-
-func usage() {
-	fmt.Fprintf(os.Stderr, "Usage: %s [options] <role-arn> -- <command> [arguments]\n\nOptions: \n", path.Base(os.Args[0]))
-	flag.PrintDefaults()
-	fmt.Println()
+type CLI struct {
+	SessionName    string            `name:"session-name" short:"s" help:"Session name of the role to assume" default:"awsu"`
+	ExternalID     string            `name:"external-id" short:"e" help:"ExternalID to authenticate the request"`
+	Duration       int64             `name:"duration" short:"d" help:"Duration of the session" default:"3600"`
+	Verbose        bool              `name:"verbose" short:"v" help:"Verbose error logging"`
+	SessionTags    map[string]string `name:"session-tags" short:"t" help:"Session tags to apply to the role-assumption (eg: -t tag1=batman)"`
+	TransitiveTags []string          `name:"transitive-tags" short:"x" help:"Keys for session tags which are transitive (eg: -x tag1)"`
+	SourceIdentity string            `name:"source-identity" short:"i" help:"Source identity to set for this session"`
+	RoleArn        string            `arg:""`
+	Command        []string          `arg:"" passthrough:""`
 }
 
 func main() {
-	flag.Usage = usage
-	flag.Parse()
-
-	args := flag.Args()
-	if len(args) < 2 {
-		usage()
-		os.Exit(1)
-	}
-	roleArn = args[0]
-	command = args[1]
-	args = args[2:]
+	ctx := kong.Parse(&CLI{})
+	err := ctx.Run()
+	ctx.FatalIfErrorf(err)
+}
 
+func (c *CLI) Run(ctx *kong.Context) error {
 	var err error
 	tempDir, err = ioutil.TempDir("", "awsu")
 	if err != nil {
 		log.Fatalf("Failed to create a tempdir: %v", err)
 	}
 	defer os.RemoveAll(tempDir)
 
-	err = renewCredentials()
+	err = c.renewCredentials()
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -61,24 +51,24 @@ func main() {
 		for {
 			time.Sleep(time.Until(credentialsRenew))
 
-			if *verbose {
+			if c.Verbose {
 				log.Print("awsu: Renewing credentials")
 			}
 
-			if err := renewCredentials(); err != nil {
+			if err := c.renewCredentials(); err != nil {
 				// We don't exit here - let the sub-command die it's own way
-				log.Print("awsu: Failed to renew credentials")
+				log.Printf("awsu: Failed to renew credentials: %v", err)
 				// Renew in a minute
 				credentialsRenew = time.Now().Add(time.Minute)
 			}
 
-			if *verbose {
+			if c.Verbose {
 				log.Printf("awsu: Credentials renewed, next renewal in  %s", humanDur(time.Until(credentialsRenew)))
 			}
 		}
 	}()
 
-	cmd := exec.Command(command, args...)
+	cmd := exec.Command(c.Command[0], c.Command[1:]...)
 	cmd.Env = []string{fmt.Sprintf("AWS_SHARED_CREDENTIALS_FILE=%s", filepath.Join(tempDir, "credentials"))}
 
 	// We strip any AWS_ vars (except region vars), to ensure we have precedence over credentials
@@ -94,14 +84,15 @@ func main() {
 	cmd.Stdout = os.Stdout
 	cmd.Stdin = os.Stdin
 
-	log.Printf("Running %s with assumedRole %s, renewal in %s", command, roleArn, humanDur(time.Until(credentialsRenew)))
+	log.Printf("Running %s with assumedRole %s, renewal in %s", c.Command, c.RoleArn, humanDur(time.Until(credentialsRenew)))
 	err = cmd.Run()
 	if err != nil {
 		if exitErr, ok := err.(*exec.ExitError); ok {
 			os.Exit(exitErr.ExitCode())
 		}
-		log.Fatalf("An error occurred waiting for cmd: %v", err)
+		return fmt.Errorf("an error occurred waiting for cmd; %w", err)
 	}
+	return nil
 }
 
 func humanDur(d time.Duration) string {