Merge branch 'chrome-integ'

README.md

@@ -7,8 +7,9 @@ This is a bash and zsh shell tool for maintaining AWS credentials in one or more
 Requirements:
 * Clone the repo or download only the `session-tool.sh` file.
 * python and pip installed
-* Install the [AWS Command Line tools](https://aws.amazon.com/cli/). AWS official [installation documentation](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
+* Install the [AWS Command Line tools](https://aws.amazon.com/cli/). AWS official [installation documentation](https://docs.aws.amazon.com/cli/latest/userguide/installing.html). Both AWS CLI version 1 and version 2 are supported. For new installs, version 2 is recommended.
 * Know the bucket name where your organizations roles are defined
+* Session tool is a bash tool, but on Mac OSX zsh is also supported.
 
 Log in to your AWS account and download a set of API keys. Save the csv file to your computer.
 
@@ -44,50 +45,58 @@ for managing your AWS session credentials. This is useful for `terraform` and
 
 ## get_session
 
-`get_session [-h] [-s] [-r] [-l] [-c] [-d] [-u] [-p profile] [-i file -b bucket] [MFA token]`
-
- * `MFA token`    Your one time token. If not provided, and you provided
-                  the -s option, the current credentials are stored.
- * `-p profile`   The aws credentials profile to use as an auth base.
-                  The provided profile name will be cached, and be the
-                  new default for subsequent calls to get_session.
-                  Default: awsops
- * `-s`           Save the resulting session to persistent storage
-                  for retrieval by other shells. You will be prompted
-                  twice for a passphrase to protect the stored credentials.
- * `-r`           Restore previously saved state. You will be prompted for
-                  the passphrase you stated when storing the session.
- * `-l`           List currently stored sessions including a best guess on
-                  when the session expires based on file modification time.
- * `-c`           Resets session.
- * `-d`           Download a list of organization-wide roles to a profile-
-                  specific file ~/.aws/[profile]_session-tool_roles.cfg
-	                These entries can be overwritten in ~/.aws/[profile]_roles.cfg
-                  Fetching is done before getting the session token, using only
-                  the permissions granted by the profile.
-                  Upstream location and name of the roles list are configurable.
-		  Cannot be combined with other options.
-* `-u`            Uploads ~/.aws/[profile]_session-tool_roles.cfg to the
-	                configured location. Requires more priviledges than download,
-	                so is usually done after assume-role.
-			Cannot be combined with other options.
-* `-i file`	  Import csv file containing api key into your aws profile.
-      		  This will create or replace your api key in the awsops profile.
-* `-b bucket`	  Set bucket name during key import for roles file.
-* `-h`            Print this usage.
-
-This command will on a successful authentication return
-session credentials for the AWS account holding the profile's credentials.
-The credentials are returned in the form of environment variables suitable for
-the `aws` cli and `terraform`. The returned session has a duration of 12 hours.
+`get_session [-h] [-s] [-r] [-l] [-c] [-d|-u] [-v] [-i <file> -b <bucket>|-e] [-p <profile>] [<MFA token>]`
+
+
+* `<MFA token>`  Your one time token. If not provided, and you provided
+                 the -s option, the current credentials are stored.
+* `-p <profile>` The aws credentials profile to use as an auth base.
+                 The provided profile name will be cached, and be the
+                 new default for subsequent calls to get_session.
+                 Current cached profile: master
+                 To avoid having to enter a profile every time, you can
+                 use 'aws configure set default.session_tool_default_profile <PROFILE>'
+* `-s`           Save the resulting session to persistent storage
+                 for retrieval by other shells. You will be prompted
+                 twice for a passphrase to protect the stored credentials.
+                 Note that storing with an empty passphrase does not work.
+* `-r`           Restore previously saved state. You will be promptet for
+                 the passphrase you stated when storing the session.
+* `-l`           List currently stored sessions including a best guess on
+                 when the session expires based on file modification time.
+* `-c`           Resets session, removing all environment variables.
+* `-d`           Download a list of organization-wide roles to a profile-
+                 specific file ~/.aws/[profile]_session-tool_roles.cfg
+                 These entries can be overwritten in ~/.aws/[profile]_roles.cfg
+                 Fetching is done before getting the session token, using only
+                 the permissions granted by the profile.
+                 Upstream location and name of the roles list are configurable.
+                 Cannot be combined with other options.
+* `-u`           Uploads ~/.aws/[profile]_session-tool_roles.cfg to the
+                 configured location. Requires more priviledges than download,
+                 so is usually done after assume-role. Cannot be combined with
+                 other options.
+* `-v`           Verifies that the current session (not profile) is valid
+                 and not expired.
+* `-i <file>`    Import csv file containing api key into your aws profile.
+                 This will create or replace your api key in the awsops profile.
+                 Also used to import from the output generated by the below export.
+* `-e`           Export. Output a command line suitable for import on another host.
+* `-b <bucket>`  Set bucket name during import for roles file.
+* `-h`           Print this usage.
+
+This command will on a successful authentication return session credentials
+for the Basefarm main account. The credentials are returned in the form of
+environment variables suitable for the aws and terraform cli. The returned
+session has a duration of 12 hours.
 
 At least one of -s, -r or MFA token needs to be provided.
 
-Session state is stored in: `~/.aws/[profile].aes` encrypted with a passphrase.
+Session state is stored in `~/.aws/<profile>.aes`, encrypted with a passphrase.
 
 ## assume_role
 
-`assume_role [-h] [-l] [role alias]`
+`assume_role [-h] [-l] <role alias>`
 
 * `-h`          Print this usage.
 * `-l`          List available role aliases.
@@ -98,25 +107,67 @@ This command will use session credentials stored in the shell
 from previous calls to get_session The session credentials are
 then used to assume the given role.
 
+The session credentials for the assumed role will replace the
+current session in the shell environment. The only way to retrieve
+the current session after an assume_role is to have stored your
+session using get_session with the -s option and then to
+import them again using get_session -r command.
+
 The assumed role credentials will only be valid for one hour,
 this is a limitation in the underlaying AWS assume_role function.
 
 The selected role alias will be cached in the AWS_ROLE_ALIAS environment
 variable, so you do not have to provide it on subsequent calls to assume_role.
 
+Roles are configured in locally in ~/.aws/awsops_roles.cfg, and
+organization-wide in ~/.aws/awsops_session-tool_roles.cfg. The format of that file
+is as follows. Comment lines begin with #. No other type of comments
+are allowed. One line per role and each line is space separated.
+The role alias is a name you choose as a shortname for the role.
+external_id is optional.
+
+Alias role_arn session_name external_id
+
+Example:
+```
+# Roles for assume_role
+# Alias role_arn session_name external_id
+bf-awsopslab-admin arn:aws:iam::1234567890:role/admin bf-awsopslab-admin BF-AWSOpsLab
+foo-test arn:aws:iam::0987654321:role/admin bf-awsopslab-admin
+```
+
 ## get_console_url
 
-`get_console_url [-h] [-l] [role alias]`
+`get_console_url [-h] [-l] [-o|-d] [-u <url>] <role alias>`
 
 * `-h`          Print this usage.
 * `-l`          List available role aliases.
-* `role alias`  The alias of the role to assume. The alias name will be cached,
-                so subsequent calls to get_console_url will use the cached value.
+* `-o`          Open URL in browser using a role specific profile.
+* `-d`          Open URL in browser using the Default profile.
+* `-u <url>`    Open the specific URL and not the default AWS dashboard.
+* `role alias`  The alias of the role that will temporarily be assumed.
+                The alias name will be cached, so subsequent calls to
+                assume_role or get_console_url will use the cached value.
+                Current cached default: <no cached value>
+
+This command will use session credentials stored in the shell from a previous
+call to get_session The session credentials are then used to temporily assume
+the given role for the purpose of obtaining the console URL.
+
+After this, the session credentials from a previous call to get_session or
+assume_role will be restored. The console URL will only be valid for one hour,
+this is a limitation in the underlaying AWS assume_role function.
 
-This command will use session credentials stored in the shell
-from previous calls to get_session. The session credentials are
-then used to assume the given role and finally to create
-a pre-signed URL for console access.
+The -o and -d options are currently only supported on Mac OS and Linux and
+only using the Chrome browser. You can select which browser binary to use
+by setting the session-tool_chrome configuration parameter in your ~/.aws/config file:
+```
+  aws configure set session-tool_chrome "/Applications/Google Chrome.app" --profile awsops
+  aws configure set session-tool_chrome "/snap/bin/chromium" --profile awsops
+```
+
+See also: get_session, assume_role. The help for assume_role has more
+information about roles definitions and files.
 
 ## rotate_credentials
 

session-tool.sh

@@ -1,4 +1,4 @@
-SESSION_TOOL_VERSION=1.5.9
+SESSION_TOOL_VERSION=1.6.0
 PUBURL="https://raw.githubusercontent.com/basefarm/aws-session-tool/master/session-tool.sh"
 # Bash utility to manage AWS sessions, please see usage per command or
 # https://github.com/basefarm/aws-session-tool
@@ -697,11 +697,18 @@ get_console_url () {
 	local OPTIND
 
 	# extract options and their arguments into variables. Help and List are dealt with directly
-	while getopts ":hl" opt ; do
+	local CONSOLE=$(_rawurlencode "https://console.aws.amazon.com/")
+	local OPEN_BROWSER=0
+	local OPEN_BROWSER_DEFAULT_PROFILE=0
+	while getopts ":hlodu:" opt ; do
 		case "$opt" in
-			h		) _get_console_url_usage ; return 0 ;;
-			l		) _list_roles ; return 0 ;;
-			\?	) echo "Invalid option: -$OPTARG" >&2 ;;
+			h   ) _get_console_url_usage ; return 0 ;;
+			l   ) _list_roles ; return 0 ;;
+			o   ) OPEN_BROWSER=1 ;;
+			d   ) OPEN_BROWSER_DEFAULT_PROFILE=1 ;;
+			u   ) CONSOLE=$(_rawurlencode "$OPTARG");;
+			\?  ) echo "Invalid option: -$OPTARG" >&2
+			      return 1 ;;
 			:		) echo "Option -$OPTARG requires an argument." >&2 ; return 1 ;;
 		esac
 	done
@@ -713,8 +720,30 @@ get_console_url () {
 		local ENCODED_SESSION=$(_rawurlencode ${SESSION})
 		local URL="https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${ENCODED_SESSION}"
 		local SIGNIN_TOKEN=$(curl --silent ${URL} | $_PYTHON -mjson.tool | grep SigninToken | awk -F\" '{print $4}')
-		local CONSOLE=$(_rawurlencode "https://console.aws.amazon.com/")
-		echo "https://signin.aws.amazon.com/federation?Action=login&Issuer=&Destination=${CONSOLE}&SigninToken=${SIGNIN_TOKEN}"
+                local CONSOLE_URI="https://signin.aws.amazon.com/federation?Action=login&Issuer=&Destination=${CONSOLE}&SigninToken=${SIGNIN_TOKEN}"
+		if [ "$OPEN_BROWSER" = "1" -o "$OPEN_BROWSER_DEFAULT_PROFILE" = "1" ]; then
+		    local CHROME="$(aws configure get session-tool_chrome --profile ${AWS_PROFILE} 2>/dev/null)"
+		    local PROFILE_OPT="--profile-directory=${AWS_ROLE_ALIAS}"
+		    if [ "$OPEN_BROWSER_DEFAULT_PROFILE" = "1" ]; then
+			PROFILE_OPT="--profile-directory=Default"
+		    fi
+		    case $OSTYPE in
+                        darwin* )
+			    if [ "$CHROME" = "" ]; then
+				CHROME="/Applications/Google Chrome.app"
+			    fi
+			    open -n -a "$CHROME" --args --no-first-run --no-default-browser-check $PROFILE_OPT "${CONSOLE_URI}" ;;
+                        linux* )
+			    if [ "$CHROME" = "" ]; then
+				CHROME="/usr/bin/google-chrome"
+			    fi
+			    "$CHROME"  --no-first-run --no-default-browser-check $PROFILE_OPT "${CONSOLE_URI}" 2>&1 | head -3 & ;;
+                        cygwin* ) echo "The -o option is not supported on CygWin";;
+                        *) [[ $- =~ i ]] && echo >&2 "ERROR: Unknown ostype: $OSTYPE, supported types are darwin, linux and cygwin" ;;
+                    esac
+		else
+		    echo "$CONSOLE_URI"
+		fi
 		_popp TEMP_AWS_PARAMETERS
 	else
 		return 1
@@ -723,6 +752,7 @@ get_console_url () {
 
     return 0
 }
+
 _check_exists_rolefiles () {
 	local PROFILE="${AWS_PROFILE:-$(aws configure get default.session_tool_default_profile)}"
 	if [ ! -e ~/.aws/${PROFILE}_session-tool_roles.cfg ]; then
@@ -832,11 +862,11 @@ aws-assume-role () {
 # Help descriptions
 #
 _get_session_usage() {
-	echo "Usage: get_session [-h] [-s] [-r] [-l] [-c] [-d] [-i|-e] [-p profile] [MFA token]"
+	echo "Usage: get_session [-h] [-s] [-r] [-l] [-c] [-d|-u] [-v] [-i <file> -b <bucket>|-e] [-p <profile>] [<MFA token>]"
 	echo ""
-	echo "    MFA token    Your one time token. If not provided, and you provided"
+	echo "    <MFA token>  Your one time token. If not provided, and you provided"
 	echo "                 the -s option, the current credentials are stored."
-	echo "    -p profile   The aws credentials profile to use as an auth base."
+	echo "    -p <profile> The aws credentials profile to use as an auth base."
 	echo "                 The provided profile name will be cached, and be the"
 	echo "                 new default for subsequent calls to get_session."
 	echo "                 Current cached profile: $PROFILE"
@@ -864,11 +894,11 @@ _get_session_usage() {
 	echo "                 other options."
 	echo "    -v           Verifies that the current session (not profile) is valid"
 	echo "                 and not expired."
-	echo "    -i file      Import csv file containing api key into your aws profile."
+	echo "    -i <file>    Import csv file containing api key into your aws profile."
 	echo "                 This will create or replace your api key in the awsops profile."
 	echo "                 Also used to import from the output generated by the below export."
 	echo "    -e           Export. Output a command line suitable for import on another host."
-	echo "    -b bucket    Set bucket name during import for roles file."
+	echo "    -b <bucket>  Set bucket name during import for roles file."
 	echo "    -h           Print this usage."
 	echo ""
 	echo "This command will on a successful authentication return session credentials"
@@ -878,7 +908,7 @@ _get_session_usage() {
 	echo ""
 	echo "At least one of -s, -r or MFA token needs to be provided."
 	echo ""
-	echo "Session state is stored in: ~/.aws/${PROFILE}.aes"
+	echo "Session state is stored in ~/.aws/${PROFILE}.aes, encrypted with a passphrase."
 	echo ""
 	echo "See also: get_console_url, assume_role, rotate_credentials."
 	echo "Version: $SESSION_TOOL_VERSION"
@@ -908,6 +938,9 @@ _assume_role_usage () {
 	echo "The assumed role credentials will only be valid for one hour,"
 	echo "this is a limitation in the underlaying AWS assume_role function."
 	echo ""
+	echo "The selected role alias will be cached in the AWS_ROLE_ALIAS environment"
+	echo "variable, so you do not have to provide it on subsequent calls to assume_role."
+	echo ""
 	echo "Roles are configured in locally in ~/.aws/${AWS_PROFILE}_roles.cfg, and"
 	echo "organization-wide in ~/.aws/${AWS_PROFILE}_session-tool_roles.cfg. The format of that file"
 	echo "is as follows. Comment lines begin with #. No other type of comments"
@@ -929,25 +962,32 @@ _assume_role_usage () {
 
 _get_console_url_usage () {
 	local ROLE_ALIAS_DEFAULT=${STORED_AWS_PARAMETER_AWS_ROLE_ALIAS:-'<no cached value>'}
-	echo "Usage: get_console_url [-h] [-l] <role alias>"
+	echo "Usage: get_console_url [-h] [-l] [-o|-d] [-u <url>] <role alias>"
 	echo ""
 	echo "    -h          Print this usage."
 	echo "    -l          List available role aliases."
+	echo "    -o          Open URL in browser using a role specific profile."
+	echo "    -d          Open URL in browser using the Default profile."
+	echo "    -u <url>    Open the specific URL and not the default AWS dashboard."
 	echo "    role alias  The alias of the role that will temporarily be assumed."
 	echo "                The alias name will be cached, so subsequent calls to"
 	echo "                assume_role or get_console_url will use the cached value."
 	echo "                Current cached default: $ROLE_ALIAS_DEFAULT"
 	echo ""
-	echo "This command will use session credentials stored in the shell"
-	echo "from previous calls to get_session The session credentials are"
-	echo "then used to temporily assume the given role for the purpose of"
-	echo "obtaining the console URL."
+	echo "This command will use session credentials stored in the shell from a previous"
+	echo "call to get_session The session credentials are then used to temporily assume"
+	echo "the given role for the purpose of obtaining the console URL."
 	echo ""
-	echo "After this, the session credentials from previous calls to get_session"
-	echo "or assume_role will be restored."
-	echo "The console URL will only be valid for one hour,"
+	echo "After this, the session credentials from a previous call to get_session or"
+	echo "assume_role will be restored. The console URL will only be valid for one hour,"
 	echo "this is a limitation in the underlaying AWS assume_role function."
 	echo ""
+	echo "The -o and -d options are currently only supported on Mac OS and Linux and"
+	echo "only using the Chrome browser. You can select which browser binary to use"
+	echo "by setting the session-tool_chrome configuration parameter in your ~/.aws/config file:"
+	echo "  $ aws configure set session-tool_chrome \"/Applications/Google Chrome.app\" --profile awsops"
+	echo "  $ aws configure set session-tool_chrome \"/snap/bin/chromium\" --profile awsops"
+	echo ""
 	echo "See also: get_session, assume_role. The help for assume_role has more"
 	echo "information about roles definitions and files."
     return 0