Merge branch 'release/1.0.0'

Author: otm

README.md

@@ -1,7 +1,7 @@
 # Limes
 Limes provides an easy work flow with MFA protected access keys, temporary credentials and access to multiple roles/accounts.
 
-Limes is a Local Instance MEtadata Service and emulates parts of the [AWS Instance Metadata Service](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) running on Amazon Linux. The AWS SDK and AWS CLI can therefor utilize this service to authenticate.
+Limes is the Local Instance MEtadata Service and emulates parts of the [AWS Instance Metadata Service](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) running on Amazon Linux. The AWS SDK and AWS CLI can therefor utilize this service to authenticate.
 
 ## Warning
 The AWS SDK refreshes credentials automatically when using limes. So **all** services will change profile if the profile is changed in limes.
@@ -30,6 +30,31 @@ sudo ip link set dev lo:metadata up
 sudo /sbin/ifconfig lo0 alias 169.254.169.254
 ```
 
+## Bash Completion
+
+##### Linux:
+```
+wget -O /etc/bash_completion.d/limes https://raw.githubusercontent.com/otm/limes/master/assets/limes
+```
+
+##### Mac
+```
+wget -O $(brew --prefix)/etc/bash_completion.d/limes https://raw.githubusercontent.com/otm/limes/master/assets/limes
+```
+
+##### Fixing Completion for AWS CLI
+There is currently a bug in the completer for the AWS CLI that makes it misbehave when used with `_command_offset`. This can be solved by adding a secondary completion entry for the AWS CLI. To make this persistent add it to your bash configuration.  
+
+**Linux**
+```
+complete -C '/usr/local/bin/aws_completer' limes run aws
+```
+
+**Mac (Brew)**
+```
+complete -C "$(brew --prefix)/bin/aws_completer" limes run aws
+```
+
 ## Configuring IAM (Identity and Access Management)
 To be done
 
@@ -50,26 +75,33 @@ Running `limes` in your terminal prints usage information.
 The service is started with `limes start`.
 
 #### Assuming Profiles
-A profile is assumed with `limes profile <profile-name>`, where profile-name is
-a configured profile. Please note that this does not refer to AWS profiles but
-profiles configured in limes.
+A profile is assumed with `limes assume <profile-name>`, where profile-name is a configured profile. Please note that this does not refer to AWS profiles but profiles configured in limes.
+
+#### Running Applications with Alternate Profile
+If you have assumed a role on limes you might want to run an application once with an alternate profile. This is possible without assuming the profile with the `run` subcommand.
+
+```
+limes --profile <name> run <application> [args...]
+```
+
+**Tip**
+With `limes --profile <name> run bash` it is possible to quickly start a shell with exported environment variables that is valid for an hour.
+
+#### Protected Profiles
+By adding `protected: true` to your profile it will not be possible to assume that role. It will only be possible to utilize the subcommands `run` and `env`.
 
 #### Service Status
-By running `limes status` it is possible to see the current status, and also it can detect common problems and misconfigurations.
+By running `limes status` it is possible to see the current status, and also it can detect common problems and misconfiguration.
 
 ## Known Problems
-If AWS environment variables, `.aws/credentials` or `.aws/config` are present there is a chance that the limes does not work. This can be checked with `limes status`
+If AWS environment variables, `.aws/credentials` or `.aws/config` are present there is a chance that the limes does not work. This can be checked with `limes status`.
 
 ## Security
 The service should be configured on the loop back device, and only accessible from the host it is running on.
 
 **Note:** It is important not to run any service that could forwards request on the host running Limes as this would be a security risk. However, this is no difference from the setup on an Amazon Linux instance in AWS. If an attacker could forward requests to 169.254.169.254/24 your credentials could be compromised. Please note that an attacker could utilize a DNS to resolve to this address, so always be aware where you forward requests to.  
 
 ## Roadmap
-* Add support for running commands
-* Add support for providing MFA with client to enable to start as a service
-* Add support for temporary move/remove AWS configuration files
-* Add support for exporting environment variables
 * Windows support (If I get someone to test it)
 
 ## Build

assets/limes

@@ -1,9 +1,22 @@
 # bash completion for limes(8)                              -*- shell-script -*-
 
+__my_init_completion()
+{
+    COMPREPLY=()
+    _get_comp_words_by_ref cur prev words cword
+}
+
+
+
 _limes()
 {
     local cur prev words cword
-    _init_completion || return
+    if declare -F _init_completions >/dev/null 2>&1; then
+        _init_completion
+    else
+        __my_init_completion
+    fi
+    #_init_completion || return
 
     #cur="${COMP_WORDS[COMP_CWORD]}"
     #prev="${COMP_WORDS[COMP_CWORD-1]}"

cli-client.go

@@ -67,10 +67,21 @@ func StartService(configFile, address, profileName, MFA string, port int, fake b
 			log.Fatalf("Error reading config: %s\n", configErr.Error())
 		}
 
-		configParseErr := yaml.Unmarshal(configContents, &config.profiles)
+		configParseErr := yaml.Unmarshal(configContents, &config)
 		if configParseErr != nil {
 			log.Fatalf("Error in parsing config file: %s\n", configParseErr.Error())
 		}
+
+		if len(config.Profiles) == 0 {
+			log.Info("No profiles found, falling back to old config format.\n")
+			configParseErr := yaml.Unmarshal(configContents, &config.Profiles)
+			if configParseErr != nil {
+				log.Fatalf("Error in parsing config file: %s\n", configParseErr.Error())
+			}
+			if len(config.Profiles) > 0 {
+				log.Warning("WARNING: old depricated config format is used.\n")
+			}
+		}
 	} else {
 		log.Debug("No configuration file given\n")
 	}
@@ -80,6 +91,14 @@ func StartService(configFile, address, profileName, MFA string, port int, fake b
 		os.Remove(address)
 	}()
 
+	if port == 0 {
+		port = config.Port
+	}
+
+	if port == 0 {
+		port = 80
+	}
+
 	// Startup the HTTP server and respond to requests.
 	listener, err := net.ListenTCP("tcp", &net.TCPAddr{
 		IP:   net.ParseIP("169.254.169.254"),

cli-handler.go

@@ -122,7 +122,6 @@ func (h *CliHandler) RetrieveRole(ctx context.Context, in *pb.AssumeRoleRequest)
 		return nil, err
 	}
 
-	// TODO: FOO
 	return &pb.StatusReply{
 		Error:           "",
 		Role:            h.credsManager.Role(),
@@ -137,9 +136,9 @@ func (h *CliHandler) RetrieveRole(ctx context.Context, in *pb.AssumeRoleRequest)
 // Config returns the current configuration
 func (h *CliHandler) Config(ctx context.Context, in *pb.Void) (*pb.ConfigReply, error) {
 	res := &pb.ConfigReply{
-		Profiles: make(map[string]*pb.Profile, len(h.config.profiles)),
+		Profiles: make(map[string]*pb.Profile, len(h.config.Profiles)),
 	}
-	for name, profile := range h.config.profiles {
+	for name, profile := range h.config.Profiles {
 		res.Profiles[name] = &pb.Profile{
 			AwsAccessKeyID:     profile.AwsAccessKeyID,
 			AwsSecretAccessKey: profile.AwsSecretAccessKey,

config.example

@@ -1,45 +1,28 @@
 ---
-# The default profile is the profile that is loaded first, and the only role that
-# should need access keys. The default profile is *required*.
-#
-#
-# The default profile should only be able to assume roles. To assume these roles
-# the session should be authorized with a MFA token. With this set up your keys
-# will not be usable without multi factor authentication.
-default:
-  # aws_access_key_id is required on the default profile
-  aws_access_key_id: xxxxxxxxxxxxxxxxxxxx
-
-  # aws_secret_access_key is required on the default profile
-  aws_secret_access_key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-
-  # role_session_name specifies the name used when assuming roles. Normaly a
-  # sensible value is your username.
-  role_session_name: yourusername
-
-  # region is used when connection to AWS and you can retrieve it from the
-  # metadata service
-  region: eu-west-1
-
-  # mfa_serial if present will prompt the user for an MFA when the service is
-  # started. The MFA is then used for retrieving a session token.
-  mfa_serial: arn:aws:iam::123456789012:mfa/yourusername
-
-# This is an example of an profile that can be assumed with `limes profile admin`
-admin:
-  # role_arn can be retrived from IAM
-  role_arn: arn:aws:iam::123456789012:role/admin
-
-  # source_profile defines the profile to use when assuming this role
-  source_profile: default
-
-  # assumable controls if it is possible to assume the role for the metadata service
-  # otherwise it is only possible to use with 'run' and 'env' subcommand
-  assumable: false
-  region: eu-west-1
-
-# This is an example of an profile that can be assumed with `limes profile readonly`
-readonly:
-  role_arn: arn:aws:iam::123456789012:role/readonly
-  source_profile: default
-  region: eu-west-1
+port: 80
+profiles:
+  # This defines a base profile, as it has AWS keys in it. Normaly a user like
+  # this should only be allowd to assume other roles if MFA has been provided.
+  # If an MFA serial is defined in the profile limes will promt for a MFA key
+  # when needed.
+  user:
+    aws_access_key_id: xxxxxxxxxxxxxxxxxxxx
+    aws_secret_access_key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+    role_session_name: yourusername
+    region: eu-west-1
+    mfa_serial: arn:aws:iam::123456789012:mfa/yourusername
+
+  # This is an example of an profile that can not be assumed as
+  # `protected: true` is defined on the profile. Only `limes run` and `limes env`
+  # will be allowed.
+  admin:
+    role_arn: arn:aws:iam::123456789012:role/admin
+    source_profile: user
+    protected: true
+    region: eu-west-1
+
+  # This is an example of an profile that can be assumed with `limes assume readonly`
+  readonly:
+    role_arn: arn:aws:iam::123456789012:role/readonly
+    source_profile: user
+    region: eu-west-1