New config file format, added checks and a bit more documentation

Author: otm

README.md

@@ -1,7 +1,7 @@
 # Limes
 Limes provides an easy work flow with MFA protected access keys, temporary credentials and access to multiple roles/accounts.
 
-Limes is a Local Instance MEtadata Service and emulates parts of the [AWS Instance Metadata Service](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) running on Amazon Linux. The AWS SDK and AWS CLI can therefor utilize this service to authenticate.
+Limes is the Local Instance MEtadata Service and emulates parts of the [AWS Instance Metadata Service](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) running on Amazon Linux. The AWS SDK and AWS CLI can therefor utilize this service to authenticate.
 
 ## Warning
 The AWS SDK refreshes credentials automatically when using limes. So **all** services will change profile if the profile is changed in limes.
@@ -30,7 +30,7 @@ sudo ip link set dev lo:metadata up
 sudo /sbin/ifconfig lo0 alias 169.254.169.254
 ```
 
-#### Bash Completion
+## Bash Completion
 
 ##### Linux:
 ```
@@ -39,7 +39,7 @@ wget -O /etc/bash_completion.d/limes https://raw.githubusercontent.com/otm/limes
 
 ##### Mac
 ```
-wget -O $(brew --prefix)/etc/bash_completion.d/limes
+wget -O $(brew --prefix)/etc/bash_completion.d/limes https://raw.githubusercontent.com/otm/limes/master/assets/limes
 ```
 
 ##### Fixing Completion for AWS CLI

cli-client.go

@@ -67,10 +67,21 @@ func StartService(configFile, address, profileName, MFA string, port int, fake b
 			log.Fatalf("Error reading config: %s\n", configErr.Error())
 		}
 
-		configParseErr := yaml.Unmarshal(configContents, &config.profiles)
+		configParseErr := yaml.Unmarshal(configContents, &config)
 		if configParseErr != nil {
 			log.Fatalf("Error in parsing config file: %s\n", configParseErr.Error())
 		}
+
+		if len(config.Profiles) == 0 {
+			log.Info("No profiles found, falling back to old config format.\n")
+			configParseErr := yaml.Unmarshal(configContents, &config.Profiles)
+			if configParseErr != nil {
+				log.Fatalf("Error in parsing config file: %s\n", configParseErr.Error())
+			}
+			if len(config.Profiles) > 0 {
+				log.Warning("WARNING: old depricated config format is used.\n")
+			}
+		}
 	} else {
 		log.Debug("No configuration file given\n")
 	}
@@ -80,6 +91,14 @@ func StartService(configFile, address, profileName, MFA string, port int, fake b
 		os.Remove(address)
 	}()
 
+	if port == 0 {
+		port = config.Port
+	}
+
+	if port == 0 {
+		port = 80
+	}
+
 	// Startup the HTTP server and respond to requests.
 	listener, err := net.ListenTCP("tcp", &net.TCPAddr{
 		IP:   net.ParseIP("169.254.169.254"),

cli-handler.go

@@ -136,9 +136,9 @@ func (h *CliHandler) RetrieveRole(ctx context.Context, in *pb.AssumeRoleRequest)
 // Config returns the current configuration
 func (h *CliHandler) Config(ctx context.Context, in *pb.Void) (*pb.ConfigReply, error) {
 	res := &pb.ConfigReply{
-		Profiles: make(map[string]*pb.Profile, len(h.config.profiles)),
+		Profiles: make(map[string]*pb.Profile, len(h.config.Profiles)),
 	}
-	for name, profile := range h.config.profiles {
+	for name, profile := range h.config.Profiles {
 		res.Profiles[name] = &pb.Profile{
 			AwsAccessKeyID:     profile.AwsAccessKeyID,
 			AwsSecretAccessKey: profile.AwsSecretAccessKey,

config.example

@@ -1,45 +1,28 @@
 ---
-# The default profile is the profile that is loaded first, and the only role that
-# should need access keys. The default profile is *required*.
-#
-#
-# The default profile should only be able to assume roles. To assume these roles
-# the session should be authorized with a MFA token. With this set up your keys
-# will not be usable without multi factor authentication.
-default:
-  # aws_access_key_id is required on the default profile
-  aws_access_key_id: xxxxxxxxxxxxxxxxxxxx
-
-  # aws_secret_access_key is required on the default profile
-  aws_secret_access_key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-
-  # role_session_name specifies the name used when assuming roles. Normaly a
-  # sensible value is your username.
-  role_session_name: yourusername
-
-  # region is used when connection to AWS and you can retrieve it from the
-  # metadata service
-  region: eu-west-1
-
-  # mfa_serial if present will prompt the user for an MFA when the service is
-  # started. The MFA is then used for retrieving a session token.
-  mfa_serial: arn:aws:iam::123456789012:mfa/yourusername
-
-# This is an example of an profile that can be assumed with `limes profile admin`
-admin:
-  # role_arn can be retrived from IAM
-  role_arn: arn:aws:iam::123456789012:role/admin
-
-  # source_profile defines the profile to use when assuming this role
-  source_profile: default
-
-  # protected controls if it is possible to assume the role for the metadata service
-  # otherwise it is only possible to use with 'run' and 'env' subcommand
-  protected: true
-  region: eu-west-1
-
-# This is an example of an profile that can be assumed with `limes profile readonly`
-readonly:
-  role_arn: arn:aws:iam::123456789012:role/readonly
-  source_profile: default
-  region: eu-west-1
+port: 80
+profiles:
+  # This defines a base profile, as it has AWS keys in it. Normaly a user like
+  # this should only be allowd to assume other roles if MFA has been provided.
+  # If an MFA serial is defined in the profile limes will promt for a MFA key
+  # when needed.
+  user:
+    aws_access_key_id: xxxxxxxxxxxxxxxxxxxx
+    aws_secret_access_key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+    role_session_name: yourusername
+    region: eu-west-1
+    mfa_serial: arn:aws:iam::123456789012:mfa/yourusername
+
+  # This is an example of an profile that can not be assumed as
+  # `protected: true` is defined on the profile. Only `limes run` and `limes env`
+  # will be allowed.
+  admin:
+    role_arn: arn:aws:iam::123456789012:role/admin
+    source_profile: user
+    protected: true
+    region: eu-west-1
+
+  # This is an example of an profile that can be assumed with `limes assume readonly`
+  readonly:
+    role_arn: arn:aws:iam::123456789012:role/readonly
+    source_profile: user
+    region: eu-west-1

config.go

@@ -13,13 +13,15 @@ import (
 
 // Config hold configuration read from the configuration file
 type Config struct {
-	profiles Profiles
+	Port    int    `yaml:"port"`
+	Address string `yaml:"address"`
+	Profiles
 }
 
 // NewConfig returns a new Config struct
 func NewConfig() *Config {
 	config := &Config{
-		profiles: make(Profiles),
+		Profiles: make(Profiles),
 	}
 
 	return config

credentials-manager.go

@@ -125,7 +125,7 @@ func (m *CredentialsExpirationManager) SetSourceProfile(name, mfa string) error
 	m.err = nil
 
 	log.Printf("Setting base profile: %v", name)
-	profile, ok := m.config.profiles[name]
+	profile, ok := m.config.Profiles[name]
 	if !ok {
 		m.err = errUnknownProfile
 		if name != profileDefault {
@@ -202,7 +202,7 @@ func (m *CredentialsExpirationManager) Region() string {
 		role = profileDefault
 	}
 
-	profile, ok := m.config.profiles[role]
+	profile, ok := m.config.Profiles[role]
 	if !ok {
 		fmt.Printf("FAiled to lookup: %v\n", role)
 		return ""
@@ -227,7 +227,7 @@ func (m *CredentialsExpirationManager) Refresher() {
 // AssumeRole changes (assumes) the role `name`. An optional MFA can be passed
 // to the function, if set to "" the MFA is ignored
 func (m *CredentialsExpirationManager) AssumeRole(name, MFA string) error {
-	profile, ok := m.config.profiles[name]
+	profile, ok := m.config.Profiles[name]
 	if !ok {
 		return errUnknownProfile
 	}
@@ -266,7 +266,7 @@ func (m *CredentialsExpirationManager) AssumeRole(name, MFA string) error {
 // RetrieveRole will assume and fetch temporary credentials, but does not update
 // the role and credentials stored by the manager.
 func (m *CredentialsExpirationManager) RetrieveRole(name, MFA string) (*AwsCredentials, error) {
-	profile, ok := m.config.profiles[name]
+	profile, ok := m.config.Profiles[name]
 	if !ok {
 		return nil, errUnknownProfile
 	}

main.go

@@ -72,7 +72,7 @@ type Start struct {
 	HelpFlag bool   `flag:"h, help" description:"Display this message and exit"`
 	Fake     bool   `flag:"fake" description:"Do not connect to AWS"`
 	MFA      string `option:"m, mfa" description:"MFA token to start up server"`
-	Port     int    `option:"p, port" default:"80" description:"Port used by the metadata service"`
+	Port     int    `option:"p, port" default:"" description:"Port used by the metadata service, default: 80"`
 }
 
 // Stop defines the "stop" command cli flags and options