Class: Assumer::Assumer

Inherits:
Object
Defined in:
lib/assumer.rb

Overview

This class provides the main functionality of the Assumer gem.

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(region: nil, account: nil, role: nil, serial_number: nil, credentials: nil, profile: nil) ⇒ Assumer

Creates the Assumer object

Parameters:

  • region (String) (defaults to: nil)

    The AWS region to establish the connection from (if left nil, Assumer will try to use its current region)

  • account (String) (defaults to: nil)

    The AWS account number without dashes

  • role (String) (defaults to: nil)

    The ARN for the role to assume

  • serial_number (String) (defaults to: nil)

    The serial number of an MFA device

  • credentials (Assumer) (defaults to: nil)

    An Assumer object whose credentials are used for the STS connection (to support double-jumps)



# File 'lib/assumer.rb', line 25

def initialize(region: nil, account: nil, role: nil, serial_number: nil, credentials: nil, profile: nil)
  @region = region ? region : my_region # if region is passed in, use it, otherwise find what region we're in and use that
  @account = account # AWS account number without dashes (assignment completed here; the page's copy of this line was truncated)
  @role = verify_role(role: role)
  # If we are being passed credentials, it's an Assumer instance, and we can
  # get the creds from it.  Otherwise, establish an STS connection
  @sts_client = establish_sts(
    region: @region,
    passed_credentials: credentials,
    credentials_profile: profile
  )
  @serial_number = serial_number # ARN for the user's MFA serial number

  opts = {
    client: @sts_client,
    role_arn: @role,
    role_session_name: 'AssumedRole'
  }
  # Don't specify MFA serial number or token code if they aren't needed
  unless @serial_number.nil?
    opts[:serial_number] = @serial_number
    opts[:token_code] = MFA.new.request_one_time_code
  end
  @assume_role_credentials = Aws::AssumeRoleCredentials.new(opts)

rescue Aws::STS::Errors::AccessDenied => e
  raise AssumerError, "Access Denied: #{e.message}"
end

Instance Attribute Details

#assume_role_credentials ⇒ Object

This is the only thing clients are allowed to access. It will be an STS::AssumeRoleCredentials object created by AWS.



# File 'lib/assumer.rb', line 14

def assume_role_credentials
  @assume_role_credentials
end

Instance Method Details

#verify_role(role:) ⇒ String

Verifies that the requested role ARN is valid. This only checks syntax; it does not guarantee that the role exists or can be assumed.

Parameters:

  • role (String)

    The ARN of the role to be verified

Returns:

  • (String)

    The ARN of a valid role

Raises:

  • (AssumerError)

    If the ARN is invalid, an exception is raised



# File 'lib/assumer.rb', line 60

def verify_role(role:)
  raise AssumerError, "Invalid ARN for role #{role}" unless role =~ AWS_ROLE_REGEX
  role
end
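The gem's AWS_ROLE_REGEX is not shown on this page, so the following is an added example (not the Assumer gem's own code) of what a syntax-only check in the spirit of #verify_role looks like; the regex, the helper `parse_role_arn`, and the sample ARNs are assumptions built from the documented IAM ARN format, not values from the gem.

```ruby
# Added example, not code from the Assumer gem. Mirrors the documented
# contract of #verify_role: return the ARN if it is syntactically a role
# ARN, otherwise raise AssumerError. Like the gem, it proves nothing about
# whether the role exists or can actually be assumed.
class AssumerError < StandardError; end

# Assumed pattern for arn:<partition>:iam::<12-digit account>:role/<path><name>.
# IAM ARNs have an empty region field; the partition is aws, aws-cn or
# aws-us-gov; role names are 1..64 chars from the IAM-allowed charset.
ROLE_ARN_REGEX = %r{\A
  arn:(aws|aws-cn|aws-us-gov):iam::     # service iam, region field empty
  (\d{12}):                             # 12-digit account id
  role/                                 # resource type must be role
  ((?:[\w+=,.@-]+/)*)                   # optional path segments
  ([\w+=,.@-]{1,64})                    # role name
\z}x

# Same name and contract as the documented method; a user ARN, an STS
# assumed-role ARN, a short account id or a non-empty region are all rejected.
def verify_role(role:)
  raise AssumerError, "Invalid ARN for role #{role}" unless role =~ ROLE_ARN_REGEX
  role
end

# Hypothetical helper: split a valid role ARN into its parts (nil if invalid)
# so a caller can confirm the role lives in the account it meant to jump to
# before requesting credentials for it.
def parse_role_arn(role)
  m = ROLE_ARN_REGEX.match(role)
  return nil unless m
  { partition: m[1], account: m[2], path: "/#{m[3]}", name: m[4] }
end
```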