Class: Miasma::Contrib::Aws::Api::Sts

Inherits:
Types::Api
  • Object
Includes:
Miasma::Contrib::AwsApiCore::ApiCommon, Miasma::Contrib::AwsApiCore::RequestUtils
Defined in:
lib/miasma-aws/api/sts.rb

Overview

STS helper class

Constant Summary

API_SERVICE =

Service name of the API

"sts".freeze
API_VERSION =

Supported version of the STS API

"2011-06-15".freeze

Instance Method Summary

Methods included from Miasma::Contrib::AwsApiCore::RequestUtils

#all_result_pages

Methods included from Miasma::Contrib::AwsApiCore::ApiCommon

#after_setup, #api_for, #connect, #connection, #custom_setup, #endpoint, #extract_creds, #get_credential, #get_region, included, #load_aws_file, #load_ecs_credentials!, #load_instance_credentials!, #make_request, #perform_request_retry, #retryable_allowed?, #signer, #sts_assume_role!, #sts_assume_role_update_required?, #sts_attribute_update_required?, #sts_mfa_session!, #sts_mfa_session_update_required?, #update_request, #uri_escape

Instance Method Details

#assume_role(role_arn, args = {}) ⇒ Hash

Assume new role

Parameters:

  • role_arn (String)

    IAM Role ARN

  • args (Hash) (defaults to: {})

Options Hash (args):

  • :external_id (String)
  • :session_name (String)

Returns:

  • (Hash)


# File 'lib/miasma-aws/api/sts.rb', line 51

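# Assume a new role via STS AssumeRole
#
# @param role_arn [String] IAM Role ARN to assume
# @param args [Hash]
# @option args [String] :external_id external ID sent as ExternalId (omitted when not given)
# @option args [String] :session_name role session name; a random one is generated when omitted
# @option args [Integer] :duration life of the assumed-role session in seconds (DurationSeconds,
#   omitted when not given — mirrors the :duration option of #mfa_session)
# @return [Hash] Smash holding the temporary credentials (:aws_sts_token,
#   :aws_sts_secret_access_key, :aws_sts_access_key_id, :aws_sts_token_expires)
#   and the assumed role identity (:aws_sts_assumed_role_arn, :aws_sts_assumed_role_id)
# @note the returned hash contains a live secret access key and session token;
#   keep it out of logs and error messages
def assume_role(role_arn, args = {})
  req_params = Smash.new.tap do |params|
    params["Action"] = "AssumeRole"
    params["RoleArn"] = role_arn
    # random, dash-free session name when the caller does not supply one
    params["RoleSessionName"] = args[:session_name] || SecureRandom.uuid.tr("-", "")
    params["ExternalId"] = args[:external_id] if args[:external_id]
    params["DurationSeconds"] = args[:duration] if args[:duration]
  end
  result = request(
    :path => "/",
    :params => req_params,
  ).get(:body, "AssumeRoleResponse", "AssumeRoleResult")
  # Expiration is parsed here so callers can compare against Time directly
  Smash.new(
    :aws_sts_token => result.get("Credentials", "SessionToken"),
    :aws_sts_secret_access_key => result.get("Credentials", "SecretAccessKey"),
    :aws_sts_access_key_id => result.get("Credentials", "AccessKeyId"),
    :aws_sts_token_expires => Time.parse(result.get("Credentials", "Expiration")),
    :aws_sts_assumed_role_arn => result.get("AssumedRoleUser", "Arn"),
    :aws_sts_assumed_role_id => result.get("AssumedRoleUser", "AssumedRoleId"),
  )
end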

#default_mfa_serial ⇒ String

Returns:

  • (String)


# File 'lib/miasma-aws/api/sts.rb', line 73

# Build the default MFA device ARN for the calling IAM user
#
# An Iam API instance is created with the same access key, secret key and
# region as this STS instance (read from `attributes`), and the resulting
# user data is expected to expose :account_id and :username.
#
# NOTE(review): this listing is cut after `).` on the Iam.new(...) call —
# the method invoked on the Iam instance is missing from the rendered page.
# Confirm against lib/miasma-aws/api/iam.rb before relying on this listing.
#
# @return [String] ARN of the form arn:aws:iam::ACCOUNT_ID:mfa/USERNAME
def default_mfa_serial
  user_data = Iam.new(
    Smash[
      [:aws_access_key_id, :aws_secret_access_key, :aws_region].map do |key|
        [key, attributes[key]]
      end
    ]
  ).
  "arn:aws:iam::#{user_data[:account_id]}:mfa/#{user_data[:username]}"
end

#mfa_session(token_code, args = {}) ⇒ Hash

Generate MFA session credentials

Parameters:

  • token_code (String, Proc)

    Code from MFA device

  • args (Hash) (defaults to: {})

Options Hash (args):

  • :duration (Integer)

    life of session in seconds

  • :mfa_serial (String)

    MFA device identification number

Returns:

  • (Hash)


# File 'lib/miasma-aws/api/sts.rb', line 25

# Generate MFA session credentials via STS GetSessionToken
#
# @param token_code [String, Proc] code from the MFA device; a callable is
#   invoked when the request parameters are built
# @param args [Hash]
# @option args [Integer] :duration life of session in seconds (DurationSeconds, omitted when not given)
# @option args [String] :mfa_serial MFA device identification number; falls back to
#   #default_mfa_serial when nil or empty
# @return [Hash] Smash holding the session credentials (:aws_sts_session_token,
#   :aws_sts_session_secret_access_key, :aws_sts_session_access_key_id,
#   :aws_sts_session_token_expires)
# @note the returned hash contains a live secret access key and session token;
#   keep it out of logs and error messages
def mfa_session(token_code, args = {})
  # resolve the code before the serial so a callable token is invoked first
  code = token_code.respond_to?(:call) ? token_code.call : token_code
  serial = args[:mfa_serial]
  serial = default_mfa_serial if serial.to_s.empty?

  req_params = Smash.new
  req_params["Action"] = "GetSessionToken"
  req_params["TokenCode"] = code
  req_params["DurationSeconds"] = args[:duration] if args[:duration]
  req_params["SerialNumber"] = serial

  response = request(:path => "/", :params => req_params)
  creds = response.get(:body, "GetSessionTokenResponse", "GetSessionTokenResult", "Credentials")
  Smash.new(
    :aws_sts_session_token => creds["SessionToken"],
    :aws_sts_session_secret_access_key => creds["SecretAccessKey"],
    :aws_sts_session_access_key_id => creds["AccessKeyId"],
    :aws_sts_session_token_expires => Time.parse(creds["Expiration"]),
  )
end