granted

package
v0.36.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 12, 2024 License: MIT Imports: 79 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// permission for user to read/write.
	USER_READ_WRITE_PERM = 0644
)

Variables

View Source
var AddCredentialsCommand = cli.Command{
	Name:      "add",
	Usage:     "Add IAM credentials to secure storage",
	ArgsUsage: "[<profile>]",
	Action: func(c *cli.Context) error {
		profileName := c.Args().First()
		if profileName == "" {
			in := survey.Input{Message: "Profile Name:"}
			err := testable.AskOne(&in, &profileName, survey.WithValidator(survey.MinLength(1)))
			if err != nil {
				return err
			}
		}

		profiles, err := cfaws.LoadProfiles()
		if err != nil {
			return err
		}
		if profiles.HasProfile(profileName) {
			return fmt.Errorf("a profile with name %s already exists, you can import an existing profile using '%s credentials import %s", profileName, build.GrantedBinaryName(), profileName)
		}

		credentials, err := promptCredentials()
		if err != nil {
			return err
		}

		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
		err = secureIAMCredentialStorage.StoreCredentials(profileName, credentials)
		if err != nil {
			return err
		}
		err = updateOrCreateProfileWithCredentialProcess(profileName)
		if err != nil {
			return err
		}
		fmt.Printf("Saved %s to secure storage\n", profileName)

		return nil
	},
}
View Source
var CFCommand = cli.Command{
	Name:        "common-fate",
	Aliases:     []string{"cf"},
	Usage:       "Interact with your Common Fate deployment",
	Subcommands: []*cli.Command{&ConsoleCommand},
}
View Source
var CFConsoleCommand = cli.Command{
	Name:  "console",
	Usage: "Open the Common Fate web console",
	Flags: []cli.Flag{&cli.StringFlag{Name: "profile", Usage: "Open the Common Fate web console for a specific profile"}},
	Action: func(c *cli.Context) error {

		ctx := c.Context
		consoleURL := ""
		profiles, err := cfaws.LoadProfiles()
		if err != nil {
			return err
		}

		profileName := c.String("profile")
		if profileName != "" {
			p, err := profiles.Profile(profileName)
			if err != nil {
				return err
			}
			url, err := cfcfg.GetCommonFateURL(p)
			if err != nil {
				return err
			}
			if url == nil {
				return errors.New("the profile exists but it is not configured with with a Common Fate console url")
			}
			consoleURL = url.String()
		} else {
			foundStartURLs := map[string]bool{}
			for _, profile := range profiles.ProfileNames {
				p, err := profiles.Profile(profile)
				if err != nil {
					return err
				}
				url, err := cfcfg.GetCommonFateURL(p)
				if err != nil {
					clio.Debug(err)
				}
				if url != nil {
					foundStartURLs[url.String()] = true
				}
			}
			keys := make([]string, 0, len(foundStartURLs))
			for k := range foundStartURLs {
				keys = append(keys, k)
			}
			if len(keys) == 0 {

				cfFileConfig, err := sdkconfig.LoadDefault(ctx)
				if err != nil {
					clio.Debug(fmt.Errorf("could not load profile from config file: %w", err))
					return errors.New("no Common Fate deployment urls found in your aws config or the default config file, you can setup now with 'granted login'")
				}
				consoleURL = cfFileConfig.APIURL
			}
			if len(keys) == 1 {
				consoleURL = keys[0]
			}

			err = survey.AskOne(&survey.Select{
				Message: "Please select which Common Fate deployment you would like to open: ",
				Options: keys,
			}, &consoleURL)
			if err != nil {
				return err
			}

		}

		clio.Infof("Opening the Common Fate console (%s) in your default browser...", consoleURL)

		return browser.OpenURL(consoleURL)
	},
}
View Source
var CacheCommand = cli.Command{
	Name:        "cache",
	Usage:       "Manage your cached credentials that are stored in secure storage",
	Subcommands: []*cli.Command{&clearCommand, &listCommand},
}
View Source
var ClearSSOTokensCommand = cli.Command{
	Name:  "clear",
	Usage: "Remove a selected token from the keyring",
	Flags: []cli.Flag{
		&cli.BoolFlag{Name: "all", Aliases: []string{"a"}, Usage: "Remove all saved tokens from keyring"},
	},
	Action: func(c *cli.Context) error {

		if c.Bool("all") {
			err := clearAllTokens()
			if err != nil {
				return err
			}
			clio.Success("Cleared all saved tokens")
			return nil
		}
		var selection string

		if c.Args().First() != "" {
			selection = c.Args().First()
		}

		startUrlMap, err := MapTokens(c.Context)
		if err != nil {
			return err
		}
		if selection == "" {
			var max int
			for k := range startUrlMap {
				if len(k) > max {
					max = len(k)
				}
			}
			selectionsMap := make(map[string]string)
			tokenList := []string{}
			for k, profiles := range startUrlMap {
				stringKey := fmt.Sprintf("%-*s (%s)", max, k, strings.Join(profiles, ", "))
				tokenList = append(tokenList, stringKey)
				selectionsMap[stringKey] = k
			}
			withStdio := survey.WithStdio(os.Stdin, os.Stderr, os.Stderr)
			in := survey.Select{
				Message: "Select a token to remove from keyring",
				Options: tokenList,
			}
			clio.NewLine()
			var out string
			err = testable.AskOne(&in, &out, withStdio)
			if err != nil {
				return err
			}
			selection = selectionsMap[out]
		}

		secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()

		err = secureSSOTokenStorage.SecureStorage.Clear(selection)
		if err != nil {
			return err
		}
		clio.Successf("Cleared %s", selection)
		return nil
	},
}
View Source
var CompletionCommand = cli.Command{
	Name:  "completion",
	Usage: "Add autocomplete to your granted cli installation",
	Flags: flags,
	Action: func(c *cli.Context) (err error) {
		shell := c.String("shell")
		switch shell {
		case "fish":
			err = installFishCompletions(c)
		case "zsh":
			err = installZSHCompletions(c)
		case "tcsh":
			err = installTcshCompletions(c)
		case "bash":
			err = installBashCompletions(c)
		default:
			clio.Info("To install completions for other shells, please see our docs: https://docs.commonfate.io/granted/configuration#autocompletion")
		}
		return err
	},

	Description: "Install completions for fish, zsh, or bash. To install completions for other shells, please see our docs:\nhttps://docs.commonfate.io/granted/configuration#autocompletion\n",
}
View Source
var ConsoleCommand = cli.Command{
	Name:  "console",
	Usage: "Generate an AWS console URL using credentials in the environment or with a credential process.",
	Flags: []cli.Flag{

		&cli.StringFlag{Name: "service"},
		&cli.StringFlag{Name: "region", EnvVars: []string{"AWS_REGION"}},
		&cli.StringFlag{Name: "destination", Usage: "The destination URL for the console"},
		&cli.BoolFlag{Name: "url", Usage: "Return the URL to stdout instead of launching the browser"},
		&cli.BoolFlag{Name: "firefox", Usage: "Generate the Firefox container URL"},
		&cli.StringFlag{Name: "color", Usage: "When the firefox flag is true, this specifies the color of the container tab"},
		&cli.StringFlag{Name: "icon", Usage: "When firefox flag is true, this specifies the icon of the container tab"},
		&cli.StringFlag{Name: "container-name", Usage: "When firefox flag is true, this specifies the name of the container of the container tab.", Value: "aws"},
		&cli.StringSliceFlag{Name: "browser-launch-template-arg", Usage: "Additional arguments to provide to the browser launch template command in key=value format, e.g. '--browser-launch-template-arg foo=bar"},
	},
	Action: func(c *cli.Context) error {
		ctx := c.Context
		credentials, err := cfaws.GetAWSCredentials(ctx)
		if err != nil {
			return err
		}
		con := console.AWS{
			Service:     c.String("service"),
			Region:      c.String("region"),
			Destination: c.String("destination"),
		}

		consoleURL, err := con.URL(*credentials)
		if err != nil {
			return err
		}

		cfg, err := config.Load()
		if err != nil {
			return err
		}
		if c.Bool("firefox") || cfg.DefaultBrowser == browser.FirefoxKey || cfg.DefaultBrowser == browser.FirefoxStdoutKey {

			consoleURL = fmt.Sprintf("ext+granted-containers:name=%s&url=%s&color=%s&icon=%s", c.String("container-name"), url.QueryEscape(consoleURL), c.String("color"), c.String("icon"))
		}

		justPrintURL := c.Bool("url") || cfg.DefaultBrowser == browser.StdoutKey || cfg.DefaultBrowser == browser.FirefoxStdoutKey
		if justPrintURL {

			fmt.Print(consoleURL)
			return nil
		}

		var l assume.Launcher
		if cfg.CustomBrowserPath == "" && cfg.DefaultBrowser != "" {
			l = launcher.Open{}
		} else if cfg.CustomBrowserPath == "" && cfg.AWSConsoleBrowserLaunchTemplate == nil {
			return errors.New("default browser not configured. run `granted browser set` to configure")
		} else {
			switch cfg.DefaultBrowser {
			case browser.ChromeKey:
				l = launcher.ChromeProfile{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.BraveKey:
				l = launcher.ChromeProfile{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.EdgeKey:
				l = launcher.ChromeProfile{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.ChromiumKey:
				l = launcher.ChromeProfile{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.VivaldiKey:
				l = launcher.ChromeProfile{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.FirefoxKey:
				l = launcher.Firefox{
					ExecutablePath: cfg.CustomBrowserPath,
				}
			case browser.SafariKey:
				l = launcher.Safari{}
			case browser.CustomKey:
				l, err = launcher.CustomFromLaunchTemplate(cfg.AWSConsoleBrowserLaunchTemplate, c.StringSlice("browser-launch-template-arg"))
				if err == launcher.ErrLaunchTemplateNotConfigured {
					return errors.New("error configuring custom browser, ensure that [AWSConsoleBrowserLaunchTemplate] is specified in your Granted config file")
				}
				if err != nil {
					return err
				}
			default:
				l = launcher.Open{}
			}
		}

		args, err := l.LaunchCommand(consoleURL, con.Profile)
		if err != nil {
			return fmt.Errorf("error building browser launch command: %w", err)
		}

		var startErr error
		if l.UseForkProcess() {
			clio.Debugf("running command using forkprocess: %s", args)
			cmd, err := forkprocess.New(args...)
			if err != nil {
				return err
			}
			startErr = cmd.Start()
		} else {
			clio.Debugf("running command without forkprocess: %s", args)
			cmd := exec.Command(args[0], args[1:]...)
			startErr = cmd.Start()
		}

		if startErr != nil {
			return clierr.New(fmt.Sprintf("Granted was unable to open a browser session automatically due to the following error: %s", startErr.Error()),

				clierr.Info("You can open the browser session manually using the following url:"),
				clierr.Info(consoleURL),
			)
		}
		return nil
	},
}
View Source
var CredentialProcess = cli.Command{
	Name:  "credential-process",
	Usage: "Exports AWS session credentials for use with AWS CLI credential_process",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "profile", Required: true},
		&cli.StringFlag{Name: "url"},
		&cli.DurationFlag{Name: "window", Value: 15 * time.Minute},
		&cli.BoolFlag{Name: "auto-login", Usage: "automatically open the configured browser to log in if needed"},
		&cli.BoolFlag{Name: "no-cache", Usage: "Disables caching of session credentials and forces a refresh", EnvVars: []string{"GRANTED_NO_CACHE"}},
	},
	Action: func(c *cli.Context) error {
		cfg, err := config.Load()
		if err != nil {
			return err
		}

		profileName := c.String("profile")
		autoLogin := c.Bool("auto-login") || cfg.CredentialProcessAutoLogin
		secureSessionCredentialStorage := securestorage.NewSecureSessionCredentialStorage()
		clio.Debugw("running credential process with config", "profile", profileName, "url", c.String("url"), "window", c.Duration("window"), "disableCredentialProcessCache", cfg.DisableCredentialProcessCache)

		cliNoCache := c.Bool("no-cache")
		useCache := !(cfg.DisableCredentialProcessCache || cliNoCache)

		if useCache {

			cachedCreds, err := secureSessionCredentialStorage.GetCredentials(profileName)
			if err != nil {
				clio.Debugw("error loading cached credentials", "error", err, "profile", profileName)
			} else if cachedCreds == nil {
				clio.Debugw("refreshing credentials", "reason", "cachedCreds was nil")
			} else if cachedCreds.CanExpire && cachedCreds.Expires.Add(-c.Duration("window")).Before(time.Now()) {
				clio.Debugw("refreshing credentials", "reason", "credentials are expired")
			} else {

				clio.Debugw("credentials found in cache", "expires", cachedCreds.Expires.String(), "canExpire", cachedCreds.CanExpire, "timeNow", time.Now().String(), "refreshIfBeforeNow", cachedCreds.Expires.Add(-c.Duration("window")).String())
				return printCredentials(*cachedCreds)
			}
		}

		if !useCache {
			clio.Debugw("refreshing credentials", "reason", "credential process cache is disabled via config")
		}

		err = secureSessionCredentialStorage.SecureStorage.Clear(profileName)
		if err != nil {
			clio.Debugw("error clearing cached credentials", "error", err, "profile", profileName)
		}

		profiles, err := cfaws.LoadProfiles()
		if err != nil {
			return err
		}

		profile, err := profiles.LoadInitialisedProfile(c.Context, profileName)
		if err != nil {
			return err
		}

		duration := time.Hour
		if profile.AWSConfig.RoleDurationSeconds != nil {
			duration = *profile.AWSConfig.RoleDurationSeconds
		}

		credentials, err := profile.AssumeTerminal(c.Context, cfaws.ConfigOpts{Duration: duration, UsingCredentialProcess: true, CredentialProcessAutoLogin: autoLogin})
		if err != nil {

			cfg, cfConfigErr := cfcfg.Load(c.Context, profile)
			if cfConfigErr != nil {
				clio.Debugw("failed to load cfconfig, skipping check for active grants in a common fate deployment", "error", cfConfigErr)
				return err
			}

			grantsClient := grants.NewFromConfig(cfg)
			idClient := identitysvc.NewFromConfig(cfg)
			callerID, callerIDErr := idClient.GetCallerIdentity(c.Context, connect.NewRequest(&accessv1alpha1.GetCallerIdentityRequest{}))
			if callerIDErr != nil {
				clio.Debugw("failed to load caller identity for user", "error", callerIDErr)

				return err
			}
			grants, queryGrantsErr := grab.AllPages(c.Context, func(ctx context.Context, nextToken *string) ([]*accessv1alpha1.Grant, *string, error) {
				grants, err := grantsClient.QueryGrants(c.Context, connect.NewRequest(&accessv1alpha1.QueryGrantsRequest{
					Principal: callerID.Msg.Principal.Eid,
					Target:    eid.New("AWS::Account", profile.AWSConfig.SSOAccountID).ToAPI(),

					Status: accessv1alpha1.GrantStatus_GRANT_STATUS_ACTIVE.Enum(),
				}))
				if err != nil {
					return nil, nil, err
				}
				return grants.Msg.Grants, &grants.Msg.NextPageToken, nil
			})

			if queryGrantsErr != nil {
				clio.Debugw("failed to query for active grants", "error", queryGrantsErr)

				return err
			}

			var foundActiveGrant bool
			for _, grant := range grants {
				if grant.Role.Name == profile.AWSConfig.SSORoleName {
					clio.Debugw("found active grant matching the profile, will retry assuming role", "grant", grant)
					foundActiveGrant = true
					break
				}
			}
			if !foundActiveGrant {
				clio.Debug("did not find any matching active grants for the profile, will not retry assuming role")
				clio.Debugw("could not assume role due to the following error, notifying user to try requesting access", "error", err)
				err := accessrequest.Profile{Name: profileName}.Save()
				if err != nil {
					return err
				}
				return errors.New("You don't have access but you can request it with 'granted request latest'")
			}

			b := sethRetry.NewFibonacci(time.Second)
			b = sethRetry.WithMaxDuration(time.Second*30, b)
			err = sethRetry.Do(c.Context, b, func(ctx context.Context) (err error) {
				credentials, err = profile.AssumeTerminal(c.Context, cfaws.ConfigOpts{Duration: duration, UsingCredentialProcess: true, CredentialProcessAutoLogin: autoLogin})
				if err != nil {
					return sethRetry.RetryableError(err)
				}
				return nil
			})
			if err != nil {
				return err
			}
		}
		if !cfg.DisableCredentialProcessCache {
			clio.Debugw("storing refreshed credentials in credential process cache", "expires", credentials.Expires.String(), "canExpire", credentials.CanExpire, "timeNow", time.Now().String())
			if err := secureSessionCredentialStorage.StoreCredentials(profileName, credentials); err != nil {
				return err
			}
		}

		return printCredentials(credentials)
	},
}
View Source
var CredentialsCommand = cli.Command{
	Name:        "credentials",
	Usage:       "Manage secure IAM credentials",
	Subcommands: []*cli.Command{&AddCredentialsCommand, &ImportCredentialsCommand, &UpdateCredentialsCommand, &ListCredentialsCommand, &RemoveCredentialsCommand, &ExportCredentialsCommand, &RotateCredentialsCommand, &ImportCredFromEnvCommand},
}
View Source
var DefaultBrowserCommand = cli.Command{
	Name:        "browser",
	Usage:       "View the web browser that Granted uses to open cloud consoles",
	Subcommands: []*cli.Command{&SetBrowserCommand, &SetSSOBrowserCommand},
	Action: func(c *cli.Context) error {

		conf, err := config.Load()
		if err != nil {
			return err
		}

		clio.Infof("Granted is using %s. To change this run `granted browser set`", conf.DefaultBrowser)

		return nil
	},
}
View Source
var ExportCredentialsCommand = cli.Command{
	Name:      "export-plaintext",
	Usage:     "Export credentials from the secure storage to ~/.aws/credentials file in plaintext",
	ArgsUsage: "[<profile>]",
	Flags: []cli.Flag{
		&cli.BoolFlag{Name: "all", Aliases: []string{"a"}, Usage: "export all credentials from secure storage in plaintext"},
	},
	Action: func(c *cli.Context) error {
		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
		profileName := c.Args().First()
		secureProfileKeys, err := secureIAMCredentialStorage.SecureStorage.ListKeys()
		if err != nil {
			return err
		}
		var profileNames []string
		if c.Bool("all") {
			profileNames = append(profileNames, secureProfileKeys...)
		} else {
			if profileName == "" && len(secureProfileKeys) == 0 {
				fmt.Println("No credentials in secure storage")
				return nil
			}

			if profileName == "" {
				in := survey.Select{Message: "Profile Name:", Options: secureProfileKeys}
				err = testable.AskOne(&in, &profileName)
				if err != nil {
					return err
				}
			}
			profileNames = append(profileNames, profileName)
		}

		for _, profileName := range profileNames {
			credentials, err := secureIAMCredentialStorage.GetCredentials(profileName)
			if err != nil {
				return err
			}

			credentialsFilePath := cfaws.GetAWSCredentialsPath()
			credentialsFile, err := ini.LoadSources(ini.LoadOptions{
				AllowNonUniqueSections:  false,
				SkipUnrecognizableLines: false,
				AllowNestedValues:       true,
			}, credentialsFilePath)
			if err != nil {
				return err
			}

			section, err := credentialsFile.NewSection(profileName)
			if err != nil {
				return err
			}
			err = section.ReflectFrom(&struct {
				AWSAccessKeyID     string `ini:"aws_access_key_id"`
				AWSSecretAccessKey string `ini:"aws_secret_access_key"`
				AWSSessionToken    string `ini:"aws_session_token,omitempty"`
			}{
				AWSAccessKeyID:     credentials.AccessKeyID,
				AWSSecretAccessKey: credentials.SecretAccessKey,
				AWSSessionToken:    credentials.SessionToken,
			})
			if err != nil {
				return err
			}
			err = credentialsFile.SaveTo(credentialsFilePath)
			if err != nil {
				return err
			}
			configPath := cfaws.GetAWSConfigPath()
			configFile, err := ini.LoadSources(ini.LoadOptions{
				AllowNonUniqueSections:  false,
				SkipUnrecognizableLines: false,
				AllowNestedValues:       true,
			}, configPath)
			if err != nil {
				return err
			}
			sectionName := "profile " + profileName
			if section, _ := configFile.GetSection(sectionName); section != nil {
				if section.HasKey("credential_process") {

					if len(section.Keys()) > 1 {
						section.DeleteKey("credential_process")
					} else {
						configFile.DeleteSection(sectionName)
					}
					err = configFile.SaveTo(configPath)
					if err != nil {
						return err
					}

				}
			}

			fmt.Printf("Exported %s in plaintext from secure storage to %s\n", profileName, credentialsFilePath)
			fmt.Printf("The %s credentials have not been removed from secure storage. If you'd like to delete them, you can run '%s credentials remove %s'\n", profileName, build.GrantedBinaryName(), profileName)

		}
		return nil
	},
}
View Source
var GenerateCommand = cli.Command{
	Name:      "generate",
	Usage:     "Prints an AWS configuration file to stdout with profiles from accounts and roles available in AWS SSO",
	UsageText: "granted [global options] sso generate [command options] [sso-start-url]",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "config", Usage: "Specify the SSO config section in the Granted config file ([SSO.name])", Value: "default"},
		&cli.StringFlag{Name: "prefix", Usage: "Specify a prefix for all generated profile names"},
		&cli.StringFlag{Name: "sso-region", Usage: "Specify the SSO region"},
		&cli.StringSliceFlag{Name: "source", Usage: "The sources to load AWS profiles from (valid values are: 'aws-sso', 'commonfate')", Value: cli.NewStringSlice("aws-sso")},
		&cli.BoolFlag{Name: "no-credential-process", Usage: "Generate profiles without the Granted credential-process integration"},
		&cli.StringFlag{Name: "profile-template", Usage: "Specify profile name template", Value: awsconfigfile.DefaultProfileNameTemplate}},
	Action: func(c *cli.Context) error {
		ctx := c.Context
		fullCommand := fmt.Sprintf("%s %s", c.App.Name, c.Command.FullName())

		cfg, err := grantedconfig.Load()
		if err != nil {
			clio.Errorf("Error reading default config (~/.granted/config)")
			return nil
		}

		cfgSSO := cfg.SSO[c.String("config")]
		startURL := coalesceString(c.Args().First(), cfgSSO.StartURL)
		if startURL == "" {
			return clierr.New(fmt.Sprintf("Usage: %s [sso-start-url]", fullCommand), clierr.Infof("For example, %s https://example.awsapps.com/start", fullCommand))
		}

		ssoRegion := coalesceString(c.String("sso-region"), cfgSSO.SSORegion)
		if ssoRegion == "" {
			clio.Errorf("Please specify the --sso-region flag: '%s --sso-region us-east-1 %s'", fullCommand, startURL)
			return nil
		}

		// Since `profile-template` has a default value, need to check IsSet instead of having a value
		var profileNameTemplate string
		if c.IsSet("profile-template") {

			profileNameTemplate = c.String("profile-template")
		} else {

			profileNameTemplate = coalesceString(cfgSSO.ProfileTemplate, c.String("profile-template"))
		}

		prefix := coalesceString(c.String("prefix"), cfgSSO.Prefix)
		noCredentialProcess := c.Bool("no-credential-process") || cfgSSO.NoCredentialProcess

		g := awsconfigfile.Generator{
			Config:              ini.Empty(),
			ProfileNameTemplate: profileNameTemplate,
			NoCredentialProcess: noCredentialProcess,
			Prefix:              prefix,
		}

		for _, s := range c.StringSlice("source") {
			switch s {
			case "aws-sso":
				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL})
			case "commonfate", "common-fate", "cf":
				ps, err := getCFProfileSource(c, ssoRegion, startURL)
				if err != nil {
					return err
				}
				g.AddSource(ps)
			default:
				return fmt.Errorf("unknown profile source %s: allowed sources are aws-sso, commonfate", s)
			}
		}

		err = g.Generate(ctx)
		if err != nil {
			return err
		}

		_, err = g.Config.WriteTo(os.Stdout)
		if err != nil {
			return err
		}

		return nil
	},
}

in dev: go run ./cmd/granted/main.go sso generate --sso-region ap-southeast-2 url

View Source
var ImportCredFromEnvCommand = cli.Command{
	Name:  "import-from-env",
	Usage: "Create a new AWS config profile with IAM credentials imported from environment. You must have $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY set in  your environment",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "profile", Required: true},
	},
	Action: func(c *cli.Context) error {
		ctx := c.Context

		accessKeyFromEnv, accessKeyFromEnvExists := os.LookupEnv("AWS_ACCESS_KEY_ID")
		secretAccessKeyFromEnv, secretAccessKeyFromEnvExists := os.LookupEnv("AWS_SECRET_ACCESS_KEY")

		if accessKeyFromEnvExists && secretAccessKeyFromEnvExists {
			profileName := c.String("profile")
			profiles, err := cfaws.LoadProfiles()
			if err != nil {
				return err
			}

			if profiles.HasProfile(profileName) {
				return fmt.Errorf("profile with name '%s' already exist", profileName)
			}

			credentials, err := credentials.NewStaticCredentialsProvider(accessKeyFromEnv, secretAccessKeyFromEnv, "").Retrieve(ctx)
			if err != nil {
				return err
			}

			secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
			err = secureIAMCredentialStorage.StoreCredentials(profileName, credentials)
			if err != nil {
				return err
			}

			credentialsFilePath := cfaws.GetAWSCredentialsPath()
			credentialsFile, err := ini.LoadSources(ini.LoadOptions{
				AllowNonUniqueSections:  false,
				SkipUnrecognizableLines: false,
				AllowNestedValues:       true,
			}, credentialsFilePath)
			if err != nil {
				return err
			}

			section, err := credentialsFile.NewSection(profileName)
			if err != nil {
				return err
			}
			err = section.ReflectFrom(&struct {
				AWSAccessKeyID     string `ini:"aws_access_key_id"`
				AWSSecretAccessKey string `ini:"aws_secret_access_key"`
			}{
				AWSAccessKeyID:     accessKeyFromEnv,
				AWSSecretAccessKey: secretAccessKeyFromEnv,
			})
			if err != nil {
				return err
			}
			err = credentialsFile.SaveTo(credentialsFilePath)
			if err != nil {
				return err
			}

			err = updateOrCreateProfileWithCredentialProcess(profileName)
			if err != nil {
				return err
			}

			clio.Successf("successfully created new profile %s", profileName)

			return nil

		}

		clio.Error("you don't have variables $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY set in your environment.")
		clio.Info("If you instead want to import plain-text credentials from ~/.aws/credentials to secure storage then run 'granted credentials import'")

		return nil

	},
}
View Source
var ImportCredentialsCommand = cli.Command{
	Name:      "import",
	Usage:     "Import plaintext IAM user credentials from AWS credentials file into secure storage",
	ArgsUsage: "[<profile>]",
	Flags: []cli.Flag{
		&cli.BoolFlag{Name: "overwrite", Usage: "Overwrite an existing profile saved in secure storage with values from the AWS credentials file"},
	},
	Action: func(c *cli.Context) error {
		profileName := c.Args().First()
		profiles, err := cfaws.LoadProfiles()
		if err != nil {
			return err
		}

		if profileName == "" {
			in := survey.Select{Message: "Profile Name:", Options: profiles.ProfileNames}
			err := testable.AskOne(&in, &profileName, survey.WithValidator(func(ans interface{}) error {
				option := ans.(core.OptionAnswer)

				return validateProfileForImport(c.Context, profiles, option.Value, c.Bool("overwrite"))
			}))
			if err != nil {
				return err
			}
		} else {
			err = validateProfileForImport(c.Context, profiles, profileName, c.Bool("overwrite"))
			if err != nil {
				return err
			}
		}

		profile, err := profiles.LoadInitialisedProfile(c.Context, profileName)
		if err != nil {
			return err
		}
		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
		err = secureIAMCredentialStorage.StoreCredentials(profileName, profile.AWSConfig.Credentials)
		if err != nil {
			return err
		}

		err = updateOrCreateProfileWithCredentialProcess(profileName)
		if err != nil {
			return err
		}

		credentialsFilePath := cfaws.GetAWSCredentialsPath()
		credentialsFile, err := ini.LoadSources(ini.LoadOptions{
			AllowNonUniqueSections:  false,
			SkipUnrecognizableLines: false,
			AllowNestedValues:       true,
		}, credentialsFilePath)
		if err != nil {
			return err
		}

		items, err := credentialsFile.GetSection(profileName)
		if err != nil {
			return err
		}

		configPath := cfaws.GetAWSConfigPath()
		configFile, err := ini.LoadSources(ini.LoadOptions{
			AllowNonUniqueSections:  false,
			SkipUnrecognizableLines: false,
			AllowNestedValues:       true,
		}, configPath)
		if err != nil {
			return err
		}
		sectionName := "profile " + profileName

		for _, key := range items.Keys() {

			if !(key.Name() == "aws_access_key_id" || key.Name() == "aws_secret_access_key" || key.Name() == "aws_session_token") {
				section, err := configFile.GetSection(sectionName)
				if err != nil {
					return err
				}
				if !section.HasKey(key.Name()) {
					_, err = section.NewKey(key.Name(), key.Value())
					if err != nil {
						return err
					}
				}
			}
		}

		err = configFile.SaveTo(configPath)
		if err != nil {
			return err
		}

		credentialsFile.DeleteSection(profileName)
		err = credentialsFile.SaveTo(credentialsFilePath)
		if err != nil {
			return err
		}
		fmt.Printf("Saved %s to secure storage\n", profileName)

		return nil
	},
}
View Source
var ListCredentialsCommand = cli.Command{
	Name:  "list",
	Usage: "Lists the profile names for credentials in secure storage",
	Action: func(c *cli.Context) error {
		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
		profiles, err := secureIAMCredentialStorage.SecureStorage.List()
		if err != nil {
			return err
		}
		if len(profiles) == 0 {
			clio.Info("No IAM user credentials stored in secure storage")
			return nil
		}
		for _, profile := range profiles {

			fmt.Printf("%s\n", profile.Key)
		}
		return nil
	},
}
View Source
var ListSSOTokensCommand = cli.Command{
	Name:  "list",
	Usage: "Lists all access tokens saved in the keyring",
	Action: func(ctx *cli.Context) error {

		startUrlMap, err := MapTokens(ctx.Context)
		if err != nil {
			return err
		}

		var max int
		for k := range startUrlMap {
			if len(k) > max {
				max = len(k)
			}
		}
		secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()
		keys, err := secureSSOTokenStorage.SecureStorage.ListKeys()
		if err != nil {
			return err
		}

		for _, key := range keys {
			clio.Logf("%-*s (%s)", max, key, strings.Join(startUrlMap[key], ", "))
		}
		return nil
	},
}
View Source
var LoginCommand = cli.Command{
	Name:  "login",
	Usage: "Log in via AWS SSO interactive credential process",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "sso-region", Usage: "Specify the SSO region"},
		&cli.StringFlag{Name: "sso-start-url", Usage: "Specify the SSO start url"},
		&cli.StringSliceFlag{Name: "sso-scope", Usage: "Specify the SSO scopes"},
	},
	Action: func(c *cli.Context) error {
		ctx := c.Context
		ssoStartUrl := c.String("sso-start-url")

		if ssoStartUrl == "" {
			in1 := survey.Input{Message: "SSO Start URL"}
			err := testable.AskOne(&in1, &ssoStartUrl)
			if err != nil {
				return err
			}
		}

		ssoRegion := c.String("sso-region")

		if ssoRegion == "" {

			resp, err := http.Get(ssoStartUrl)
			if err != nil {
				return err
			}
			defer resp.Body.Close()

			re := regexp.MustCompile(`<meta\s+name="region"\s+content="(.*?)"/>`)
			body, err := io.ReadAll(resp.Body)
			if err != nil {
				return err
			}

			match := re.FindStringSubmatch(string(body))
			if len(match) == 2 {
				ssoRegion = match[1]
			}

			if ssoRegion == "" {
				in2 := survey.Input{Message: "Region"}
				err := testable.AskOne(&in2, &ssoRegion)
				if err != nil {
					return err
				}
			}
		}

		ssoScopes := c.StringSlice("sso-scope")

		cfg := aws.NewConfig()
		cfg.Region = ssoRegion

		secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()

		newSSOToken, err := idclogin.Login(ctx, *cfg, ssoStartUrl, ssoScopes)
		if err != nil {
			return err
		}

		secureSSOTokenStorage.StoreSSOToken(ssoStartUrl, *newSSOToken)

		clio.Successf("Successfully logged into Start URL: %s", ssoStartUrl)

		return nil
	},
}
View Source
var PopulateCommand = cli.Command{
	Name:      "populate",
	Usage:     "Populate your local AWS configuration file with profiles from accounts and roles available in AWS SSO",
	UsageText: "granted [global options] sso populate [command options] [sso-start-url]",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "config", Usage: "Specify the SSO config section ([SSO.name])", Value: "default"},
		&cli.StringFlag{Name: "prefix", Usage: "Specify a prefix for all generated profile names"},
		&cli.StringFlag{Name: "sso-region", Usage: "Specify the SSO region"},
		&cli.StringSliceFlag{Name: "sso-scope", Usage: "Specify the SSO scopes"},
		&cli.StringSliceFlag{Name: "source", Usage: "The sources to load AWS profiles from", Value: cli.NewStringSlice("aws-sso")},
		&cli.BoolFlag{Name: "prune", Usage: "Remove any generated profiles with the 'common_fate_generated_from' key which no longer exist"},
		&cli.StringFlag{Name: "profile-template", Usage: "Specify profile name template", Value: awsconfigfile.DefaultProfileNameTemplate},
		&cli.BoolFlag{Name: "no-credential-process", Usage: "Generate profiles without the Granted credential-process integration"},
	},
	Action: func(c *cli.Context) error {
		ctx := c.Context
		fullCommand := fmt.Sprintf("%s %s", c.App.Name, c.Command.FullName())

		cfg, err := grantedconfig.Load()
		if err != nil {
			clio.Errorf("Error reading default config (~/.granted/config)")
			return nil
		}

		cfgSSO := cfg.SSO[c.String("config")]

		startURL := coalesceString(c.Args().First(), cfgSSO.StartURL)
		if startURL == "" {
			return clierr.New(fmt.Sprintf("Usage: %s [sso-start-url]", fullCommand), clierr.Infof("For example, %s https://example.awsapps.com/start", fullCommand))
		}

		ssoRegion := coalesceString(c.String("sso-region"), cfgSSO.SSORegion)
		if ssoRegion == "" {
			clio.Errorf("Please specify the --sso-region flag: '%s --sso-region us-east-1 %s'", fullCommand, startURL)
			return nil
		}

		// Since `profile-template` has a default value, need to check IsSet instead of having a value
		var profileNameTemplate string
		if c.IsSet("profile-template") {

			profileNameTemplate = c.String("profile-template")
		} else {

			profileNameTemplate = coalesceString(cfgSSO.ProfileTemplate, c.String("profile-template"))
		}

		prefix := coalesceString(c.String("prefix"), cfgSSO.Prefix)
		noCredentialProcess := c.Bool("no-credential-process") || cfgSSO.NoCredentialProcess

		configFilename := cfaws.GetAWSConfigPath()

		dir := filepath.Dir(configFilename)
		if _, err := os.Stat(dir); os.IsNotExist(err) {
			clio.Infof("created AWS config file: %s", dir)
			err = os.MkdirAll(dir, USER_READ_WRITE_PERM)
			if err != nil {
				return err
			}
		}

		config, err := ini.LoadSources(ini.LoadOptions{
			AllowNonUniqueSections:  false,
			SkipUnrecognizableLines: false,
			AllowNestedValues:       true,
		}, configFilename)
		if err != nil {
			if !os.IsNotExist(err) {
				return err
			}
			config = ini.Empty()
		}

		var pruneStartURLs []string

		if c.Bool("prune") {
			pruneStartURLs = []string{startURL}
		}

		g := awsconfigfile.Generator{
			Config:              config,
			ProfileNameTemplate: profileNameTemplate,
			NoCredentialProcess: noCredentialProcess,
			Prefix:              prefix,
			PruneStartURLs:      pruneStartURLs,
		}

		for _, s := range c.StringSlice("source") {
			switch s {
			case "aws-sso":
				g.AddSource(AWSSSOSource{SSORegion: ssoRegion, StartURL: startURL, SSOScopes: c.StringSlice("sso-scope")})
			case "commonfate", "common-fate", "cf":
				ps, err := getCFProfileSource(c, ssoRegion, startURL)
				if err != nil {
					return err
				}
				g.AddSource(ps)
			default:
				return fmt.Errorf("unknown profile source %s: allowed sources are aws-sso, commonfate", s)
			}
		}
		err = g.Generate(ctx)
		if err != nil {
			return err
		}

		err = config.SaveTo(configFilename)
		if err != nil {
			return err
		}

		return nil
	},
}
View Source
var RemoveCredentialsCommand = cli.Command{
	Name:      "remove",
	Usage:     "Remove credentials from secure storage and an associated profile if it exists in the AWS config file",
	ArgsUsage: "[<profile>]",
	Flags: []cli.Flag{
		&cli.BoolFlag{Name: "all", Aliases: []string{"a"}, Usage: "Remove all credentials from secure storage and an associated profile if it exists in the AWS config file"},
	},
	Action: func(c *cli.Context) error {
		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()
		configPath := cfaws.GetAWSConfigPath()
		configFile, err := ini.LoadSources(ini.LoadOptions{
			AllowNonUniqueSections:  false,
			SkipUnrecognizableLines: false,
			AllowNestedValues:       true,
		}, configPath)
		if err != nil {
			return err
		}
		profileName := c.Args().First()
		secureProfileKeys, err := secureIAMCredentialStorage.SecureStorage.ListKeys()
		if err != nil {
			return err
		}
		var profileNames []string
		if c.Bool("all") {
			profileNames = append(profileNames, secureProfileKeys...)
		} else {
			if profileName == "" && len(secureProfileKeys) == 0 {
				fmt.Println("No credentials in secure storage")
				return nil
			}
			if profileName == "" {
				in := survey.Select{Message: "Profile Name:", Options: secureProfileKeys}
				err = testable.AskOne(&in, &profileName)
				if err != nil {
					return err
				}
			}
			profileNames = append(profileNames, profileName)
		}
		fmt.Printf(`Removing credentials from secure storage will cause them to be permanently deleted.
To avoid losing your credentials you may first want to export them to plaintext using 'granted credentials export-plaintext <profile name>'
This command will remove a profile with the same name from the AWS config file if it has a 'credential_process = granted credential-process --profile=<profile name>'
If you have already used 'granted credentials export-plaintext <profile name>' to export the credentials, the profile will not be removed by this command.

`)
		var confirm bool
		s := &survey.Confirm{
			Message: "Are you sure you want to remove these credentials and profile from your AWS config?",
			Default: true,
		}
		err = survey.AskOne(s, &confirm)
		if err != nil {
			return err
		}
		if !confirm {
			fmt.Printf("Cancelled clearing credentials\n")
			return nil
		}

		for _, profileName := range profileNames {
			fmt.Printf("Removing %s credentials from secure storage\n", profileName)
			err = secureIAMCredentialStorage.SecureStorage.Clear(profileName)
			if err != nil {
				return err
			}
			sectionName := "profile " + profileName
			if section, _ := configFile.GetSection(sectionName); section != nil {
				if key, _ := section.GetKey("credential_process"); key != nil {
					if strings.HasPrefix(key.Value(), fmt.Sprintf("%s credential-process", build.GrantedBinaryName())) {
						fmt.Printf("Removing profile %s AWS config file\n", profileName)
						configFile.DeleteSection(sectionName)
					}
				}
			}
		}
		err = configFile.SaveTo(configPath)
		if err != nil {
			return err
		}
		fmt.Printf("Cleared credentials from secure storage\n")
		return nil
	},
}
View Source
var RotateCredentialsCommand = cli.Command{
	Name:  "rotate",
	Usage: "Generates new access key for the profile in AWS, and updates the profile",
	Flags: []cli.Flag{
		&cli.StringFlag{Name: "profile", Usage: "If provided, generates new access key for the specified profile"},
		&cli.BoolFlag{Name: "delete", Usage: "delete the previous active key"},
	},
	Action: func(c *cli.Context) error {
		profileName := c.String("profile")

		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()

		if profileName == "" {
			profileNames, err := secureIAMCredentialStorage.SecureStorage.ListKeys()
			if err != nil {
				return err
			}
			if len(profileNames) == 0 {
				fmt.Println("No credentials in secure storage")
				return nil
			}
			in := survey.Select{Message: "Profile Name:", Options: profileNames}
			err = testable.AskOne(&in, &profileName)
			if err != nil {
				return err
			}
		}

		has, err := secureIAMCredentialStorage.SecureStorage.HasKey(profileName)
		if err != nil {
			return err
		}
		if !has {
			return fmt.Errorf("no credentials exist for %s in secure storage. If you wanted to add a new profile, run '%s credentials add'", profileName, build.GrantedBinaryName())
		}

		var t aws.Credentials
		err = secureIAMCredentialStorage.SecureStorage.Retrieve(profileName, &t)
		if err != nil {
			return err
		}

		opts := []func(*config.LoadOptions) error{

			config.WithSharedConfigProfile(profileName),
		}

		cfg, err := config.LoadDefaultConfig(c.Context, opts...)
		if err != nil {
			return err
		}

		iamClient := iam.NewFromConfig(cfg)

		res, err := iamClient.CreateAccessKey(c.Context, &iam.CreateAccessKeyInput{})
		if err != nil {
			return err
		}

		err = secureIAMCredentialStorage.StoreCredentials(profileName, aws.Credentials{AccessKeyID: *res.AccessKey.AccessKeyId, SecretAccessKey: *res.AccessKey.SecretAccessKey})
		if err != nil {
			return err
		}

		_, err = iamClient.UpdateAccessKey(c.Context, &iam.UpdateAccessKeyInput{AccessKeyId: &t.AccessKeyID, Status: "Inactive"})
		if err != nil {
			return err
		}

		if c.Bool("delete") {
			_, err = iamClient.DeleteAccessKey(c.Context, &iam.DeleteAccessKeyInput{AccessKeyId: &t.AccessKeyID})
			if err != nil {
				return err
			}
		}

		clio.Successf("Access Key of '%s' profile has been successfully rotated and updated in secure storage\n", profileName)

		return nil
	},
}
View Source
var SSOCommand = cli.Command{
	Name:        "sso",
	Usage:       "Manage your local AWS configuration file from information available in AWS SSO",
	Subcommands: []*cli.Command{&GenerateCommand, &PopulateCommand, &LoginCommand},
}
View Source
var SSOTokensCommand = cli.Command{
	Name:        "sso-tokens",
	Usage:       "Manage AWS SSO tokens",
	Subcommands: []*cli.Command{&ListSSOTokensCommand, &ClearSSOTokensCommand, &TokenExpiryCommand},
	Action:      ListSSOTokensCommand.Action,
}
View Source
var SetBrowserCommand = cli.Command{
	Name:  "set",
	Usage: "Change the web browser that Granted uses to open cloud consoles",
	Flags: []cli.Flag{&cli.StringFlag{Name: "browser", Aliases: []string{"b"}, Usage: "Specify a default browser without prompts, e.g `-b firefox`, `-b chrome`"},
		&cli.StringFlag{Name: "path", Aliases: []string{"p"}, Usage: "Specify a path to the browser without prompts, requires -browser to be provided"}},
	Action: func(c *cli.Context) (err error) {
		outcome := c.String("browser")
		path := c.String("path")

		if outcome == "" {
			if path != "" {
				clio.Info("-path flag must be used with -browser flag, provided path will be ignored")
			}
			outcome, err = browser.HandleManualBrowserSelection()
			if err != nil {
				return err
			}
		}

		return browser.ConfigureBrowserSelection(outcome, path)
	},
}
View Source
var SetSSOBrowserCommand = cli.Command{
	Name:  "set-sso",
	Usage: "Change the web browser that Granted uses to sso flows",
	Flags: []cli.Flag{&cli.StringFlag{Name: "browser", Aliases: []string{"b"}, Usage: "Specify a default browser without prompts, e.g `-b firefox`, `-b chrome`"},
		&cli.StringFlag{Name: "path", Aliases: []string{"p"}, Usage: "Specify a path to the browser without prompts, requires -browser to be provided"}},
	Action: func(c *cli.Context) (err error) {
		outcome := c.String("browser")
		path := c.String("path")

		conf, err := config.Load()
		if err != nil {
			return err
		}
		var browserPath string

		if outcome == "" {
			if path != "" {
				clio.Info("-path flag must be used with -browser flag, provided path will be ignored")
			}
			customBrowserPath, err := browser.AskAndGetBrowserPath()
			if err != nil {
				return err
			}
			browserPath = customBrowserPath

		}

		conf.CustomSSOBrowserPath = browserPath
		err = conf.Save()
		if err != nil {
			return err
		}
		clio.Successf("Granted will default to using %s for SSO flows.", browserPath)
		return nil
	},
}
View Source
var TokenCommand = cli.Command{
	Name:  "token",
	Usage: "Deprecated: Use 'sso-tokens' instead",
	Action: func(ctx *cli.Context) error {
		fmt.Println("The 'token' command has been deprecated and will be removed in a future release, it has been renamed to 'sso-tokens'")
		return SSOTokensCommand.Run(ctx)
	},
}

TokenCommand has been deprecated in favour of 'sso-tokens' @TODO: remove this when suitable after deprecation

View Source
var TokenExpiryCommand = cli.Command{
	Name:  "expiry",
	Usage: "Lists expiry status for all access tokens saved in the keyring",
	Flags: []cli.Flag{&cli.StringFlag{Name: "url", Usage: "If provided, prints the expiry of the token for the specific SSO URL"},
		&cli.BoolFlag{Name: "json", Usage: "If provided, prints the expiry of the tokens in JSON"}},
	Action: func(c *cli.Context) error {
		url := c.String("url")
		ctx := c.Context

		secureSSOTokenStorage := securestorage.NewSecureSSOTokenStorage()

		if url != "" {
			token := secureSSOTokenStorage.GetValidSSOToken(ctx, url)

			var expiry string
			if token == nil {
				return errors.New("SSO token is expired")
			}
			expiry = token.Expiry.Local().Format(time.RFC3339)
			fmt.Println(expiry)

			return nil
		}

		startUrlMap, err := MapTokens(ctx)
		if err != nil {
			return err
		}

		var max int
		for k := range startUrlMap {
			if len(k) > max {
				max = len(k)
			}
		}

		keys, err := secureSSOTokenStorage.SecureStorage.ListKeys()
		if err != nil {
			return err
		}

		jsonflag := c.Bool("json")

		type sso_expiry struct {
			StartURLs string `json:"start_urls"`
			ExpiresAt string `json:"expires_at"`
			IsExpired bool   `json:"is_expired"`
		}

		var jsonDataArray []sso_expiry

		for _, key := range keys {
			token := secureSSOTokenStorage.GetValidSSOToken(ctx, key)

			var expiry string
			if token == nil {
				expiry = "EXPIRED"
			} else {
				expiry = token.Expiry.Local().Format(time.RFC3339)
			}
			if jsonflag {
				sso_expiry_data := sso_expiry{
					StartURLs: key,
					ExpiresAt: expiry,
					IsExpired: expiry == "EXPIRED",
				}
				jsonDataArray = append(jsonDataArray, sso_expiry_data)
			} else {
				clio.Logf("%-*s (%s) expires at: %s", max, key, strings.Join(startUrlMap[key], ", "), expiry)
			}
		}

		if jsonflag {
			jsonData, err := json.Marshal(jsonDataArray)
			if err != nil {
				return err
			}
			fmt.Println(string(jsonData))
		}

		return nil
	},
}
View Source
var UninstallCommand = cli.Command{
	Name:  "uninstall",
	Usage: "Remove all Granted configuration",
	Action: func(c *cli.Context) error {
		withStdio := survey.WithStdio(os.Stdin, os.Stderr, os.Stderr)
		in := &survey.Confirm{
			Message: "Are you sure you want to remove your Granted config?",
			Default: true,
		}
		var confirm bool
		err := survey.AskOne(in, &confirm, withStdio)
		if err != nil {
			return err
		}
		if confirm {

			err = alias.UninstallDefaultShellAlias()
			if err != nil {
				clio.Error(err.Error())
			}
			grantedFolder, err := config.GrantedFolders()
			if err != nil {
				return err
			}

			for _, dir := range grantedFolder {
				err = os.RemoveAll(dir)
				if err != nil {
					return err
				}

				clio.Successf("Removed Granted config folder %s", dir)
			}
		}
		return nil
	},
}
View Source
var UpdateCredentialsCommand = cli.Command{
	Name:      "update",
	Usage:     "Update existing credentials in secure storage",
	ArgsUsage: "[<profile>]",
	Action: func(c *cli.Context) error {
		profileName := c.Args().First()
		secureIAMCredentialStorage := securestorage.NewSecureIAMCredentialStorage()

		if profileName == "" {
			profileNames, err := secureIAMCredentialStorage.SecureStorage.ListKeys()
			if err != nil {
				return err
			}
			if profileName == "" && len(profileNames) == 0 {
				fmt.Println("No credentials in secure storage")
				return nil
			}
			in := survey.Select{Message: "Profile Name:", Options: profileNames}
			err = testable.AskOne(&in, &profileName)
			if err != nil {
				return err
			}
		}

		has, err := secureIAMCredentialStorage.SecureStorage.HasKey(profileName)
		if err != nil {
			return err
		}
		if !has {
			return fmt.Errorf("no credentials exist for %s in secure storage. If you wanted to add a new profile, run '%s credentials add'", profileName, build.GrantedBinaryName())
		}

		credentials, err := promptCredentials()
		if err != nil {
			return err
		}
		err = secureIAMCredentialStorage.StoreCredentials(profileName, credentials)
		if err != nil {
			return err
		}

		fmt.Printf("Updated %s in secure storage\n", profileName)

		return nil
	},
}

Functions

func GetCliApp

func GetCliApp() *cli.App

func HandleChromeExtensionCall added in v0.35.0

func HandleChromeExtensionCall(c *cli.Context) error

func MapTokens added in v0.1.8

func MapTokens(ctx context.Context) (map[string][]string, error)

Types

type AWSSSOSource added in v0.8.0

type AWSSSOSource struct {
	SSORegion string
	StartURL  string
	SSOScopes []string
}

func (AWSSSOSource) GetProfiles added in v0.8.0

func (s AWSSSOSource) GetProfiles(ctx context.Context) ([]awsconfigfile.SSOProfile, error)

type AutoCompleteTemplateData added in v0.2.1

type AutoCompleteTemplateData struct {
	Program string
}

Directories

Path Synopsis
Package awsmerge contains logic to merge multiple AWS config files together.
Package awsmerge contains logic to merge multiple AWS config files together.
exp
Package exp holds experimental commands.
Package exp holds experimental commands.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL