From 74ce7fdbee071c28c77fd148d4ba02515f272d10 Mon Sep 17 00:00:00 2001
From: Harry Hodge
Date: Mon, 20 Mar 2023 20:56:12 +0000
Subject: [PATCH] feat(aws): Adds support for AWS_CREDENTIAL_EXPIRATION environment variable (#5002)

feat(aws): supports AWS_CREDENTIAL_EXPIRATION environment variable Adds support for the AWS_CREDENTIAL_EXPIRATION environment variable which was adopted as the standard way to set the expiration for temporary credentials. The existing AWS_SESSION_EXPIRATION environment variable is not dropped for backwards compatibility. See https://github.com/aws/aws-cli/pull/7398
---
 .github/config-schema.json | 2 +-
 src/configs/aws.rs | 3 ++-
 src/modules/aws.rs | 50 ++++++++++++++++++++++----------------
 3 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/.github/config-schema.json b/.github/config-schema.json
index fcd128c4f..cf03dce7b 100644
--- a/.github/config-schema.json
+++ b/.github/config-schema.json
@@ -1775,7 +1775,7 @@ "definitions": { "AwsConfig": { "title": "AWS", - "description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` env var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.", + "description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. 
If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION` var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.", "type": "object", "properties": { "format": {
diff --git a/src/configs/aws.rs b/src/configs/aws.rs
index 45b06f870..92e981d4d 100644
--- a/src/configs/aws.rs
+++ b/src/configs/aws.rs
@@ -18,7 +18,8 @@ use std::collections::HashMap;
 ///
 /// When using [aws-vault](https://github.com/99designs/aws-vault) the profile
 /// is read from the `AWS_VAULT` env var and the credentials expiration date
-/// is read from the `AWS_SESSION_EXPIRATION` env var.
+/// is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION`
+/// var.
 ///
 /// When using [awsu](https://github.com/kreuzwerker/awsu) the profile
 /// is read from the `AWSU_PROFILE` env var.
diff --git a/src/modules/aws.rs b/src/modules/aws.rs
index ec21408e3..c9400d96f 100644
--- a/src/modules/aws.rs
+++ b/src/modules/aws.rs
@@ -121,7 +121,11 @@ fn get_credentials_duration(
 aws_profile: Option<&Profile>,
 aws_creds: &AwsCredsFile,
 ) -> Option {
- let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWSUME_EXPIRATION"];
+ let expiration_env_vars = [
+ "AWS_CREDENTIAL_EXPIRATION",
+ "AWS_SESSION_EXPIRATION",
+ "AWSUME_EXPIRATION",
+ ];
 let expiration_date = if let Some(expiration_date) = expiration_env_vars
 .iter()
 .find_map(|env_var| context.get_env(env_var))
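Review bot: The order of `expiration_env_vars` in `get_credentials_duration` is now the precedence, because `find_map` returns the first variable that `context.get_env` reports as set, yet neither this hunk nor the updated doc comment in `src/configs/aws.rs` says that `AWS_CREDENTIAL_EXPIRATION` overrides `AWS_SESSION_EXPIRATION` and `AWSUME_EXPIRATION`. A shell that inherits a stale value in one variable and a fresh value in another would show a timer that may not match the credentials actually in use, and the timer is what the user relies on to judge whether temporary credentials are still live. I would add `// Order is precedence: the first variable that is set wins.` above the array and state the same order in the doc comment. The value is parsed after the end of the hunk, so whether an empty or malformed first variable hides a valid later one cannot be told from here and is worth checking. The function body continues outside the hunk.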
@@ -636,28 +640,32 @@ credential_process = /opt/bin/awscreds-retriever
 fn expiration_date_set() {
 use chrono::{DateTime, NaiveDateTime, SecondsFormat, Utc};
 
- let now_plus_half_hour: DateTime = chrono::DateTime::from_utc(
- NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0).unwrap(),
- Utc,
- );
+ let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWS_CREDENTIAL_EXPIRATION"];
+ expiration_env_vars.iter().for_each(|env_var| {
+ let now_plus_half_hour: DateTime = chrono::DateTime::from_utc(
+ NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0)
+ .unwrap(),
+ Utc,
+ );
 
- let actual = ModuleRenderer::new("aws")
- .env("AWS_PROFILE", "astronauts")
- .env("AWS_REGION", "ap-northeast-2")
- .env("AWS_ACCESS_KEY_ID", "dummy")
- .env(
- "AWS_SESSION_EXPIRATION",
- now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true),
- )
- .collect();
- let expected = Some(format!(
- "on {}",
- Color::Yellow
- .bold()
- .paint("☁️ astronauts (ap-northeast-2) [30m] ")
- ));
+ let actual = ModuleRenderer::new("aws")
+ .env("AWS_PROFILE", "astronauts")
+ .env("AWS_REGION", "ap-northeast-2")
+ .env("AWS_ACCESS_KEY_ID", "dummy")
+ .env(
+ env_var,
+ now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true),
+ )
+ .collect();
+ let expected = Some(format!(
+ "on {}",
+ Color::Yellow
+ .bold()
+ .paint("☁️ astronauts (ap-northeast-2) [30m] ")
+ ));
 
- assert_eq!(expected, actual);
+ assert_eq!(expected, actual);
+ });
 }
 
 #[test]
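Review bot: The loop in `expiration_date_set` sets only one variable per iteration, so no test pins which value is shown when `AWS_CREDENTIAL_EXPIRATION` and `AWS_SESSION_EXPIRATION` are both set and disagree; a case that gives the two variables different offsets and expects the timer of the first entry in the production array would cover the precedence this commit introduces. The `assert_eq!` inside the closure also does not name the variable under test, so a failure does not say which iteration broke: `assert_eq!(expected, actual, "{env_var}");`. A plain `for env_var in expiration_env_vars` would read more directly than `.iter().for_each` with a block closure.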