Refactor credential provider

Make it easier to use credentials in AWS config.

Author: wjordan

README.md

@@ -65,28 +65,18 @@ role_credentials = Aws::Google.new(
 puts Aws::STS::Client.new(credentials: role_credentials).get_caller_identity
 ```
 
-- Or, set `Aws::Google.config` hash to add Google auth to the default credential provider chain:
-
-```ruby
-Aws::Google.config = {
-  role_arn: aws_role,
-  google_client_id: client_id,
-  google_client_secret: client_secret,
-}
-
-puts Aws::STS::Client.new.get_caller_identity
+- Or, add the properties to your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to use Google as the AWS credential provider without any changes to your application code:
+
+```ini
+[my_profile]
+google =
+    role_arn = arn:aws:iam::[AccountID]:role/[Role]
+    client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
+    client_secret = 01234567890abcdefghijklmn
+credential_process = aws-google
 ```
 
-- Or, set `credential_process` in your AWS config profile ([`~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-where)) to `aws-google` to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) without any change to your application code:
-
-```
-[profile my_google]
-credential_process = aws-google --profile my_google
-aws_role = arn:aws:iam::[AccountID]:role/[Role]
-google_client_id = 123456789012-abcdefghijklmnopqrstuvwzyz0123456.apps.googleusercontent.com
-google_client_secret = 01234567890abcdefghijklmn
-
-```
+The extra `credential_process` config line tells AWS to [Source Credentials with an External Process](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html), in this case the `aws-google` script, which allows you to seamlessly use the same Google login configuration from non-Ruby SDKs (like the CLI).
 
 ## Development
 

exe/aws-google

@@ -6,61 +6,8 @@
 require 'aws/google'
 require 'time'
 require 'json'
-require 'optparse'
 
-def error(msg)
-  puts msg
-  exit 1
-end
-
-options = {}
-OptionParser.new do |opts|
-  opts.on('-p PROFILE', '--profile PROFILE', 'Profile') do |p|
-    options[:profile] = p
-  end
-  opts.on('-v', '--version', 'Version') do
-    require 'aws/google/version'
-    puts Aws::Google::VERSION
-    exit 0
-  end
-  opts.on('-r ROLE', '--role ROLE', 'AWS Role arn') do |r|
-    options[:role_arn] = r
-  end
-  opts.on('-i ID', '--client-id ID', 'Google Client ID') do |id|
-    options[:google_client_id] = id
-  end
-  opts.on('-s SECRET', '--client-secret SECRET', 'Google Client Secret') do |secret|
-    options[:google_client_secret] = secret
-  end
-  opts.on('-h DOMAIN', '--domain DOMAIN', 'Google Domain') do |hd|
-    options[:domain] = hd
-  end
-  opts.on('-d DURATION', '--duration DURATION', 'Duration in seconds') do |d|
-    options[:duration_seconds] = d.to_i
-  end
-  opts.on('--port PORT', 'Port number for local server') do |p|
-    options[:port] = p.to_i
-  end
-  opts.on('--online', 'Online authentication, no refresh token') do |o|
-    options[:online] = true
-  end
-end.parse!
-
-config = Aws.shared_config
-profile = options[:profile] || ENV['AWS_PROFILE'] || 'default'
-
-options[:role_arn] ||= config.get('aws_role', profile: profile) ||
-                   error('Missing config: aws_role')
-options[:google_client_id] ||= config.get('google_client_id', profile: profile) ||
-                        error('Missing config: google_client_id')
-options[:google_client_secret] ||= config.get('google_client_secret', profile: profile) ||
-                            error('Missing config: google_client_secret')
-
-# Cache temporary-session credentials in a separately-named profile.
-# Stored credentials take priority over credential_process,
-# so they would never be refreshed if stored in the same profile.
-options[:profile] += '_session'
-google = Aws::Google.new(options)
+google = ::Aws::CredentialProviderChain.new.resolve
 credentials = google.credentials
 output = {
   Version: 1,
@@ -69,5 +16,4 @@ output = {
   SessionToken: credentials.session_token,
   Expiration: Time.at(google.expiration.to_i).iso8601
 }
-require 'json'
 puts output.to_json

lib/aws/google.rb

@@ -1,6 +1,7 @@
 require_relative 'google/version'
 require 'aws-sdk-core'
 require_relative 'google/credential_provider'
+require_relative 'google/cached_credentials'
 
 require 'googleauth'
 require 'google/api_client/auth/storage'
@@ -23,7 +24,7 @@ module Aws
   # constructed.
   class Google
     include ::Aws::CredentialProvider
-    include ::Aws::RefreshingCredentials
+    include ::Aws::Google::CachedCredentials
 
     class << self
       attr_accessor :config
@@ -34,40 +35,29 @@ class << self
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client STS::Client to use (default: create new client)
-    # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
     # @option options [String] :domain G Suite domain for account-selection hint
     # @option options [String] :online if `true` only a temporary access token will be provided,
     #                 a long-lived refresh token will not be created and stored on the filesystem.
     # @option options [String] :port port for local server to listen on to capture oauth browser redirect.
     #                 Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
-    # @option options [::Google::Auth::ClientId] :google_id
+    # @option options [String] :client_id Google client ID
+    # @option options [String] :client_secret Google client secret
     def initialize(options = {})
       @oauth_attempted = false
       @assume_role_params = options.slice(
         *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
           input.shape.member_names
       )
 
-      @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
       @google_id = ::Google::Auth::ClientId.new(
-        options[:google_client_id],
-        options[:google_client_secret]
+        options[:client_id],
+        options[:client_secret]
       )
       @client = options[:client] || Aws::STS::Client.new(credentials: nil)
       @domain = options[:domain]
       @online = options[:online]
       @port = options[:port] || 1234
-
-      # Use existing AWS credentials stored in the shared config if available.
-      # If this is `nil` or expired, #refresh will be called on the first AWS API service call
-      # to generate AWS credentials derived from Google authentication.
-      @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
-      @mutex = Mutex.new
-      if near_expiration?
-        refresh!
-      else
-        @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
-      end
+      super
     end
 
     private
@@ -199,35 +189,8 @@ def refresh
         c.session_token
       )
       @expiration = c.expiration.to_i
-      write_credentials
-    end
-
-    # Write credentials and expiration to AWS credentials file.
-    def write_credentials
-      # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
-      return unless system('which aws >/dev/null 2>&1')
-      %w[
-        access_key_id
-        secret_access_key
-        session_token
-      ].map {|x| ["aws_#{x}", @credentials.send(x)]}.
-        to_h.
-        merge(expiration: @expiration).each do |key, value|
-        system("aws configure set #{key} #{value} --profile #{@profile}")
-      end
-    end
-  end
-
-  # Patch Aws::SharedConfig to allow fetching arbitrary keys from the shared config.
-  module SharedConfigGetKey
-    def get(key, opts = {})
-      profile = opts.delete(:profile) || @profile_name
-      if @parsed_config && (prof_config = @parsed_config[profile])
-        prof_config[key]
-      end
     end
   end
-  Aws::SharedConfig.prepend SharedConfigGetKey
 
   # Extend ::Google::APIClient::Storage to write {type: 'authorized_user'} to credentials,
   # as required by Google's default credentials loader.

lib/aws/google/cached_credentials.rb

@@ -0,0 +1,47 @@
+module Aws
+  class Google
+    Aws::SharedConfig.config_reader :expiration
+
+    # Mixin module extending `RefreshingCredentials` that caches temporary credentials
+    # in the credentials file, so a single session can be reused across multiple processes.
+    # The temporary credentials are saved to a separate profile with a '_session' suffix.
+    module CachedCredentials
+      include RefreshingCredentials
+
+      # @option options [String] :profile AWS Profile to store temporary credentials (default `default`)
+      def initialize(options = {})
+        # Use existing AWS credentials stored in the shared session config if available.
+        # If this is `nil` or expired, #refresh will be called on the first AWS API service call
+        # to generate AWS credentials derived from Google authentication.
+        @mutex = Mutex.new
+
+        @profile = options[:profile] || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+        @session_profile = @profile + '_session'
+        @expiration = Aws.shared_config.expiration(profile: @session_profile) rescue nil
+        @credentials = Aws.shared_config.credentials(profile: @session_profile) rescue nil
+        refresh_if_near_expiration
+      end
+
+      def refresh_if_near_expiration
+        if near_expiration?
+          @mutex.synchronize do
+            if near_expiration?
+              refresh
+              write_credentials
+            end
+          end
+        end
+      end
+
+      # Write credentials and expiration to AWS credentials file.
+      def write_credentials
+        # AWS CLI is needed because writing AWS credentials is not supported by the AWS Ruby SDK.
+        return unless system('which aws >/dev/null 2>&1')
+        Aws::SharedCredentials::KEY_MAP.transform_values(&@credentials.method(:send)).
+          merge(expiration: @expiration).each do |key, value|
+          system("aws configure set #{key} #{value} --profile #{@session_profile}")
+        end
+      end
+    end
+  end
+end

lib/aws/google/credential_provider.rb

@@ -3,16 +3,34 @@ class Google
     # Inserts GoogleCredentials into the default AWS credential provider chain.
     # Google credentials will only be used if Aws::Google.config is set before initialization.
     module CredentialProvider
-      # Insert google_credentials as the second-to-last credentials provider
-      # (in front of instance profile, which makes an http request).
+      # Insert google_credentials as the third-to-last credentials provider
+      # (in front of process credentials and instance_profile credentials).
       def providers
-        super.insert(-2, [:google_credentials, {}])
+        super.insert(-3, [:google_credentials, {}])
       end
 
       def google_credentials(options)
-        (config = Google.config) && Google.new(options.merge(config))
+        profile_name = determine_profile_name(options)
+        if Aws.shared_config.config_enabled?
+          Aws.shared_config.google_credentials_from_config(profile: profile_name)
+        end
+      rescue Errors::NoSuchProfileError
+        nil
       end
     end
     ::Aws::CredentialProviderChain.prepend CredentialProvider
+
+    module GoogleSharedCredentials
+      def google_credentials_from_config(opts = {})
+        p = opts[:profile] || @profile_name
+        if @config_enabled && @parsed_config
+          entry = @parsed_config.fetch(p, {})
+          if (google_opts = entry['google'])
+            Google.new(google_opts.transform_keys(&:to_sym))
+          end
+        end
+      end
+    end
+    ::Aws::SharedConfig.prepend GoogleSharedCredentials
   end
 end