Netflix · castrapel · Oct 16, 2020 · Oct 16, 2020 · Oct 16, 2020 · Oct 16, 2020
diff --git a/README.md b/README.md
@@ -106,6 +106,27 @@ weep file exampleRole -o /tmp/credentials
 
 Weep will do its best to preserve existing credentials in the file (but it will overwrite a conflicting profile name, so be careful!).
 
+### Credentials Process
+The AWS CLI can source credentials from weep using the `credential_process` configuration which can be defined for a
+profile in the `~/.aws/config` file. Read more about this process [here](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html).
+
+Here's an example of an `~/.aws/config` file:
+
+```bash
+[profile role1]
+credential_process = /path/to/weep credential_process role1
+
+[profile role2]
+credential_process = /path/to/weep credential_process role2
+```
+
+To use the credential process, you would invoke the AWS CLI with the `AWS_PROFILE` environment variable set  to the
+profile you wanted to use. Example:
+
+```bash
+AWS_PROFILE=role1 aws s3 ls
+```
+
 ## Building
 
 In most cases, `weep` can be built by running the `make` command in the repository root. `make release` (requires

diff --git a/cmd/credential_process.go b/cmd/credential_process.go
@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/netflix/weep/consoleme"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"time"
+)
+
+func init() {
+	CredentialProcessCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
+	rootCmd.AddCommand(CredentialProcessCmd)
+}
+
+var CredentialProcessCmd = &cobra.Command{
+	Use:   "credential_process [role_name]",
+	Short: "Retrieve credentials and writes them in credential_process format",
+	Args:  cobra.ExactArgs(1),
+	RunE:  runCredentialProcess,
+}
+
+func runCredentialProcess(cmd *cobra.Command, args []string) error {
+	role = args[0]
+	client, err := consoleme.GetClient()
+	if err != nil {
+		return err
+	}
+	creds, err := client.GetRoleCredentials(role, noIpRestrict)
+	if err != nil {
+		return err
+	}
+	printCredentialProcess(creds)
+	return nil
+}
+
+func printCredentialProcess(creds consoleme.AwsCredentials) {
+	expirationTimeFormat := time.Unix(creds.Expiration, 0).Format(time.RFC3339)
+
+	credentialProcessOutput := &consoleme.CredentialProcess{
+		Version:         1,
+		AccessKeyId:     creds.AccessKeyId,
+		SecretAccessKey: creds.SecretAccessKey,
+		SessionToken:    creds.SessionToken,
+		Expiration:      expirationTimeFormat,
+	}
+
+	b, err := json.Marshal(credentialProcessOutput)
+	if err != nil {
+		log.Error(err)
+	}
+	fmt.Printf(string(b))
+}
diff --git a/cmd/export.go b/cmd/export.go
@@ -8,13 +8,8 @@ import (
 	"strings"
 )
 
-var (
-	exportRole         string
-	exportNoIPRestrict bool
-)
-
 func init() {
-	exportCmd.PersistentFlags().BoolVarP(&exportNoIPRestrict, "no-ip", "n", false, "remove IP restrictions")
+	exportCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
 	rootCmd.AddCommand(exportCmd)
 }
 
@@ -26,12 +21,12 @@ var exportCmd = &cobra.Command{
 }
 
 func runExport(cmd *cobra.Command, args []string) error {
-	exportRole = args[0]
+	role = args[0]
 	client, err := consoleme.GetClient()
 	if err != nil {
 		return err
 	}
-	creds, err := client.GetRoleCredentials(exportRole, exportNoIPRestrict)
+	creds, err := client.GetRoleCredentials(role, noIpRestrict)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/file.go b/cmd/file.go
@@ -11,17 +11,10 @@ import (
 	"path"
 )
 
-var (
-	fileDestination  string
-	fileNoIPRestrict bool
-	fileProfileName  string
-	fileRole         string
-)
-
 func init() {
-	fileCmd.PersistentFlags().BoolVarP(&fileNoIPRestrict, "no-ip", "n", false, "remove IP restrictions")
-	fileCmd.PersistentFlags().StringVarP(&fileDestination, "output", "o", getDefaultCredentialsFile(), "output file for credentials")
-	fileCmd.PersistentFlags().StringVarP(&fileProfileName, "profile", "p", "consoleme", "profile name")
+	fileCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
+	fileCmd.PersistentFlags().StringVarP(&destination, "output", "o", getDefaultCredentialsFile(), "output file for credentials")
+	fileCmd.PersistentFlags().StringVarP(&profileName, "profile", "p", "consoleme", "profile name")
 	rootCmd.AddCommand(fileCmd)
 }
 
@@ -33,12 +26,12 @@ var fileCmd = &cobra.Command{
 }
 
 func runFile(cmd *cobra.Command, args []string) error {
-	fileRole = args[0]
+	role = args[0]
 	client, err := consoleme.GetClient()
 	if err != nil {
 		return err
 	}
-	credentials, err := client.GetRoleCredentials(fileRole, fileNoIPRestrict)
+	credentials, err := client.GetRoleCredentials(role, noIpRestrict)
 	if err != nil {
 		return err
 	}
@@ -66,19 +59,19 @@ func writeCredentialsFile(credentials consoleme.AwsCredentials) error {
 	ini.PrettyFormat = false
 	ini.PrettyEqual = true
 
-	if util.FileExists(fileDestination) {
-		credentialsINI, err = ini.Load(fileDestination)
+	if util.FileExists(destination) {
+		credentialsINI, err = ini.Load(destination)
 		if err != nil {
 			return err
 		}
 	} else {
 		credentialsINI = ini.Empty()
 	}
 
-	credentialsINI.Section(fileProfileName).Key("aws_access_key_id").SetValue(credentials.AccessKeyId)
-	credentialsINI.Section(fileProfileName).Key("aws_secret_access_key").SetValue(credentials.SecretAccessKey)
-	credentialsINI.Section(fileProfileName).Key("aws_session_token").SetValue(credentials.SessionToken)
-	err = credentialsINI.SaveTo(fileDestination)
+	credentialsINI.Section(profileName).Key("aws_access_key_id").SetValue(credentials.AccessKeyId)
+	credentialsINI.Section(profileName).Key("aws_secret_access_key").SetValue(credentials.SecretAccessKey)
+	credentialsINI.Section(profileName).Key("aws_session_token").SetValue(credentials.SessionToken)
+	err = credentialsINI.SaveTo(destination)
 	if err != nil {
 		return err
 	}

diff --git a/cmd/metadata.go b/cmd/metadata.go
@@ -15,13 +15,6 @@ import (
 	"syscall"
 )
 
-var (
-	metadataRole       string
-	metadataRegion     string
-	metadataListenAddr string
-	metadataListenPort int
-)
-
 func init() {
 	metadataCmd.PersistentFlags().StringVarP(&metadataRegion, "region", "r", "us-east-1", "region of metadata service")
 	metadataCmd.PersistentFlags().StringVarP(&metadataListenAddr, "listen-address", "a", "127.0.0.1", "IP address for metadata service to listen on")
@@ -37,8 +30,8 @@ var metadataCmd = &cobra.Command{
 }
 
 func runMetadata(cmd *cobra.Command, args []string) error {
-	metadataRole = args[0]
-	metadata.Role = metadataRole
+	role = args[0]
+	metadata.Role = role
 	metadata.MetadataRegion = metadataRegion
 	client, err := consoleme.GetClient()
 	if err != nil {

diff --git a/cmd/root.go b/cmd/root.go
@@ -14,10 +14,6 @@ import (
 )
 
 var (
-	cfgFile   string
-	logLevel  string
-	logFormat string
-
 	rootCmd = &cobra.Command{
 		Use:   "weep",
 		Short: "weep helps you get the most out of ConsoleMe credentials",

diff --git a/cmd/vars.go b/cmd/vars.go
@@ -0,0 +1,14 @@
+package cmd
+
+var (
+	role        string
+	profileName string
+	destination string
+	noIpRestrict bool
+	metadataRegion string
+	metadataListenAddr string
+	metadataListenPort int
+	cfgFile   string
+	logLevel  string
+	logFormat string
+)
diff --git a/consoleme/types.go b/consoleme/types.go
@@ -7,6 +7,14 @@ type AwsCredentials struct {
 	Expiration      int64  `json:"Expiration"`
 }
 
+type CredentialProcess struct {
+	Version         int    `json:"Version"`
+	AccessKeyId     string `json:"AccessKeyId"`
+	SecretAccessKey string `json:"SecretAccessKey"`
+	SessionToken    string `json:"SessionToken"`
+	Expiration      string `json:"Expiration"`
+}
+
 type ConsolemeCredentialResponseType struct {
 	Credentials AwsCredentials `json:"Credentials"`
 }
@@ -23,5 +31,3 @@ type ConsolemeCredentialErrorMessageType struct {
 	Exception     string `json:"exception"`
 	RequestID     string `json:"request_id"`
 }
-
-
diff --git a/go.sum b/go.sum
@@ -353,8 +353,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.60.0 h1:P5ZzC7RJO04094NJYlEnBdFK2wwmnCAy/+7sAzvWs60=
-gopkg.in/ini.v1 v1.60.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=