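# PKòr‡G}²ÄßBBberry/__main__.py
import berry.cli

if __name__ == '__main__':
    berry.cli.main()

# PKór‡G>yu|berry/__init__.py
__version__ = '1.0.8'

# PKòr‡GÙ1ƒnn berry/cli.py
#!/usr/bin/env python3
import argparse
import boto.exception
import boto.s3
import boto.utils
import json
import logging
import os
import yaml
import time


class UsageError(Exception):
    """Invocation or configuration problem; main() logs it instead of letting it propagate."""

    def __init__(self, msg):
        super(UsageError, self).__init__(msg)
        self.msg = msg

    def __str__(self):
        return 'Usage Error: {}'.format(self.msg)


def lookup_aws_credentials(application_id, path):
    """Look up the AWS key pair for ``application_id`` in a colon-separated file.

    Every line that does not start with ``#`` is split on ``:`` and read as
    ``<application_id>:<access_key_id>:<secret_access_key>``.

    Returns the ``(access_key_id, secret_access_key)`` pair of the first
    matching line, or ``(None, None)`` when no usable line matches.
    """
    with open(path) as fd:
        for line in fd:
            line = line.strip()
            if line.startswith('#'):
                continue
            parts = line.split(':')
            # A matching line with fewer than three fields is skipped rather than
            # raising IndexError. The line itself is never logged: it holds a secret.
            if len(parts) >= 3 and parts[0] == application_id:
                return parts[1], parts[2]
    return None, None


def use_aws_credentials(application_id, path):
    """Export the key pair found for ``application_id`` in ``path`` to the process environment.

    Raises UsageError when the file holds no entry for the application.
    """
    access_key_id, secret_access_key = lookup_aws_credentials(application_id, path)
    if not access_key_id:
        raise UsageError('No AWS credentials found for application "{}" in {}'.format(application_id, path))
    # NOTE: values placed in os.environ are inherited by any child process
    # started afterwards.
    os.environ['AWS_ACCESS_KEY_ID'] = access_key_id
    os.environ['AWS_SECRET_ACCESS_KEY'] = secret_access_key


def _load_config(path):
    """Return the settings mapping stored in the YAML file at ``path``, or {} if it is unusable."""
    try:
        with open(path) as fd:
            # safe_load only builds plain YAML types. yaml.load() without an
            # explicit Loader can construct arbitrary Python objects from tagged
            # input, and newer PyYAML releases require the Loader argument.
            config = yaml.safe_load(fd)
    except Exception as e:
        logging.warning('Could not load configuration from {}: {}'.format(path, e))
        return {}
    # An empty file parses to None and a scalar/list document has no .get();
    # both are treated as "no settings".
    return config if isinstance(config, dict) else {}


def run_berry(args):
    """Download the ``user`` and ``client`` credential files from the mint S3 bucket.

    ``args`` is the namespace produced by main(). Command line values win over
    the YAML configuration file. The files are fetched once when ``args.once``
    is set, otherwise every ``args.interval`` seconds, and a local file is only
    replaced when the downloaded JSON differs from what is on disk.

    Raises UsageError when the application ID or the mint bucket is not configured.
    """
    config = _load_config(args.config_file)

    application_id = args.application_id or config.get('application_id')
    mint_bucket = args.mint_bucket or config.get('mint_bucket')
    local_directory = args.local_directory

    if not application_id:
        raise UsageError('Application ID missing, please set "application_id" in your configuration YAML')

    if not mint_bucket:
        raise UsageError('Mint Bucket is not configured, please set "mint_bucket" in your configuration YAML')

    if args.aws_credentials_file:
        use_aws_credentials(application_id, args.aws_credentials_file)

    s3 = boto.connect_s3()
    if not s3:
        raise Exception('Could not connect to S3')
    bucket = s3.get_bucket(mint_bucket, validate=False)

    while True:
        # download credentials
        for fn in ['user', 'client']:
            key_name = '{}/{}.json'.format(application_id, fn)
            try:
                local_file = os.path.join(local_directory, '{}.json'.format(fn))
                tmp_file = local_file + '.tmp'
                key = bucket.get_key(key_name, validate=False)
                json_data = key.get_contents_as_string()

                # check that the file contains valid JSON
                new_data = json.loads(json_data.decode('utf-8'))

                try:
                    with open(local_file, 'r') as fd:
                        old_data = json.load(fd)
                except Exception:
                    # missing or unreadable local copy: treat as "changed"
                    old_data = None

                # check whether the file contents changed
                if new_data != old_data:
                    # NOTE(review): the file is created with the mode left by the
                    # process umask and under a fixed ".tmp" name, so
                    # local_directory should be writable by this agent only and
                    # readable only by the consuming application -- confirm for
                    # the deployment.
                    with open(tmp_file, 'wb') as fd:
                        fd.write(json_data)
                    # rename within one directory, so readers never see a partial file
                    os.rename(tmp_file, local_file)
                    logging.info('Rotated {} credentials for {}'.format(fn, application_id))
            except boto.exception.S3ResponseError as e:
                # more friendly error messages
                # https://github.com/zalando-stups/berry/issues/2
                if e.status == 403:
                    logging.error(('Access denied while trying to read "{}" from mint S3 bucket "{}". '
                                   'Check your IAM role/user policy to allow read access!').format(
                        key_name, mint_bucket))
                elif e.status == 404:
                    logging.error(('Credentials file "{}" not found in mint S3 bucket "{}". '
                                   'Mint either did not sync them yet or the mint configuration is wrong.').format(
                        key_name, mint_bucket))
                else:
                    logging.error('Could not read from mint S3 bucket "{}": {} {}: {}'.format(
                        mint_bucket, e.status, e.reason, e.message))
            except Exception:
                # Exception rather than a bare except, so KeyboardInterrupt and
                # SystemExit still stop the agent instead of being logged and retried.
                logging.exception('Failed to download {} credentials'.format(fn))

        if args.once:
            break

        time.sleep(args.interval)


def main():
    """Parse the command line, configure logging and run the agent."""
    parser = argparse.ArgumentParser()
    parser.add_argument('local_directory', help='Local directory to write credentials to')
    parser.add_argument('-f', '--config-file', help='Read berry settings from given YAML file',
                        default='/etc/taupage.yaml')
    parser.add_argument('-a', '--application-id', help='Application ID as registered in Kio')
    parser.add_argument('-m', '--mint-bucket', help='Mint S3 bucket name')
    parser.add_argument('-c', '--aws-credentials-file',
                        help='Lookup AWS credentials by application ID in the given file')
    # type=int: without it a value given on the command line stays a string and
    # time.sleep() fails after the first download round.
    parser.add_argument('-i', '--interval', help='Interval in seconds', type=int, default=120)
    parser.add_argument('--once', help='Download credentials once and exit', action='store_true')
    args = parser.parse_args()

    logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s')
    try:
        run_berry(args)
    except UsageError as e:
        logging.error(e)


if __name__ == '__main__':
    main()

# PKôr‡G3i«%ïï+stups_berry-1.0.8.dist-info/DESCRIPTION.rst===== berry ===== .. image:: https://travis-ci.org/zalando-stups/berry.svg?branch=master :target: https://travis-ci.org/zalando-stups/berry :alt: Build Status .. image:: https://coveralls.io/repos/zalando-stups/berry/badge.svg :target: https://coveralls.io/r/zalando-stups/berry :alt: Code Coverage .. image:: https://img.shields.io/pypi/dw/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: PyPI Downloads .. image:: https://img.shields.io/pypi/v/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: Latest PyPI version ..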
image:: https://img.shields.io/pypi/l/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: License Berry is the partner component for `mint`_. Berry is a tiny agent, that constantly updates the local credentials file, so that applications can read their most recent passwords easily. Installation ============ Python 2.7+ is required. .. code-block:: bash $ sudo pip3 install --upgrade stups-berry Usage ===== See the help for configuration options: .. code-block:: bash $ berry --help In addition, berry takes all the `standard AWS SDK inputs`_ (local credentials file, environment variables and instance profiles). License ======= Copyright © 2015 Zalando SE Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. .. _mint: https://github.com/zalando-stups/mint .. 
_standard AWS SDK inputs: http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs PKôr‡GÃ_3a**,stups_berry-1.0.8.dist-info/entry_points.txt[console_scripts] berry = berry.cli:main PKôr‡G­à<œœ)stups_berry-1.0.8.dist-info/metadata.json{"classifiers": ["Development Status :: 4 - Beta", "Environment :: Console", "Intended Audience :: System Administrators", "License :: OSI Approved :: Apache Software License", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: Implementation :: CPython"], "extensions": {"python.commands": {"wrap_console": {"berry": "berry.cli:main"}}, "python.details": {"contacts": [{"email": "henning.jacobs@zalando.de", "name": "Henning Jacobs", "role": "author"}], "document_names": {"description": "DESCRIPTION.rst"}, "project_urls": {"Home": "https://github.com/zalando-stups/berry"}}, "python.exports": {"console_scripts": {"berry": "berry.cli:main"}}}, "extras": [], "generator": "bdist_wheel (0.26.0)", "keywords": ["credentials", "distribution", "aws", "s3", "stups"], "license": "Apache License 2.0", "metadata_version": "2.0", "name": "stups-berry", "run_requires": [{"requires": ["PyYAML", "boto (>=2.37.0)"]}], "summary": "Credentials distribution agent", "test_requires": [{"requires": ["mock", "pytest", "pytest-cov"]}], "version": "1.0.8"}PKôr‡GGG-)stups_berry-1.0.8.dist-info/top_level.txtberry PKôr‡G}À‚¼\\!stups_berry-1.0.8.dist-info/WHEELWheel-Version: 1.0 Generator: bdist_wheel (0.26.0) Root-Is-Purelib: true Tag: py3-none-any PKôr‡G™j¶Û  $stups_berry-1.0.8.dist-info/METADATAMetadata-Version: 2.0 Name: stups-berry Version: 1.0.8 Summary: Credentials distribution agent Home-page: https://github.com/zalando-stups/berry Author: Henning Jacobs Author-email: henning.jacobs@zalando.de License: Apache License 2.0 Keywords: credentials distribution aws 
s3 stups Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Environment :: Console Classifier: Intended Audience :: System Administrators Classifier: License :: OSI Approved :: Apache Software License Classifier: Operating System :: POSIX :: Linux Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: Implementation :: CPython Requires-Dist: PyYAML Requires-Dist: boto (>=2.37.0) ===== berry ===== .. image:: https://travis-ci.org/zalando-stups/berry.svg?branch=master :target: https://travis-ci.org/zalando-stups/berry :alt: Build Status .. image:: https://coveralls.io/repos/zalando-stups/berry/badge.svg :target: https://coveralls.io/r/zalando-stups/berry :alt: Code Coverage .. image:: https://img.shields.io/pypi/dw/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: PyPI Downloads .. image:: https://img.shields.io/pypi/v/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: Latest PyPI version .. image:: https://img.shields.io/pypi/l/stups-berry.svg :target: https://pypi.python.org/pypi/stups-berry/ :alt: License Berry is the partner component for `mint`_. Berry is a tiny agent, that constantly updates the local credentials file, so that applications can read their most recent passwords easily. Installation ============ Python 2.7+ is required. .. code-block:: bash $ sudo pip3 install --upgrade stups-berry Usage ===== See the help for configuration options: .. code-block:: bash $ berry --help In addition, berry takes all the `standard AWS SDK inputs`_ (local credentials file, environment variables and instance profiles). License ======= Copyright © 2015 Zalando SE Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. .. _mint: https://github.com/zalando-stups/mint .. _standard AWS SDK inputs: http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs PKôr‡Gfa;¢AA"stups_berry-1.0.8.dist-info/RECORDberry/__init__.py,sha256=mFFUUCx5TqyW1TTFRrWDhXXVMJDMRxXWrkHanVtp9oY,22 berry/__main__.py,sha256=AKpj5jeTwqUG2kkT7U3iiCg-W3gfRlMWnIcjOYhoFuw,66 berry/cli.py,sha256=kzs7bxQyMyD83eqXxaRd_I2xLjo5M7o7rL1uLBZfb3c,5230 stups_berry-1.0.8.dist-info/DESCRIPTION.rst,sha256=AjG2pUKJ_Hq_Vlyvqe3V7XiKfJRTHbTUyqLy3xmMcNA,2031 stups_berry-1.0.8.dist-info/METADATA,sha256=DbsOH3YATYTH_fy9zSwlev6ork4VJTxQ5WB1AYljLso,2845 stups_berry-1.0.8.dist-info/RECORD,, stups_berry-1.0.8.dist-info/WHEEL,sha256=zX7PHtH_7K-lEzyK75et0UBa3Bj8egCBMXe1M4gc6SU,92 stups_berry-1.0.8.dist-info/entry_points.txt,sha256=sQvm37j6KZi6NH_oIzkk6Xk3x2KXjgLk0y3Y61ca2zg,42 stups_berry-1.0.8.dist-info/metadata.json,sha256=nYX0OcrSIox1cHW5j__a9b5C4BzKf_sM48Ie05FoDGU,1180 stups_berry-1.0.8.dist-info/top_level.txt,sha256=JKTZcaiRj_etA2oZQ_QVz2Ybq5kOF8BWxRHfDzpYXhg,6 PKòr‡G}²ÄßBBberry/__main__.pyPKór‡G>yu|qberry/__init__.pyPKòr‡GÙ1ƒnn ¶berry/cli.pyPKôr‡G3i«%ïï+Nstups_berry-1.0.8.dist-info/DESCRIPTION.rstPKôr‡GÃ_3a**,†stups_berry-1.0.8.dist-info/entry_points.txtPKôr‡G­à<œœ)ústups_berry-1.0.8.dist-info/metadata.jsonPKôr‡GGG-)Ý"stups_berry-1.0.8.dist-info/top_level.txtPKôr‡G}À‚¼\\!*#stups_berry-1.0.8.dist-info/WHEELPKôr‡G™j¶Û  $Å#stups_berry-1.0.8.dist-info/METADATAPKôr‡Gfa;¢AA"$/stups_berry-1.0.8.dist-info/RECORDPK ¥2