#!/usr/bin/env python3

"""
Helper utility that retrieves secrets (credentials) from an S3 bucket.

Upload and manage credentials with ``aegea secrets``. On an EC2
instance, read credentials with ``aegea-get-secret``. Once you
retrieve a secret with ``aegea-get-secret``, try to avoid saving it on
the filesystem or passing it in process arguments. Instead, try
passing it as an environment variable value or on process standard
input.

For more information, see ``aegea secrets --help``.
"""

import os, sys, subprocess, argparse, logging, json

import boto3, requests

logging.basicConfig(level=logging.ERROR)
logger = logging.getLogger(__name__)
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument("secret_name")
parser.add_argument("--bucket_name")
args = parser.parse_args()

class ARN:
    fields = "arn partition service region account_id resource".split()
    def __init__(self, arn):
        self.__dict__.update(dict(zip(self.fields, arn.split(":", 5))))

def get_metadata(path):
    return requests.get("http://169.254.169.254/latest/meta-data/{}".format(path)).content.decode()

az = get_metadata("placement/availability-zone")
iam_info = json.loads(get_metadata("iam/info"))
role_name = get_metadata("iam/security-credentials/")
s3 = boto3.Session(region_name=az[:-1]).resource("s3")
account_id = ARN(iam_info["InstanceProfileArn"]).account_id
if args.bucket_name is None:
    args.bucket_name = "credentials-{}".format(account_id)
secret_path = os.path.join("role", role_name, args.secret_name)
secret_object = s3.Bucket(args.bucket_name).Object(secret_path)
sys.stdout.buffer.write(secret_object.get()["Body"].read())
