add doc for aws secrets manager

README.md

@@ -69,8 +69,6 @@ SUBCOMMANDS:
 
 ### Authentication 
 
-Storing username, password, and session token in AWS Secrets Manager is not implemented yet
-
 ```
 ➜  ~ xcodeinstall authenticate -h 
 
@@ -80,6 +78,8 @@ USAGE: xcodeinstall authenticate [--verbose]
 
 OPTIONS:
   -v, --verbose           Produce verbose output for debugging
+  -s, --secretmanager-region <secretmanager-region>
+                          Instructs to use AWS Secrets Manager to store and read secrets in the given AWS Region  
   --version               Show the version.
   -h, --help              Show help information.
 ```
@@ -102,8 +102,18 @@ Authenticating...
 🔐 Two factors authentication is enabled, enter your 2FA code: 000000
 ✅ Authenticated with MFA.
 ```
+When your Apple Developer Portal crednetials are stored on AWS Secrets Manager, you can just specify the AWS Region 
 
-The above triggers the following prompt on your registered machines (laptop, phone, or tablet)
+```
+➜  ~ xcodeinstall authenticate -s us-east-1
+
+Retrieving Apple Developer Portal credentials...
+Authenticating...
+🔐 Two factors authentication is enabled, enter your 2FA code: 00000
+✅ Authenticated with MFA.
+```
+
+The two above command (interactive and AWS Secrets Manager based) triggers the following prompt on your registered machines (laptop, phone, or tablet)
 
 ![Apple MFA Authorization](img/mfa-01.png)
 
@@ -125,6 +135,8 @@ OPTIONS:
                           Filter on provided Xcode version number (default: 13)
   -m, --most-recent-first Sort by most recent releases first
   -d, --date-published    Show publication date
+  -s, --secretmanager-region <secretmanager-region>
+                          Instructs to use AWS Secrets Manager to store and read secrets in the given AWS Region  
   --version               Show the version.
   -h, --help              Show help information.
   ```
@@ -146,6 +158,8 @@ OPTIONS:
   -m, --most-recent-first Sort by most recent releases first
   -d, --date-published    Show publication date
   -n, --name <name>       The exact package name to downloads. When omited, it asks interactively
+  -s, --secretmanager-region <secretmanager-region>
+                          Instructs to use AWS Secrets Manager to store and read secrets in the given AWS Region
   --version               Show the version.
   -h, --help              Show help information.
   ```
@@ -185,9 +199,121 @@ When you known the name of the file (for example `Xcode 13.4.1.xip`), you can us
   xcodeinstall install --name "Xcode 13.4.1.xip"
   ```
 
+## Minimum IAM Permissions required to use AWS Secrets Manager 
+
+To be authorized to call AWS Secrets Manager from the EC2 instance where you run `xcodeinstall`, create an IAM role that contains the minimum set of permissions to allow `xcodeinstall` to interact with AWS Secrets Manager.
+
+From a machine where the AWS CLI is installed and where you have AWS credentials to create roles and permissions, type the following commands :
+
+
+1. First create a role that can be attached (trusted) by any EC2 instances:
+
+```zsh
+# Create the trust policy file 
+cat << EOF > ec2-role-trust-policy.json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+
+# Create the role itself (with no permission at the moment)
+aws iam create-role \
+    --role-name xcodeinstall \
+    --assume-role-policy-document file://ec2-role-trust-policy.json
+```
+
+2. Second, create a policy that contains the minimum set of permissions to interact with AWS Secrets Manager 
+
+```zsh 
+# Create the policy file with the set of permissions
+# CHANGE 000000000000 with your AWS Account ID
+cat << EOF > ec2-policy.json 
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "xcodeinstall",
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:CreateSecret",
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:PutSecretValue"
+            ],
+            "Resource": "arn:aws:secretsmanager:*:000000000000:secret:xcodeinstall-*"
+        }
+    ]
+}
+EOF
+
+# Create the policy 
+aws iam create-policy                      \
+    --policy-name xcodeinstall-permissions \
+    --policy-document file://ec2-policy.json
+```
+
+3. Third, attach the policy to the role 
+
+```zsh
+# Attach a policy to a role 
+# CHANGE 000000000000 with your AWS Account ID
+aws iam attach-role-policy                                            \
+     --policy-arn arn:aws:iam::000000000000:policy/xcodeinstall-permissions    \
+     --role-name xcodeinstall
+```
+
+4. Fourth, attach the role to your EC2 Mac instance (through an instance profile)
+
+```zsh
+# Create an instance profile 
+aws iam create-instance-profile                   \
+     --instance-profile-name xcodeinstall-profile
+
+# Attach the role to the profile
+aws iam add-role-to-instance-profile             \
+    --instance-profile-name xcodeinstall-profile \
+    --role-name xcodeinstall   
+
+# Identify the Instance ID of your EC2 Mac Instance.
+# You may use the AWS Console or search by tags like this (replace the tag value with yours)
+INSTANCE_ID=$(aws ec2 describe-instances                                                 \
+               --filter "Name=tag:Name,Values=M1 Monterey"                            \
+               --query "Reservations[].Instances[?State.Name == 'running'].InstanceId[]" \
+               --output text)
+
+# verify you have an ID (you may add --region to target the correct AWS Region)
+echo $INSTANCE_ID
+
+# Associate the profile to the instance 
+aws ec2 associate-iam-instance-profile \
+    --instance-id $INSTANCE_ID         \
+    --iam-instance-profile Name="xcodeinstall-profile"
+```
+
+When you start other EC2 Mac instance, you just need to attach the profile to the new instance.  The Policy and Role can be reused for multiple EC2 instances.
+
 ## How to store your secrets on AWS Secrets Manager
 
-to be implemented 
+When using AWS Secrets Manager to retrieve your Apple Developer Portal username and password, you have to prepare an AWS Secrets Manager secret as following:
+
+- secret name : `xcodeinstall-apple-credentials`
+- secret format : a JSON string similar to this one :
+
+```json
+{"username":"your_username","password":"your_password"}
+```
+
+To help you to create this secret, you may use the following command: (Be sure to adjust the name of the AWS Region to your requirements. Using an AWS Region geographically close to you helps to reduce latency)
+
+```zsh
+➜  ~ xcodeinstall storesecrets -s us-east-1
+```
 
 ## How to contribute 
 
@@ -198,8 +324,6 @@ I listed a couple of ideas below.
 
 ## List of ideas 
 
-- add possibility to retrieve username and password from AWS Secrets Manager 
-- add possibility to store session cookies to AWS Secrets Manager 
 - add a CloudWatch Log backend to Logging framework 
 - add possibility to emit SNS notifications on error, such as Session Expired  
 - add support to install with homebrew

Sources/xcodeinstall/CLI/StoreSecretsCommand.swift

@@ -18,8 +18,10 @@ extension XCodeInstall {
 
         do {
             display("""
+
 This command captures your Apple ID username and password and store them securely in AWS Secrets Manager.
 It allows this command to authenticate automatically, as long as no MFA is prompted.
+
 """)
 
             guard let username = input.readLine(prompt: "⌨️  Enter your Apple ID username: ", silent: false) else {

iam/createRole.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+aws iam create-role          \
+    --role-name xcodeinstall \
+    --assume-role-policy-document file://ec2-role-trust-policy.json
+
+aws iam create-policy                      \
+    --policy-name xcodeinstall-permissions \
+    --policy-document file://ec2-policy.json

iam/ec2-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "xcodeinstall",
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:CreateSecret",
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:PutSecretValue"
+            ],
+            "Resource": "arn:aws:secretsmanager:*:000000000000:secret:xcodeinstall-*"
+        }
+    ]
+}

iam/ec2-role-trust-policy.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": { "Service": "ec2.amazonaws.com"},
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}