Tighten CodeDeploy config file permissions

.changes/next-release/bugfix-codedeploy-54753.json

@@ -0,0 +1,5 @@
+{
+  "type": "bugfix",
+  "category": "codedeploy",
+  "description": "Tighten file permissions for CodeDeploy configuration file"
+}

awscli/customizations/codedeploy/register.py

@@ -11,13 +11,19 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 
+import os
 import sys
 
-from awscli.customizations.commands import BasicCommand
 from awscli.customizations.codedeploy.systems import DEFAULT_CONFIG_FILE
-from awscli.customizations.codedeploy.utils import \
-    validate_region, validate_instance_name, validate_tags, \
-    validate_iam_user_arn, INSTANCE_NAME_ARG, IAM_USER_ARN_ARG
+from awscli.customizations.codedeploy.utils import (
+    IAM_USER_ARN_ARG,
+    INSTANCE_NAME_ARG,
+    validate_iam_user_arn,
+    validate_instance_name,
+    validate_region,
+    validate_tags,
+)
+from awscli.customizations.commands import BasicCommand
 from awscli.utils import create_nested_client
 
 
@@ -39,15 +45,15 @@ class Register(BasicCommand):
                 "Key": {
                     "description": "The tag key.",
                     "type": "string",
-                    "required": True
+                    "required": True,
                 },
                 "Value": {
                     "description": "The tag value.",
                     "type": "string",
-                    "required": True
-                }
-            }
-        }
+                    "required": True,
+                },
+            },
+        },
     }
 
     ARG_TABLE = [
@@ -61,9 +67,9 @@ class Register(BasicCommand):
             'help_text': (
                 'Optional. The list of key/value pairs to tag the on-premises '
                 'instance.'
-            )
+            ),
         },
-        IAM_USER_ARN_ARG
+        IAM_USER_ARN_ARG,
     ]
 
     def _run_main(self, parsed_args, parsed_globals):
@@ -79,12 +85,10 @@ def _run_main(self, parsed_args, parsed_globals):
             'codedeploy',
             region_name=params.region,
             endpoint_url=parsed_globals.endpoint_url,
-            verify=parsed_globals.verify_ssl
+            verify=parsed_globals.verify_ssl,
         )
         self.iam = create_nested_client(
-            self._session,
-            'iam',
-            region_name=params.region
+            self._session, 'iam', region_name=params.region
         )
 
         try:
@@ -97,54 +101,41 @@ def _run_main(self, parsed_args, parsed_globals):
             if params.tags:
                 self._add_tags(params)
             sys.stdout.write(
-                'Copy the on-premises configuration file named {0} to the '
+                f'Copy the on-premises configuration file named {DEFAULT_CONFIG_FILE} to the '
                 'on-premises instance, and run the following command on the '
                 'on-premises instance to install and configure the AWS '
                 'CodeDeploy Agent:\n'
-                'aws deploy install --config-file {0}\n'.format(
-                    DEFAULT_CONFIG_FILE
-                )
+                f'aws deploy install --config-file {DEFAULT_CONFIG_FILE}\n'
             )
         except Exception as e:
             sys.stdout.flush()
             sys.stderr.write(
                 'ERROR\n'
-                '{0}\n'
+                f'{e}\n'
                 'Register the on-premises instance by following the '
                 'instructions in "Configure Existing On-Premises Instances by '
                 'Using AWS CodeDeploy" in the AWS CodeDeploy User '
-                'Guide.\n'.format(e)
+                'Guide.\n'
             )
 
     def _create_iam_user(self, params):
         sys.stdout.write('Creating the IAM user... ')
         params.user_name = params.instance_name
         response = self.iam.create_user(
-            Path='/AWS/CodeDeploy/',
-            UserName=params.user_name
+            Path='/AWS/CodeDeploy/', UserName=params.user_name
         )
         params.iam_user_arn = response['User']['Arn']
-        sys.stdout.write(
-            'DONE\n'
-            'IamUserArn: {0}\n'.format(
-                params.iam_user_arn
-            )
-        )
+        sys.stdout.write('DONE\n' f'IamUserArn: {params.iam_user_arn}\n')
 
     def _create_access_key(self, params):
         sys.stdout.write('Creating the IAM user access key... ')
-        response = self.iam.create_access_key(
-            UserName=params.user_name
-        )
+        response = self.iam.create_access_key(UserName=params.user_name)
         params.access_key_id = response['AccessKey']['AccessKeyId']
         params.secret_access_key = response['AccessKey']['SecretAccessKey']
         sys.stdout.write(
             'DONE\n'
-            'AccessKeyId: {0}\n'
-            'SecretAccessKey: {1}\n'.format(
-                params.access_key_id,
-                params.secret_access_key
-            )
+            f'AccessKeyId: {params.access_key_id}\n'
+            f'SecretAccessKey: {params.secret_access_key}\n'
         )
 
     def _create_user_policy(self, params):
@@ -163,49 +154,50 @@ def _create_user_policy(self, params):
         self.iam.put_user_policy(
             UserName=params.user_name,
             PolicyName=params.policy_name,
-            PolicyDocument=params.policy_document
+            PolicyDocument=params.policy_document,
         )
         sys.stdout.write(
             'DONE\n'
-            'PolicyName: {0}\n'
-            'PolicyDocument: {1}\n'.format(
-                params.policy_name,
-                params.policy_document
-            )
+            f'PolicyName: {params.policy_name}\n'
+            f'PolicyDocument: {params.policy_document}\n'
         )
 
     def _create_config(self, params):
         sys.stdout.write(
-            'Creating the on-premises instance configuration file named {0}'
-            '...'.format(DEFAULT_CONFIG_FILE)
+            f'Creating the on-premises instance configuration file named {DEFAULT_CONFIG_FILE}'
+            '...'
         )
-        with open(DEFAULT_CONFIG_FILE, 'w') as f:
-            f.write(
-                '---\n'
-                'region: {0}\n'
-                'iam_user_arn: {1}\n'
-                'aws_access_key_id: {2}\n'
-                'aws_secret_access_key: {3}\n'.format(
-                    params.region,
-                    params.iam_user_arn,
-                    params.access_key_id,
-                    params.secret_access_key
+        try:
+            fd = os.open(
+                DEFAULT_CONFIG_FILE,
+                os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
+                0o600,
+            )
+            with os.fdopen(fd, 'w') as f:
+                os.chmod(DEFAULT_CONFIG_FILE, 0o600)
+                f.write(
+                    '---\n'
+                    f'region: {params.region}\n'
+                    f'iam_user_arn: {params.iam_user_arn}\n'
+                    f'aws_access_key_id: {params.access_key_id}\n'
+                    f'aws_secret_access_key: {params.secret_access_key}\n'
                 )
+        except OSError as e:
+            raise RuntimeError(
+                f'Failed to create config file {DEFAULT_CONFIG_FILE}: {e}'
             )
         sys.stdout.write('DONE\n')
 
     def _register_instance(self, params):
         sys.stdout.write('Registering the on-premises instance... ')
         self.codedeploy.register_on_premises_instance(
-            instanceName=params.instance_name,
-            iamUserArn=params.iam_user_arn
+            instanceName=params.instance_name, iamUserArn=params.iam_user_arn
         )
         sys.stdout.write('DONE\n')
 
     def _add_tags(self, params):
         sys.stdout.write('Adding tags to the on-premises instance... ')
         self.codedeploy.add_tags_to_on_premises_instances(
-            tags=params.tags,
-            instanceNames=[params.instance_name]
+            tags=params.tags, instanceNames=[params.instance_name]
         )
         sys.stdout.write('DONE\n')