Merge pull request #67 from trussworks/cg_update_profiles

Managing AWS profiles

Author: Chris Gilmer

.gitignore

@@ -1,2 +1,3 @@
 bin/
 dist/
+coverage.out

Makefile

@@ -1,5 +1,5 @@
 # goreleaser removes the `v` prefix when building and this does too
-VERSION = 0.0.1
+VERSION = 0.5.0
 
 ifdef CIRCLECI
 	UNAME_S := $(shell uname -s)
@@ -19,6 +19,11 @@ bin/setup-new-aws-user: ## Build setup-new-aws-user
 test:
 	go test -v ./cmd/...
 
+.PHONY: test_coverage
+test_coverage:
+	go test -v -coverprofile=coverage.out -covermode=count ./cmd/...
+	go tool cover -html=coverage.out
+
 .PHONY: clean
 clean:
 	rm -f .*.stamp

README.md

@@ -15,54 +15,65 @@ brew tap trussworks/tap
 brew install setup-new-aws-user
 ```
 
-## Usage
-
-### Prerequisites
+### Dependencies
 
-#### Dependencies
+This tool requires aws-vault be installed. You can install via homebrew:
 
 ```shell
 brew cask install aws-vault
 ```
 
+## Usage
+
+This tool has several subcommands. Read each section to learn more.
+
+### setup-new-aws-user setup
+
 Before running this tool, you will need to following pieces of information
 
+* IAM user name - This is your IAM username. Use the flag `--iam-user` with this value.
 * IAM role name - This is the IAM Role with permissions allowing access to AWS APIs
   and services. This is usually something like `admin` or `engineer`. Use the flag
   `--iam-role` with this value.
-* IAM user name - This is your IAM username. Use the flag `--iam-user` with this value.
-* AWS profile - This is the name that populates your `~/.aws/config` profile
-  name. It is usually the name of the aws account alias you are trying to access.
-  Use the flag name `--aws-profile` with this value.
-* AWS account Id - This is the 12-digit account number of the AWS account you
-  are trying to access. Use the flag `--aws-account-id` with this value.
+* AWS Profiles and Account IDs - This is the set of aws profile names you wish to
+  add along with the corresponding AWS account ID. They are referenced as
+  `<AWS_PROFILE>:<AWS_ACCOUNT_ID>`. Use the flag name `--aws-profile-account`
+  with each set you wish to add.
 * Temporary AWS access keys - These should be given to you by an administrator
   of the AWS account you are trying to access. The tool will prompt you for
   the access key id and secret access key.
 
-## Running the tool
+1. Run the setup-new-user script
+
+    ```sh
+    setup-new-aws-user setup \
+      --iam-user <USER> \
+      --iam-role <ROLE> \
+      --aws-profile-account <AWS_PROFILE1>:<AWS_ACCOUNT_ID1> \
+      --aws-profile-account <AWS_PROFILE2>:<AWS_ACCOUNT_ID2>
+    ```
 
-1. Run the setup-new-user script - `setup-new-aws-user setup --iam-role <IAM_ROLE> --iam-user <USER> --aws-profile=<AWS_PROFILE> --aws-account-id=<AWS_ACCOUNT_ID>`
 2. Enter the access keys generated when prompted.
 3. The script will open a window with a QR code, which you will use to configure a temporary one time password (TOTP).
 4. You'll then need to create a new entry in your 1Password account configure it with a TOTP field.
 5. Use 1Password to scan the QR code and hit save. New TOTP tokens should generate every 30 seconds.
 6. From here the tool will prompt you for 3 unique TOTP tokens. **NOTE Take care not to use the same token more than once, as this will cause the process to fail.**
-7. Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the AWS_PROFILE value
+7. Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the `AWS_PROFILE` value
 
-```shell
-aws-vault exec $AWS_PROFILE -- aws sts get-session
-```
+    ```sh
+    aws-vault exec $AWS_PROFILE -- aws sts get-session
+    ```
 
-## How this tool modifies your ~/.aws/config
+#### How `setup` modifies your ~/.aws/config
 
 While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for
-how you should access AWS accounts lives in ~/.aws/config. The setup-new-aws-user tool creates two profiles your
+how you should access AWS accounts lives in ~/.aws/config. The `setup-new-aws-user setup` tool creates new profiles in
 `~/.aws/config`. The first is the base profile containing your long lived AWS Access Keys and is tied to your IAM user
 and MFA device. Since these keys are long lived, you should be rotating them regularly with `aws-vault rotate`.
 The second profile is the IAM role granting you elevated access to the AWS account. Typically these IAM roles are
 named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS).
-Below is an example config generated from this tool.
+Below is an example config generated from this tool. Additional profiles will be similarly added and reference the
+base profile.
 
 ```ini
 [profile corp-id-base]
@@ -78,7 +89,7 @@ region=us-west-2
 output=json
 ```
 
-### MFA Management
+#### MFA Management
 
 This tool will help create and enable a virtual MFA device. The interface for the MFA device is a QR code
 which will be shown to the user during setup. This QR code can be used with a password manager to provide the
@@ -88,6 +99,71 @@ In the case where the user has a virtual MFA device already set up they can choo
 This is done by issuing the `--no-mfa` flag on the command line in conjunction with the regular command from
 above.
 
+### setup-new-aws-user add-profile
+
+Before running this tool, you will need to following pieces of information
+
+* IAM role name - This is the IAM Role with permissions allowing access to AWS APIs
+  and services. This is usually something like `admin` or `engineer`. Use the flag
+  `--iam-role` with this value.
+* AWS profile - This is the name of the profile in your `~/.aws/config` profile
+  that you wish to use as the basis for adding new profiles. The `source_profile`
+  and `mfa_serial` is pulled from this profile.
+  Use the flag name `--aws-profile` with this value.
+* AWS Profiles and Account IDs - This is the set of aws profile names you wish to
+  add along with the corresponding AWS account ID. They are referenced as
+  `<AWS_PROFILE>:<AWS_ACCOUNT_ID>`. Use the flag name `--aws-profile-account`
+  with each set you wish to add.
+
+1. Run the setup-new-user script -
+
+    ```sh
+    setup-new-aws-user add-profile \
+      --aws-profile <AWS_PROFILE> \
+      --iam-role <IAM_ROLE> \
+      --aws-profile-account <AWS_PROFILE1>:<AWS_ACCOUNT_ID1> \
+      --aws-profile-account <AWS_PROFILE2>:<AWS_ACCOUNT_ID2>
+    ```
+
+2. Once the tool has completed, you should be able to access the AWS account. You can run the following command filling in the `AWS_PROFILE` value
+
+    ```sh
+    aws-vault exec $AWS_PROFILE -- aws sts get-session
+    ```
+
+#### How `add-profile` modifies your ~/.aws/config
+
+While your AWS access keys are stored in a password protected keychain managed by `aws-vault`, the configuration for
+how you should access AWS accounts lives in ~/.aws/config. The `setup-new-aws-user add-profile` tool creates new profiles in
+`~/.aws/config`. New profiles reference the `source_profile` and `mfa_serial` of the `--aws-profile` used in
+the command and uses the IAM role granting you elevated access to the AWS account. Typically these IAM roles are
+named `admin` or `engineer` and only uses temporary credentials leveraging AWS's Security Token Service (STS).
+Below is an example config generated from this tool. Additional profiles will be similarly added and reference the
+base profile.
+
+```ini
+[profile corp-new]
+source_profile=corp-id-base
+mfa_serial=arn:aws:iam::123456789012:mfa/alice
+role_arn=arn:aws:iam::123456789012:role/engineer
+region=us-west-2
+output=json
+```
+
+**NOTE:** If you supply an aws-profile name that already exists in '~/.aws/config` this script will rewrite
+that profile in your config.
+
+### setup-new-aws-user version
+
+To get the version of the tool run:
+
+```sh
+setup-new-aws-user version
+```
+
+In development mode you may see the word `development` returned. Otherwise you should see the version of the tool
+as it was built by the release pipeline.
+
 ## Development setup
 
 1. First, install these packages: `brew install pre-commit direnv go`
@@ -119,7 +195,7 @@ use the real AWS account ID.
 Example:
 
 ```shell
-go run ./cmd setup --iam-role engineer --iam-user testuser --aws-profile test-profile-name --aws-account-id 123456789012
+go run ./cmd setup --iam-role engineer --iam-user testuser --aws-profile-account test-profile-name:123456789012
 ```
 
 After running the script, try a command to ensure the new profile works as