Managing AWS profiles

[chrisgilmerproj]

In this change we want to be able to handle a couple cases:

• Update existing profiles when running the tool where before the tool would error out if profiles existed
• Allow adding new profiles as they are made available
• Generate all profiles at once given a list of new profiles

Setup

New setup-new-aws-user setup usage:

setup-new-aws-user setup \
  --iam-user cgilmer-delete-me \
  --iam-role engineer \
  --no-mfa \
  --aws-profile-account delete-id:123456789012 \
  --aws-profile-account delete-ci:123456789013 \
  --aws-profile-account delete-sandbox:123456789014 \
  --aws-profile-account delete-prod:123456789015

You should see this output:

Enter Access Key ID: *****
Enter Secret Access Key: *****
Added credentials to profile "delete-id-base" in vault
Getting the existing MFA device...
Updating the AWS config file: /Users/cgilmer/.aws/config
Adding the profile "delete-id-base" to the AWS config file
Adding the profile "delete-id" to the AWS config file
Adding the profile "delete-ci" to the AWS config file
Adding the profile "delete-sandbox" to the AWS config file
Adding the profile "delete-prod" to the AWS config file
Removing aws-vault session
Rotating AWS access keys
A new unique MFA token is needed to rotate the AWS access keys
Third MFA token (5 attempts remaining): *****
Creating new access key
Added credentials to profile "delete-id-base" in vault
Deleting old access key
Victory!

Add Profiles

The new subcommand allows for adding a new profile based on an existing profile. It's important to note that the assumption here is that the BASE account and the MFA will remain the same. If this was not true then I'd expect the user to run the setup subcommand instead of the add-profile sub command.

New setup-new-aws-user add-profile usage:

setup-new-aws-user add-profile \
  --iam-user cgilmer-delete-me 
  --iam-role diff-role \
  --aws-profile delete-id \
  --aws-profile-account delete-test:123456789016 

go run ./cmd/ add-profile

You should see this output:

Adding new profiles to the AWS config file: /Users/cgilmer/.aws/config
Adding the profile "delete-test" to the AWS config file
Victory!

Generates this in the ~/.aws/config file:

[profile delete-test]
source_profile=delete-id-base
mfa_serial=arn:aws:iam::REDACTED:mfa/cgilmer-delete-me
role_arn=arn:aws:iam::123456789016:role/diff-role
region=us-west-2
output=json

Testing

Try out the new tests with make test. To review test coverage you can run make test_coverage and view the covered code in the browser.

References

Pivotal tickets:

• Add new profiles
• Generate all profiles

[chrisgilmerproj]

I believe this PR is ready. I'm struggling to think of ways to pull this into more, smaller and focused PRs. Let's give reviewing this a go and if its too hard I can try again.

[eeeady]

I haven't done the full... pull/test/read code cycles of this PR... just purely a thought/question around your example:

Add Profiles

The new subcommand allows for adding a new profile based on an existing profile. It's important to note that the assumption here is that the BASE account and the MFA will remain the same. If this was not true then I'd expect the user to run the setup subcommand instead of the add-profile sub command.

New setup-new-aws-user add-profile usage:

setup-new-aws-user add-profile \
  --iam-user cgilmer-delete-me 
  --iam-role diff-role \
  --aws-profile delete-id \
  --aws-profile-account delete-test:123456789016 

go run ./cmd/ add-profile

You should see this output:

Adding new profiles to the AWS config file: /Users/cgilmer/.aws/config
Adding the profile "delete-test" to the AWS config file
Victory!

Generates this in the ~/.aws/config file:

[profile delete-test]
source_profile=delete-id-base
mfa_serial=arn:aws:iam::REDACTED:mfa/cgilmer-delete-me
role_arn=arn:aws:iam::123456789016:role/diff-role
region=us-west-2
output=json

is --aws-profile flag the new profile delete-test will be inheriting? I guess the name of the flag throws me off.

[eeeady]

Actually reading the code makes me think the --aws-profile flag is actually the profile you're copying source profile etc from.

[chrisgilmerproj]

Actually reading the code makes me think the --aws-profile flag is actually the profile you're copying source profile etc from.

I landed on this for a couple reasons:

• with spf13/pflags --aws-profile is actually using the same reserved env var as the AWS cli, $AWS_PROFILE.
• If we were going to make add-profile subcommand do any future calls via the AWS SDK for validation it would have to be with this pre-existing profile
• In all our examples in ~/.aws/config the *-id profile is the template, making it seem like the right one to copy from.

I had considered some other options but they really muddied the meaning or use of the tool. This seemed more elegant and reusuable for future cases.

[eeeady]

That took me a while to go through... Generally I'm happy with it... still confused about naming that variable... gotta reread your response.

[eeeady]

Probably should add a note that it will override existing configuration if you supply a profile name that already exists.

[chrisgilmerproj]

I added a note at the bottom of this section.

[eeeady]

Actually reading the code makes me think the --aws-profile flag is actually the profile you're copying source profile etc from.

I landed on this for a couple reasons:

• with spf13/pflags --aws-profile is actually using the same reserved env var as the AWS cli, $AWS_PROFILE.
• If we were going to make add-profile subcommand do any future calls via the AWS SDK for validation it would have to be with this pre-existing profile
• In all our examples in ~/.aws/config the *-id profile is the template, making it seem like the right one to copy from.

I had considered some other options but they really muddied the meaning or use of the tool. This seemed more elegant and reusuable for future cases.

TBH I have no idea what I'd call it... cuz it's not like you're explicitly defining the source profile here so you can't call it that...

I get that if you know your "base" account is in *-id you could move to the *-id folder and use $AWS_PROFILE as the argument for that flag and it would work... To me it's confusing because I'm not immediately sure if --aws-profile somehow the name of the profile i'd like to add or is the source... when really it is where we're copying some values from.

[chrisgilmerproj]

TBH I have no idea what I'd call it... cuz it's not like you're explicitly defining the source profile here so you can't call it that...

I get that if you know your "base" account is in *-id you could move to the *-id folder and use $AWS_PROFILE as the argument for that flag and it would work... To me it's confusing because I'm not immediately sure if --aws-profile somehow the name of the profile i'd like to add or is the source... when really it is where we're copying some values from.

Yeah, its a tough problem. I'd love to get opinions on this because honestly its easy to change if folks hate it. I think the logic of the PR is sound, its this user interface that needs some attention.

[chrisgilmerproj]

Bug: null pointer dereference when creating a new MFA device. Double check that this works.

[chrisgilmerproj]

Bug: null pointer dereference when creating a new MFA device. Double check that this works.

Fixed!

[eeeady]