Credentials transparency #1378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Sep 25, 2020
82 changes: 66 additions & 16 deletions cli/cmd/cluster.go
Expand Up @@ -47,36 +47,46 @@ import (
)

var (
_flagClusterEnv string
_flagClusterConfig string
_flagClusterInfoDebug bool
_flagClusterDisallowPrompt bool
_flagClusterEnv string
_flagClusterConfig string
_flagClusterInfoDebug bool
_flagClusterDisallowPrompt bool
_flagAWSAccessKeyID string
_flagAWSSecretAccessKey string
_flagClusterAWSAccessKeyID string
_flagClusterAWSSecretAccessKey string
)

func clusterInit() {
defaultEnv := getDefaultEnv(_clusterCommandType)

_upCmd.Flags().SortFlags = false
addClusterConfigFlag(_upCmd)
_upCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
addAWSCredentials(_upCmd)
_upCmd.Flags().StringVar(&_flagClusterAWSAccessKeyID, "cluster-aws-key", "", "aws access key id to be used by the cluster")
_upCmd.Flags().StringVar(&_flagClusterAWSSecretAccessKey, "cluster-aws-secret", "", "aws secret access key to be used by the cluster")
_upCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to create")
_upCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
_clusterCmd.AddCommand(_upCmd)

_infoCmd.Flags().SortFlags = false
addClusterConfigFlag(_infoCmd)
_infoCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
addAWSCredentials(_infoCmd)
_infoCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to update")
_infoCmd.Flags().BoolVarP(&_flagClusterInfoDebug, "debug", "d", false, "save the current cluster state to a file")
_infoCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
_clusterCmd.AddCommand(_infoCmd)

_configureCmd.Flags().SortFlags = false
addClusterConfigFlag(_configureCmd)
_configureCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
addAWSCredentials(_configureCmd)
_configureCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to update")
_configureCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
_clusterCmd.AddCommand(_configureCmd)

_downCmd.Flags().SortFlags = false
addClusterConfigFlag(_downCmd)
addAWSCredentials(_downCmd)
_downCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
_clusterCmd.AddCommand(_downCmd)
}
Expand All @@ -86,6 +96,11 @@ func addClusterConfigFlag(cmd *cobra.Command) {
cmd.Flags().SetAnnotation("config", cobra.BashCompFilenameExt, _configFileExts)
}

func addAWSCredentials(cmd *cobra.Command) {
cmd.Flags().StringVar(&_flagAWSAccessKeyID, "aws-key", "", "aws access key id")
cmd.Flags().StringVar(&_flagAWSSecretAccessKey, "aws-secret", "", "aws secret access key")
}

var _clusterCmd = &cobra.Command{
Use: "cluster",
Short: "manage a cluster",
Expand All @@ -110,7 +125,14 @@ var _upCmd = &cobra.Command{
promptForEmail()
}

awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
if _flagClusterConfig != "" {
// Deprecation: specifying aws creds in cluster configuration is no longer supported
if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
exit.Error(err)
}
}

awsCreds, err := awsCredentialsForCreatingCluster(_flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}
Expand Down Expand Up @@ -254,15 +276,17 @@ var _upCmd = &cobra.Command{
Name: _flagClusterEnv,
Provider: types.AWSProviderType,
OperatorEndpoint: pointer.String("https://" + *loadBalancer.DNSName),
AWSAccessKeyID: pointer.String(awsCreds.CortexAWSAccessKeyID),
AWSSecretAccessKey: pointer.String(awsCreds.CortexAWSSecretAccessKey),
AWSAccessKeyID: pointer.String(awsCreds.ClusterAWSAccessKeyID),
AWSSecretAccessKey: pointer.String(awsCreds.ClusterAWSSecretAccessKey),
}

err = addEnvToCLIConfig(newEnvironment)
if err != nil {
exit.Error(errors.Append(err, fmt.Sprintf("unable to configure cli environment; you can attempt to resolve this issue and configure your CLI environment by running `cortex cluster info --env %s`", _flagClusterEnv)))
}

cacheAWSCredentials(awsCreds, accessConfig)

fmt.Printf(console.Bold("\nan environment named \"%s\" has been configured for this cluster; append `--env %s` to cortex commands to connect to it (e.g. `cortex deploy --env %s`), or set it as your default with `cortex env default %s`\n"), _flagClusterEnv, _flagClusterEnv, _flagClusterEnv, _flagClusterEnv)
},
}
Expand All @@ -282,12 +306,19 @@ var _configureCmd = &cobra.Command{
exit.Error(err)
}

awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
if _flagClusterConfig != "" {
// Deprecation: specifying aws creds in cluster configuration is no longer supported
if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
exit.Error(err)
}
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}
Expand Down Expand Up @@ -324,6 +355,8 @@ var _configureCmd = &cobra.Command{
fmt.Println(helpStr)
exit.Error(ErrorClusterConfigure(out + helpStr))
}

cacheAWSCredentials(awsCreds, *accessConfig)
},
}

Expand All @@ -341,12 +374,19 @@ var _infoCmd = &cobra.Command{
exit.Error(err)
}

awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
if _flagClusterConfig != "" {
// Deprecation: specifying aws creds in cluster configuration is no longer supported
if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
exit.Error(err)
}
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}
Expand All @@ -356,6 +396,8 @@ var _infoCmd = &cobra.Command{
} else {
cmdInfo(awsCreds, accessConfig, _flagClusterDisallowPrompt)
}

cacheAWSCredentials(awsCreds, *accessConfig)
},
}

Expand All @@ -370,12 +412,19 @@ var _downCmd = &cobra.Command{
exit.Error(err)
}

awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
if _flagClusterConfig != "" {
// Deprecation: specifying aws creds in cluster configuration is no longer supported
if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
exit.Error(err)
}
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}

accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
if err != nil {
exit.Error(err)
}
Expand Down Expand Up @@ -480,6 +529,7 @@ var _downCmd = &cobra.Command{

cachedClusterConfigPath := cachedClusterConfigPath(*accessConfig.ClusterName, *accessConfig.Region)
os.Remove(cachedClusterConfigPath)
uncacheAWSCredentials(*accessConfig)
},
}

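Review bot: The new `--aws-key`/`--aws-secret` flags registered in addAWSCredentials (and `--cluster-aws-key`/`--cluster-aws-secret` on the up command) take secrets as command-line arguments, and neither the help strings nor the deprecation message in this file point users to a less exposed alternative; flag values persist in shell history and are readable by other local users through process listings. Since the error messages in errors.go still refer to AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, the help text could say so, e.g. `cmd.Flags().StringVar(&_flagAWSAccessKeyID, "aws-key", "", "aws access key id (or set AWS_ACCESS_KEY_ID; flag values are visible in shell history and process listings)")` — assuming the new credential resolution still reads those variables, which this diff does not show. The cacheAWSCredentials calls added to up, configure and info persist these credentials on the operator's machine; the function body is outside this diff, so it is worth confirming that the cache file is created with owner-only permissions and that uncacheAWSCredentials in the down command still runs when the preceding os.Remove fails (its error is discarded). Finally, the detectAWSCredsInConfigFile guard is pasted identically into all four commands; a small helper taking `cmd.Use` and `_flagClusterConfig` would keep the deprecation behaviour in one place.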
33 changes: 25 additions & 8 deletions cli/cmd/errors.go
Expand Up @@ -58,14 +58,16 @@ const (
ErrAPINotReady = "cli.api_not_ready"
ErrOneAWSEnvVarSet = "cli.one_aws_env_var_set"
ErrOneAWSConfigFieldSet = "cli.one_aws_config_field_set"
ErrOneAWSConfigFlagSet = "cli.one_aws_config_flag_set"
ErrMissingAWSCredentials = "cli.missing_aws_credentials"
ErrCredentialsInClusterConfig = "cli.credentials_in_cluster_config"
ErrClusterUp = "cli.cluster_up"
ErrClusterConfigure = "cli.cluster_configure"
ErrClusterInfo = "cli.cluster_info"
ErrClusterDebug = "cli.cluster_debug"
ErrClusterRefresh = "cli.cluster_refresh"
ErrClusterDown = "cli.cluster_down"
ErrDuplicateCLIEnvNames = "cli.duplicate_cli_env_names"
ErrAWSCredentialsRequired = "cli.aws_credentials_required"
ErrClusterConfigOrPromptsRequired = "cli.cluster_config_or_prompts_required"
ErrClusterAccessConfigOrPromptsRequired = "cli.cluster_access_config_or_prompts_required"
ErrShellCompletionNotSupported = "cli.shell_completion_not_supported"
Expand Down Expand Up @@ -213,6 +215,28 @@ func ErrorOneAWSConfigFieldSet(setConfigField string, missingConfigField string,
})
}

func ErrorOneAWSFlagSet(setFlag string, missingFlag string) error {
return errors.WithStack(&errors.Error{
Kind: ErrOneAWSConfigFlagSet,
Message: fmt.Sprintf("only flag %s was provided; please provide %s as well", setFlag, missingFlag),
})
}

func ErrorMissingAWSCredentials() error {
return errors.WithStack(&errors.Error{
Kind: ErrMissingAWSCredentials,
Message: "unable to find aws credentials; please specify aws credentials using the flags --aws-key and --aws-secret",
})
}

// Deprecation: specifying aws creds in cluster configuration is no longer supported
func ErrorCredentialsInClusterConfig(cmd string, path string) error {
return errors.WithStack(&errors.Error{
Kind: ErrCredentialsInClusterConfig,
Message: fmt.Sprintf("specifying credentials in the cluster configuration is no longer supported, please specify aws credentials using flags (e.g. cortex cluster %s --config %s --aws-key <AWS_ACCESS_KEY_ID> --aws-secret <AWS_SECRET_ACCESS_KEY>) or set environment variables; see https://docs.cortex.dev/v/%s/miscellaneous/security#iam-permissions for more information", cmd, path, consts.CortexVersionMinor),
})
}

func ErrorClusterUp(out string) error {
return errors.WithStack(&errors.Error{
Kind: ErrClusterUp,
Expand Down Expand Up @@ -261,13 +285,6 @@ func ErrorClusterDown(out string) error {
})
}

func ErrorAWSCredentialsRequired() error {
return errors.WithStack(&errors.Error{
Kind: ErrAWSCredentialsRequired,
Message: "AWS credentials are required; please set them in your cluster configuration file (if you're using one), your environment variables (i.e. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), or your AWS CLI (i.e. via `aws configure`)",
})
}

func ErrorClusterConfigOrPromptsRequired() error {
return errors.WithStack(&errors.Error{
Kind: ErrClusterConfigOrPromptsRequired,
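Review bot: ErrorMissingAWSCredentials tells the user to supply credentials only through `--aws-key` and `--aws-secret`, while ErrorCredentialsInClusterConfig in the same hunk (and the removed ErrorAWSCredentialsRequired) also mention environment variables; pointing users exclusively at flags steers them toward putting secrets on the command line. If the new resolution still honours the environment, the message could read `Message: "unable to find aws credentials; please set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or specify them using the flags --aws-key and --aws-secret",`. Separately, ErrorOneAWSFlagSet uses the kind ErrOneAWSConfigFlagSet / `cli.one_aws_config_flag_set`, so the function name, the kind and its string disagree on whether this is a "config flag"; aligning them (e.g. ErrOneAWSFlagSet with `cli.one_aws_flag_set`) would keep the naming parallel to ErrOneAWSEnvVarSet and ErrOneAWSConfigFieldSet.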