Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read AWS credentials from disk (#14382) #14460

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

lefth
Copy link

@lefth lefth commented Apr 5, 2022

Description

Other programs can read the AWS key and secret from ~/.aws/credentials
(or other configuration file), and with this change Algo can as well.

Optional environment variables: AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE

The file is not read if the credentials are already set as an Ansible
variable or an environment variable.

Motivation and Context

Setting the credentials on the command line or as an environment variable is an unnecessary annoyance when the credentials are already configured in the official AWS way (like you would have after running aws configure). And the security implications are debatable, but if I already have the credentials in a config file, I don't want them in my shell history or my shell initialization.

Issue here: #14382

How Has This Been Tested?

With AWS, I ran the main playbook:

 ansible-playbook main.yml -e "provider=ec2
                                server_name=algo
                                ondemand_cellular=false
                                ondemand_wifi=false
                                dns_adblocking=true
                                ssh_tunneling=true
                                store_pki=false
                                region=us-east-1
                                do_token=token"

I tested the following config file situations:

  • with a configuration file set properly
  • with a missing configuration file
  • with a configuration file with no section header
  • with a custom section header (and AWS_PROFILE set)
  • with wrong data in the config file but correct data set as environment variables (this worked)

Errors that came up did not stop execution unless the authentication info was wrong. The "Deploy the template" task often failed during my testing, but this is an unrelated issue--the playbook can only get to that stage if the authentication info is okay.

I also added a test script that is more limited, but does some of the above checks.

Types of changes

  • Bug fix (non-breaking change which fixes an issue). I consider this a bugfix because the credentials file is standard and it's unusual that Algo doesn't read it.
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly. This is a core AWS feature, I don't think we need to document it.
  • I have added tests to cover my changes.
  • All new and existing tests passed. The existing tests seem unrelated. Is the test procedure documented, or can we skip it?

Other programs can read the AWS key and secret from ~/.aws/credentials
(or other configuration file), and with this change Algo can as well.

Optional environment variables: AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE

The file is not read if the credentials are already set as an Ansible
variable or an environment variable.
@CLAassistant
Copy link

CLAassistant commented Apr 5, 2022

CLA assistant check
All committers have signed the CLA.

@cageyv
Copy link

cageyv commented Dec 14, 2022

We could use https://github.com/99designs/aws-vault instead of files
Store AWS secrets inside ~/.aws/credentials is not secure way
Also there is post about this issue: https://cageyv.dev/posts/aws-vault/

@glennschler
Copy link
Contributor

I do not use ~/.aws/credentials for security reason. I like ansible vault. I think it is already installed with the ansible requirements of Algo, or it is a small extra step

mkdir vars
SECURE_VIM=Y ansible-vault create vars/aws-secrets.vault.yml
SECURE_VIM=Y ansible-vault edit vars/aws-secrets.vault.yml

e.g. aws-secrets.vault.yml

aws_access_key: ...
aws_secret_key: ...

The command

./algo --ask-vault-pass -e @vars/aws-secrets.vault.yml -e '{provider: ec2,
  ondemand_cellular: false,
  ondemand_wifi: false,
  dns_adblocking: false,
  ssh_tunneling: false,
  store_pki: false }' -e server_name=algo-$(date +%Y%b%d-%H%M)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants