From ae6bdc916c46c3af0cc8152e2004bc08e96a4e4a Mon Sep 17 00:00:00 2001
From: Dan Zwell
Date: Tue, 5 Apr 2022 17:40:44 +0800
Subject: [PATCH] Read AWS credentials from disk (#14382)

Other programs can read the AWS key and secret from ~/.aws/credentials (or other configuration file), and with this change Algo can as well.
Optional environment variables: AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE
The file is not read if the credentials are already set as an Ansible variable or an environment variable.
---
 .../cloud-ec2/tasks/discover-credentials.yml | 35 +++++++++++++++++++
 roles/cloud-ec2/tasks/main.yml | 3 ++
 tests/.aws/credentials | 3 ++
 tests/.aws/credentials2 | 7 ++++
 tests/aws-credentials.sh | 24 +++++++++++++
 tests/validate-aws-credentials.yml | 7 ++++
 6 files changed, 79 insertions(+)
 create mode 100644 roles/cloud-ec2/tasks/discover-credentials.yml
 create mode 100644 tests/.aws/credentials
 create mode 100644 tests/.aws/credentials2
 create mode 100755 tests/aws-credentials.sh
 create mode 100644 tests/validate-aws-credentials.yml
diff --git a/roles/cloud-ec2/tasks/discover-credentials.yml b/roles/cloud-ec2/tasks/discover-credentials.yml
new file mode 100644
index 000000000..91259c700
--- /dev/null
+++ b/roles/cloud-ec2/tasks/discover-credentials.yml
@@ -0,0 +1,35 @@
+---
+- name: "Find AWS profile and credentials file"
+ block:
+ - set_fact:
+ aws_credentials_path: "{{ lookup('env', 'HOME') }}/.aws/credentials"
+
+ - set_fact:
+ aws_credentials_path: "{{ lookup('env', 'AWS_SHARED_CREDENTIALS_FILE') }}"
+ when:
+ - lookup('env', 'AWS_SHARED_CREDENTIALS_FILE')|length > 0
+ - debug: var=aws_credentials_path
+
+ - set_fact:
+ aws_profile_id: "default"
+
+ - set_fact:
+ aws_profile_id: "{{ lookup('env', 'AWS_PROFILE') }}"
+ when:
+ - lookup('env', 'AWS_PROFILE')|length > 0
+
+- name: "Look up AWS credentials"
+ block:
+ - set_fact:
+ aws_access_key: "{{ lookup('ini', 'aws_access_key_id', section=aws_profile_id, file=aws_credentials_path) }}"
+ ignore_errors: true
+ when:
+ - aws_access_key is undefined
+ - lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0
+
+ - set_fact:
+ aws_secret_key: "{{ lookup('ini', 'aws_secret_access_key', section=aws_profile_id, file=aws_credentials_path) }}"
+ ignore_errors: true
+ when:
+ - aws_secret_key is undefined
+ - lookup('env', 'AWS_SECRET_ACCESS_KEY')|length <= 0
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 3b47b50f0..bb9cc5bf8 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -2,6 +2,9 @@
 - name: Build python virtual environment import_tasks: venv.yml
+- name: Include credential discovery
+ import_tasks: discover-credentials.yml
+ - name: Include prompts import_tasks: prompts.yml
diff --git a/tests/.aws/credentials b/tests/.aws/credentials
new file mode 100644
index 000000000..2daae2233
--- /dev/null
+++ b/tests/.aws/credentials
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id=example_key
+aws_secret_access_key=example_secret
diff --git a/tests/.aws/credentials2 b/tests/.aws/credentials2
new file mode 100644
index 000000000..44e41b2b2
--- /dev/null
+++ b/tests/.aws/credentials2
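Review bot: The two `set_fact` tasks under "Look up AWS credentials" read a secret from disk without `no_log: true`, so the value of `aws_secret_key` (and the access key id) is echoed in the task result of any run with `-v` or higher and reaches whatever callback or log captures that output; add `no_log: true` next to `ignore_errors: true` on both tasks. The `- debug: var=aws_credentials_path` task only prints the path, so it can stay unmasked. Separately, `ignore_errors: true` still reports each of these tasks as failed whenever the file or the profile section does not exist, which is the normal situation for users who supply credentials at the prompt and have no ~/.aws directory, so expect a red line on every such run; the lookup plugin's `errors='ignore'` keyword would suppress that, but it then sets the fact to an empty string rather than leaving it undefined, so check how prompts.yml treats an empty value before switching.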
@@ -0,0 +1,7 @@
+[default]
+aws_access_key_id=WRONG
+aws_secret_access_key=WRONG
+
+[profile1]
+aws_access_key_id=example_key
+aws_secret_access_key=example_secret
diff --git a/tests/aws-credentials.sh b/tests/aws-credentials.sh
new file mode 100755
index 000000000..f027549f9
--- /dev/null
+++ b/tests/aws-credentials.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# command line credentials should still work:
+ansible-playbook tests/validate-aws-credentials.yml \
+ -e aws_access_key=example_key \
+ -e aws_secret_key=example_secret
+
+# command line credentials should override config files:
+ansible-playbook tests/validate-aws-credentials.yml \
+ -e aws_access_key=example_key \
+ -e aws_secret_key=example_secret
+
+# In this case the config file is bad but the command line should win:
+AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" \
+ ansible-playbook tests/validate-aws-credentials.yml \
+ -e aws_access_key=example_key \
+ -e aws_secret_key=example_secret
+
+# should read from the config file in tests/.aws:
+HOME="$PWD/tests" \
+ ansible-playbook tests/validate-aws-credentials.yml
+
+AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" AWS_PROFILE=profile1 \
+ ansible-playbook tests/validate-aws-credentials.yml
diff --git a/tests/validate-aws-credentials.yml b/tests/validate-aws-credentials.yml
new file mode 100644
index 000000000..431028a10
--- /dev/null
+++ b/tests/validate-aws-credentials.yml
@@ -0,0 +1,7 @@
+- name: test
+ hosts: localhost
+ tasks:
+ - include_tasks: ../roles/cloud-ec2/tasks/discover-credentials.yml
+ - assert: { that: "aws_access_key == 'example_key'" }
+ - assert: { that: "aws_secret_key == 'example_secret'" }
+
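Review bot: The script never enables `set -e`, so an `ansible-playbook` run whose assertion in validate-aws-credentials.yml does not hold still lets the script exit 0, and a CI job invoking it would report the credential discovery as passing; add `set -euo pipefail` directly under the shebang. The second invocation, under the comment "command line credentials should override config files", is identical to the first and sets neither `HOME` nor `AWS_SHARED_CREDENTIALS_FILE`, so no configuration file is involved and it does not exercise the override it claims to; the third case already covers that, so the duplicate can be dropped. No case covers credentials supplied through `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, which is the other branch the `when` conditions in discover-credentials.yml check, though covering it would presumably need a variant of the validate playbook since the task intentionally leaves the facts undefined in that branch.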
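Review bot: The play gathers facts on localhost although the test only needs the two looked-up variables; `gather_facts: false` under `hosts: localhost` would remove that cost from each of the five runs in aws-credentials.sh. When the lookup leaves `aws_access_key` undefined, the first `assert` fails with an undefined-variable error rather than a readable message; a `fail_msg` or an `aws_access_key is defined` clause ahead of the comparison would make that failure mode explicit. As a point of style, the two flow-style `assert: { that: ... }` mappings would read more like the block-style tasks in main.yml if written out, and the file lacks a `---` document-start line.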