Aws profile #201
|
I believe the AWS SDK will respect the use of the |
|
@patrobinson yes, by default the SDK will use the environment variable. This approach is handy though; one use case is the China region, where you will need different credentials for that stack. Means you can throw them in the stack_master config rather than having to remember to change |
|
Specifying a profile in a file that is supposed to be portable across multiple users is never a good idea. I don't name my profile the same as you. |
|
I'm coming from a corporate environment where, when staff start, part of the setup process is setting their profile for the company to be a standard string. |
patrobinson
left a comment
I've thought about similar proposals a lot. Generally I'm not in favour of more tightly coupling the authentication mechanism to StackMaster. At present we do not know nor care about the value of AWS_PROFILE, that's all handled transparently by the SDK. Pushing credential handling to the SDK as much as possible is desirable.
While this is a fairly simple implementation, it's geared towards only those that have standardised credential settings. Internally we take a different approach, each user can configure a bash alias, that calls aws-vault with the appropriate arguments, to get the right credentials.
credential-alias stack_master apply us-east-1 my-stack
Indeed this could work the same way here
AWS_PROFILE=credentials stack_master apply us-east-1 my-stack
So I'm on the fence on whether to accept this PR. At a glance it doesn't make things too difficult going forwards, but I'd prefer to avoid needing to pass profile to every place we call the SDK. I might be convinced if some tests are added to ensure the profile setting takes effect.
| region: region, | ||
| retry_limit: 10, | ||
| } | ||
| params[:credentials] = Aws::SharedCredentials.new(profile_name: profile_name) if profile_name |
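Review bot: Aws::SharedCredentials.new(profile_name: profile_name) on the added params[:credentials] line loads only the static keys stored under that profile in the shared credentials files, so a profile that is defined through role_arn and source_profile will not resolve the way it does when AWS_PROFILE is set and the SDK's default provider chain handles it. Passing the name through the client's own profile option (params[:profile] = profile_name) would keep credential resolution inside the SDK. The guard "if profile_name" is also true for an empty string in Ruby, so a blank profile value in the config would be passed to the SDK as a profile name; check for a non-empty value, and add a spec that asserts the client receives the configured profile.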
It seems like it would be easier to just over-write the environment variable rather than pass it down the stack.
From memory I did it this way so that if you simply do stack_master apply, different stacks can have different profiles, i.e. the China situation.
|
I worry that if you add this the next thing people will want is the ability to pass credentials via access key and secret parameters. Then, they'll want you to have profile prompt for an MFA code if one is required. I was on the side of wanting all these args a while back when using tools like this, but now I've learned to keep things modular and portable by just using tools like aws-runas. As long as the tool supports env vars for key, secret key, and session token (like stack_master does) then you can use aws-runas. |
|
Happy to add tests if that helps get it landed. |
|
@et304383 This is my concern too. But I'm hoping we can tackle this problem in a 2.0 release of StackMaster where we better handle "environments" to make it easier while keeping the authentication mechanisms de-coupled. I'm not sure how we'll do that yet, open to ideas! In the mean time I think it should be OK to keep some features, like this, which do not impact other users in the 1.x release. It's likely we'll cull them though if/when there's a better way of managing it. But as you say, I'm not happy to tightly couple StackMaster to the authentication tool someone chooses. |
|
This PR is a bit stale. Happy to re-review when tests are added, in the mean time closing it. |
Support specifying aws profiles in the config