From 0994c4da19d5c779057e2efc290a0e6fedc87644 Mon Sep 17 00:00:00 2001 From: Mike Mondragon Date: Fri, 9 Feb 2024 11:05:38 -0800 Subject: [PATCH] Process credentials format was not emitting JSON correctly when `--write-aws-credentials` flag is present. Closes #169 --- CHANGELOG.md | 3 ++- internal/config/config.go | 8 ++++---- internal/output/aws_credentials_file.go | 3 ++- internal/output/output.go | 17 ++++++++++++++++- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e96aa95..6fdc15e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,8 @@ TBD ### BUG FIXES -* Open browser and open browser command behavior was fouled in v2 release [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)! +* Process credentials format was not emitting JSON correctly when `--write-aws-credentials` flag is present [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)! +* Open browser and open browser command behavior was fouled in v2 release [#172](https://github.com/okta/okta-aws-cli/pull/172), thanks [@monde](https://github.com/monde)! ## 2.0.1 (January 31, 2024) diff --git a/internal/config/config.go b/internal/config/config.go index 9c10fa2..43727db 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -441,12 +441,12 @@ func readConfig() (Attributes, error) { if !attrs.WriteAWSCredentials { attrs.WriteAWSCredentials = viper.GetBool(downCase(WriteAWSCredentialsEnvVar)) } - if attrs.WriteAWSCredentials { - // writing aws creds option implies "aws-credentials" format + if attrs.WriteAWSCredentials && attrs.Format != ProcessCredentialsFormat { + // writing aws creds option implies "aws-credentials" format unless format has already been set as process credentials attrs.Format = AWSCredentialsFormat } - if attrs.AllProfiles { - // writing all aws profiles option implies "aws-credentials" format + if attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat { + // writing all aws profiles option implies "aws-credentials" format unless format has already been set as process credentials attrs.Format = AWSCredentialsFormat } if !attrs.OpenBrowser { diff --git a/internal/output/aws_credentials_file.go b/internal/output/aws_credentials_file.go index 646d57a..ac49d36 100644 --- a/internal/output/aws_credentials_file.go +++ b/internal/output/aws_credentials_file.go @@ -124,12 +124,13 @@ func updateConfig(filename, profile string, cfc *oaws.CredsFileCredential, legac } // updateIni will comment out any keys that are not "aws_access_key_id", -// "aws_secret_access_key", or "aws_session_token" +// "aws_secret_access_key", "aws_session_token", "credential_process" func updateINI(config *ini.File, profile string, legacyVars bool, expiryVars bool) (*ini.File, error) { ignore := []string{ "aws_access_key_id", "aws_secret_access_key", "aws_session_token", + "credential_process", } if legacyVars { ignore = append(ignore, "aws_security_token") diff --git a/internal/output/output.go b/internal/output/output.go index a78f6d0..5a90fa0 100644 --- a/internal/output/output.go +++ b/internal/output/output.go @@ -30,13 +30,28 @@ type Outputter interface { // RenderAWSCredential Renders the credentials in the prescribed format. func RenderAWSCredential(cfg *config.Config, cc *oaws.CredentialContainer) error { + expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339) var o Outputter switch cfg.Format() { case config.AWSCredentialsFormat: - expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339) o = NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry) case config.ProcessCredentialsFormat: o = NewProcessCredentials() + + // check special case where we are running in process credentials + // format but we also need to write to the credentials file e.g. in + // ~/.aws/credentials: + // + // [default] + // credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc123 --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/ForOkta --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials + // + if cfg.WriteAWSCredentials() { + // attempt to write the creds first + credsOut := NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry) + if err := credsOut.Output(cfg, cc); err != nil { + return err + } + } case config.NoopFormat: o = NewNoopCredentials() default: