Fix process credentials format bug when --write-aws-credentials flag is present. #173

Merged
merged 1 commit into from
Feb 9, 2024
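--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,8 @@ TBD
 
 ### BUG FIXES
 
-* Open browser and open browser command behavior was fouled in v2 release [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
+* Process credentials format was not emitting JSON correctly when `--write-aws-credentials` flag is present [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
+* Open browser and open browser command behavior was fouled in v2 release [#172](https://github.com/okta/okta-aws-cli/pull/172), thanks [@monde](https://github.com/monde)!
 
 ## 2.0.1 (January 31, 2024)
 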
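--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -441,12 +441,12 @@ func readConfig() (Attributes, error) {
 if !attrs.WriteAWSCredentials {
 attrs.WriteAWSCredentials = viper.GetBool(downCase(WriteAWSCredentialsEnvVar))
 }
-if attrs.WriteAWSCredentials {
-// writing aws creds option implies "aws-credentials" format
+if attrs.WriteAWSCredentials && attrs.Format != ProcessCredentialsFormat {
+// writing aws creds option implies "aws-credentials" format unless format has already been set as process credentials
 attrs.Format = AWSCredentialsFormat
 }
-if attrs.AllProfiles {
-// writing all aws profiles option implies "aws-credentials" format
+if attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat {
+// writing all aws profiles option implies "aws-credentials" format unless format has already been set as process credentials
 attrs.Format = AWSCredentialsFormat
 }
 if !attrs.OpenBrowser {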
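Review bot: The `attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat` guard keeps the process-credentials format when --all-profiles is set, but the RenderAWSCredential change in this same PR only writes the credentials file when `cfg.WriteAWSCredentials()` is true, so what --all-profiles does under process-credentials is not visible here. If that combination is handled elsewhere, the comment should say so, for example `// all-profiles with process-credentials is handled in <place>; format is left untouched here`; if it is not handled, an explicit error is safer than silently accepting the flag. Both guards also assume attrs.Format already holds the canonical string at this point, which these lines do not show; a differently-cased value from an environment variable or config file would fall through to `attrs.Format = AWSCredentialsFormat` and the credential_process caller would get non-JSON output again. readConfig starts and ends outside the hunk.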
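--- a/internal/output/aws_credentials_file.go
+++ b/internal/output/aws_credentials_file.go
@@ -124,12 +124,13 @@ func updateConfig(filename, profile string, cfc *oaws.CredsFileCredential, legac
 }
 
 // updateIni will comment out any keys that are not "aws_access_key_id",
-// "aws_secret_access_key", or "aws_session_token"
+// "aws_secret_access_key", "aws_session_token", "credential_process"
 func updateINI(config *ini.File, profile string, legacyVars bool, expiryVars bool) (*ini.File, error) {
 ignore := []string{
 "aws_access_key_id",
 "aws_secret_access_key",
 "aws_session_token",
+"credential_process",
 }
 if legacyVars {
 ignore = append(ignore, "aws_security_token")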
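Review bot: Adding `"credential_process"` to `ignore` leaves a rewritten profile section holding both the process entry and the static key triple, and the doc comment does not say how the two are meant to coexist. AWS SDKs commonly resolve static keys from the shared credentials file ahead of credential_process, so once keys are written the process may not be invoked again until they are removed; that is worth confirming against the SDKs this tool targets and stating in the comment. The comment also names `updateIni` while the function is `updateINI`, and it omits the keys appended for legacyVars; suggest opening it with `// updateINI comments out every key in the profile except the ones listed in ignore:`. The body of updateINI continues past the end of the hunk.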
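--- a/internal/output/output.go
+++ b/internal/output/output.go
@@ -30,13 +30,28 @@ type Outputter interface {
 
 // RenderAWSCredential Renders the credentials in the prescribed format.
 func RenderAWSCredential(cfg *config.Config, cc *oaws.CredentialContainer) error {
+expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
 var o Outputter
 switch cfg.Format() {
 case config.AWSCredentialsFormat:
-expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
 o = NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
 case config.ProcessCredentialsFormat:
 o = NewProcessCredentials()
+
+// check special case where we are running in process credentials
+// format but we also need to write to the credentials file e.g. in
+// ~/.aws/credentials:
+//
+// [default]
+// credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc123 --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/ForOkta --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials
+//
+if cfg.WriteAWSCredentials() {
+// attempt to write the creds first
+credsOut := NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
+if err := credsOut.Output(cfg, cc); err != nil {
+return err
+}
+}
 case config.NoopFormat:
 o = NewNoopCredentials()
 default: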
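Review bot: In the `config.ProcessCredentialsFormat` case a failed `credsOut.Output(cfg, cc)` returns before the process-credentials JSON is rendered, so a credentials-file problem (permissions, a malformed file) fails the whole credential_process call even though valid credentials were obtained; the comment `// attempt to write the creds first` reads as best-effort, which the code is not. Either state the hard-fail intent, e.g. `// write the credentials file first; any error aborts before the JSON is emitted`, or report the error on stderr and carry on to the JSON output. Because the caller of credential_process parses stdout as JSON, it is also worth confirming that the credentials-file outputter prints nothing to stdout; its body is not shown here. This path persists the session keys to disk, which a plain credential_process setup avoids, so the flag's documentation should spell out that trade-off. RenderAWSCredential continues past the end of the hunk.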