gimme-aws-creds
resolve_aws_alias is not honored when user has only one role
Expected Behavior
Scenario: a user is assigned a single role in Okta: the IAM role 'myaccount-admin' in the AWS account named 'myaccount'. The user has write_aws_creds and resolve_aws_alias both set to True and cred_profile set to acc-role, and runs gimme-aws-creds with no arguments.
Expected result: A credentials profile is created in the user's ~/.aws/credentials file named myaccount-myaccount-admin.
Current Behavior
The credentials profile is instead named with the account id, as 123456789012-myaccount-admin.
Possible Solution
Since a user with only one role is dropped straight into the AWS console, there is no list of account/role names to pull the alias from. Therefore, if resolve_aws_alias is True, try to use the credentials just obtained for the role to call list-account-aliases and get the alias that way.
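One way to implement that fallback, as an added example that is not gimme-aws-creds' own code: the profile name is built from the alias when the role's temporary credentials can call list-account-aliases, and from the account id when the account has no alias or the call is rejected. The function names, the handling of cred_profile values other than acc-role and the access-denied stub are assumptions.

```python
"""Added example (not gimme-aws-creds' own code): derive the credentials
profile name for a single-role user by resolving the account alias with
the just-obtained role credentials, falling back to the account id."""
from typing import Callable, Optional


def resolve_account_alias(list_account_aliases: Callable[[], dict]) -> Optional[str]:
    """Return the account's first alias, or None when the account has no alias
    or the call fails (e.g. the role lacks iam:ListAccountAliases)."""
    try:
        aliases = list_account_aliases().get("AccountAliases", [])
    except Exception:  # AccessDenied, network error, expired creds: fall back
        return None
    return aliases[0] if aliases else None


def profile_name(account_id: str, role_name: str, cred_profile: str,
                 resolve_aws_alias: bool,
                 list_account_aliases: Callable[[], dict]) -> str:
    """Build the ~/.aws/credentials profile name. Only cred_profile='acc-role'
    (from the issue) is modelled; any other value is used verbatim (assumption)."""
    account_label = account_id
    if resolve_aws_alias:
        alias = resolve_account_alias(list_account_aliases)
        if alias:
            account_label = alias
    if cred_profile == "acc-role":
        return f"{account_label}-{role_name}"
    return cred_profile


def boto3_alias_lookup(access_key: str, secret_key: str, session_token: str) -> Callable[[], dict]:
    """Wrap the role's temporary credentials in an IAM client (needs boto3 at call time)."""
    import boto3  # imported lazily so the rest of the module runs without it
    iam = boto3.client("iam", aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key,
                       aws_session_token=session_token)
    return iam.list_account_aliases


def access_denied_stub() -> dict:
    """Constructed stand-in for a role that may not call iam:ListAccountAliases."""
    raise PermissionError("AccessDenied")


if __name__ == "__main__":
    # Constructed responses standing in for the real IAM call.
    with_alias = lambda: {"AccountAliases": ["myaccount"]}
    print(profile_name("123456789012", "myaccount-admin", "acc-role", True, with_alias))
    print(profile_name("123456789012", "myaccount-admin", "acc-role", True, access_denied_stub))
```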
Steps to Reproduce (for bugs)
- Arrange for a user to have only one role in Okta
- Set config as above, with write_aws_creds and resolve_aws_alias both set to True and cred_profile set to acc-role
- Run gimme-aws-creds and authenticate as the single-role user
- Observe name of written credentials profile
Context
We have a shared environment with a large number of AWS accounts, where users with different sets of role assignments often collaborate on projects. It's common for dev teams to include the role required to e.g. operate on a given Terraform deployment in the form of a credentials profile name coded into the AWS provider configuration. This may not be best practice, but it works as long as everyone's profile names for a given role agree. That agreement is broken when a few users who have the correct role get a different profile name just because it's the only role they have.
Your Environment
- App Version used: 2.3.5
- Environment name and version: Python 3.8.1
- Operating System and version: macOS Catalina 10.15.7
We have the same issue here!