cloudsploit
Enable support for --profile option
Allow multiple profiles to be used using AWS's CLI option for profiles.
Awesome, thanks for opening this Matt
Adding some notes here based on our testing so far.
- This will likely be a bit more difficult than expected if we use the traditional, AWS-supported route of passing the --profile flag.
- The reason is that we pass a custom AWS config object (containing credentials) to the individual plugins which then modify them to change the region. This functionality is core to our caching mechanism.
- When using the profile flag, the object that is returned does not contain the credentials required for the plugins to work, but rather a reference to the config file.
- There may be a middle-ground solution where we can define a list of available credentials in a separate file (or even use the existing ~/.aws/config.json file) and load that at runtime.
We'll continue to investigate and update.
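The middle-ground idea in the notes above, sketched as an added example (not part of the thread and not CloudSploit's code): resolve a named profile from credentials-file text at runtime into a plain object that carries the secrets themselves, and fail loudly for profiles that hold only a reference. The function names, the INI layout of the sample, and the assumption that the plugins accept AWS SDK for JavaScript style keys are all hypothetical.

```javascript
// Parse INI text into { sectionName: { key: value } }.
// Accepts "[name]" (credentials file) and "[profile name]" (config file) headers.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[\s*(?:profile\s+)?([^\]\s]+)\s*\]$/);
    if (header) { current = sections[header[1]] = sections[header[1]] || {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Build the per-profile object; key names follow AWS SDK for JavaScript config
// keys (assumption: the plugins read exactly these fields).
function configForProfile(iniText, profile, region) {
  const entry = parseIni(iniText)[profile];
  if (!entry) throw new Error(`profile "${profile}" not found`);
  if (!entry.aws_access_key_id || !entry.aws_secret_access_key) {
    // role_arn or credential_process profiles are references, not secrets
    throw new Error(`profile "${profile}" has no static credentials`);
  }
  const config = {
    accessKeyId: entry.aws_access_key_id,
    secretAccessKey: entry.aws_secret_access_key,
    region: region || entry.region,
  };
  if (entry.aws_session_token) config.sessionToken = entry.aws_session_token;
  return config;
}

// Per-region copy, so changing the region never mutates the shared object.
function forRegion(config, region) {
  return Object.assign({}, config, { region });
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = `
# constructed temporary credentials
[profile audit]
aws_access_key_id = ASIAEXAMPLEAUDIT0000
aws_secret_access_key = constructed-secret-audit
aws_session_token = constructed-token
region = eu-west-1
[crossaccount]
role_arn = arn:aws:iam::111122223333:role/EXAMPLE
`;
```

Calling `configForProfile(SAMPLE, 'crossaccount')` throws, which is the case the notes describe: the profile resolves to a pointer rather than to usable keys.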
Is this something expected to be supported? I have multiple accounts and would love to test against those with a solution like this.
Maybe you could use a simple wrapper script to get around the problem. This is assuming you have an IAM role you can assume on the account and then run Cloudsploit with that role. I've been using something like this for similar purposes. Change ROLE2ASSUME to match what your IAM role is called.
If --profile was specified, could you use STS:GetSessionToken to grab the three elements you populate into the AWSConfig object?
I do similar to @kallu but in case anyone needs a one-liner:
export CREDS="$(aws sts get-session-token)" && export AWS_ACCESS_KEY_ID="$(echo $CREDS | jq -r .Credentials.AccessKeyId)"; export AWS_SECRET_ACCESS_KEY="$(echo $CREDS | jq -r .Credentials.SecretAccessKey)"; export AWS_SESSION_TOKEN="$(echo $CREDS | jq -r .Credentials.SessionToken)"
Thanks @jchrisfarris for the idea :-)