aws-nuke
Include AWS CLI Profile in config file per account
Let's say I have 20 AWS accounts, each of which involve a different AWS CLI profile stored in ~/.aws/config -- it would be awesome if I could include which AWS CLI profile it should use in my config file -- per account, so I don't have to for loop through running aws-nuke with 20 different config files.
I am not sure if I fully understand this. Do you mean something like this?
```yaml
---
regions:
  - "global"
  - "eu-west-1"
account-blacklist:
  - 1234567890
accounts:
  555133742:
    filters:
      IAMUser:
        - "admin"
      IAMUserPolicyAttachment:
        - "admin -> AdministratorAccess"
  426661337:
    filters:
      IAMUser:
        - "admin"
      IAMUserPolicyAttachment:
        - "admin -> AdministratorAccess"
```
Leo wants to be able to set the AWS credential profile per account in the config so he can have unique ones running concurrently.
On Fri, May 4, 2018 at 4:24 AM Sven Walter [email protected] wrote:
Does this mean to omit the profile completely and switch between accounts via the config file?
Currently it is intended to have a single config file for all accounts. From the README:
To ensure to not accidentally delete a random account, it is required to specify a config file. It is recommended to have only a single config file and add it to a central repository. This way the account blacklist is way easier to manage and keep up to date.
Otherwise the blacklist feature gets somewhat unreliable, because a company/organization-unit/user would have to update multiple configs when adding new production accounts.
Since this is a precaution for production accounts, I dislike changing that. But if someone thinks this doesn't make sense we can talk about this.
My use case is -- let's say I have 40 accounts I want to nuke -- each are associated with a different profile in my ~/.aws/config -- which is assuming a role in each account. How can I use one invocation of aws-nuke for this? Right now, I just have a config file for each account, and for loop through each one with one invocation of aws-nuke per account.
On Thu, May 10, 2018 at 1:55 AM, Sven Walter [email protected] wrote:
So I guess your script currently looks somehow like this:
```sh
aws-nuke --profile acc1 --config ./nuke-acc1.yaml
aws-nuke --profile acc2 --config ./nuke-acc2.yaml
aws-nuke --profile acc3 --config ./nuke-acc3.yaml
aws-nuke --profile acc4 --config ./nuke-acc4.yaml
```
I think it is safer to use a single config file for all accounts, so there is only a single place to update filters and the account blacklist:
```sh
aws-nuke --profile acc1 --config ./nuke.yaml
aws-nuke --profile acc2 --config ./nuke.yaml
aws-nuke --profile acc3 --config ./nuke.yaml
aws-nuke --profile acc4 --config ./nuke.yaml
```
Anyway, would the ability to specify the profile multiple times solve your problem? Something like this:
```sh
aws-nuke --profile acc1 --profile acc2 --profile acc3 --profile acc4 --config ./nuke.yaml
```
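The single-config loop described above, as an added example that is not part of the thread or of aws-nuke itself. It assumes profiles are defined as `[profile NAME]` sections in the AWS CLI config file and adds two things the plain loop lacks: a check that each profile actually exists before it is used, and a non-zero exit when any profile was misspelled, so a batch job fails loudly instead of silently skipping an account. `NUKE_BIN` is a hypothetical override so the commands can be previewed with `echo`.

```shell
#!/bin/sh
# Run aws-nuke once per AWS CLI profile against ONE shared config file.
# Assumptions (not from the thread): profiles live in $AWS_CONFIG_FILE
# (default ~/.aws/config) as "[profile NAME]" sections; NUKE_BIN lets the
# caller substitute the binary (e.g. "echo") to preview the command lines.
set -u

NUKE_BIN="${NUKE_BIN:-aws-nuke}"
AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-$HOME/.aws/config}"

# profile_exists NAME: succeeds if "[profile NAME]" is in the CLI config file.
profile_exists() {
    grep -q "^\[profile $1\]" "$AWS_CONFIG_FILE" 2>/dev/null
}

# nuke_all CONFIG PROFILE...: run aws-nuke for every profile with the same
# config. Unknown profiles are skipped and counted; the count is the return
# value, so 0 means every profile was found and every run completed.
# --no-dry-run is deliberately absent: aws-nuke only lists resources without
# it, and a real deletion run should be an explicit, separate decision.
nuke_all() {
    cfg="$1"; shift
    missing=0
    for p in "$@"; do
        if ! profile_exists "$p"; then
            echo "skip: profile '$p' not found in $AWS_CONFIG_FILE" >&2
            missing=$((missing + 1))
            continue
        fi
        "$NUKE_BIN" --profile "$p" --config "$cfg" || return 1
    done
    return "$missing"
}
```

Preview the plan with `NUKE_BIN=echo nuke_all ./nuke.yaml acc1 acc2`; the real invocation is the same call with `NUKE_BIN` unset.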
Yes -- that would be great. Would it then also know which role to assume out of ~/.aws/config -- assuming they had the same names as the profiles in the aws-nuke config file?
On May 14, 2018, at 5:55 AM, Sven Walter [email protected] wrote:
Ok. I will take a look at how we can implement this. This might take a while.
The configuration does not contain any profile names. The whole filtering is only based on the account ID.
Hi folks, I've just discovered aws-nuke and really like it. I have the identical use case, but I would have thought it would have made most sense to do something like the following?
```yaml
---
regions:
  - "global"
  - "eu-west-1"
account-blacklist:
  - 1234567890
accounts:
  555133742:
    role_arn: "arn:......"
    filters: ....
```
I'd much rather have something like this than have to also configure the AWS config/credential files. From a dynamic invocation point of view, the less file mangling the better.
Hi there, I am also interested in this feature, and I like the proposal from @rhysjtevans. Looking at the code, it looks like a pretty big change though. Is this still something being considered?