From 5d4bcb87c3429982524b8b92f03b887f23527a66 Mon Sep 17 00:00:00 2001
From: Stan Rosenberg
Date: Mon, 16 Dec 2024 23:22:25 -0500
Subject: [PATCH] roachprod: update `haveCredentials` in AWS provider to prefer SSO
Previously, `haveCredentials` (in `aws.go`) would check for existence of `~/.aws/credentials` or `AWS_ACCESS_KEY_ID`. When neither exists, the AWS provider is disabled. As of recently, non-CI uses of roachprod have been migrated over to SSO. Thus, we now check for existence of `~/.aws/config` or `AWS_PROFILE`. When neither exists, we fall back to the previous logic (see above). Further, a deprecation warning is displayed.
Epic: none
Release note: None
---
 pkg/roachprod/vm/aws/aws.go | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/pkg/roachprod/vm/aws/aws.go b/pkg/roachprod/vm/aws/aws.go
index 1f0176e0d288..342a11378831 100644
--- a/pkg/roachprod/vm/aws/aws.go
+++ b/pkg/roachprod/vm/aws/aws.go
@@ -79,14 +79,32 @@ func Init() error {
 // NB: This is a bit hacky, but using something like `aws iam get-user` is
 // slow and not something we want to do at startup.
 haveCredentials := func() bool {
+ // We assume SSO is enabled if either AWS_PROFILE is set or ~/.aws/config exists.
+ // N.B. We can't check if the user explicitly passed `--aws-profile` because CLI parsing hasn't happened yet.
+ if os.Getenv("AWS_PROFILE") != "" {
+ return true
+ }
+ const configFile = "${HOME}/.aws/config"
+ if _, err := os.Stat(os.ExpandEnv(configFile)); err == nil {
+ return true
+ }
+ // Non-SSO authentication is deprecated and will be removed in the future. However, CI continues to use it.
+ hasAuth := false
 const credFile = "${HOME}/.aws/credentials"
 if _, err := os.Stat(os.ExpandEnv(credFile)); err == nil {
- return true
+ hasAuth = true
 }
 if os.Getenv("AWS_ACCESS_KEY_ID") != "" {
- return true
+ hasAuth = true
+ }
+ if !hasAuth {
+ // No known method of auth. was detected.
+ return false
 }
- return false
+ // Non-SSO auth. is deprecated, so let's display a warning.
+ fmt.Fprintf(os.Stderr, "WARN: Non-SSO form of authentication is deprecated and will be removed in the future.\n")
+ fmt.Fprintf(os.Stderr, "WARN:\tPlease set `AWS_PROFILE` or pass `--aws-profile`.\n")
+ return true
 }
 if !haveCredentials() {
 vm.Providers[ProviderName] = flagstub.New(&Provider{}, noCredentials)
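Review bot: The `os.Stat` on `${HOME}/.aws/config` added at the top of `haveCredentials` does not establish that SSO is in use: the AWS CLI writes that file for region/output settings whenever `aws configure` has been run, so a user on static keys in `~/.aws/credentials` is classified as SSO, never sees the new deprecation warning, and the provider is enabled on the strength of a file that may hold no credential source at all; `AWS_PROFILE` can likewise name a static-key profile. If the intent is to detect SSO specifically, scanning the file for an SSO section is cheap and still avoids the `aws iam get-user` round-trip the NB comment warns about: `if b, err := os.ReadFile(os.ExpandEnv(configFile)); err == nil && (bytes.Contains(b, []byte("sso_session")) || bytes.Contains(b, []byte("sso_start_url"))) {` (assuming `bytes` is imported; the file's imports are outside the hunk). The hard-coded path also ignores `AWS_CONFIG_FILE`, which the CLI and SDKs honor, so resolving that variable first and falling back to the `${HOME}` path keeps the check aligned with what the tooling will actually read. The warning is also emitted unconditionally to stderr, which the commit message says CI will keep hitting; gating it on a non-CI signal would avoid noise in every CI log. The enclosing `Init` function begins and ends outside the hunk.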