Merge pull request #173 from okta/issue_169_credential_process_and_cr…
…eds_file

Fix process credentials format bug when `--write-aws-credentials` flag is present.
monde authored Feb 9, 2024
2 parents 34ac6f4 + 0994c4d commit 416a0f0
Showing 4 changed files with 24 additions and 7 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -6,7 +6,8 @@ TBD

### BUG FIXES

* Open browser and open browser command behavior was fouled in v2 release [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
* Process credentials format was not emitting JSON correctly when `--write-aws-credentials` flag is present [#NNN](https://github.com/okta/okta-aws-cli/pull/NNN), thanks [@monde](https://github.com/monde)!
* Open browser and open browser command behavior was fouled in v2 release [#172](https://github.com/okta/okta-aws-cli/pull/172), thanks [@monde](https://github.com/monde)!

## 2.0.1 (January 31, 2024)

8 changes: 4 additions & 4 deletions internal/config/config.go
Expand Up @@ -441,12 +441,12 @@ func readConfig() (Attributes, error) {
if !attrs.WriteAWSCredentials {
attrs.WriteAWSCredentials = viper.GetBool(downCase(WriteAWSCredentialsEnvVar))
}
if attrs.WriteAWSCredentials {
// writing aws creds option implies "aws-credentials" format
if attrs.WriteAWSCredentials && attrs.Format != ProcessCredentialsFormat {
// writing aws creds option implies "aws-credentials" format unless format has already been set as process credentials
attrs.Format = AWSCredentialsFormat
}
if attrs.AllProfiles {
// writing all aws profiles option implies "aws-credentials" format
if attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat {
// writing all aws profiles option implies "aws-credentials" format unless format has already been set as process credentials
attrs.Format = AWSCredentialsFormat
}
if !attrs.OpenBrowser {
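Review bot: The second guard, `if attrs.AllProfiles && attrs.Format != ProcessCredentialsFormat`, keeps the process-credentials format when all-profiles is requested, but the matching branch in `RenderAWSCredential` (internal/output/output.go in this same commit) writes the credentials file only when `cfg.WriteAWSCredentials()` is true. Unless all-profiles is handled on a path outside these hunks, that combination would no longer write any profile to the credentials file, so either reject it in `readConfig` or record the open question next to the guard, e.g. `// TODO: decide whether all-profiles is valid together with process-credentials format`. Both guards also assume `attrs.Format` is already final at this point, which cannot be checked here because `readConfig` starts and ends outside the hunk.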
3 changes: 2 additions & 1 deletion internal/output/aws_credentials_file.go
Expand Up @@ -124,12 +124,13 @@ func updateConfig(filename, profile string, cfc *oaws.CredsFileCredential, legac
}

// updateIni will comment out any keys that are not "aws_access_key_id",
// "aws_secret_access_key", or "aws_session_token"
// "aws_secret_access_key", "aws_session_token", "credential_process"
func updateINI(config *ini.File, profile string, legacyVars bool, expiryVars bool) (*ini.File, error) {
ignore := []string{
"aws_access_key_id",
"aws_secret_access_key",
"aws_session_token",
"credential_process",
}
if legacyVars {
ignore = append(ignore, "aws_security_token")
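Review bot: The doc comment above `updateINI` still names the function `updateIni` and, after this change, lists `credential_process` among the kept keys without saying why it is there. Suggest `// updateINI comments out every key except "aws_access_key_id", "aws_secret_access_key", "aws_session_token" and "credential_process".`, followed by a line saying that `credential_process` is kept, presumably so that a profile which invokes this tool survives the rewrite of the file. The rewritten profile then holds both static session keys and `credential_process`; the AWS CLI documentation lists the credentials file ahead of the custom process in its lookup order, so it is worth confirming what a client does once the written keys have expired. The body of `updateINI` continues outside the hunk.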
17 changes: 16 additions & 1 deletion internal/output/output.go
Expand Up @@ -30,13 +30,28 @@ type Outputter interface {

// RenderAWSCredential Renders the credentials in the prescribed format.
func RenderAWSCredential(cfg *config.Config, cc *oaws.CredentialContainer) error {
expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
var o Outputter
switch cfg.Format() {
case config.AWSCredentialsFormat:
expiry := time.Now().Add(time.Duration(cfg.AWSSessionDuration()) * time.Second).Format(time.RFC3339)
o = NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
case config.ProcessCredentialsFormat:
o = NewProcessCredentials()

// check special case where we are running in process credentials
// format but we also need to write to the credentials file e.g. in
// ~/.aws/credentials:
//
// [default]
// credential_process = okta-aws-cli web --format process-credentials --oidc-client-id abc123 --org-domain test.okta.com --aws-iam-idp arn:aws:iam::123:saml-provider/ForOkta --aws-iam-role arn:aws:iam::123:role/S3_Read --open-browser --write-aws-credentials
//
if cfg.WriteAWSCredentials() {
// attempt to write the creds first
credsOut := NewAWSCredentialsFile(cfg.LegacyAWSVariables(), cfg.ExpiryAWSVariables(), expiry)
if err := credsOut.Output(cfg, cc); err != nil {
return err
}
}
case config.NoopFormat:
o = NewNoopCredentials()
default:
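Review bot: In the `config.ProcessCredentialsFormat` case, `credsOut.Output(cfg, cc)` now runs before the process-credentials output, so any status text it writes to stdout would land in front of the JSON that the caller of `credential_process` parses; `Output` is not shown in this hunk, so confirm that it reports on stderr only. This path also leaves the session keys on disk in a mode that is often chosen to avoid exactly that, which deserves a line in the comment, e.g. `// NOTE: the session credentials are persisted to the credentials file as well as returned to the caller`. A failed file write returns early and yields no credentials at all; if the write is meant to be best-effort, that should be stated or handled. `RenderAWSCredential` continues past the end of the hunk.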
