99designs / iamy

A cli tool for importing and exporting AWS IAM configuration to YAML files
MIT License
238 stars 24 forks

Find account via STS GetCallerIdentity #44

Closed pda closed 6 years ago

pda commented 6 years ago

Problem

After some AWS account spring cleaning, IAMy stopped working:

$ iamy pull --delete
Error in init: Can't determine the AWS account id49 <nil>

GetAwsAccountId tries three strategies to discover the account ID:

  1. IAM GetUser
  2. IAM ListUsers
  3. EC2 GetDefaultSecurityGroup

An AWS account following best practices is unlikely to have any of these things:

$ aws iam get-user
An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials

$ aws iam list-users --query Users
[]

$ aws ec2 describe-security-groups --group-names default
An error occurred (VPCIdNotSpecified) when calling the DescribeSecurityGroups operation: No default VPC for this user

Solution

This PR does two things:

Before

$ iamy --debug pull --dry-run
DEBUG 2018/08/21 10:55:56 Finding AWS account ID via GetUser
DEBUG 2018/08/21 10:55:57 Finding AWS account ID via ListUsers
DEBUG 2018/08/21 10:55:58 Finding AWS account ID via DefaultSecurityGroup
Error in init: Can't determine the AWS account id49 <nil>

After

$ iamy --debug pull --dry-run
DEBUG 2018/08/21 10:56:37 Finding AWS account ID via GetCallerIdentity
DEBUG 2018/08/21 10:56:39 AWS account ID: 1234123412341234
DEBUG 2018/08/21 10:56:41 Fetching IAM data
…
pda commented 6 years ago

I also just confirmed that STS GetCallerIdentity works for plain IAM User credentials (e.g. aws-vault exec --no-session), not just STS session tokens (e.g. aws-vault exec), so it's likely to work for all use cases.

Perhaps later on the other strategies should be removed.
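The two comments above describe a strategy chain (try GetUser, then ListUsers, then the default security group) that fails on a cleaned-up account, and the fix of asking STS GetCallerIdentity, which answers for both plain IAM user credentials and STS session tokens. The Go program below is an added example written for this page, not iamy's own code: it models the chain as a list of strategies, parses a GetCallerIdentity response body with the element names AWS documents for the STS Query API, and rejects anything that is not a 12-digit account ID. The three legacy strategies are stand-ins that fail with the exact messages shown in the issue, and the STS responses are constructed inline (the user and assumed-role ARNs, the `identityXML`, `failing` and `stsStrategy` helpers are all assumptions of this example) so it runs offline.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"regexp"
)

// accountIDPattern matches a well-formed AWS account ID: exactly 12 decimal digits.
var accountIDPattern = regexp.MustCompile(`^[0-9]{12}$`)

// callerIdentityResponse mirrors the XML body the STS Query API returns for
// GetCallerIdentity (element names as documented by AWS; namespace not checked).
type callerIdentityResponse struct {
	XMLName xml.Name `xml:"GetCallerIdentityResponse"`
	Result  struct {
		Arn     string `xml:"Arn"`
		Account string `xml:"Account"`
	} `xml:"GetCallerIdentityResult"`
}

// parseCallerIdentity extracts the account ID from a GetCallerIdentity response
// body and rejects anything that is not a 12-digit account ID.
func parseCallerIdentity(body []byte) (string, error) {
	var resp callerIdentityResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decoding GetCallerIdentity response: %w", err)
	}
	if !accountIDPattern.MatchString(resp.Result.Account) {
		return "", fmt.Errorf("malformed account ID %q in GetCallerIdentity response", resp.Result.Account)
	}
	return resp.Result.Account, nil
}

// accountIDStrategy is one way of discovering the account ID; name feeds the
// debug trace, mirroring iamy's "Finding AWS account ID via ..." lines.
type accountIDStrategy struct {
	name string
	find func() (string, error)
}

// findAccountID tries the strategies in order and returns the first account ID
// found, keeping every failure so the final error says why each lookup failed.
func findAccountID(strategies []accountIDStrategy, debug func(string)) (string, error) {
	var failures []error
	for _, s := range strategies {
		debug("Finding AWS account ID via " + s.name)
		id, err := s.find()
		if err == nil && id != "" {
			debug("AWS account ID: " + id)
			return id, nil
		}
		if err == nil {
			err = errors.New("returned no account ID")
		}
		failures = append(failures, fmt.Errorf("%s: %w", s.name, err))
	}
	return "", fmt.Errorf("can't determine the AWS account id: %v", failures)
}

// identityXML builds a constructed GetCallerIdentity response body (not captured
// from a real account) for the given caller ARN and account ID.
func identityXML(arn, account string) string {
	return fmt.Sprintf(`<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult><Arn>%s</Arn><Account>%s</Account></GetCallerIdentityResult>
</GetCallerIdentityResponse>`, arn, account)
}

// failing is a stand-in for a lookup that errors the way the issue shows.
func failing(name, msg string) accountIDStrategy {
	return accountIDStrategy{name: name, find: func() (string, error) { return "", errors.New(msg) }}
}

// legacyStrategies reproduces the three original lookups failing on an account
// with non-user credentials, no IAM users and no default VPC.
func legacyStrategies() []accountIDStrategy {
	return []accountIDStrategy{
		failing("GetUser", "ValidationError: Must specify userName when calling with non-User credentials"),
		{name: "ListUsers", find: func() (string, error) { return "", nil }}, // empty list: no ARN to read
		failing("DefaultSecurityGroup", "VPCIdNotSpecified: No default VPC for this user"),
	}
}

// stsStrategy wraps GetCallerIdentity; here the "call" parses a constructed body
// instead of sending a request, so the chain can be exercised offline.
func stsStrategy(body string) accountIDStrategy {
	return accountIDStrategy{name: "GetCallerIdentity", find: func() (string, error) {
		return parseCallerIdentity([]byte(body))
	}}
}

func main() {
	debug := func(msg string) { fmt.Println("DEBUG", msg) }
	if _, err := findAccountID(legacyStrategies(), debug); err != nil {
		fmt.Println("Error in init:", err) // the pre-PR outcome
	}
	// Constructed callers: a plain IAM user and an assumed-role STS session.
	for _, arn := range []string{"arn:aws:iam::123456789012:user/alice", "arn:aws:sts::123456789012:assumed-role/Admin/alice"} {
		chain := append([]accountIDStrategy{stsStrategy(identityXML(arn, "123456789012"))}, legacyStrategies()...)
		if id, err := findAccountID(chain, debug); err == nil {
			fmt.Println("found", id, "for", arn)
		}
	}
}
```

Against a real account the body parsing is done by the SDK: in aws-sdk-go v1 the call is `sts.New(sess).GetCallerIdentity(&sts.GetCallerIdentityInput{})` and the account ID is the `Account` field of the output, so only the strategy ordering and the 12-digit check carry over. Putting GetCallerIdentity first is the safe default because AWS requires no IAM permission for that action and does not let a policy deny it, whereas each of the legacy lookups depends on account state (an IAM user, any users at all, a default VPC) that a hardened account may not have.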

mtibben commented 6 years ago

Nice one