Update bastion user provisioning play to generate AWS credentials files

[rija]

User story

As a curator I want the tools on bastion to allow me to perform files operations on Wasabi with rclone So that I can manage the dataset files on Wasabi

Acceptance criteria

Given a new user needs a system account on bastion When we run the provisioning script for creating new user with username parameter "lily" Then a bastion user account is created for "lily" And SSH public keys are added to the authorised keys And an AWS credential file is created in the bastion user's home directory with placeholder values

Given an existing user has an account on bastion And there is no AWS credential file for the Wasabi sub-user in the bastion user's home directory When we run the provisioning script for creating new user with username parameter "lily" And an AWS credential file is created in the bastion user's home directory with placeholder values

Given an existing user has an account on bastion And there is AWS credential file for the Wasabi sub-user in the bastion user's home directory When we run the provisioning script for creating new user with username parameter "lily" Then nothing change

Additional Info

Default location for the AWS credential files: ~/.aws/credentials

Use:

* https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html * https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html

Nice to have:

* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#Using_ManagingPasswordsAPI * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_cliwpsapi

AWS Credentials template (as ops/configuration/aws/credentials.j2)

[default]
aws_access_key_id=\<Writte your Wasabi access keys Id here\>
aws_secret_access_key=\<Write your Wasabi secret access key here\>

We assume that API keys created manually for now using the Wasabi dashboard. The API keys will need to be save in the Gitlab Variables.

 ansible-playbook -i ../../inventories users_playbook.yml -e "newuser=lily" -e "wasabi_access_key_id=xxxxxxx" -e "wasabi_secret_access_key=yyyyyy"

or parse the API keys CSV directly from the play (use https://docs.ansible.com/ansible/latest/collections/community/general/read_csv_module.html)

Product Backlog Item Ready Checklist

• [ ] Business value is clearly articulated
• [ ] Item is understood enough by the IT team so it can make an informed decision as to whether it can complete this item
• [ ] Dependencies are identified and no external dependencies would block this item from being completed
• [ ] At the time of the scheduled sprint, the IT team has the appropriate composition to complete this item
• [ ] This item is estimated and small enough to comfortably be completed in one sprint
• [ ] Acceptance criteria are clear and testable
• [ ] Performance criteria, if any, are defined and testable
• [ ] The Scrum team understands how to demonstrate this item at the sprint review

Product Backlog Item Done Checklist

• [ ] Item(s) in increment pass all Acceptance Criteria
• [ ] Code is refactored to best practices and coding standards
• [ ] Documentation is updated as needed
• [ ] Data security has not been compromised (with particular reference to the personal information we hold in GigaDB)
• [ ] No deviation from the team technology stack and software architecture has been introduced
• [ ] The product is in a releasable state (i.e. the increment has not broken anything)

[rija]

• [x] Prepare sample Wasabi credential file
• [x] Parse new wasabi user credentials CSV and debug-output in bastion-users Ansible role from a creds_csv_path variable passed to execution of users_playbook.yml
• [x] Create AWS credentials file with Wasabi credentials filled in in the [default] profile from a j2 template

[rija]

implemented in PR #1781