Troublesome Behavior
If a user happens to be managing Layer0 instances across different AWS accounts with different credentials, l0-setup list will always return an AccessDenied error.
Given AWS accounts ACCT1 and ACCT2 and a separate set of credentials (access key and secret access key) for each account, l0-setup list will never return anything helpful to the user. If authenticated for ACCT1, l0-setup returns AccessDenied because CREDS1 can't authenticate against ACCT2, and vice versa. No matter which credentials the user supplies, the list command will never not fail.
Possible Solutions
Given this sample representation of the world:

| AWS Account | Layer0 Instances |
| --- | --- |
| ACCT1 | instance1a, instance1b |
| ACCT2 | instance2a, instance2b |

Silent failure?
# using credentials for ACCT1
# AccessDenied errors are generated when authenticating
# against ACCT2, but are ignored
$ l0-setup list
STATUS NAME
lr instance1a
r instance1b
Notification in output?
# using credentials for ACCT1
# AccessDenied errors are generated when authenticating
# against ACCT2, and the presence of any such errors just
# appends an explanatory note to the output
$ l0-setup list
STATUS NAME
lr instance1a
r instance1b
l0-setup found more Layer0 instances, but could not authenticate with the current credentials.
Integration with ~/.aws/credentials?
# l0-setup tries to authenticate against all known layer0 instances
# using each set of credentials in ~/.aws/credentials and compiles
# the results into the following output
$ l0-setup list
STATUS NAME
lr instance1a
r instance1b
r instance2a
lr instance2b
A solution like this one would benefit from #627.
See also #211.
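The `~/.aws/credentials` option combined with the notification option, as an added example that is not Layer0's code: each profile is tried in turn, AccessDenied is recorded per profile instead of failing the whole command or being dropped silently, and any other error still aborts. `errAccessDenied`, `listAll`, `fakeList` and the sample credentials text are hypothetical stand-ins for the real AWS error and listing call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errAccessDenied stands in for the AWS AccessDenied error (assumption).
var errAccessDenied = errors.New("AccessDenied")

// sampleCreds is a constructed credentials file; the key values are placeholders.
const sampleCreds = "[acct1]\naws_access_key_id = PLACEHOLDER\n[acct2]\naws_access_key_id = PLACEHOLDER\n[stale]\naws_access_key_id = PLACEHOLDER\n"

// listAll tries every [profile] in the credentials text and merges the results.
// AccessDenied is recorded per profile (not hidden, not fatal); other errors abort.
func listAll(ini string, list func(string) ([]string, error)) (found, denied []string, err error) {
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "[") || !strings.HasSuffix(line, "]") {
			continue // only profile headers matter; key lines are never read or logged
		}
		p := strings.TrimSpace(line[1 : len(line)-1])
		names, e := list(p)
		if errors.Is(e, errAccessDenied) {
			denied = append(denied, p)
			continue
		}
		if e != nil {
			return nil, nil, fmt.Errorf("profile %s: %w", p, e)
		}
		found = append(found, names...)
	}
	return found, denied, nil
}

// fakeList is a constructed stand-in for the per-account listing call.
func fakeList(p string) ([]string, error) {
	if p == "stale" {
		return nil, errAccessDenied
	}
	n := strings.TrimPrefix(p, "acct")
	return []string{"instance" + n + "a", "instance" + n + "b"}, nil
}

func main() {
	found, denied, err := listAll(sampleCreds, fakeList)
	fmt.Printf("instances=%v denied_profiles=%v err=%v\n", found, denied, err)
}
```

Reporting the denied profile names rather than a generic note tells the user which credentials to fix without printing any key material.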