wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0
4.97k stars 263 forks

Validate access key and secret key before writing into the .aws/credentials file #219

Closed varunchandak closed 6 years ago

varunchandak commented 6 years ago

I don't know how or why, but I have started getting these errors while running awless:

vrnchndk:~ varun$ awless
panic: SharedConfigLoadError: failed to load config file, /Users/varun/.aws/credentials
caused by: key-value delimiter not found: (MISSING)

goroutine 1 [running]:
github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/aws/session.Must(0x0, 0x2378fe0, 0xc42018ef20, 0x0)
    /private/tmp/awless-20180516-58126-6k4tue/src/github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/aws/session/session.go:276 +0x54
github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/awstesting/mock.glob..func1(0x1788f4d)
    /private/tmp/awless-20180516-58126-6k4tue/src/github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/awstesting/mock/mock.go:20 +0x128

I then checked the /Users/varun/.aws/credentials file, and found this:

[...]
aws_access_key_id = ...
aws_secret_access_key = ...

[-i-00e692f182eef653f-disk-alarm]
aws_access_key_id = 90%!
(MISSING)aws_secret_access_key = 75%!
(MISSING)

The name -i-00e692f182eef653f-disk-alarm is a CloudWatch alarm name, which I was trying to delete like this (which used to work flawlessly before):

awless -p <PROFILE> list alarms --filter description=-i- --filter state=INSUFFICIENT_DATA --columns name,description,state --format csv | cut -d, -f1 | while read line; do awless -p <PROFILE> delete alarm name=\'"$line"\' -f --no-sync; done

I am still wondering how that profile got into the credentials file. Any insight would be really helpful.

fxaguessy commented 6 years ago

Hi @varunchandak ,

Thanks again for reporting. That's a strange one! AFAIK, the only places where awless edits the .aws/credentials file are create accesskey save=true and the credentials prompter shown when no credentials are found at launch.

The only explanation I can find is in the latter: perhaps a profile had no credentials. Thus awless prompted for the credentials, and if this was occurring in a script, the injected values might be wrong:

For example:

$ awless create instance -p inexistant
Cannot resolve AWS credentials for profile 'inexistant' (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
Please enter access keys for profile 'inexistant' (stored at ~/.aws/credentials):
AWS Access Key ID? aaaaaa
AWS Secret Access Key? aaaaa
Change your profile name (or just press Enter to keep 'inexistant')? aaaa

✓ Credentials for profile 'aaaa' stored successfully in ~/.aws/credentials
...

$ cat ~/.aws/credentials
[aaaa]
aws_access_key_id = aaaaaa
aws_secret_access_key = aaaaa

Do you think this might be the problem?

varunchandak commented 6 years ago

I think so. Sometimes I would get this prompt in the middle of a batch script execution despite having the credentials configured properly. I believe the prompt occurred and the values from the script output got entered in it.

Why do you think that the entries were done automatically? Shouldn't there be some kind of validation for the access key or secret key?

fxaguessy commented 6 years ago

Yes, for now there is no validation for the access key and secret key; we should add that to prevent such a bug.

varunchandak commented 6 years ago

I think the Access Key is 20 characters and the secret key is 40 characters. I have 6 profiles and the count in each of them is the same.
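The validation discussed in the last three comments, as an added example that is not awless code and not part of the original thread: shape checks on the prompted values before anything is appended to ~/.aws/credentials, plus a linter that scans an existing credentials file for the same defect the SDK reported ("key-value delimiter not found"). The 20/40 character lengths and the base64 alphabet for the secret follow the documented AWS key format; the AKIA/ASIA prefix rule and the allowed profile-name character set are assumptions chosen here, and the function names (ValidateAccessKeyID, RenderProfile, CheckCredentialsFile) are hypothetical. The sample file is constructed to mirror the one quoted in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not awless code. Shape checks for an AWS access key pair:
// the access key ID is 20 upper-case alphanumeric characters (long-term keys
// start with "AKIA", temporary ones with "ASIA"; treating other prefixes as
// errors is an assumed policy), the secret is 40 base64-alphabet characters.
// These prove the values look like keys, not that they are valid for any account.
var (
	accessKeyIDRe = regexp.MustCompile(`^[A-Z0-9]{20}$`)
	secretKeyRe   = regexp.MustCompile(`^[A-Za-z0-9/+]{40}$`)
	// Profile names become INI section headers, so anything that could close
	// the header or break the line must be rejected (assumed character set).
	profileNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
)

func ValidateAccessKeyID(id string) error {
	if !accessKeyIDRe.MatchString(id) {
		return fmt.Errorf("access key id %q: want 20 upper-case alphanumeric characters", id)
	}
	if !strings.HasPrefix(id, "AKIA") && !strings.HasPrefix(id, "ASIA") {
		return fmt.Errorf("access key id %q: unexpected prefix (expected AKIA or ASIA)", id)
	}
	return nil
}

func ValidateSecretAccessKey(secret string) error {
	if !secretKeyRe.MatchString(secret) {
		return fmt.Errorf("secret access key: want 40 base64 characters, got %d", len(secret))
	}
	return nil
}

func ValidateProfileName(name string) error {
	if !profileNameRe.MatchString(name) {
		return fmt.Errorf("profile name %q: only [A-Za-z0-9_.-] allowed", name)
	}
	return nil
}

// RenderProfile validates the three prompted values and returns the section
// to append to ~/.aws/credentials. Nothing is rendered unless every check
// passes, so a stray line of script output can never reach the file.
func RenderProfile(name, id, secret string) (string, error) {
	for _, err := range []error{ValidateProfileName(name), ValidateAccessKeyID(id), ValidateSecretAccessKey(secret)} {
		if err != nil {
			return "", err
		}
	}
	return fmt.Sprintf("[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n", name, id, secret), nil
}

// CheckCredentialsFile scans an existing credentials file line by line and
// reports every line the INI loader would choke on (no "=" delimiter) and
// every known key whose value has the wrong shape. Unknown keys are ignored.
func CheckCredentialsFile(content string) []error {
	var errs []error
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "", strings.HasPrefix(line, "#"), strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			if err := ValidateProfileName(line[1 : len(line)-1]); err != nil {
				errs = append(errs, fmt.Errorf("line %d: %w", n, err))
			}
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			// The condition behind the SDK's "key-value delimiter not found".
			errs = append(errs, fmt.Errorf("line %d: key-value delimiter not found: %q", n, line))
			continue
		}
		key, value := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		var err error
		switch key {
		case "aws_access_key_id":
			err = ValidateAccessKeyID(value)
		case "aws_secret_access_key":
			err = ValidateSecretAccessKey(value)
		}
		if err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", n, err))
		}
	}
	return errs
}

// Constructed sample modelled on the file quoted in the issue (AWS's
// documented example key pair for the good profile).
const sampleCredentials = `[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[-i-00e692f182eef653f-disk-alarm]
aws_access_key_id = 90%!
(MISSING)aws_secret_access_key = 75%!
(MISSING)
`

func main() {
	for _, err := range CheckCredentialsFile(sampleCredentials) {
		fmt.Println(err)
	}
	// The prompter session from the earlier comment would now be refused.
	if _, err := RenderProfile("aaaa", "aaaaaa", "aaaaa"); err != nil {
		fmt.Println("refused:", err)
	}
}
```

Run with `go run .`: the linter flags line 6 (the "90%!" key ID) and line 8 (the bare "(MISSING)" with no delimiter), and RenderProfile refuses the "aaaaaa"/"aaaaa" pair. The point of rendering the whole section only after all three checks pass is that a failed check leaves the existing file untouched, which is the property the reporter was missing.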