Use local aws config in cli to get account and regions #7758
Conversation
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7758 +/- ##
==========================================
- Coverage 61.05% 61.04% -0.02%
==========================================
Files 523 523
Lines 27361 27367 +6
==========================================
Hits 16706 16706
- Misses 9184 9187 +3
- Partials 1471 1474 +3 ☔ View full report in Codecov by Sentry. |
| func (c *client) GetCallerIdentity(ctx context.Context, region string) (*sts.GetCallerIdentityOutput, error) { | ||
| // Load the AWS SDK config and credentials | ||
| cfg, err := config.LoadDefaultConfig(ctx, config.WithSharedConfigProfile("default")) | ||
| if err != nil { |
There was a problem hiding this comment.
should "default" be a const?
There was a problem hiding this comment.
removed the config.WithSharedConfigProfile
| func (r *Runner) getAccountId(ctx context.Context, accessKeyID, secretAccessKey string) (string, error) { | ||
| callerIdentityOutput, err := r.awsClient.GetCallerIdentity(ctx, QueryRegion, accessKeyID, secretAccessKey) | ||
| func (r *Runner) getAccountId(ctx context.Context) (string, error) { | ||
| callerIdentityOutput, err := r.awsClient.GetCallerIdentity(ctx, QueryRegion) | ||
| if err != nil { | ||
| return "", clierrors.MessageWithCause(err, "AWS credential verification failed.") | ||
| } |
There was a problem hiding this comment.
here, would it help user if we add some detail, like "AWS credential verification failed. Please use aws configure to configure credentials and then try again " ? cc @Reshrahim
pkg/cli/aws/client.go
Outdated
| svc := ec2.NewFromConfig(cfg) | ||
|
|
||
| // Call DescribeRegions | ||
| input := &ec2.DescribeRegionsInput{} |
There was a problem hiding this comment.
What's the motivation for initializing empty input?
There was a problem hiding this comment.
the update doesn't seem to be reflected here
pkg/cli/aws/client.go
Outdated
| func (c *client) GetCallerIdentity(ctx context.Context, region string) (*sts.GetCallerIdentityOutput, error) { | ||
| // Load the AWS SDK config and credentials | ||
| cfg, err := config.LoadDefaultConfig(ctx, config.WithSharedConfigProfile("default")) | ||
| if err != nil { |
There was a problem hiding this comment.
Switching this to use local configuration is more nuanced than the call to list regions. The credentials registered with the environment do not necessarily need to belong to the same account as the account the user has setup locally, and it will certainly be different for all production scenarios. So I'd suggest making this a user input. Please bounce it by @Reshrahim @willtsai to confirm if there are any concerns with updating this user experience.
There was a problem hiding this comment.
Chatted offline with @vishwahiremat and @willtsai, agreed to go forward with the following approach -
- User provides irsa role to register
- Radius fetches aws account id for the credentials configured in users local aws config. This account could be different from the account id that the irsa role belongs to.
- Ask user if this account id should be configured with the environment, or do they want to provide another account id. - List region and selection experience stays the same, internally we will fetch it using locally configured aws credentials. It will fail if no local aws credentials are configured.
Here's a refresher on the current state:
- User provides aws access key and secret key
- Radius fetches corresponding account id using the provides access key and configures that on the environment
- Radius lists regions and asks the user to pick a region
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
pkg/cli/aws/client.go
Outdated
| result, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{}) | ||
| func (c *client) GetCallerIdentity(ctx context.Context, region string) (*sts.GetCallerIdentityOutput, error) { | ||
| // Load the AWS SDK config and credentials | ||
| cfg, err := config.LoadDefaultConfig(ctx, config.WithSharedConfigProfile("default")) |
There was a problem hiding this comment.
Can we ever use anything other than default?
There was a problem hiding this comment.
removed the config.WithSharedConfigProfile
pkg/cli/aws/client.go
Outdated
| return nil, err | ||
| } | ||
|
|
||
| // Create an STS client |
There was a problem hiding this comment.
Security Token Service Client and it is generally used when short-term access is needed to privileged AWS resources
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
pkg/cli/cmd/radinit/aws.go
Outdated
| enterAWSAccountIDPrompt = "Enter the account ID you want to use:" | ||
| enterAWSAccountIDPlaceholder = "Enter the account ID you want to use.." |
There was a problem hiding this comment.
Could you please check that the format/phrasing is consistent with rest of the prompts?
| enterAWSAccountIDPrompt = "Enter the account ID you want to use:" | |
| enterAWSAccountIDPlaceholder = "Enter the account ID you want to use.." | |
| enterAWSAccountIDPrompt = "Enter the account ID:" | |
| enterAWSAccountIDPlaceholder = "Enter the account ID you want to use..." |
pkg/cli/cmd/radinit/aws.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| region, err := r.selectAWSRegion(ctx, QueryRegion, accessKeyID, secretAccessKey) | ||
| addingCloudProvider, err := prompt.YesOrNoPrompt(fmt.Sprintf(confirmAWSAccountIDPromptFmt, accountId), prompt.ConfirmYes, r.Prompter) |
There was a problem hiding this comment.
this code is a bit difficult to understand, what is the intended usage of addingCloudProvider? Isn't this decided based on the inputs for confirmCloudProviderPrompt and selectCloudProviderPrompt prompts?
There was a problem hiding this comment.
i missed to change the variable name here, updated it. changed it from addingCloudProvider -> addingAccountID
pkg/cli/cmd/radinit/aws.go
Outdated
| region, err := r.selectAWSRegion(ctx, QueryRegion, accessKeyID, secretAccessKey) | ||
| addingCloudProvider, err := prompt.YesOrNoPrompt(fmt.Sprintf(confirmAWSAccountIDPromptFmt, accountId), prompt.ConfirmYes, r.Prompter) | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
what would cause this to error out?
There was a problem hiding this comment.
error could be caused when creating a new Program in GetListInput function.
radius/pkg/cli/prompt/prompt.go
Lines 74 to 77 in c62434f
pkg/cli/cmd/radinit/aws.go
Outdated
| } | ||
|
|
||
| if !addingCloudProvider { | ||
| accountId, err = r.Prompter.GetTextInput("Enter the account ID you want to use: ", prompt.TextInputOptions{Placeholder: enterAWSAccountIDPlaceholder}) |
There was a problem hiding this comment.
use the constant defined above for the prompt text
| @@ -84,8 +97,8 @@ func (r *Runner) getAccountId(ctx context.Context, accessKeyID, secretAccessKey | |||
| return *callerIdentityOutput.Account, nil | |||
| } | |||
|
|
|||
| func (r *Runner) selectAWSRegion(ctx context.Context, region, accessKeyID, secretAccessKey string) (string, error) { | |||
| listRegionsOutput, err := r.awsClient.ListRegions(ctx, region, accessKeyID, secretAccessKey) | |||
| func (r *Runner) selectAWSRegion(ctx context.Context) (string, error) { | |||
There was a problem hiding this comment.
just for easier context, can you please add a comment here that it uses local aws config to list regions?
pkg/cli/cmd/radinit/aws.go
Outdated
| } | ||
|
|
||
| if !addingCloudProvider { | ||
| accountId, err = r.Prompter.GetTextInput("Enter the account ID you want to use: ", prompt.TextInputOptions{Placeholder: enterAWSAccountIDPlaceholder}) |
There was a problem hiding this comment.
can all of the accountID related code be abstracted out into getAccountId?
There was a problem hiding this comment.
moved accoutID related code into getAccountID
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
pkg/cli/aws/client.go
Outdated
| return nil, err | ||
| } | ||
|
|
||
| // Create an EC2 client |
There was a problem hiding this comment.
Not sure if we need these comments.
pkg/cli/cmd/radinit/aws.go
Outdated
| // addAccountID, err := prompt.YesOrNoPrompt(fmt.Sprintf(confirmAWSAccountIDPromptFmt, accountId), prompt.ConfirmYes, r.Prompter) | ||
| // if err != nil { | ||
| // return nil, err | ||
| // } | ||
|
|
||
| // if !addAccountID { | ||
| // accountId, err = r.Prompter.GetTextInput(enterAWSAccountIDPrompt, prompt.TextInputOptions{Placeholder: enterAWSAccountIDPlaceholder}) | ||
| // if err != nil { | ||
| // return nil, err | ||
| // } | ||
| // } |
There was a problem hiding this comment.
Is this supposed to be uncommented?
There was a problem hiding this comment.
missed to removed thess, updated in the pr
pkg/cli/cmd/radinit/aws.go
Outdated
| return "", err | ||
| } | ||
|
|
||
| if !addAccountID { |
There was a problem hiding this comment.
Shouldn't this be true so that the user can enter account id? Like the logic here is that if addAccountID is false then ask the user to enter AWS account id? Am I missing something here?
There was a problem hiding this comment.
we retrieve the account id using the local config , and in the yes or no prompt ask the user if they want to use the account id from local config, if user selects no then we propmpt to provide the account id.
There was a problem hiding this comment.
We can have a more meaningful name instead of addAccountID then I guess.
pkg/cli/cmd/radinit/aws.go
Outdated
| func (r *Runner) selectAWSRegion(ctx context.Context, region, accessKeyID, secretAccessKey string) (string, error) { | ||
| listRegionsOutput, err := r.awsClient.ListRegions(ctx, region, accessKeyID, secretAccessKey) | ||
| // selectAWSRegion prompts the user to select an AWS region from a list of available regions. | ||
| // regions list is retrieved using the locally configured AWS account. |
There was a problem hiding this comment.
| // regions list is retrieved using the locally configured AWS account. | |
| // Region list is retrieved using the locally configured AWS account. |
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
pkg/cli/cmd/radinit/aws.go
Outdated
| return "", err | ||
| } | ||
|
|
||
| if !addAccountID { |
There was a problem hiding this comment.
We can have a more meaningful name instead of addAccountID then I guess.
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com>
vishwahiremat
temporarily deployed
to
functional-tests
GitHub Actions
Inactive
Radius functional test overview
Click here to see the list of tools in the current test run
Test Status⌛ Building Radius and pushing container images for functional tests... |
…t#7758) # Description Today for `rad init --full` command while configuring `aws` provider, we are using `accesskey` and `secretkey` provided by user to get accountid and regions, but for `irsa` we cannot get the account id and region information. So instead of using `accesskey` and `secretkey` to authenticate , updated it to use the local aws config to authenticate and get account id and regions informaton. ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request fixes a bug in Radius and has an approved issue (issue link required). - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: #issue_number --------- Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com> Co-authored-by: Karishma Chawla <kachawla@microsoft.com>
…t#7758) # Description Today for `rad init --full` command while configuring `aws` provider, we are using `accesskey` and `secretkey` provided by user to get accountid and regions, but for `irsa` we cannot get the account id and region information. So instead of using `accesskey` and `secretkey` to authenticate , updated it to use the local aws config to authenticate and get account id and regions informaton. ## Type of change <!-- Please select **one** of the following options that describes your change and delete the others. Clearly identifying the type of change you are making will help us review your PR faster, and is used in authoring release notes. If you are making a bug fix or functionality change to Radius and do not have an associated issue link please create one now. --> - This pull request fixes a bug in Radius and has an approved issue (issue link required). - This pull request adds or changes features of Radius and has an approved issue (issue link required). - This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional). <!-- Please update the following to link the associated issue. This is required for some kinds of changes (see above). --> Fixes: #issue_number --------- Signed-off-by: Vishwanath Hiremath <vhiremath@microsoft.com> Co-authored-by: Karishma Chawla <kachawla@microsoft.com> Signed-off-by: Reshma Abdul Rahim <reshmarahim.abdul@microsoft.com>
Description
Today for
rad init --fullcommand while configuringawsprovider, we are usingaccesskeyandsecretkeyprovided by user to get accountid and regions, but forirsawe cannot get the account id and region information.So instead of using
accesskeyandsecretkeyto authenticate , updated it to use the local aws config to authenticate and get account id and regions informaton.Type of change
Fixes: #issue_number