Improve credentials transparency for cluster commands(#1378)

Author: vishalbollu

cli/cmd/cluster.go

@@ -47,36 +47,46 @@ import (
 )
 
 var (
-	_flagClusterEnv            string
-	_flagClusterConfig         string
-	_flagClusterInfoDebug      bool
-	_flagClusterDisallowPrompt bool
+	_flagClusterEnv                string
+	_flagClusterConfig             string
+	_flagClusterInfoDebug          bool
+	_flagClusterDisallowPrompt     bool
+	_flagAWSAccessKeyID            string
+	_flagAWSSecretAccessKey        string
+	_flagClusterAWSAccessKeyID     string
+	_flagClusterAWSSecretAccessKey string
 )
 
 func clusterInit() {
 	defaultEnv := getDefaultEnv(_clusterCommandType)
 
 	_upCmd.Flags().SortFlags = false
 	addClusterConfigFlag(_upCmd)
-	_upCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
+	addAWSCredentials(_upCmd)
+	_upCmd.Flags().StringVar(&_flagClusterAWSAccessKeyID, "cluster-aws-key", "", "aws access key id to be used by the cluster")
+	_upCmd.Flags().StringVar(&_flagClusterAWSSecretAccessKey, "cluster-aws-secret", "", "aws secret access key to be used by the cluster")
+	_upCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to create")
 	_upCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
 	_clusterCmd.AddCommand(_upCmd)
 
 	_infoCmd.Flags().SortFlags = false
 	addClusterConfigFlag(_infoCmd)
-	_infoCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
+	addAWSCredentials(_infoCmd)
+	_infoCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to update")
 	_infoCmd.Flags().BoolVarP(&_flagClusterInfoDebug, "debug", "d", false, "save the current cluster state to a file")
 	_infoCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
 	_clusterCmd.AddCommand(_infoCmd)
 
 	_configureCmd.Flags().SortFlags = false
 	addClusterConfigFlag(_configureCmd)
-	_configureCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to configure")
+	addAWSCredentials(_configureCmd)
+	_configureCmd.Flags().StringVarP(&_flagClusterEnv, "env", "e", defaultEnv, "environment to update")
 	_configureCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
 	_clusterCmd.AddCommand(_configureCmd)
 
 	_downCmd.Flags().SortFlags = false
 	addClusterConfigFlag(_downCmd)
+	addAWSCredentials(_downCmd)
 	_downCmd.Flags().BoolVarP(&_flagClusterDisallowPrompt, "yes", "y", false, "skip prompts")
 	_clusterCmd.AddCommand(_downCmd)
 }
@@ -86,6 +96,11 @@ func addClusterConfigFlag(cmd *cobra.Command) {
 	cmd.Flags().SetAnnotation("config", cobra.BashCompFilenameExt, _configFileExts)
 }
 
+func addAWSCredentials(cmd *cobra.Command) {
+	cmd.Flags().StringVar(&_flagAWSAccessKeyID, "aws-key", "", "aws access key id")
+	cmd.Flags().StringVar(&_flagAWSSecretAccessKey, "aws-secret", "", "aws secret access key")
+}
+
 var _clusterCmd = &cobra.Command{
 	Use:   "cluster",
 	Short: "manage a cluster",
@@ -110,7 +125,14 @@ var _upCmd = &cobra.Command{
 			promptForEmail()
 		}
 
-		awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
+		if _flagClusterConfig != "" {
+			// Deprecation: specifying aws creds in cluster configuration is no longer supported
+			if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
+				exit.Error(err)
+			}
+		}
+
+		awsCreds, err := awsCredentialsForCreatingCluster(_flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
@@ -254,15 +276,17 @@ var _upCmd = &cobra.Command{
 			Name:               _flagClusterEnv,
 			Provider:           types.AWSProviderType,
 			OperatorEndpoint:   pointer.String("https://" + *loadBalancer.DNSName),
-			AWSAccessKeyID:     pointer.String(awsCreds.CortexAWSAccessKeyID),
-			AWSSecretAccessKey: pointer.String(awsCreds.CortexAWSSecretAccessKey),
+			AWSAccessKeyID:     pointer.String(awsCreds.ClusterAWSAccessKeyID),
+			AWSSecretAccessKey: pointer.String(awsCreds.ClusterAWSSecretAccessKey),
 		}
 
 		err = addEnvToCLIConfig(newEnvironment)
 		if err != nil {
 			exit.Error(errors.Append(err, fmt.Sprintf("unable to configure cli environment; you can attempt to resolve this issue and configure your CLI environment by running `cortex cluster info --env %s`", _flagClusterEnv)))
 		}
 
+		cacheAWSCredentials(awsCreds, accessConfig)
+
 		fmt.Printf(console.Bold("\nan environment named \"%s\" has been configured for this cluster; append `--env %s` to cortex commands to connect to it (e.g. `cortex deploy --env %s`), or set it as your default with `cortex env default %s`\n"), _flagClusterEnv, _flagClusterEnv, _flagClusterEnv, _flagClusterEnv)
 	},
 }
@@ -282,12 +306,19 @@ var _configureCmd = &cobra.Command{
 			exit.Error(err)
 		}
 
-		awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
+		if _flagClusterConfig != "" {
+			// Deprecation: specifying aws creds in cluster configuration is no longer supported
+			if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
+				exit.Error(err)
+			}
+		}
+
+		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
 
-		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
+		awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
@@ -324,6 +355,8 @@ var _configureCmd = &cobra.Command{
 			fmt.Println(helpStr)
 			exit.Error(ErrorClusterConfigure(out + helpStr))
 		}
+
+		cacheAWSCredentials(awsCreds, *accessConfig)
 	},
 }
 
@@ -341,12 +374,19 @@ var _infoCmd = &cobra.Command{
 			exit.Error(err)
 		}
 
-		awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
+		if _flagClusterConfig != "" {
+			// Deprecation: specifying aws creds in cluster configuration is no longer supported
+			if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
+				exit.Error(err)
+			}
+		}
+
+		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
 
-		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
+		awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
@@ -356,6 +396,8 @@ var _infoCmd = &cobra.Command{
 		} else {
 			cmdInfo(awsCreds, accessConfig, _flagClusterDisallowPrompt)
 		}
+
+		cacheAWSCredentials(awsCreds, *accessConfig)
 	},
 }
 
@@ -370,12 +412,19 @@ var _downCmd = &cobra.Command{
 			exit.Error(err)
 		}
 
-		awsCreds, err := getAWSCredentials(_flagClusterConfig, _flagClusterEnv, _flagClusterDisallowPrompt)
+		if _flagClusterConfig != "" {
+			// Deprecation: specifying aws creds in cluster configuration is no longer supported
+			if err := detectAWSCredsInConfigFile(cmd.Use, _flagClusterConfig); err != nil {
+				exit.Error(err)
+			}
+		}
+
+		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
 
-		accessConfig, err := getClusterAccessConfig(_flagClusterDisallowPrompt)
+		awsCreds, err := awsCredentialsForManagingCluster(*accessConfig, _flagClusterDisallowPrompt)
 		if err != nil {
 			exit.Error(err)
 		}
@@ -480,6 +529,7 @@ var _downCmd = &cobra.Command{
 
 		cachedClusterConfigPath := cachedClusterConfigPath(*accessConfig.ClusterName, *accessConfig.Region)
 		os.Remove(cachedClusterConfigPath)
+		uncacheAWSCredentials(*accessConfig)
 	},
 }
 

cli/cmd/errors.go

@@ -58,14 +58,16 @@ const (
 	ErrAPINotReady                          = "cli.api_not_ready"
 	ErrOneAWSEnvVarSet                      = "cli.one_aws_env_var_set"
 	ErrOneAWSConfigFieldSet                 = "cli.one_aws_config_field_set"
+	ErrOneAWSConfigFlagSet                  = "cli.one_aws_config_flag_set"
+	ErrMissingAWSCredentials                = "cli.missing_aws_credentials"
+	ErrCredentialsInClusterConfig           = "cli.credentials_in_cluster_config"
 	ErrClusterUp                            = "cli.cluster_up"
 	ErrClusterConfigure                     = "cli.cluster_configure"
 	ErrClusterInfo                          = "cli.cluster_info"
 	ErrClusterDebug                         = "cli.cluster_debug"
 	ErrClusterRefresh                       = "cli.cluster_refresh"
 	ErrClusterDown                          = "cli.cluster_down"
 	ErrDuplicateCLIEnvNames                 = "cli.duplicate_cli_env_names"
-	ErrAWSCredentialsRequired               = "cli.aws_credentials_required"
 	ErrClusterConfigOrPromptsRequired       = "cli.cluster_config_or_prompts_required"
 	ErrClusterAccessConfigOrPromptsRequired = "cli.cluster_access_config_or_prompts_required"
 	ErrShellCompletionNotSupported          = "cli.shell_completion_not_supported"
@@ -213,6 +215,28 @@ func ErrorOneAWSConfigFieldSet(setConfigField string, missingConfigField string,
 	})
 }
 
+func ErrorOneAWSFlagSet(setFlag string, missingFlag string) error {
+	return errors.WithStack(&errors.Error{
+		Kind:    ErrOneAWSConfigFlagSet,
+		Message: fmt.Sprintf("only flag %s was provided; please provide %s as well", setFlag, missingFlag),
+	})
+}
+
+func ErrorMissingAWSCredentials() error {
+	return errors.WithStack(&errors.Error{
+		Kind:    ErrMissingAWSCredentials,
+		Message: "unable to find aws credentials; please specify aws credentials using the flags --aws-key and --aws-secret",
+	})
+}
+
+// Deprecation: specifying aws creds in cluster configuration is no longer supported
+func ErrorCredentialsInClusterConfig(cmd string, path string) error {
+	return errors.WithStack(&errors.Error{
+		Kind:    ErrCredentialsInClusterConfig,
+		Message: fmt.Sprintf("specifying credentials in the cluster configuration is no longer supported, please specify aws credentials using flags (e.g. cortex cluster %s --config %s --aws-key <AWS_ACCESS_KEY_ID> --aws-secret <AWS_SECRET_ACCESS_KEY>) or set environment variables; see https://docs.cortex.dev/v/%s/miscellaneous/security#iam-permissions for more information", cmd, path, consts.CortexVersionMinor),
+	})
+}
+
 func ErrorClusterUp(out string) error {
 	return errors.WithStack(&errors.Error{
 		Kind:    ErrClusterUp,
@@ -261,13 +285,6 @@ func ErrorClusterDown(out string) error {
 	})
 }
 
-func ErrorAWSCredentialsRequired() error {
-	return errors.WithStack(&errors.Error{
-		Kind:    ErrAWSCredentialsRequired,
-		Message: "AWS credentials are required; please set them in your cluster configuration file (if you're using one), your environment variables (i.e. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), or your AWS CLI (i.e. via `aws configure`)",
-	})
-}
-
 func ErrorClusterConfigOrPromptsRequired() error {
 	return errors.WithStack(&errors.Error{
 		Kind:    ErrClusterConfigOrPromptsRequired,