Inability to define the same profile for multiple users about puppet-awscli HOT 11 CLOSED

I'm not sure I understand the use case here. Why would the same users on a host use the same AWS credentials (or other parameter in the .aws/credentials file)?

from puppet-awscli.

if, on a single system, multiple users need an AWS cli profile called "default" (since most tools / libraries make it difficult to use named profiles), this isn't possible to achieve given your use of $title. I agree that the solution should be to make an aws_profile param if you want something other than "default", and the actual $title can be ignored other than puppet's internal use.

from puppet-awscli.

@justindowning
The use case isn't the same users on the same system, it is different users on the same system, using the same profile name within their credentials/config files (i.e., 'default'). This is very useful when you deploy different IAM creds for different users on the same system, depending on the AWS perms you want to authorize for each user (super-users vs S3 bucket manager). The way it is handled currently, you need to define a different resource title for each user, which would translate to different profile names. This would require unpleasant adjustments on the cli/sdk. Example:

User A creds file:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

User B creds file:
[default2] <==== necessary to use "default2" in the resource declaration to avoid dup declaration
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

User B must then do:
aws ec2 describe-instances --profile default2

Parameterizing the profile name allows both users to use default, requiring no adjustments on the CLI or within an SDK (boto, etc).

jgnagy's commit looks good; in fact he simplified my approach by retaining the use of $title within the concat::fragment statements (which will always be unique).

from puppet-awscli.

FYI implementing the code changes per @jgnagy or my advice will certainly be a backwards compatibility breaking release.

from puppet-awscli.

My PR includes an update to the README that briefly describes the change as breaking. It wouldn't hurt to accentuate that a bit more if the PR is accepted, perhaps with a minor (or even major) version bump.

from puppet-awscli.

I created #24, but realised the issue probably makes more sense to be fixed as part of this. Please note the naming format of a named profile is different between ~/.aws/credentials and ~/.aws/config.

from puppet-awscli.

@jccl I modified the .erb template to incorporate your changes. Good catch, thanks. Tested as working in my env.

from puppet-awscli.

@jccl and @mvolhontseff, agreed, this is a good catch, and I'm happy to integrate a check (and appropriate logic) for this here if we all agree it makes sense to do so.

from puppet-awscli.

@jgnagy - updated config_concat.erb and submitted a pull request

from puppet-awscli.

Merged, and I updated the README. We'll see if all the tests still pass, then maybe @justindowning can merge this in for us.

from puppet-awscli.

Merged #23 🎉

from puppet-awscli.