🗓 Jan 31, 2023 5:47:14 PM

🔧 fix bug where save-output was not set correctly
🚀 set envar as default value for flags
🐛 cli args passed for aws is still prompting for creds
🔧 secret for aws when passed as a flag to static credentials
🎨 minor logging updates

TODO

@@ -46,26 +46,6 @@ Resources:
   - https://docs.oracle.com/en-us/iaas/api/#/
 
 Archive:
-  ✔ improve aws ASIA token credentials parsing @project(Todo)
-  ✔ @bug env based session token is not working @project(Todo)
-  ✔ for gcp service account, try to read project id from file @project(Todo)
-  ✔ add cognito @project(Todo)
-  ✔ enumerate ebs snapshots across various regions @project(Helpers)
-  ✔ curl builder for requests @project(AWS)
-  ✔ curl builder for requests @project(Azure)
-  ✔ replicate success and failure count for aws and gcp @project(Todo)
-  ✔ update readme with azure and firebase  @project(Todo)
-  ✔ default auth (from currently logged in user) @project(Azure)
-  ✔ group resources under their respective top level resource. ie. mariadb, postgres and mysql under db @project(Azure)
-  ✔ cert based auth @project(Azure)
-  ✔ enumerate with access token @project(GCP)
-  ✔ ability to provide custom query params or body for complicated calls @project(Todo)
-  ✔ gcp region completer @project(Cli)
-  ✔ aws region completer @project(Cli)
-  ✔ refactor gcp resourcemanager to use token and use rest api instead @project(Todo)
-  ✔ refactor various aws resource groups as DRY @project(Todo)
-  ✔ read specific aws profile @project(Cli)
-  ✔ refactor aws subcommands to use single. helper function to get all policies for an array of services @project(AWS)
-  ✔ context with timeout for requests @project(Todo)
-  ✔ function that can take array of services and check permissions @project(Todo)
-  ✔ aws serverless permissions subcommand @project(AWS)
+  ✔ 🚀 set envar as default value for flags
+  ✔ 🐛 cli args passed for aws is still prompting for creds
+  ✔ 🐛 looks like secret for aws when passed as a flag is wrong for static credentials

aws/signer/request.go

@@ -3,7 +3,7 @@ package signer
 import (
 	"context"
 	"encoding/json"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -77,7 +77,7 @@ func MakeScannerRequest(
 	if err != nil {
 		return nil, nil, nil, err
 	}
-	b, err := ioutil.ReadAll(res.Body)
+	b, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, nil, nil, err
 	}

aws/signer/signer.go

@@ -10,20 +10,32 @@ import (
 // SetCredentials sets the credentials for the signer. If profile is passed,
 // all other credentials are ignored.
 func SetCredentials(accessKeyID, secretAccessKey, sessionToken, profile string) *credentials.Credentials {
-	if logger.DEBUG {
-		logger.LoggerStdErr.Debug().
-			Str("profile", profile).
-			Str("key-id", accessKeyID).
-			Str("secret", secretAccessKey).
-			Str("session-token", sessionToken).Send()
-	}
+	var creds *credentials.Credentials
+	// when using service creds which starts with ASIA, a session token is required
 	if strings.HasPrefix(accessKeyID, "ASIA") && sessionToken == "" {
 		logger.LoggerStdErr.Fatal().Msg("Session tokens missing for ASIA credentials")
 	}
+
 	if profile != "" {
-		return credentials.NewSharedCredentials("", profile)
+		creds = credentials.NewSharedCredentials("", profile)
+	} else {
+		creds = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, sessionToken)
+	}
+
+	gc, err := creds.Get()
+	if err != nil {
+		logger.Logger.Fatal().Err(err).Send()
 	}
-	return credentials.NewStaticCredentials(accessKeyID, secretAccessKey, sessionToken)
+
+	if logger.DEBUG {
+		logger.LoggerStdErr.Debug().
+			Str("profile", profile).
+			Str("key-id", gc.AccessKeyID).
+			Str("secret", gc.SecretAccessKey).
+			Str("session-token", gc.SessionToken).Send()
+	}
+
+	return creds
 	// return credentials.NewCredentials(&credentials.StaticProvider{
 	// 	Value: credentials.Value{
 	// 		AccessKeyID:     accessKeyID,

cli/cmd/aws.go

@@ -22,7 +22,7 @@ var awsCmd = &cobra.Command{
 			cmd.Help()
 			os.Exit(1)
 		}
-		awsLoadEnvVarsFirst(cmd, args)
+		// awsLoadEnvVarsFirst(cmd, args)
 	},
 }
 
@@ -40,9 +40,9 @@ var (
 
 func init() {
 	RootCmd.AddCommand(awsCmd)
-	awsCmd.PersistentFlags().StringVar(&awsAccessKeyID, "access-key-id", "", "AWS Access Key ID")
-	awsCmd.PersistentFlags().StringVar(&awsSecretAccessKey, "secret-access-key", "", "AWS Secret Access Key")
-	awsCmd.PersistentFlags().StringVar(&awsSessionToken, "session-token", "", "AWS Session Token")
+	awsCmd.PersistentFlags().StringVar(&awsAccessKeyID, "access-key-id", os.Getenv("AWS_ACCESS_KEY_ID"), "AWS Access Key ID")
+	awsCmd.PersistentFlags().StringVar(&awsSecretAccessKey, "secret-access-key", os.Getenv("AWS_SECRET_ACCESS_KEY"), "AWS Secret Access Key")
+	awsCmd.PersistentFlags().StringVar(&awsSessionToken, "session-token", os.Getenv("AWS_SESSION_TOKEN"), "AWS Session Token")
 	awsCmd.PersistentFlags().StringVar(&awsRegion, "region", "us-east-1", "AWS Region")
 	awsCmd.PersistentFlags().StringVar(&awsProfile, "profile", "", "AWS Profile. When profile is set, access-key-id, secret-access-key, and session-token are ignored.")
 	awsCmd.PersistentFlags().StringVar(&awsSessionJson, "session-json", "", "AWS Session JSON file. This flag attempts to read session information from the specified file. Helpful with temporary credentials.")
@@ -86,9 +86,12 @@ func awsGetEnvarOrPrompt(envar, message string) string {
 		// profile is set so we will use the profile
 		return ""
 	}
-	if awsAccessKeyID != "" {
+	if envar == "AWS_ACCESS_KEY_ID" && awsAccessKeyID != "" {
 		return awsAccessKeyID
 	}
+	if envar == "AWS_SECRET_ACCESS_KEY" && awsSecretAccessKey != "" {
+		return awsSecretAccessKey
+	}
 	if k, ok := os.LookupEnv(envar); ok {
 		return k
 	}
@@ -148,8 +151,8 @@ func awsModifyExtraMap(m map[string]string) map[string]string {
 	return h
 }
 
-func awsLoadEnvVarsFirst(_ *cobra.Command, _ []string) {
-	awsSessionToken = os.Getenv("AWS_SESSION_TOKEN")
-	awsAccessKeyID = os.Getenv("AWS_ACCESS_KEY_ID")
-	awsSecretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
-}
+// func awsLoadEnvVarsFirst(_ *cobra.Command, _ []string) {
+// 	awsSessionToken = os.Getenv("AWS_SESSION_TOKEN")
+// 	awsAccessKeyID = os.Getenv("AWS_ACCESS_KEY_ID")
+// 	awsSecretAccessKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
+// }

cli/cmd/aws_common.go

@@ -12,8 +12,8 @@ var awsCommonCmd = &cobra.Command{
 	Run:       awsCommonCmdFunc,
 	Args:      cobra.ExactValidArgs(1),
 	ValidArgs: getAwsServiceGroups(),
-	PreRun:    awsLoadEnvVarsFirst,
-	PostRun:   PostRunStatsFunc,
+	// PreRun:    awsLoadEnvVarsFirst,
+	PostRun: PostRunStatsFunc,
 }
 
 func init() {

cli/cmd/aws_enumerate.go

@@ -22,7 +22,7 @@ var awsEnumerateCmd = &cobra.Command{
 	ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return aws.GetAWSResources(), cobra.ShellCompDirectiveNoFileComp
 	},
-	PreRun:  awsLoadEnvVarsFirst,
+	// PreRun:  awsLoadEnvVarsFirst,
 	PostRun: PostRunStatsFunc,
 }
 

cli/cmd/aws_utils_sts_caller_identity.go

@@ -12,10 +12,10 @@ import (
 )
 
 var awsUtilsStsCallerIdentityCmd = &cobra.Command{
-	Use:    "sts-get-caller-identity",
-	Short:  "Enumerate AWS EC2 snapshots across specified regions",
-	Run:    awsUtilsStsCallerIdentityCmdFunc,
-	PreRun: awsLoadEnvVarsFirst,
+	Use:   "sts-get-caller-identity",
+	Short: "Enumerate AWS EC2 snapshots across specified regions",
+	Run:   awsUtilsStsCallerIdentityCmdFunc,
+	// PreRun: awsLoadEnvVarsFirst,
 }
 
 func init() {

cli/cmd/azure.go

@@ -48,13 +48,13 @@ and use the first one. The following environment variables can also be used:
 func init() {
 	RootCmd.AddCommand(azureCmd)
 
-	azureCmd.PersistentFlags().StringVarP(&azureSubscriptionID, "subscription-id", "s", "", "Azure Subscription ID")
-	azureCmd.PersistentFlags().StringVarP(&azureTenantID, "tenant-id", "t", "", "Azure Tenant ID")
-	azureCmd.PersistentFlags().StringVar(&azureClientID, "client-id", "", "Azure Client ID / Username")
-	azureCmd.PersistentFlags().StringVar(&azureClientSecret, "client-secret", "", "Azure Client Secret / Password")
+	azureCmd.PersistentFlags().StringVarP(&azureSubscriptionID, "subscription-id", "s", os.Getenv("AZURE_SUBSCRIPTION_ID"), "Azure Subscription ID. Env AZURE_SUBSCRIPTION_ID")
+	azureCmd.PersistentFlags().StringVarP(&azureTenantID, "tenant-id", "t", os.Getenv("AZURE_TENANT_ID"), "Azure Tenant ID. Env AZURE_TENANT_ID")
+	azureCmd.PersistentFlags().StringVar(&azureClientID, "client-id", os.Getenv("AZURE_CLIENT_ID"), "Azure Client ID / Username. Env AZURE_CLIENT_ID")
+	azureCmd.PersistentFlags().StringVar(&azureClientSecret, "client-secret", os.Getenv("AZURE_CLIENT_SECRET"), "Azure Client Secret / Password. Env AZURE_CLIENT_SECRET")
 	azureCmd.PersistentFlags().StringVarP(&azureResourceGroupName, "resource-group-name", "r", "", "Azure Resource Group")
-	azureCmd.PersistentFlags().StringVar(&azureOauthToken, "oauth-token", "", "Optionall use a valid Azure OAuth Token. Can also use CLIAM_AZURE_OAUTH_TOKEN envvar")
-	azureCmd.PersistentFlags().StringVar(&azureCertificatePath, "certificate-path", "", "Path to Certificate for certificate based authentication")
+	azureCmd.PersistentFlags().StringVar(&azureOauthToken, "oauth-token", os.Getenv("CLIAM_AZURE_OAUTH_TOKEN"), "Optionall use a valid Azure OAuth Token. Can also use CLIAM_AZURE_OAUTH_TOKEN envvar")
+	azureCmd.PersistentFlags().StringVar(&azureCertificatePath, "certificate-path", os.Getenv("AZURE_CLIENT_CERTIFICATE_PATH"), "Path to Certificate for certificate based authentication. Env AZURE_CLIENT_CERTIFICATE_PATH")
 	azureCmd.PersistentFlags().BoolVar(&azureDefaultCreds, "default-creds", false, "Use currently logged in default credentials for Azure.")
 
 	azureCmd.PersistentFlags().StringSliceVarP(&azureKnownResourceMap, "known-value", "k", []string{}, "Azure cli flags. When known-value is set, additional permissions are enumerated. Format: -k <key>=<value>... Can be used multiple times")

cli/cmd/gcp.go

@@ -32,8 +32,8 @@ var (
 
 func init() {
 	RootCmd.AddCommand(gcpCmd)
-	gcpCmd.PersistentFlags().StringVar(&gcpServiceAccountPath, "service-account", "", "GCP service account path")
-	gcpCmd.PersistentFlags().StringVar(&gcpProjectId, "project-id", "", "GCP project id")
+	gcpCmd.PersistentFlags().StringVar(&gcpServiceAccountPath, "service-account", os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), "GCP service account path. Env GOOGLE_APPLICATION_CREDENTIALS")
+	gcpCmd.PersistentFlags().StringVar(&gcpProjectId, "project-id", os.Getenv("CLOUDSDK_CORE_PROJECT"), "GCP project id. Env CLOUDSDK_CORE_PROJECT")
 	gcpCmd.PersistentFlags().StringVar(&gcpRegion, "region", "us-central1", "GCP Region")
 	gcpCmd.PersistentFlags().StringVar(&gcpZone, "zone", "us-central1-a", "GCP Zone")
 	gcpCmd.PersistentFlags().StringVar(&gcpAccessToken, "access-token", "", "GCP token")

cli/cmd/root.go

@@ -36,7 +36,7 @@ func init() {
 	RootCmd.PersistentFlags().IntVar(&MaxThreads, "max-threads", 5, "Maximum number of threads to use.")
 	RootCmd.PersistentFlags().IntVar(&RequestTimeout, "request-timeout", 5, "Timeout for each request in seconds.")
 	RootCmd.PersistentFlags().BoolVarP(&CLIVerbose, "verbose", "v", false, "Enable verbose output.")
-	RootCmd.Flags().BoolVar(&SaveOutput, "save-output", false, "Save output to file on success")
+	RootCmd.PersistentFlags().BoolVar(&SaveOutput, "save-output", false, "Save output to file on success")
 }
 
 func Execute() {