continue ecs cleanup

synfinatic · Jul 9, 2024 · c7bd998 · c7bd998
1 parent a7cd2fe
commit c7bd998
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 38 deletions.
diff --git a/cmd/aws-sso/ecs_client_cmd.go b/cmd/aws-sso/ecs_client_cmd.go
@@ -32,31 +32,18 @@ import (
 	"github.com/synfinatic/gotable"
 )
 
-type EcsListCmd struct {
-	Server string `kong:"help='Endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
-}
-
 type EcsLoadCmd struct {
 	// AWS Params
-	Arn       string `kong:"short='a',help='ARN of role to assume',env='AWS_SSO_ROLE_ARN',predictor='arn'"`
-	AccountId int64  `kong:"name='account',short='A',help='AWS AccountID of role to assume',env='AWS_SSO_ACCOUNT_ID',predictor='accountId',xor='account'"`
-	Role      string `kong:"short='R',help='Name of AWS Role to assume',env='AWS_SSO_ROLE_NAME',predictor='role',xor='role'"`
-	Profile   string `kong:"short='p',help='Name of AWS Profile to assume',predictor='profile',xor='account,role'"`
+	Arn       string `kong:"short='a',help='ARN of role to load',env='AWS_SSO_ROLE_ARN',predictor='arn'"`
+	AccountId int64  `kong:"name='account',short='A',help='AWS AccountID of role to load',env='AWS_SSO_ACCOUNT_ID',predictor='accountId',xor='account'"`
+	Role      string `kong:"short='R',help='Name of AWS Role to load',env='AWS_SSO_ROLE_NAME',predictor='role',xor='role'"`
+	Profile   string `kong:"short='p',help='Name of AWS Profile to load',predictor='profile',xor='account,role'"`
 
 	// Other params
 	Server  string `kong:"help='Endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
 	Slotted bool   `kong:"short='s',help='Load credentials in a unique slot using the ProfileName as the key'"`
 }
 
-type EcsProfileCmd struct {
-	Server string `kong:"help='URL endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
-}
-
-type EcsUnloadCmd struct {
-	Profile string `kong:"short='p',help='Name of AWS Profile to unload',predictor='profile'"`
-	Server  string `kong:"help='Endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
-}
-
 func (cc *EcsLoadCmd) Run(ctx *RunContext) error {
 	sci := NewSelectCliArgs(ctx.Cli.Ecs.Load.Arn, ctx.Cli.Ecs.Load.AccountId, ctx.Cli.Ecs.Load.Role, ctx.Cli.Ecs.Load.Profile)
 	if awssso, err := sci.Update(ctx); err == nil {
@@ -70,6 +57,10 @@ func (cc *EcsLoadCmd) Run(ctx *RunContext) error {
 	return ctx.PromptExec(ecsLoadCmd)
 }
 
+type EcsProfileCmd struct {
+	Server string `kong:"help='URL endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
+}
+
 func (cc *EcsProfileCmd) Run(ctx *RunContext) error {
 	c := newClient(ctx.Cli.Ecs.Profile.Server, ctx)
 
@@ -88,12 +79,6 @@ func (cc *EcsProfileCmd) Run(ctx *RunContext) error {
 	return listProfiles(profiles)
 }
 
-func (cc *EcsUnloadCmd) Run(ctx *RunContext) error {
-	c := newClient(ctx.Cli.Ecs.Unload.Server, ctx)
-
-	return c.Delete(ctx.Cli.Ecs.Unload.Profile)
-}
-
 // Loads our AWS API creds into the ECS Server
 func ecsLoadCmd(ctx *RunContext, awssso *sso.AWSSSO, accountId int64, role string) error {
 	c := newClient(ctx.Cli.Ecs.Load.Server, ctx)
@@ -122,6 +107,10 @@ func ecsLoadCmd(ctx *RunContext, awssso *sso.AWSSSO, accountId int64, role strin
 	return c.SubmitCreds(creds, rFlat.Profile, ctx.Cli.Ecs.Load.Slotted)
 }
 
+type EcsListCmd struct {
+	Server string `kong:"help='Endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
+}
+
 func (cc *EcsListCmd) Run(ctx *RunContext) error {
 	c := newClient(ctx.Cli.Ecs.Profile.Server, ctx)
 
@@ -137,6 +126,17 @@ func (cc *EcsListCmd) Run(ctx *RunContext) error {
 	return listProfiles(profiles)
 }
 
+type EcsUnloadCmd struct {
+	Profile string `kong:"short='p',help='Slot of AWS Profile to unload',predictor='profile'"`
+	Server  string `kong:"help='Endpoint of aws-sso ECS Server',env='AWS_SSO_ECS_SERVER',default='localhost:4144'"`
+}
+
+func (cc *EcsUnloadCmd) Run(ctx *RunContext) error {
+	c := newClient(ctx.Cli.Ecs.Unload.Server, ctx)
+
+	return c.Delete(ctx.Cli.Ecs.Unload.Profile)
+}
+
 func listProfiles(profiles []ecs.ListProfilesResponse) error {
 	// sort our results
 	sort.Slice(profiles, func(i, j int) bool {

diff --git a/cmd/aws-sso/ecs_cmd.go b/cmd/aws-sso/ecs_cmd.go
@@ -62,9 +62,9 @@ func (cc *EcsAuthCmd) Run(ctx *RunContext) error {
 }
 
 type EcsSSLCmd struct {
-	Save   EcsSSLSaveCmd   `kong:"cmd,help='Save a new SSL certificate/private key'"`
 	Delete EcsSSLDeleteCmd `kong:"cmd,help='Delete the current SSL certificate/private key'"`
 	Print  EcsSSLPrintCmd  `kong:"cmd,help='Print the current SSL certificate'"`
+	Save   EcsSSLSaveCmd   `kong:"cmd,help='Save a new SSL certificate/private key'"`
 }
 
 type EcsSSLSaveCmd struct {

diff --git a/docs/commands-ecs.md b/docs/commands-ecs.md
@@ -44,7 +44,7 @@ SSL/TLS for the ECS Server.
 
 ### ecs ssl print
 
-Prints the SSL certificate stored in the SecureStore.
+Prints the SSL public certificate stored in the SecureStore.
 
 ---
 
@@ -97,10 +97,14 @@ Flags:
  * `--account <account>`, `-A` -- AWS AccountID of role to assume (`$AWS_SSO_ACCOUNT_ID`)
  * `--role <role>`, `-R` -- Name of AWS Role to assume (requires `--account`) (`$AWS_SSO_ROLE_NAME`)
  * `--profile <profile>`, `-p` -- Name of AWS Profile to assume
- * `--account` -- AWS AccountID of the IAM Role to load.
  * `--server` -- host:port of the ECS Server (default `localhost:4144`)
  * `--slotted` -- Load the IAM credentials into a unique slot using the ProfileName as the key
 
+You can provide `--profile` or `--arn` or (`--account` and `--role`) to specify the IAM role to load.
+
+If you do not specify `--slotted`, the role will be loaded into the default URL path at `/`.  If you
+would like to load multiple roles, specify `--slotted` and the role will be loaded into `/slot/<profile name>`
+
 ---
 
 ### ecs unload
@@ -109,13 +113,11 @@ Removes the AWS IAM Role credentials from the ECS Server and makes them unavaila
 
 Flags:
 
- * `--arn <arn>`, `-a` -- ARN of role to assume (`$AWS_SSO_ROLE_ARN`)
- * `--account <account>`, `-A` -- AWS AccountID of role to assume (`$AWS_SSO_ACCOUNT_ID`)
- * `--role <role>`, `-R` -- Name of AWS Role to assume (requires `--account`) (`$AWS_SSO_ROLE_NAME`)
- * `--profile <profile>`, `-p` -- Name of AWS Profile to assume
- * `--account` -- AWS AccountID of the IAM Role to load.
+ * `--profile <profile>`, `-p` -- Slot of AWS Profile to unload
  * `--server` -- host:port of the ECS Server (default `localhost:4144`)
- * `--slotted` -- Load the IAM credentials into a unique slot using the ProfileName as the key
+
+By default, this will unload the IAM credentials for the default role.  Passing in
+`--profile <profile name>` will unload the credentials in the named slot.
 
 ---
 

diff --git a/docs/remote-ssh.md b/docs/remote-ssh.md
@@ -29,7 +29,7 @@ and/or any IAM Credentials stored in the ECS Server if you have not [enabled SSL
 or [tmux](https://hamvocke.com/blog/a-quick-and-easy-guide-to-tmux/) session:
 `aws-sso ecs run`
 1. Load your selected IAM credentials into the ECS Server:<br>
-`aws-sso ecs load --profile=<aws profile name>`
+`aws-sso ecs load --profile=<profile name>`
 1. SSH to the remote system using the [-R flag to forward tcp/4144](https://man.openbsd.org/ssh#R):<br>
 `ssh -R 4144:localhost:4144 <remotehost>`
 
@@ -38,11 +38,22 @@ or [tmux](https://hamvocke.com/blog/a-quick-and-easy-guide-to-tmux/) session:
 **Note:** The following commands assume you are using `bash`.  You may have to tweak for other shells.
 
 1. Tell the AWS SDK how to talk to the ECS Server over SSH:<br>
-`export AWS_CONTAINER_CREDENTIALS_FULL_URI=https://localhost:4144/` (or `http` if you did not enable SSL)
+    `export AWS_CONTAINER_CREDENTIALS_FULL_URI=https://localhost:4144/` (or `http` if you did not enable SSL)
 1. Tell the AWS SDK the bearer token secret from the first step on your local system:<br>
-`export AWS_CONTAINER_AUTHORIZATION_TOKEN='Bearer <secret>'`
-1. Verify everything works:
-`aws sts get-caller-identity`
+    `export AWS_CONTAINER_AUTHORIZATION_TOKEN='Bearer <secret>'`
+1. Verify everything works: `aws sts get-caller-identity`
 
 See the [ECS Server documentation](ecs-server.md) for more information about the ECS server and
-how to use multiple IAM role credentials simultaneously.
+how to use multiple IAM role credentials simultaneously.
+
+## Advanced Usage
+
+The above instructions grant any host you ssh to, access to the same AWS IAM Role.  But what if
+you want to access multiple roles?
+
+For each role you'd like to access you will need to do two things:
+
+ 1. On your local host, load that role into an individual slot in the ECS Server:<br>
+    `aws-sso ecs load --slotted --profile <profile name>`
+ 2. On the remote host, specify the correct URL:<br>
+    `export AWS_CONTAINER_CREDENTIALS_FULL=https://localhost:4144/slot/<profile name>`