feat(aws-install): add credential_profile flag (#1274)

nschmeller · web-flow · commit c027b0f3a463 · 2023-05-15T13:51:53.000-04:00
This commit adds a new CLI flag to the
`lacework agent aws-install &lt;method&gt;` command called
`credential_profile`. This flag allows the user to specify an AWS
credential profile for `aws-install` to use if the `default` profile is
not appropriate.

This flag applies for:

* `aws-install ec2ic`
* `aws-install ec2ssh`
* `aws-install ec2ssm`

Fixes RAIN-58289

Signed-off-by: Nick Schmeller &lt;nick.schmeller@lacework.net&gt;
diff --git a/cli/cmd/agent.go b/cli/cmd/agent.go
@@ -51,6 +51,7 @@ var (
 		InstallSkipCreatInfra bool
 		InstallForceReinstall bool
 		InstallServerURL      string
+		InstallAWSProfile     string
 	}{}
 
 	defaultSshIdentityKey = "~/.ssh/id_rsa"
diff --git a/cli/cmd/agent_aws-install_ec2ic.go b/cli/cmd/agent_aws-install_ec2ic.go
@@ -19,9 +19,11 @@
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"sync"
 
+	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/gammazero/workerpool"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -61,6 +63,10 @@ To explicitly specify the server URL that the agent will connect to:
 
     lacework agent aws-install ec2ic --server_url https://your.server.url.lacework.net
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ic --credential_profile aws-profile-name
+
 AWS credentials are read from the following environment variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -106,6 +112,9 @@ func init() {
 	agentInstallAWSEC2ICCmd.Flags().StringVar(&agentCmdState.InstallServerURL,
 		"server_url", "https://api.lacework.net", "server URL that agents will talk to, prefixed with `https://`",
 	)
+	agentInstallAWSEC2ICCmd.Flags().StringVar(&agentCmdState.InstallAWSProfile,
+		"credential_profile", "default", "AWS credential profile to use",
+	)
 }
 
 func installAWSEC2IC(_ *cobra.Command, _ []string) error {
@@ -129,6 +138,11 @@ func installAWSEC2IC(_ *cobra.Command, _ []string) error {
 		return err
 	}
 
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))
+	if err != nil {
+		return err
+	}
+
 	wg := new(sync.WaitGroup)
 	wp := workerpool.New(agentCmdState.InstallMaxParallelism)
 	for _, runner := range runners {
@@ -153,7 +167,7 @@ func installAWSEC2IC(_ *cobra.Command, _ []string) error {
 				"hostname", threadRunner.Runner.Hostname,
 				"image name", threadRunner.ImageName,
 			)
-			err := threadRunner.SendAndUseIdentityFile()
+			err := threadRunner.SendAndUseIdentityFile(cfg)
 			if err != nil {
 				cli.Log.Debugw("ec2ic key send failed", "err", err, "runner", threadRunner.InstanceID)
 				return
diff --git a/cli/cmd/agent_aws-install_ec2ssh.go b/cli/cmd/agent_aws-install_ec2ssh.go
@@ -69,6 +69,10 @@ To authenticate using an identity file:
 
     lacework agent aws-install ec2ssh -i /path/to/your/key
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ssh --credential_profile aws-profile-name
+
 The environment should contain AWS credentials in the following variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -121,6 +125,9 @@ func init() {
 	agentInstallAWSSSHCmd.Flags().StringVar(&agentCmdState.InstallServerURL,
 		"server_url", "https://api.lacework.net", "server URL that agents will talk to, prefixed with `https://`",
 	)
+	agentInstallAWSSSHCmd.Flags().StringVar(&agentCmdState.InstallAWSProfile,
+		"credential_profile", "default", "AWS credential profile to use",
+	)
 }
 
 func installAWSSSH(_ *cobra.Command, args []string) error {
diff --git a/cli/cmd/agent_aws-install_ec2ssm.go b/cli/cmd/agent_aws-install_ec2ssm.go
@@ -86,6 +86,10 @@ To explicitly specify the server URL that the agent will connect to:
 
     lacework agent aws-install ec2ssm --server_url https://your.server.url.lacework.net
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ssm --credential_profile aws-profile-name
+
 AWS credentials are read from the following environment variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -144,6 +148,9 @@ func init() {
 	agentInstallAWSSSMCmd.Flags().StringVar(&agentCmdState.InstallServerURL,
 		"server_url", "https://api.lacework.net", "server URL that agents will talk to, prefixed with `https://`",
 	)
+	agentInstallAWSSSMCmd.Flags().StringVar(&agentCmdState.InstallAWSProfile,
+		"credential_profile", "default", "AWS credential profile to use",
+	)
 }
 
 func installAWSSSM(_ *cobra.Command, _ []string) error {
@@ -176,7 +183,7 @@ func installAWSSSM(_ *cobra.Command, _ []string) error {
 		return nil
 	}
 
-	cfg, err := config.LoadDefaultConfig(context.Background())
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))
 	if err != nil {
 		return err
 	}
diff --git a/cli/cmd/aws.go b/cli/cmd/aws.go
@@ -69,7 +69,7 @@ func awsDescribeRegions() ([]types.Region, error) {
 		Filters: filters,
 	}
 
-	cfg, err := config.LoadDefaultConfig(context.Background())
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))
 	if err != nil {
 		return nil, err
 	}
@@ -90,7 +90,7 @@ func awsRegionDescribeInstances(region string, filterSSH bool) ([]*lwrunner.AWSR
 		tagKey = agentCmdState.InstallTagKey
 		tag    = agentCmdState.InstallTag
 	)
-	cfg, err := config.LoadDefaultConfig(context.Background())
+	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))
 	if err != nil {
 		return nil, err
 	}
@@ -196,6 +196,7 @@ func awsRegionDescribeInstances(region string, filterSSH bool) ([]*lwrunner.AWSR
 						*threadInstance.InstanceId,
 						filterSSH,
 						verifyHostCallback,
+						cfg,
 					)
 					if err != nil {
 						cli.Log.Debugw("error identifying runner", "error", err, "instance_id", *threadInstance.InstanceId)
diff --git a/integration/test_resources/help/agent_aws-install_ec2ic b/integration/test_resources/help/agent_aws-install_ec2ic
@@ -26,6 +26,10 @@ To explicitly specify the server URL that the agent will connect to:
 
     lacework agent aws-install ec2ic --server_url https://your.server.url.lacework.net
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ic --credential_profile aws-profile-name
+
 AWS credentials are read from the following environment variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -43,15 +47,16 @@ Usage:
   lacework agent aws-install ec2ic [flags]
 
 Flags:
-  -h, --help                      help for ec2ic
-  -r, --include_regions strings   list of regions to filter on
-  -n, --max_parallelism int       maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
-      --server_url https://       server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
-      --ssh_username string       username to login with
-      --tag strings               only install agents on infra with this tag
-      --tag_key string            only install agents on infra with this tag key set
-      --token string              agent access token
-      --trust_host_key            automatically add host keys to the ~/.ssh/known_hosts file (default true)
+      --credential_profile string   AWS credential profile to use (default "default")
+  -h, --help                        help for ec2ic
+  -r, --include_regions strings     list of regions to filter on
+  -n, --max_parallelism int         maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
+      --server_url https://         server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
+      --ssh_username string         username to login with
+      --tag strings                 only install agents on infra with this tag
+      --tag_key string              only install agents on infra with this tag key set
+      --token string                agent access token
+      --trust_host_key              automatically add host keys to the ~/.ssh/known_hosts file (default true)
 
 Global Flags:
   -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
diff --git a/integration/test_resources/help/agent_aws-install_ec2ssh b/integration/test_resources/help/agent_aws-install_ec2ssh
@@ -35,6 +35,10 @@ To authenticate using an identity file:
 
     lacework agent aws-install ec2ssh -i /path/to/your/key
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ssh --credential_profile aws-profile-name
+
 The environment should contain AWS credentials in the following variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -48,18 +52,19 @@ Usage:
   lacework agent aws-install ec2ssh [flags]
 
 Flags:
-  -h, --help                      help for ec2ssh
-  -i, --identity_file string      identity (private key) for public key authentication (default "~/.ssh/id_rsa")
-  -r, --include_regions strings   list of regions to filter on
-  -n, --max_parallelism int       maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
-      --server_url https://       server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
-      --ssh_password string       password for authentication
-      --ssh_port int              port to connect to on the remote host (default 22)
-      --ssh_username string       username to login with
-      --tag strings               only select instances with this tag
-      --tag_key string            only install agents on infra with this tag key
-      --token string              agent access token
-      --trust_host_key            automatically add host keys to the ~/.ssh/known_hosts file (default true)
+      --credential_profile string   AWS credential profile to use (default "default")
+  -h, --help                        help for ec2ssh
+  -i, --identity_file string        identity (private key) for public key authentication (default "~/.ssh/id_rsa")
+  -r, --include_regions strings     list of regions to filter on
+  -n, --max_parallelism int         maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
+      --server_url https://         server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
+      --ssh_password string         password for authentication
+      --ssh_port int                port to connect to on the remote host (default 22)
+      --ssh_username string         username to login with
+      --tag strings                 only select instances with this tag
+      --tag_key string              only install agents on infra with this tag key
+      --token string                agent access token
+      --trust_host_key              automatically add host keys to the ~/.ssh/known_hosts file (default true)
 
 Global Flags:
   -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
diff --git a/integration/test_resources/help/agent_aws-install_ec2ssm b/integration/test_resources/help/agent_aws-install_ec2ssm
@@ -42,6 +42,10 @@ To explicitly specify the server URL that the agent will connect to:
 
     lacework agent aws-install ec2ssm --server_url https://your.server.url.lacework.net
 
+To specify an AWS credential profile other than 'default':
+
+    lacework agent aws-install ec2ssm --credential_profile aws-profile-name
+
 AWS credentials are read from the following environment variables:
 - AWS_ACCESS_KEY_ID
 - AWS_SECRET_ACCESS_KEY
@@ -52,17 +56,18 @@ Usage:
   lacework agent aws-install ec2ssm [flags]
 
 Flags:
-  -d, --dry_run                   set this flag to print out the target instances and exit
-  -f, --force_reinstall           set this flag to force-reinstall the agent, even if already running on the target instance
-  -h, --help                      help for ec2ssm
-      --iam_role_name string      IAM role name (not ARN) with SSM policy, if not provided then an ephemeral role will be created
-  -r, --include_regions strings   list of regions to filter on
-  -n, --max_parallelism int       maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
-      --server_url https://       server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
-      --skip_iam_role_creation    set this flag to skip creating an IAM role and instance profile and associating the instance profile. Assumes all instances are already setup for SSM
-      --tag strings               only install agents on infra with this tag
-      --tag_key string            only install agents on infra with this tag key set
-      --token string              agent access token
+      --credential_profile string   AWS credential profile to use (default "default")
+  -d, --dry_run                     set this flag to print out the target instances and exit
+  -f, --force_reinstall             set this flag to force-reinstall the agent, even if already running on the target instance
+  -h, --help                        help for ec2ssm
+      --iam_role_name string        IAM role name (not ARN) with SSM policy, if not provided then an ephemeral role will be created
+  -r, --include_regions strings     list of regions to filter on
+  -n, --max_parallelism int         maximum number of workers executing AWS API calls, set if rate limits are lower or higher than normal (default 50)
+      --server_url https://         server URL that agents will talk to, prefixed with https:// (default "https://api.lacework.net")
+      --skip_iam_role_creation      set this flag to skip creating an IAM role and instance profile and associating the instance profile. Assumes all instances are already setup for SSM
+      --tag strings                 only install agents on infra with this tag
+      --tag_key string              only install agents on infra with this tag key set
+      --token string                agent access token
 
 Global Flags:
   -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
diff --git a/lwrunner/awsrunner.go b/lwrunner/awsrunner.go
@@ -26,7 +26,6 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect"
@@ -45,9 +44,9 @@ type AWSRunner struct {
 	ImageName        string
 }
 
-func NewAWSRunner(amiImageId, userFromCLIArg, host, region, availabilityZone, instanceID string, filterSSH bool, callback ssh.HostKeyCallback) (*AWSRunner, error) {
+func NewAWSRunner(amiImageId, userFromCLIArg, host, region, availabilityZone, instanceID string, filterSSH bool, callback ssh.HostKeyCallback, cfg aws.Config) (*AWSRunner, error) {
 	// Look up the AMI name of the runner
-	imageName, err := getAMIName(amiImageId, region)
+	imageName, err := getAMIName(amiImageId, region, cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -79,13 +78,13 @@ func NewAWSRunner(amiImageId, userFromCLIArg, host, region, availabilityZone, in
 	}, nil
 }
 
-func (run AWSRunner) SendAndUseIdentityFile() error {
+func (run AWSRunner) SendAndUseIdentityFile(cfg aws.Config) error {
 	pubBytes, privBytes, err := GetKeyBytes()
 	if err != nil {
 		return err
 	}
 
-	err = run.SendPublicKey(pubBytes)
+	err = run.SendPublicKey(pubBytes, cfg)
 	if err != nil {
 		return err
 	}
@@ -103,12 +102,8 @@ func (run AWSRunner) SendAndUseIdentityFile() error {
 // EC2InstanceConnect. The AWS account used to run the tests must
 // have EC2InstanceConnect permissions attached to its IAM role.
 // First checks to make sure the instance is still running.
-func (run AWSRunner) SendPublicKey(pubBytes []byte) error {
+func (run AWSRunner) SendPublicKey(pubBytes []byte, cfg aws.Config) error {
 	// Send public key
-	cfg, err := config.LoadDefaultConfig(context.Background())
-	if err != nil {
-		return err
-	}
 	cfg.Region = run.Region
 	svc := ec2instanceconnect.NewFromConfig(cfg)
 
@@ -119,7 +114,7 @@ func (run AWSRunner) SendPublicKey(pubBytes []byte) error {
 		SSHPublicKey:     aws.String(string(pubBytes)),
 	}
 
-	_, err = svc.SendSSHPublicKey(context.Background(), input)
+	_, err := svc.SendSSHPublicKey(context.Background(), input)
 	if err != nil {
 		return err
 	}
@@ -329,14 +324,10 @@ func (run AWSRunner) RunSSMCommandOnRemoteHost(cfg aws.Config, operation string)
 	)
 }
 
-// getAMIName takes an AMI image ID and an AWS region name as input
-// and calls the AWS API to get the name of the AMI. Returns the AMI
-// name or an error if unsuccessful.
-func getAMIName(amiImageId, region string) (string, error) {
-	cfg, err := config.LoadDefaultConfig(context.Background())
-	if err != nil {
-		return "", err
-	}
+// getAMIName takes an AMI image ID, an AWS region name, and an AWS
+// credential config as input and calls the AWS API to get the name
+// of the AMI. Returns the AMI name or an error if unsuccessful.
+func getAMIName(amiImageId, region string, cfg aws.Config) (string, error) {
 	cfg.Region = region
 	svc := ec2.NewFromConfig(cfg)
 	input := ec2.DescribeImagesInput{

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,10 @@ To explicitly specify the server URL that the agent will connect to:`
`86`	`86`
`87`	`87`	`lacework agent aws-install ec2ssm --server_url https://your.server.url.lacework.net`
`88`	`88`
	`89`	`+To specify an AWS credential profile other than 'default':`
	`90`	`+`
	`91`	`+ lacework agent aws-install ec2ssm --credential_profile aws-profile-name`
	`92`	`+`
`89`	`93`	`AWS credentials are read from the following environment variables:`
`90`	`94`	`- AWS_ACCESS_KEY_ID`
`91`	`95`	`- AWS_SECRET_ACCESS_KEY`
`@@ -144,6 +148,9 @@ func init() {`
`144`	`148`	`agentInstallAWSSSMCmd.Flags().StringVar(&agentCmdState.InstallServerURL,`
`145`	`149`	"server_url", "https://api.lacework.net", "server URL that agents will talk to, prefixed with `https://`",
`146`	`150`	`)`
	`151`	`+ agentInstallAWSSSMCmd.Flags().StringVar(&agentCmdState.InstallAWSProfile,`
	`152`	`+ "credential_profile", "default", "AWS credential profile to use",`
	`153`	`+ )`
`147`	`154`	`}`
`148`	`155`
`149`	`156`	`func installAWSSSM(_ *cobra.Command, _ []string) error {`
`@@ -176,7 +183,7 @@ func installAWSSSM(_ *cobra.Command, _ []string) error {`
`176`	`183`	`return nil`
`177`	`184`	`}`
`178`	`185`
`179`		`- cfg, err := config.LoadDefaultConfig(context.Background())`
	`186`	`+ cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))`
`180`	`187`	`if err != nil {`
`181`	`188`	`return err`
`182`	`189`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func awsDescribeRegions() ([]types.Region, error) {`
`69`	`69`	`Filters: filters,`
`70`	`70`	`}`
`71`	`71`
`72`		`- cfg, err := config.LoadDefaultConfig(context.Background())`
	`72`	`+ cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))`
`73`	`73`	`if err != nil {`
`74`	`74`	`return nil, err`
`75`	`75`	`}`
`@@ -90,7 +90,7 @@ func awsRegionDescribeInstances(region string, filterSSH bool) ([]*lwrunner.AWSR`
`90`	`90`	`tagKey = agentCmdState.InstallTagKey`
`91`	`91`	`tag = agentCmdState.InstallTag`
`92`	`92`	`)`
`93`		`- cfg, err := config.LoadDefaultConfig(context.Background())`
	`93`	`+ cfg, err := config.LoadDefaultConfig(context.Background(), config.WithSharedConfigProfile(agentCmdState.InstallAWSProfile))`
`94`	`94`	`if err != nil {`
`95`	`95`	`return nil, err`
`96`	`96`	`}`
`@@ -196,6 +196,7 @@ func awsRegionDescribeInstances(region string, filterSSH bool) ([]*lwrunner.AWSR`
`196`	`196`	`*threadInstance.InstanceId,`
`197`	`197`	`filterSSH,`
`198`	`198`	`verifyHostCallback,`
	`199`	`+ cfg,`
`199`	`200`	`)`
`200`	`201`	`if err != nil {`
`201`	`202`	`cli.Log.Debugw("error identifying runner", "error", err, "instance_id", *threadInstance.InstanceId)`