This repository has been archived by the owner on Feb 11, 2022. It is now read-only.

Can AWS Credentials in Vagrantfile be programmatically grabbed? #151

Closed
timvisher opened this issue Oct 8, 2013 · 19 comments

@timvisher

I'm trying to use vagrant for an open source project but I want to keep the people who can launch ec2 instances at a minimum. Is there any way to do this with vagrant aws?

@tralamazza
Collaborator

Just use different AWS keypairs.
vagrant-aws itself has no user access control

@timvisher
Author

How can I check the Vagrantfile in to a public repository, though? That's the real question. My use case is that I'd like people to be able to provision a local VirtualBox VM using the same Vagrantfile but then have anyone with ec2 creds be able to set them in their environment or something and launch an ec2 instance using vagrant-aws.

@tralamazza
Collaborator

hmm, I think you can have a conditional statement inside your unified Vagrantfile that would search for an env var, and use the proper provider accordingly. People with those env vars would launch on EC2, else plain local vbox. I will try this later and post my findings here.

@rajivr

rajivr commented Oct 14, 2013

@tralamazza You might want to check out the approach taken by aws-sdk

https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/credential_providers.rb#L89

@erran

erran commented Oct 16, 2013

@timvisher You could probably use multiple Vagrantfiles and make the conditionals based on AWS environment variables.

@zelig
Contributor

zelig commented Feb 12, 2014

see also #182

@rtyler
Collaborator

rtyler commented Apr 2, 2014

I think this is a good thing to allow to be stuck into a file in .vagrant/, I'll pull it in to the next milestone

@msgilligan

+1 on creating a file inside ~/.vagrant -- I use that approach with build.gradle files and it works reasonably well.

@sursh

sursh commented Jul 18, 2014

Someone made a little plugin that handles this problem https://github.com/maoueh/nugrant

@yoshiwaan

I'd just like to chip in and say this would be a useful feature for us. I'd also like to note that the default location for Amazon credentials files is ~/.aws/credentials these days (which is where Amazon tools read from), and other tools are starting to use that too. It would be good to keep it consistent.

The format of that file is:
[default]
aws_access_key_id =
aws_secret_access_key =
[cred1]
aws_access_key_id =
aws_secret_access_key =
[cred2]
aws_access_key_id =
aws_secret_access_key =

where the non-default credentials are other credential sets that can be specified.

@lukosan

lukosan commented Oct 30, 2015

As an interim solution, I got this working by externalizing the key and secret in their own files which can then be referenced in my .gitignore so as to not expose them to "teh interwebs".

# Key and secret live in two files outside the repository (listed in .gitignore);
# the gsub strips newlines and anything else that is not a base64-style character.
io_aws_access_key_id = IO.read("../../../aws.accessKey").gsub(/[^0-9a-z\+=\/]/i, '')
io_aws_secret_access_key = IO.read("../../../aws.accessSecret").gsub(/[^0-9a-z\+=\/]/i, '')

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "dummy"
  config.vm.define :tomcat_server do |t|
  end
  config.vm.provider :aws do |aws, override|
    aws.access_key_id = io_aws_access_key_id
    aws.secret_access_key = io_aws_secret_access_key
  end
end

(The regex is necessary to remove any new lines or file termination characters that might be in the file - this had me flummoxed for a while. I think it'll remove anything that's not likely to appear in an AWS secret on the assumption that they use vanilla base64, which could be incorrect so the usual caveats apply.)

Then I realised that I can do what tralamazza suggested because I've already loaded my credentials as environment variables (because I'm using the ec2.py script with ansible) so all I actually have to do is this:

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "dummy"
  config.vm.define :tomcat_server do |t|
  end
  config.vm.provider :aws do |aws, override|
    # Credentials come from the shell environment, so nothing secret is in the Vagrantfile.
    aws.access_key_id = ENV['AWS_ACCESS_KEY_ID']
    aws.secret_access_key = ENV['AWS_SECRET_ACCESS_KEY']
  end
end

Hope someone finds that helpful.

@damnhandy

+1 on the suggestion made by @yoshiwaan on using the ~/.aws/credentials file. This file is standard for any AWS SDK (Go, Node, Java, etc.) and anything that uses the SDK, like the Eclipse AWS plugins. It'd be super convenient to have the credentials in a single location as opposed to having them copied into multiple files/locations for different tools.

I created an internal tool that gets a SAML assertion from our ADFS endpoint, gets a session token, and writes it back to ~/.aws/credentials using the Java SDK. The entire purpose of this is to avoid having us keep track of every access key every developer in the company is using. Each access key is temporary and usable only by the AD user that requested the STS token. So, if the vagrant-aws plugin could support credentials in ~/.aws/credentials, it would be super handy.

@timvisher
Author

This is not a super big deal. If you're willing to install the AWS gem, you can get at the credentials using:

  require 'aws-sdk'

  # Reads the [default] profile of ~/.aws/credentials via the SDK's own loader.
  aws_creds = Aws::SharedCredentials.new().credentials
  $my_kname = aws_creds.access_key_id
  $my_khash = aws_creds.secret_access_key

I'm all for native vagrant support for the above so I'll leave this issue open but that's how I've solved things at this point.

@jbussdieker

+1 for ~/.aws/credentials

@stisti

stisti commented Jan 12, 2016

+1 for this plugin obtaining credentials the same way as AWS SDKs do.

@kenorb

kenorb commented Apr 15, 2016

It seems it's fixed in PR #441.
However it's not yet released.

If you want to patch the existing version, try:

cd ~/.vagrant.d/gems/gems/vagrant-aws-0.7.0/
patch -p1 < <(curl https://patch-diff.githubusercontent.com/raw/mitchellh/vagrant-aws/pull/441.patch)

Then install iniparse plugin if missing:

vagrant plugin install iniparse

If it doesn't work, revert the changes by:

vagrant plugin uninstall vagrant-aws && vagrant plugin install vagrant-aws

@ranman

ranman commented Apr 27, 2016

It would also be useful to support SAML Auth for enterprise users:

aws_access_key_id
aws_secret_access_key
aws_session_token

@murarisumit

This works, but PR #441 doesn't read the AWS_PROFILE environment variable when it is set. Ref: https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html#using-profiles

I made a small change in PR #533; can you please review it?
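The lookup order this thread converges on (environment variables first, then the ~/.aws/credentials file with the profile chosen by AWS_PROFILE, with aws_session_token carried along for the SAML/STS case), written out as an added stand-alone Ruby example. This is not vagrant-aws code and not the contents of PR #441 or #533: the INI parser, the function names and the sample credentials file are all constructed here, and the file-permission warning is an extra check, not something the plugin does.

```ruby
require 'stringio'

# Constructed sample in the ~/.aws/credentials layout; these are not real keys.
SAMPLE_CREDENTIALS = <<~INI
  # constructed sample, not real keys
  [default]
  aws_access_key_id = AKIADEFAULTEXAMPLE
  aws_secret_access_key = defaultSecretExample/+=
  [cred1]
  aws_access_key_id = AKIACRED1EXAMPLE
  aws_secret_access_key = cred1SecretExample
  aws_session_token = cred1SessionTokenExample
INI

# Minimal INI parser for the credentials file: "[profile]" headers,
# "key = value" pairs, "#" or ";" comment lines. Values are stripped, so the
# trailing newline that bit lukosan's IO.read approach cannot leak into a key.
def parse_shared_credentials(io)
  profiles = {}
  current = nil
  io.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[\s*(.+?)\s*\]\z/))
      current = m[1]
      profiles[current] ||= {}
    elsif current && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      profiles[current][m[1].downcase] = m[2].strip
    end
  end
  profiles
end

# Source 1: the shell environment. Both key parts must be present; a session
# token is optional and only meaningful alongside temporary STS credentials.
def credentials_from_env(env)
  id     = env['AWS_ACCESS_KEY_ID'].to_s.strip
  secret = env['AWS_SECRET_ACCESS_KEY'].to_s.strip
  return nil if id.empty? || secret.empty?
  creds = { access_key_id: id, secret_access_key: secret }
  token = env['AWS_SESSION_TOKEN'].to_s.strip
  creds[:session_token] = token unless token.empty?
  creds
end

# Source 2: one named profile of the shared credentials file.
def credentials_from_file(io, profile)
  section = parse_shared_credentials(io)[profile]
  return nil unless section && section['aws_access_key_id'] && section['aws_secret_access_key']
  creds = { access_key_id: section['aws_access_key_id'],
            secret_access_key: section['aws_secret_access_key'] }
  creds[:session_token] = section['aws_session_token'] if section['aws_session_token']
  creds
end

# Resolution chain: env vars win; otherwise the file, profile from AWS_PROFILE
# (default "default"). Returns nil when nothing usable is found so a Vagrantfile
# can fall back to a local provider instead of failing at `vagrant up`.
# credentials_text: lets callers (and tests) inject file contents instead of reading disk.
def resolve_aws_credentials(env: ENV, path: File.join(Dir.home, '.aws', 'credentials'), credentials_text: nil)
  from_env = credentials_from_env(env)
  return from_env if from_env

  if credentials_text.nil?
    return nil unless File.exist?(path)
    # Extra check (not part of any SDK): a credentials file readable by others is a leak.
    warn "#{path} is group/world-readable; consider chmod 600" if (File.stat(path).mode & 0o077) != 0
    credentials_text = File.read(path)
  end

  profile = env['AWS_PROFILE'].to_s.strip
  profile = 'default' if profile.empty?
  credentials_from_file(StringIO.new(credentials_text), profile)
end

if $PROGRAM_NAME == __FILE__
  creds = resolve_aws_credentials(env: { 'AWS_PROFILE' => 'cred1' }, credentials_text: SAMPLE_CREDENTIALS)
  puts(creds ? "provider :aws (profile cred1, session token present: #{!creds[:session_token].nil?})" : 'provider :virtualbox')
end
```

In a Vagrantfile the call sits at the top level: `creds = resolve_aws_credentials` and then `config.vm.provider :aws` is only configured when `creds` is non-nil (assigning `aws.session_token` when the hash has one), which is the conditional-provider layout tralamazza described, with contributors who lack credentials silently getting the VirtualBox provider.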

@timvisher
Author

AFAICT this has been fixed for years. Sorry I left it open for so long. :)
