Validate access key and secret key before writing into the .aws/credentials file

[varunchandak]

I don't know how or why, but I have started getting these errors while running awless:

goroutine 1 [running]:
github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/aws/session.Must(0x0, 0x2378fe0, 0xc42018ef20, 0x0)
	/private/tmp/awless-20180516-58126-6k4tue/src/github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/aws/session/session.go:276 +0x54
github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/awstesting/mock.glob..func1(0x1788f4d)
	/private/tmp/awless-20180516-58126-6k4tue/src/github.com/wallix/awless/vendor/github.com/aws/aws-sdk-go/awstesting/mock/mock.go:20 +0x128

vrnchndk:~ varun$ awless
panic: SharedConfigLoadError: failed to load config file, /Users/varun/.aws/credentials
caused by: key-value delimiter not found: (MISSING)

I then checked the /Users/varun/.aws/credentials file, and found this:

[...]
aws_access_key_id = ...
aws_secret_access_key = ...

[-i-00e692f182eef653f-disk-alarm]
aws_access_key_id = 90%!
(MISSING)aws_secret_access_key = 75%!
(MISSING)

The name -i-00e692f182eef653f-disk-alarm is a cloudwatch alarm name, which I was trying to delete like this (which used to work flawlessly before:

awless -p <PROFILE> list alarms --filter description=-i- --filter state=INSUFFICIENT_DATA --columns name,description,state --format csv | cut -d, -f1 | while read line; do awless -p <PROFILE> delete alarm name=\'"$line"\' -f --no-sync; done

I am still wondering how that profile got into the credentials file. Any insight would be really helpful.

[fxaguessy]

Hi @varunchandak ,

Thanks again for reporting. That's a strange one ! AFAIK, the only place whereawless edit the .aws/credentials file is in create accesskey save=true and when no credentials are found at launch, with a credentials prompter.

The only explanation I can find is in the latter: perhaps a profile had no credentials. Thus awless prompted the credentials and if this was occurring in a script, the injected values might be wrong:

For example:

$ awless create instance -p inexistant
Cannot resolve AWS credentials for profile 'inexistant' (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
Please enter access keys for profile 'inexistant' (stored at ~/.aws/credentials):
AWS Access Key ID? aaaaaa
AWS Secret Access Key? aaaaa
Change your profile name (or just press Enter to keep 'inexistant')? aaaa

✓ Credentials for profile 'aaaa' stored successfully in ~/.aws/credentials
...

$ cat ~/.aws/credentials
[aaaa]
aws_access_key_id = aaaaaa
aws_secret_access_key = aaaaa

Do you think this might be the problem ?

[varunchandak]

I think so.. sometimes I would get this prompt in the middle of a batch script execution despite have the credentials configured properly. I believe the prompt occurred and the values from the script output got entered in it.

Why do you think that the entries were done automatically ? Shouldn't there be some kind of validation for access key or secret key ?

[fxaguessy]

Yes, for now there is no validation for the access key and secret key, we should add that to prevent such a bug.

[varunchandak]

I think Access Key is 20 characters and secret key is 40 characters. I have 6 profiles and the count in each of them is same.