Support account ID / names as profile names (#4)

Co-authored-by: nimrodkor <nimrodkor@gmail.com>
druchoo · Jan 25, 2024 · 00f0607 · 00f0607
1 parent 2ee0ff4
commit 00f0607
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -208,10 +208,10 @@ A configuration wizard will prompt you to enter the necessary configuration para
 - write_aws_creds - True or False - If True, the AWS credentials will be written to `~/.aws/credentials` otherwise it will be written to stdout.
 - cred_profile - If writing to the AWS cred file, this sets the name of the AWS credential profile.
   - The reserved word `role` will use the name component of the role arn as the profile name. i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [okta-1234-role] in the aws credentials file
-  - The reserved word `acc` will use the account number (or alias if `resolve_aws_alias` is set to y) as the profile name. i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [arn:aws:iam::123456789012] or if `resolve_aws_alias` [okta-1234-role] in the aws credentials file.
-  - The reserved word `acc-role` will use the name component of the role arn prepended with account number (or alias if `resolve_aws_alias` is set to y) to avoid collisions, i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [123456789012-okta-1234-role], or if `resolve_aws_alias` [okta-1234-role] in the aws credentials file
+  - The reserved word `acc-role` will use the name component of the role arn prepended with account number (or alias if `resolve_aws_alias` is set to y) to avoid collisions, i.e. arn:aws:iam::123456789012:role/okta-1234-role becomes section [123456789012-okta-1234-role], or if `resolve_aws_alias` [<my alias>-okta-1234-role] in the aws credentials file
+  - The reserved word `acc` will use the account number (or alias if `resolve_aws_alias` is set to y).
   - If set to `default` then the temp creds will be stored in the default profile
-  - Note: if there are multiple roles, and `default` is selected it will be overwritten multiple times and last role wins. The same happens when `role` is selected and you have many accounts with the same role names. Consider using `acc-role` if this happens.
+  - Note: if there are multiple roles, and `default` is selected it will be overwritten multiple times and last role wins. The same happens when `role` or `acc` is selected and you have many accounts with the same role names. Consider using `acc-role` if this happens.
 - aws_appname - This is optional. The Okta AWS App name, which has the role you want to assume.
 - aws_rolename - This is optional. The ARN of the role you want temporary AWS credentials for.  The reserved word 'all' can be used to get and store credentials for every role the user is permissioned for.
 - aws_default_duration = This is optional. Lifetime for temporary credentials, in seconds. Defaults to 1 hour (3600)

diff --git a/gimme_aws_creds/config.py b/gimme_aws_creds/config.py
@@ -403,7 +403,7 @@ def _get_auth_server_entry(self, default_entry):
         self._okta_auth_server = okta_auth_server
 
         return okta_auth_server
-    
+
     def _get_enable_keychain(self, default_entry):
         """ enable the use of the system keychain to store the user's password """
 
@@ -523,7 +523,7 @@ def _get_cred_profile(self, default_entry):
         cred_profile = self._get_user_input(
             "AWS Credential Profile", default_entry)
 
-        if cred_profile.lower() in ['default', 'role', 'acc', 'acc-role']:
+        if cred_profile.lower() in ['default', 'role', 'acc-role', 'acc']:
             cred_profile = cred_profile.lower()
 
         return cred_profile

diff --git a/gimme_aws_creds/main.py b/gimme_aws_creds/main.py
@@ -817,6 +817,12 @@ def get_profile_name(self, cred_profile, include_path, naming_data, resolve_alia
                 role_name = ''.join([path, role_name])
             profile_name = '-'.join([account,
                                      role_name])
+        elif cred_profile.lower() == 'acc':
+            profile_name = naming_data['account']
+            if resolve_alias == 'True':
+                account_alias = self._get_alias_from_friendly_name(role.friendly_account_name)
+                if account_alias:
+                    profile_name = account_alias
         else:
             profile_name = cred_profile
         return profile_name

diff --git a/tests/test_main.py b/tests/test_main.py
@@ -243,33 +243,31 @@ def test_get_profile_name_role(self):
         self.assertEqual(creds.get_profile_name(cred_profile, include_path, naming_data, resolve_alias, role),
                          'administrator')
 
-    def test_get_profile_name_account_resolve_alias(self):
-        "Testing the account with alias resolution"
+    def test_get_profile_name_acc_resolve_alias(self):
+        "Testing the acc, with alias resolution, and not including full role path"
         creds = GimmeAWSCreds()
         naming_data = {'account': '123456789012', 'role': 'administrator', 'path': '/administrator/'}
         role = RoleSet(idp='arn:aws:iam::123456789012:saml-provider/my-okta-provider',
                        role='arn:aws:iam::123456789012:role/administrator/administrator',
                        friendly_account_name='Account: my-org-master (123456789012)',
                        friendly_role_name='administrator/administrator')
         cred_profile = 'acc'
-        resolve_alias = 'True'
-        include_path = 'True'
-        self.assertEqual(creds.get_profile_name(cred_profile, include_path, naming_data, resolve_alias, role),
-                         'my-org-master')
+        resolve_alias = 'False'
+        include_path = 'False'
+        self.assertEqual(creds.get_profile_name(cred_profile, include_path, naming_data, resolve_alias, role), "123456789012")
 
-    def test_get_profile_name_account_do_not_resolve_alias(self):
-        "Testing the account without alias resolution"
+    def test_get_profile_name_acc_do_not_resolve_alias(self):
+        "Testing the acc, with alias resolution, and not including full role path"
         creds = GimmeAWSCreds()
         naming_data = {'account': '123456789012', 'role': 'administrator', 'path': '/administrator/'}
         role = RoleSet(idp='arn:aws:iam::123456789012:saml-provider/my-okta-provider',
                        role='arn:aws:iam::123456789012:role/administrator/administrator',
                        friendly_account_name='Account: my-org-master (123456789012)',
                        friendly_role_name='administrator/administrator')
         cred_profile = 'acc'
-        resolve_alias = 'False'
-        include_path = 'True'
-        self.assertEqual(creds.get_profile_name(cred_profile, include_path, naming_data, resolve_alias, role),
-                         '123456789012')
+        resolve_alias = 'True'
+        include_path = 'False'
+        self.assertEqual(creds.get_profile_name(cred_profile, include_path, naming_data, resolve_alias, role), "my-org-master")
 
     def test_get_profile_name_default(self):
         "Testing the default"