binbashar/leverage

Feature | Enhance Leverage CLI for Improved Role Management and Token Handling

Closed this issue · 4 comments

Feature Request:

Enhance Leverage CLI for Improved Role Management and Token Handling

Is your feature request related to a problem? Please describe.

Currently, when working with different variants in the Leverage CLI, users face challenges in switching between accounts and roles. The existing mechanism requires manual switching, which can be error-prone and inefficient.

Describe the feature you'd like

Enhance the Leverage CLI to support automated role management and token handling. The CLI should be able to recognize the user's permissions and roles, and automatically switch between them as needed. This would involve:

  1. Recognizing the main role in both management and non-management contexts.
  2. Automatically assuming the appropriate role based on the token provided.
  3. Generating temporary credentials based on the token, which would be valid for all roles.
  4. Displaying a clear message if the user does not have the necessary permissions for a specific role.

Use Case

This feature would be particularly beneficial for users who frequently switch between different roles and accounts in the Leverage CLI. It would streamline the process, reduce the risk of errors, and improve overall user experience.

Describe Ideal Solution

  1. Integrate a mechanism in the Leverage CLI that can recognize the user's roles and permissions.
  2. Allow the CLI to automatically switch between roles based on the context and the token provided.
  3. Generate temporary credentials for the user based on the token.
  4. Provide clear feedback to the user regarding their permissions and roles.

Alternatives Considered

  1. Manual switching between roles and accounts.
  2. Using third-party tools or plugins to manage roles and tokens.

Additional Context

  • The Leverage CLI is a tool designed to manage and interact with any Leverage project. It handles complex tasks associated with state-of-the-art infrastructure definitions like the Leverage Reference Architecture.
  • The CLI uses a dockerized approach to encapsulate the necessary tools, freeing users from dealing with tool configuration and management.
  • The proposed enhancement would further improve the CLI's usability and efficiency, especially for users who work with multiple roles and accounts.

Franr commented

Right now, if you are on a layer that requires a different role than the one set in the account.tfvars file (like the management layer trying to use the devops role), the CLI will fail:

management/global/sso >> leverage tf plan
[20:28:38]    INFO	Attempting to get temporary credentials for datascience-devstg account.
[20:28:42]    ERROR	Unable to get valid credentials for role Administrator in account datascience-devstg.
Please check SSO configuration.
[20:28:42]    ERROR	Check the following link for possible solutions: https://leverage.binbash.co/user-guide/troubleshooting/credentials/

So basically, to fix this, the idea is to:

  • generate aws profiles without the role name at the end
  • assume the role to be used, by listing the possible roles per account and picking the first one
  • there must always be 1 role per account; if there is more than one, it is safe to pick the first one that appears
  • remove the role references from the account.tfvars file (sso_role variable)
  • the profiles will point to the proper role internally on the aws config file by using the role_name property

In a second iteration, we could provide an input so you could force the usage of a particular role, in case you need it.
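The profile-generation scheme sketched in the comment above, as an added example that is not Leverage's own code: one role is resolved per account from the SSO role listing, profiles are named without a role suffix, the role is carried by the `sso_role_name` key of the AWS CLI config, and a clear message is produced when the user holds no role in an account. The account ids, start URL and the `SAMPLE_ROLES` mapping are constructed stand-ins for what `list_account_roles` would return for the logged-in user.

```python
import configparser
import io


class RoleResolutionError(Exception):
    """Raised when the logged-in SSO user holds no role in a requested account."""


# Constructed sample standing in for the per-account output of
# boto3.client("sso").list_account_roles(accessToken=..., accountId=...),
# i.e. the roles the logged-in user may assume (hypothetical account ids).
SAMPLE_ROLES = {
    "111111111111": ["DevOps"],                   # management account
    "222222222222": ["DevOps", "Administrator"],  # a non-management account
    "333333333333": [],                           # account the user cannot reach
}


def resolve_role(account_id, roles_by_account):
    """Return (role, None), or (None, message) when no role is available.

    The comment above assumes one role per account; when the listing holds
    several, the first one is taken, as proposed.  The API does not promise
    a stable order, which is why the one-role assumption matters.
    """
    roles = roles_by_account.get(account_id, [])
    if not roles:
        return None, (f"no SSO role available in account {account_id}; "
                      "check your permission sets in IAM Identity Center")
    return roles[0], None


def build_profiles(accounts, roles_by_account, sso_start_url, sso_region):
    """Render AWS CLI profiles named without a role suffix; the role is
    carried by sso_role_name instead.  accounts: profile name -> account id."""
    cfg = configparser.ConfigParser()
    for name, account_id in accounts.items():
        role, error = resolve_role(account_id, roles_by_account)
        if error:
            raise RoleResolutionError(f"profile {name}: {error}")
        cfg[f"profile {name}"] = {
            "sso_start_url": sso_start_url,
            "sso_region": sso_region,
            "sso_account_id": account_id,
            "sso_role_name": role,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(build_profiles({"management": "111111111111", "devstg": "222222222222"},
                         SAMPLE_ROLES, "https://example.awsapps.com/start", "us-east-1"))
```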

@Franr Could you provide a brief update on this issue? Are you still needing help from the team to test this out?

@diego-ojeda-binbash yes, I would like someone on an MFA project to give it a try, and a review over the PR of course... main thing!

@Franr I think I can help with that -- that is, if I still have my MFA creds set up for the Leverage AWS account. I'll give it a try if I can and I'll let you know afterwards.