Fix loading config from default section

99designs · Jan 8, 2020 · 955600c · 955600c
1 parent 1c0b58a
commit 955600c
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -80,16 +80,16 @@ The default is to use environment variables, but you can opt-in to the local ins
 First you'll need to create the users and roles in IAM. Next, edit your `~/.aws/config` to add profiles with a `role_arn`. For example:
 
 ```ini
-[profile jonsmith]
+[default]
 region = us-east-1
 
+[profile jonsmith]
+
 [profile prod-readonly]
-region=us-east-1
 role_arn = arn:aws:iam::111111111111:role/ReadOnly
 source_profile = jonsmith
 
 [profile prod-admin]
-region=us-east-1
 role_arn = arn:aws:iam::111111111111:role/Administrator
 source_profile = jonsmith
 ```

diff --git a/USAGE.md b/USAGE.md
@@ -42,16 +42,22 @@ $ aws-vault exec --help
 
 aws-vault uses your `~/.aws/config` to load AWS config. This should work identically to the config specified by the [aws-cli docs](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html).
 
-aws-vault also recognises an extra config variable, `parent_profile`, which is not recognised by the aws-cli. This variable allows a profile to inherit configuration from another profile. In the following example, the `work-admin` profile inherits `region` and `mfa_serial` from the `work` profile.
+aws-vault also recognises an extra config variable, `parent_profile`, which is not recognised by the aws-cli. This variable allows a profile to load configuration horizontally from another profile. In the following example, the `account1` profile inherits `region` from the `default` section, `mfa_serial` and `duration_seconds` from the `parent` profile and uses the source credentials in `master`.
 
 ```ini
-[profile work]
-region = eu-west-1
-mfa_serial = arn:aws:iam::111111111111:mfa/work-account
+[default]
+region = us-west-1
 
-[profile work-admin]
-role_arn = arn:aws:iam::111111111111:role/Administrator
-parent_profile = work
+[profile master]
+
+[profile parent]
+mfa_serial = arn:aws:iam::111111111111:mfa/user.name
+duration_seconds = 120
+
+[profile account1]
+parent_profile = parent
+source_profile = master
+role_arn = arn:aws:iam::22222222222:role/Administrator
 ```
 
 
@@ -117,17 +123,17 @@ Here is an example ~/.aws/config file, to help show the configuration. It define
 become either profile.
 
 ```ini
-[profile home]
+[default]
 region = us-east-1
+
+[profile home]
 mfa_serial = arn:aws:iam::111111111111:mfa/home-account
 
 [profile work]
-region = eu-west-1
 mfa_serial = arn:aws:iam::111111111111:mfa/work-account
 role_arn = arn:aws:iam::111111111111:role/ReadOnly
 
 [profile work-admin]
-region = us-east-1
 role_arn = arn:aws:iam::111111111111:role/Administrator
 source_profile = work
 ```

diff --git a/vault/config.go b/vault/config.go
@@ -34,6 +34,8 @@ const (
 
 	// DefaultChainedSessionDuration is the default duration for GetSessionToken sessions when chaining
 	DefaultChainedSessionDuration = time.Hour * 8
+
+	defaultSectionName = "default"
 )
 
 func init() {
@@ -161,15 +163,15 @@ func (c *ConfigFile) ProfileSections() []ProfileSection {
 	}
 
 	for _, section := range c.iniFile.SectionStrings() {
-		if strings.ToLower(section) != "default" && !strings.HasPrefix(section, "profile ") {
+		if strings.ToLower(section) != defaultSectionName && !strings.HasPrefix(section, "profile ") {
 			log.Printf("Unrecognised ini file section: %s", section)
 			continue
 		}
 
 		profile, _ := c.ProfileSection(strings.TrimPrefix(section, "profile "))
 
 		// ignore the default profile if it's empty
-		if section == "default" && profile.IsEmpty() {
+		if section == defaultSectionName && profile.IsEmpty() {
 			continue
 		}
 
@@ -190,8 +192,8 @@ func (c *ConfigFile) ProfileSection(name string) (ProfileSection, bool) {
 	}
 	// default profile name has a slightly different section format
 	sectionName := "profile " + name
-	if name == "default" {
-		sectionName = "default"
+	if name == defaultSectionName {
+		sectionName = defaultSectionName
 	}
 	section, err := c.iniFile.GetSection(sectionName)
 	if err != nil {
@@ -214,8 +216,8 @@ func (c *ConfigFile) Add(profile ProfileSection) error {
 	}
 	// default profile name has a slightly different section format
 	sectionName := "profile " + profile.Name
-	if profile.Name == "default" {
-		sectionName = "default"
+	if profile.Name == defaultSectionName {
+		sectionName = defaultSectionName
 	}
 	section, err := c.iniFile.NewSection(sectionName)
 	if err != nil {
@@ -316,6 +318,13 @@ func (cl *ConfigLoader) populateFromConfigFile(config *Config, profileName strin
 		}
 	}
 
+	if profileName != defaultSectionName {
+		err := cl.populateFromConfigFile(config, defaultSectionName)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }