Update the order of resolution for aws region and credentials. #191

Merged
merged 1 commit into from
Jan 13, 2017

Conversation

uttarasridhar
Contributor

@uttarasridhar uttarasridhar commented Jan 12, 2017

  • Add support for reading regions from aws profile
  • Add support for assume role from aws profile

closes #53.
closes #55.
closes #77.
closes #92.
closes #189

$ make test

coverage: 76.6% of statements
ok github.com/aws/amazon-ecs-cli/ecs-cli/modules/config 5.031s coverage: 76.6% of statements


SETUP

Did a compose up: so that the task definition would print the region and account id in the ARN (so we can extract which region and aws account it talked to)
2 AWS profiles:

  • default: AccountA (region us-west-2)
  • test-cli: AccountA (region eu-west-1)
  • another-test-cli: AccountB (region us-east-1)

NO PROFILE/REGION/CREDENTIALS

$ ./bin/local/ecs-cli configure --cluster uttara
$ ./bin/local/ecs-cli compose up
FATA[0000] Unable to create an instance of ECSParams given the cli context  error="Set a region using ecs-cli configure command with the --region flag or AWS_REGION environment variable or --profile flag"
$ aws configure --profile default --region us-west-2
$ ./bin/local/ecs-cli compose up
FATA[0005] NoCredentialProviders: no valid providers in chain. Deprecated. 
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors 

3a) Using AWS_PROFILE in ECS Config

$ ./bin/local/ecs-cli configure --cluster uttara --profile another-test-cli
$ ./bin/local/ecs-cli compose up
...task definition="arn:aws:ecs:us-east-1:AccountB:task-definition/ecscompose-amazon-ecs-cli:1"

Picked from aws-profile "another-test-cli"

  • Region: us-east-1
  • Account: AccountB

3b) AWS_PROFILE env var

$ export AWS_PROFILE="default"
$ ./bin/local/ecs-cli configure --cluster uttara
$ ./bin/local/ecs-cli compose up
.....task definition="arn:aws:ecs:us-west-2:AccountA:task-definition/ecscompose-amazon-ecs-cli:50"

Picked from aws-profile "default"

  • Region: us-west-2
  • Account: AccountA

3c) AWS_DEFAULT_PROFILE env var

$ export AWS_DEFAULT_PROFILE="test-cli"
$ ./bin/local/ecs-cli compose up
......task definition="arn:aws:ecs:eu-west-1:AccountA:task-definition/ecscompose-amazon-ecs-cli:1"

Picked from aws-profile "test-cli"

  • Region: eu-west-1
  • Account: AccountA

2) Use ECS Config

$ ./bin/local/ecs-cli configure --cluster uttara --region us-east-1 --access-key "XXXX" --secret-key "XXXX"
$ ./bin/local/ecs-cli compose up
....task definition="arn:aws:ecs:us-east-1:AccountB:task-definition/ecscompose-amazon-ecs-cli:1"

Picked from ecs config, overrode the AWS_PROFILE env var

  • Region: us-east-1
  • Account: AccountB

1) Use env variables

$ export AWS_DEFAULT_REGION="us-west-2"
$ export AWS_ACCESS_KEY="YYYY"
$ export AWS_SECRET_KEY="YYYY"
$ ./bin/local/ecs-cli compose up
....task definition="arn:aws:ecs:us-west-2:AccountA:task-definition/ecscompose-amazon-ecs-cli:50"

Picked from env var, overrode the ECS Config

  • Region: us-west-2
  • Account: AccountA
$ export AWS_REGION="eu-west-1"
$ export AWS_ACCESS_KEY_ID="XXXX"
$ export AWS_SECRET_ACCESS_KEY="XXXX"
$ ./bin/local/ecs-cli compose up
....task definition="arn:aws:ecs:eu-west-1:AccountA:task-definition/ecscompose-amazon-ecs-cli:1"

Picked from env var, overrode the above env var

  • Region: eu-west-1
  • Account: AccountA

4) EC2 Instance Role

$ ./ecs-cli configure --cluster uttara --region us-west-2
$ ./bin/local/ecs-cli compose up
FATA[0000] NoCredentialProviders: no valid providers in chain. Deprecated. 
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors 

// Upon debugging found out that the error was:
EC2RoleRequestError: no EC2 instance role found
caused by: EC2MetadataError: failed to make EC2Metadata request

Next step: launched an instance with ec2 instance role

$ ./bin/local/ecs-cli compose up
FATA[0000] AccessDeniedException: User: arn:aws:sts::AccountA:assumed-role/ecsInstanceRole/i-08c578ddaf872bc4f is not authorized to perform: ecs:ListTasks on resource: *

Next step: attached the policy AmazonEC2ContainerServiceFullAccess to the role

$ ./bin/local/ecs-cli compose up
...task definition="arn:aws:ecs:us-west-2:AccountA:task-definition/ecscompose-tmp:1"

Picked

  • Region: us-west-2 // from ecs-cli configure command
  • Account: AccountA // credentials from EC2

5) Assume_role

From ~/.aws/config

[profile some-role]
role_arn = arn:aws:iam::AccountA:role/test-cli-role
source_profile = default
$ ./bin/local/ecs-cli configure --cluster uttara --profile some-role --region us-west-2
$ ./bin/local/ecs-cli compose ps
$ FATA[0000] AccessDeniedException: User: arn:aws:sts::AccountA:assumed-role/test-cli-role/xxxx is not authorized to perform: ecs:ListTasks on resource: *

Next step: added the trust relationship

$ ./bin/local/ecs-cli compose up
.....task definition="arn:aws:ecs:us-west-2:AccountA:task-definition/ecscompose-amazon-ecs-cli:50"

Picked

  • Region: us-west-2 // from ecs-cli configure command
  • Account: AccountA // credentials from assume_role
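The resolution ladder the test matrix above walks through (environment variables, then ECS config, then an AWS profile named by `ecs-cli configure --profile`, `AWS_PROFILE` or `AWS_DEFAULT_PROFILE`, then the EC2 instance role, with an assume-role profile deferring to its `source_profile`) is easier to reason about as one function. The block below is an added illustration written for this page, not code from the amazon-ecs-cli project or from the PR. The profile data is constructed and the key values are placeholders; the precedence among the three ways of naming a profile is this example's assumption, since the PR description exercises each one but does not state their relative order.

```go
package main

import (
	"errors"
	"fmt"
)

// Profile holds the ~/.aws/config fields this example uses; RoleARN and
// SourceProfile are set only for an assume-role profile.
type Profile struct{ Region, AccessKeyID, RoleARN, SourceProfile string }

// ECSConfig is the subset of `ecs-cli configure` settings used here.
type ECSConfig struct{ Region, AccessKey, SecretKey, Profile string }

// Resolution records which source won for the region and for credentials.
type Resolution struct{ Region, RegionFrom, CredsFrom string }

// SampleProfiles is constructed data mirroring the profiles in the PR
// description and its assume-role profile; keys and account ids are placeholders.
func SampleProfiles() map[string]Profile {
	return map[string]Profile{
		"default":          {Region: "us-west-2", AccessKeyID: "PLACEHOLDER-KEY-A"},
		"test-cli":         {Region: "eu-west-1", AccessKeyID: "PLACEHOLDER-KEY-A"},
		"another-test-cli": {Region: "us-east-1", AccessKeyID: "PLACEHOLDER-KEY-B"},
		"some-role":        {RoleARN: "arn:aws:iam::AccountA:role/test-cli-role", SourceProfile: "default"},
	}
}

// Resolve applies the precedence the PR's tests exercise: environment
// variables, then ECS config, then an AWS profile, then the EC2 instance
// role. The order among the three ways of naming a profile is an assumption.
func Resolve(env map[string]string, cfg ECSConfig, profiles map[string]Profile, onEC2 bool) (Resolution, error) {
	var r Resolution
	// 1) Environment: AWS_REGION beats AWS_DEFAULT_REGION; the
	//    AWS_ACCESS_KEY_ID pair beats the legacy AWS_ACCESS_KEY pair.
	for _, k := range []string{"AWS_REGION", "AWS_DEFAULT_REGION"} {
		if env[k] != "" {
			r.Region, r.RegionFrom = env[k], "env:"+k
			break
		}
	}
	switch {
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		r.CredsFrom = "env:AWS_ACCESS_KEY_ID"
	case env["AWS_ACCESS_KEY"] != "" && env["AWS_SECRET_KEY"] != "":
		r.CredsFrom = "env:AWS_ACCESS_KEY"
	}
	// 2) ECS config fills whatever the environment left unset.
	if r.Region == "" && cfg.Region != "" {
		r.Region, r.RegionFrom = cfg.Region, "ecs-config"
	}
	if r.CredsFrom == "" && cfg.AccessKey != "" && cfg.SecretKey != "" {
		r.CredsFrom = "ecs-config"
	}
	// 3) AWS profile: --profile in ECS config, else AWS_PROFILE, else AWS_DEFAULT_PROFILE.
	for _, name := range []string{cfg.Profile, env["AWS_PROFILE"], env["AWS_DEFAULT_PROFILE"]} {
		if name == "" {
			continue
		}
		p, ok := profiles[name]
		if !ok {
			return r, fmt.Errorf("profile %q not found", name)
		}
		if r.Region == "" && p.Region != "" {
			r.Region, r.RegionFrom = p.Region, "profile:"+name
		}
		if r.CredsFrom == "" && p.RoleARN != "" {
			// Assume-role profile: source_profile supplies the STS caller's credentials.
			if _, ok := profiles[p.SourceProfile]; !ok {
				return r, fmt.Errorf("source_profile %q of %q not found", p.SourceProfile, name)
			}
			r.CredsFrom = "assume-role:" + p.RoleARN
		} else if r.CredsFrom == "" && p.AccessKeyID != "" {
			r.CredsFrom = "profile:" + name
		}
		break // the first named profile wins; later names are ignored
	}
	// 4) EC2 instance role is the last credential fallback; the region has none.
	if r.CredsFrom == "" && onEC2 {
		r.CredsFrom = "ec2-instance-role"
	}
	if r.Region == "" {
		return r, errors.New("no region: set one with ecs-cli configure --region, AWS_REGION, or a profile")
	}
	if r.CredsFrom == "" {
		return r, errors.New("NoCredentialProviders: no valid providers in chain")
	}
	return r, nil
}

func main() {
	// Case 2 from the PR description: ECS config wins over AWS_PROFILE.
	r, err := Resolve(map[string]string{"AWS_PROFILE": "default"},
		ECSConfig{Region: "us-east-1", AccessKey: "x", SecretKey: "x"}, SampleProfiles(), false)
	fmt.Println(r, err)
}
```

The `RegionFrom` and `CredsFrom` fields are what a troubleshooting log should show: when a deploy lands in the wrong account, the question is almost always which of these sources silently won, and the two failure branches at the end reproduce the "set a region" and `NoCredentialProviders` outcomes seen in the no-profile case above.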

- Add support for reading regions from aws profile
- Add support for assume role from aws profile

closes aws#53.
closes aws#55.
closes aws#77.
closes aws#92.
@uttarasridhar uttarasridhar merged commit fc354a4 into aws:master Jan 13, 2017
@rvangundy

I'm not able to get the CLI to prompt for my MFA when using a profile that requires it. I don't believe #92 is completely resolved by this merge? Using 0.4.6

@brgaulin

brgaulin commented May 2, 2017

I am also not seeing a prompt for MFA when assuming the role; we should probably re-open #92.

@KoeSystems

We still have the same problem, so we opened a new issue, #284.

@PettitWesley
Contributor

PettitWesley commented Jul 28, 2017

@KoeSystems, @brgaulin, @rvangundy - please see my response in #284, and let us know if we still have not covered your use cases.

@PettitWesley
Contributor

@KoeSystems, @brgaulin, @rvangundy
Update: I realized that my response in #284 had not laid out how to use MFA with the ECS CLI to assume a role. I have added a new comment that very explicitly lays out the steps that must be performed. In addition, we have added improving the user experience with MFA as a feature request!
