This repository has been archived by the owner on Feb 11, 2022. It is now read-only.

Allow getting credentials from environment variables #33

Merged (1 commit), Apr 9, 2013


kamalmarhubi
Contributor

Amazon's EC2 tools use the environment variables AWS_ACCESS_KEY and
AWS_SECRET_KEY to store credentials. This commit allows vagrant-aws to
get credentials in the same way, reducing the risk of leaking them by
removing the need to store them in the Vagrantfile.

NB: This is the first time I have ever written any Ruby, so some style or organisation changes might be needed on the tests.

@johntdyer

@kmrhb You can just put them in your Vagrantfile in your ~/.vagrant.d directory. That way you don't have to commit them in your project's Vagrantfile.

More info: #1

@kamalmarhubi
Contributor Author

@johntdyer good to know. Just found out about the config merging in vagrant. I thought I'd been through all the docs in the past, but I guess not.

I know vagrant-aws is pretty new, so things like documentation aren't final yet. I think it would be good to highlight this in the README, as putting your AWS keys in a file in your project directory is just asking for trouble at some point. The better alternative should be mentioned right away.

I still think there is value in getting the credentials from the environment. In my setup, my secret key is stored encrypted in my keychain on OS X. I run a bash command to load the keys into my environment for when I want to use EC2 commands. This way my credentials are never stored unencrypted on my filesystem, and I can control which processes I run can see them.

@englishm

englishm commented Apr 9, 2013

For what it's worth, I do both: I load keys from ENV in ~/.vagrant.d/Vagrantfile.

This is what I use currently:

# -*- mode: ruby -*-
# vi: set ft=ruby :

if ENV['PERSONAL'] 
  aws_access_key_id = ENV['AWS_ACCESS_KEY_ID']
  aws_secret_access_key = ENV['AWS_SECRET_ACCESS_KEY']
  aws_keypair_name = "vagrant"
  aws_ssh_private_key_path = "~/.ssh/aws/vagrant.pem"
else
  # Use 'Vagrant' IAM user on AO's AWS Account
  aws_access_key_id = ENV['AO_AWS_ACCESS_KEY_ID']
  aws_secret_access_key = ENV['AO_AWS_SECRET_ACCESS_KEY']
  aws_keypair_name = "ao_vagrant"
  aws_ssh_private_key_path = "~/.ssh/aws/ao_vagrant.pem"
end


Vagrant.configure("2") do |config|
  config.vm.provider :aws do |aws|
    aws.access_key_id = aws_access_key_id
    aws.secret_access_key = aws_secret_access_key
    aws.keypair_name = aws_keypair_name
    aws.ssh_private_key_path = aws_ssh_private_key_path
    aws.security_groups = ["vagrant"]
    aws.ssh_username = "ubuntu"
  end
end

By setting or unsetting $PERSONAL I switch whether Vagrant will launch instances on my personal AWS account or @atomicobject's AWS account. I also set aws.ssh_username to "ubuntu" because that's what the AMIs I use most frequently require. If I'm using something else, I can override aws.ssh_username in the local project Vagrantfile. It's also worth noting that both sets of keys are for IAM users I created specifically for use with Vagrant - I'm not using the keys for the main admin account.

@mitchellh
Owner

Although you can do this in the Vagrantfile, I'm okay with merging this in since it is the normal expected EC2 behavior. Merging! Thanks.

mitchellh added a commit that referenced this pull request Apr 9, 2013
Allow getting credentials from environment variables
@mitchellh mitchellh merged commit 78feb81 into mitchellh:master Apr 9, 2013
@optimuspaul

This is cool, but isn't the standard AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY?

@markrebec

This may or may not be relevant for what you're trying to do, but I like to use the dotenv gem as a vagrant plugin (vagrant plugin install dotenv) along with .env files for setting environment variables, particularly since I'm generally already using dotenv in most of my ruby projects to begin with. I commit the env file(s) with some safe/sane defaults, excluding any sensitive keys or credentials of course, and then you just make sure your env vars/file(s) are filled in as part of your initial checkout of the project.
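
An added example, not code from this pull request or from vagrant-aws: a Ruby helper a Vagrantfile could call to read credentials from either pair of variable names mentioned in this thread, failing closed when a pair is only half set. The names `resolve_aws_credentials`, `redact`, `CONVENTIONS` and `MissingCredentials` are assumptions, and the sample values are constructed.

```ruby
# Added example: resolve AWS credentials from the environment only.
# All helper names here are hypothetical, not part of vagrant-aws.
CONVENTIONS = [
  # Names used by Amazon's EC2 tools, per the pull request description.
  { access: "AWS_ACCESS_KEY",    secret: "AWS_SECRET_KEY" },
  # Names raised later in the thread.
  { access: "AWS_ACCESS_KEY_ID", secret: "AWS_SECRET_ACCESS_KEY" },
].freeze

class MissingCredentials < StandardError; end

def present?(value)
  !value.nil? && !value.strip.empty?
end

# Returns [access_key_id, secret_access_key] from the first convention that
# supplies BOTH values. A half-set pair raises instead of falling through
# (a choice made for this example), so an access key is never combined
# with a secret that belongs to a different pair.
def resolve_aws_credentials(env = ENV)
  CONVENTIONS.each do |names|
    access = env[names[:access]]
    secret = env[names[:secret]]
    return [access, secret] if present?(access) && present?(secret)
    if present?(access) || present?(secret)
      raise MissingCredentials,
            "#{names[:access]} and #{names[:secret]} must be set together"
    end
  end
  wanted = CONVENTIONS.map { |n| n.values.join(" + ") }.join(" or ")
  raise MissingCredentials, "no AWS credentials in environment (set #{wanted})"
end

# Form that is safe to print or log: only the last four characters survive.
def redact(value)
  return "*" * value.length if value.length <= 4
  ("*" * (value.length - 4)) + value[-4, 4]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environment; these are not real credentials.
  sample = { "AWS_ACCESS_KEY_ID"     => "EXAMPLE-ACCESS-KEY-ID",
             "AWS_SECRET_ACCESS_KEY" => "constructed-secret-0000" }
  access, secret = resolve_aws_credentials(sample)
  puts "access key id: #{access}"
  puts "secret key:    #{redact(secret)}"
end
```

The error messages name the variables that are expected but never include a value, so a failed `vagrant up` does not print a key into the terminal or CI log.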
