Add support for STS users

aws-throwaway/Cargo.toml

@@ -9,12 +9,13 @@ description = "An aws-sdk wrapper to spin up temporary resources."
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-use_sdk = ["aws-sdk-ec2", "aws-sdk-iam", "aws-config"]
+use_sdk = ["aws-sdk-ec2", "aws-sdk-iam", "aws-sdk-sts", "aws-config"]
 default = ["use_sdk"]
 
 [dependencies]
 aws-sdk-ec2 = { version = "1.1.0", optional = true }
 aws-sdk-iam = { version = "1.1.0", optional = true }
+aws-sdk-sts = { version = "1.1.0", optional = true }
 aws-config = { version = "1.0.0", optional = true }
 russh = "0.40.0"
 russh-keys = "0.40.0"

aws-throwaway/src/backend/cli/mod.rs

@@ -226,7 +226,8 @@ impl Aws {
                 let result: SecurityGroup = run_command(&command).await.unwrap();
                 tracing::info!("created security group");
 
-                let mut futures = FuturesUnordered::<Pin<Box<dyn Future<Output = ()>>>>::new();
+                let mut futures =
+                    FuturesUnordered::<Pin<Box<dyn Future<Output = ()> + Send>>>::new();
                 futures.push(Box::pin(Aws::create_ingress_rule_internal(tags, name)));
                 if !ports.contains(&22) {
                     // SSH
@@ -612,7 +613,7 @@ sudo systemctl start ssh
             "--block-device-mappings",
             &block_device_mappings,
         ];
-        let value;
+        let mut value = vec![];
         if definition.network_interface_count == 1 {
             command.push("--subnet-id");
             command.push(&self.subnet_id);
@@ -621,18 +622,18 @@ sudo systemctl start ssh
             command.push("--security-group-ids");
             command.push(&self.security_group_id);
         } else {
-            command.push("--networking-interfaces");
-            value = (0..definition.network_interface_count)
-                .map(|i| {
-                    format!(
-                        "DeleteOnTermination=true,AssociatePublicIpAddress=false,DeviceIndex={i},Groups={},SubnetId={},Description={i}",
-                        &self.security_group_id,
-                        &self.subnet_id
-                    )
-                })
-                .collect::<Vec<_>>()
-                .join(",");
-            command.push(&value);
+            command.push("--network-interfaces");
+            for i in 0..definition.network_interface_count {
+                value.push(format!(
+                    "DeleteOnTermination=true,AssociatePublicIpAddress=false,DeviceIndex={i},Groups={},SubnetId={},Description={i}",
+                    &self.security_group_id,
+                    &self.subnet_id
+                ));
+            }
+            // lifetimes workaround
+            for value in &value {
+                command.push(value)
+            }
         }
 
         let result: RunInstancesResponse = run_command(&command).await.unwrap();
@@ -750,8 +751,24 @@ sudo systemctl start ssh
 }
 
 async fn user_name() -> String {
-    let GetUser::User { user_name } = run_command(&["iam", "get-user"]).await.unwrap();
-    user_name
+    match iam_user_name().await {
+        Ok(name) => name,
+        Err(err) => {
+            tracing::debug!("Failed to run iam get-user, falling back to STS, error was: {err:?}");
+            sts_user_id().await
+        }
+    }
+}
+
+async fn iam_user_name() -> Result<String> {
+    let IamGetUser::User { user_name } = run_command(&["iam", "get-user"]).await?;
+    Ok(user_name)
+}
+
+async fn sts_user_id() -> String {
+    let StsGetCallerIdentity { user_id } =
+        run_command(&["sts", "get-caller-identity"]).await.unwrap();
+    user_id
 }
 
 async fn run_command_empty_response(args: &[&str]) -> Result<()> {
@@ -790,9 +807,15 @@ async fn run_command_string(args: &[&str]) -> Result<String> {
 }
 
 #[derive(serde::Deserialize)]
-enum GetUser {
+enum IamGetUser {
     User {
         #[serde(alias = "UserName")]
         user_name: String,
     },
 }
+
+#[derive(serde::Deserialize)]
+struct StsGetCallerIdentity {
+    #[serde(alias = "UserId")]
+    user_id: String,
+}

aws-throwaway/src/backend/sdk/aws.rs

@@ -160,7 +160,8 @@ impl Aws {
                     .unwrap();
                 tracing::info!("created security group");
 
-                let mut futures = FuturesUnordered::<Pin<Box<dyn Future<Output = ()>>>>::new();
+                let mut futures =
+                    FuturesUnordered::<Pin<Box<dyn Future<Output = ()> + Send>>>::new();
                 futures.push(Box::pin(Aws::create_ingress_rule_internal(
                     client, tags, name,
                 )));

aws-throwaway/src/backend/sdk/iam.rs

@@ -1,15 +1,38 @@
+use anyhow::Result;
 use aws_config::SdkConfig;
 
 pub async fn user_name(config: &SdkConfig) -> String {
+    match iam_user_name(config).await {
+        Ok(name) => name,
+        Err(err) => {
+            tracing::debug!("Failed to run iam get-user, falling back to STS, error was: {err:?}");
+            sts_user_id(config).await
+        }
+    }
+}
+
+pub async fn iam_user_name(config: &SdkConfig) -> Result<String> {
     let client = aws_sdk_iam::Client::new(config);
-    client
+    Ok(client
         .get_user()
         .send()
         .await
-        .map_err(|e| e.into_service_error())
-        .unwrap()
+        .map_err(|e| e.into_service_error())?
         .user()
         .unwrap()
         .user_name()
+        .to_string())
+}
+
+pub async fn sts_user_id(config: &SdkConfig) -> String {
+    let client = aws_sdk_sts::Client::new(config);
+    client
+        .get_caller_identity()
+        .send()
+        .await
+        .map_err(|e| e.into_service_error())
+        .unwrap()
+        .user_id()
+        .unwrap()
         .to_string()
 }