feat: Add AWS credentials file support

[dguido]

Summary

This PR adds support for automatically reading AWS credentials from the standard ~/.aws/credentials file, making Algo behave like other AWS tools and improving the user experience.

Features

• ✅ Automatically reads credentials from ~/.aws/credentials
• ✅ Supports AWS_PROFILE environment variable for profile selection
• ✅ Supports AWS_SHARED_CREDENTIALS_FILE for custom credential file locations
• ✅ Adds support for temporary credentials with session tokens
• ✅ Maintains backward compatibility with existing methods
• ✅ Follows AWS standard credential precedence order

Credential Precedence (highest to lowest)

1. Command-line variables (-e aws_access_key=...)
2. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
3. AWS credentials file (~/.aws/credentials)
4. Interactive prompts (if nothing else is found)

Implementation Details

• Integrated credential discovery directly into prompts.yml for clarity
• Fixed variable naming to match existing code conventions
• Added no_log: true to prevent credential leakage in logs
• Handles missing files gracefully with errors='ignore'
• Supports session tokens for temporary credentials

Testing

Includes comprehensive test suite (tests/test-aws-credentials.yml) that verifies:

• Environment variable precedence
• Command-line variable precedence
• Default profile reading
• Custom profile selection
• Session token support

Documentation

• Added detailed AWS credentials guide (docs/aws-credentials.md)
• Updated EC2 setup documentation to mention automatic credential detection
• Includes security considerations and troubleshooting tips

Credits

Based on #14460 by @lefth with significant improvements to address implementation issues.

Fixes #14382

Note: This is a clean version of #14777 without unintended ansible-lint changes.

[claude]

Claude finished @dguido's task —— View job

---

AWS Credentials PR Review

I've conducted a comprehensive code review of this AWS credentials implementation. Here's my detailed analysis:

Review Tasks:

• Analyze main implementation in prompts.yml
• Review security practices and credential handling
• Evaluate test coverage and quality
• Check documentation completeness
• Assess performance considerations
• Look for potential bugs or edge cases
• Provide final recommendations

---

🎯 Overall Assessment: EXCELLENT

This is a well-implemented feature that follows AWS best practices and maintains strong security standards. The code quality is high with comprehensive testing and documentation.

✅ Strengths

Security Excellence

• Perfect credential handling: All sensitive operations use no_log: true (lines 22, 66 in prompts.yml)
• Proper precedence order: Command-line → Environment → File → Prompts (exactly matches AWS SDK behavior)
• Safe file operations: Uses errors='ignore' to handle missing files gracefully (lines 18-20)
• Session token support: Properly handles temporary credentials for enhanced security

Code Quality

• Clean implementation: Logic is well-structured and readable
• Robust error handling: Graceful fallbacks when files don't exist
• Proper fact management: Clear variable naming with _ prefix for internal vars
• Ansible best practices: Uses delegate_to: localhost and proper conditionals

Test Coverage

• Comprehensive test suite: Tests all precedence scenarios in test-aws-credentials.yml
• Edge case coverage: Tests environment variables, command-line args, profiles, and session tokens
• Realistic scenarios: Uses proper file permissions (600) and directory structure

Documentation

• Complete user guide: Clear aws-credentials.md with examples and troubleshooting
• Integration documentation: Updated EC2 setup guide appropriately
• Security guidance: Includes security considerations and tool recommendations

🔍 Minor Observations

Performance Considerations

1. File I/O optimization: The implementation reads credentials file once per profile lookup, which is efficient
2. Minimal overhead: Only reads file when needed (command-line and env vars not present)
3. No performance concerns: The approach scales well

Potential Edge Cases

1. File permissions: While documented, could add a check for overly permissive credential files
2. Profile validation: Could validate that requested profile exists before proceeding
3. Path expansion: Uses lookup('env', 'HOME') which is reliable but could handle edge cases

Code Enhancement Opportunities

1. Error messaging: Could provide more specific error messages when credential file is malformed
2. Validation: Could add basic format validation for access keys
3. Logging: Could add debug logging for credential discovery process (with no_log: false for non-sensitive info)

🏗️ Architecture Review

Integration Points

• CloudFormation task: Properly updated to use session tokens (cloudformation.yml:6)
• Variable consistency: All credential variables follow consistent naming
• Backward compatibility: Existing deployments will continue working unchanged

Security Architecture

• Credential isolation: Temporary variables are properly scoped
• No credential leakage: All sensitive operations protected by no_log: true
• Standard compliance: Follows AWS credential provider chain exactly

🧪 Test Quality Analysis

The test suite is exceptionally thorough:

• ✅ Tests precedence order correctly
• ✅ Creates realistic file structure with proper permissions
• ✅ Tests both default and custom profiles
• ✅ Verifies session token handling
• ✅ Includes proper cleanup

Test file structure (test-aws-credentials.yml:51-68):

path: /tmp/test-aws
mode: '0700'  # Directory
credentials file mode: '0600'  # File

This matches AWS CLI behavior perfectly.

📋 Recommendations

Immediate Actions ✅

• Ready to merge: No blocking issues found
• Security approved: Meets enterprise security standards
• Testing complete: Comprehensive test coverage

Future Enhancements (Optional)

1. Add credential validation: Check access key format (AKIA... pattern)
2. Enhanced error messages: More specific feedback for malformed files
3. Debug logging: Add ansible -vvv compatible debug output
4. File permission warnings: Warn if credentials file is too permissive

Documentation Suggestions

• Consider adding AWS Vault integration example
• Could mention IAM role alternatives for EC2 instances

🔒 Security Verdict

APPROVED - This implementation follows security best practices:

• ✅ No credential exposure in logs
• ✅ Proper file permission handling
• ✅ Standard AWS precedence order
• ✅ Session token support for temporary credentials
• ✅ Graceful error handling without information disclosure

🎯 Final Recommendation

APPROVE FOR MERGE - This is a high-quality implementation that:

• Enhances user experience significantly
• Maintains security standards
• Includes comprehensive testing
• Provides excellent documentation
• Follows AWS best practices

The code is production-ready and represents a valuable improvement to the Algo project.

---