Merge pull request #327 from iamkirkbater/sts-fail-fast

fail fast on STS accounts attempting to rotate credentials
openshift · Feb 13, 2023 · 092594e · 092594e
2 parents 241ae25 + b8238f4
commit 092594e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/cmd/account/generate-secret.go b/cmd/account/generate-secret.go
@@ -28,7 +28,8 @@ func newCmdGenerateSecret(streams genericclioptions.IOStreams, flags *genericcli
 	ops := newGenerateSecretOptions(streams, flags, client)
 	generateSecretCmd := &cobra.Command{
 		Use:               "generate-secret <IAM User name>",
-		Short:             "Generate IAM credentials secret",
+		Short:             "Generates IAM credentials secret",
+		Long:              "When logged into a hive shard, this generates a new IAM credential secret for a given IAM user",
 		DisableAutoGenTag: true,
 		Run: func(cmd *cobra.Command, args []string) {
 			cmdutil.CheckErr(ops.complete(cmd, args))
@@ -139,6 +140,10 @@ func (o *generateSecretOptions) run() error {
 		} else {
 			return fmt.Errorf("account CR is missing AWS Account ID")
 		}
+
+		if account.Spec.ManualSTSMode {
+			return fmt.Errorf("Account %s is STS - No IAM User Credentials to Rotate", o.accountName)
+		}
 	} else {
 		accountID = o.accountID
 	}

diff --git a/cmd/account/rotate-secret.go b/cmd/account/rotate-secret.go
@@ -30,8 +30,9 @@ import (
 func newCmdRotateSecret(streams genericclioptions.IOStreams, flags *genericclioptions.ConfigFlags, client client.Client) *cobra.Command {
 	ops := newRotateSecretOptions(streams, flags, client)
 	rotateSecretCmd := &cobra.Command{
-		Use:               "rotate-secret <IAM User name>",
+		Use:               "rotate-secret <aws-account-cr-name>",
 		Short:             "Rotate IAM credentials secret",
+		Long:              "When logged into a hive shard, this rotates IAM credential secrets for a given `account` CR.",
 		DisableAutoGenTag: true,
 		Run: func(cmd *cobra.Command, args []string) {
 			cmdutil.CheckErr(ops.complete(cmd, args))
@@ -95,6 +96,9 @@ func (o *rotateSecretOptions) run() error {
 	if err != nil {
 		return err
 	}
+	if account.Spec.ManualSTSMode {
+		return fmt.Errorf("Account %s is STS - No IAM User Credentials to Rotate", o.accountCRName)
+	}
 
 	// Set the account ID
 	accountID = account.Spec.AwsAccountID