Read AWS credentials from disk (#14382)

Other programs can read the AWS key and secret from ~/.aws/credentials
(or other configuration file), and with this change Algo can as well.

Optional environment variables: AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE

The file is not read if the credentials are already set as an Ansible
variable or an environment variable.

roles/cloud-ec2/tasks/discover-credentials.yml

@@ -0,0 +1,35 @@
+---
+- name: "Find AWS profile and credentials file"
+  block:
+  - set_fact:
+      aws_credentials_path: "{{ lookup('env', 'HOME') }}/.aws/credentials"
+
+  - set_fact:
+      aws_credentials_path: "{{ lookup('env', 'AWS_SHARED_CREDENTIALS_FILE') }}"
+    when:
+      - lookup('env', 'AWS_SHARED_CREDENTIALS_FILE')|length > 0
+  - debug: var=aws_credentials_path
+
+  - set_fact:
+      aws_profile_id: "default"
+
+  - set_fact:
+      aws_profile_id: "{{ lookup('env', 'AWS_PROFILE') }}"
+    when:
+      - lookup('env', 'AWS_PROFILE')|length > 0
+
+- name: "Look up AWS credentials"
+  block:
+  - set_fact:
+      aws_access_key: "{{ lookup('ini', 'aws_access_key_id', section=aws_profile_id, file=aws_credentials_path) }}"
+    ignore_errors: true
+    when:
+      - aws_access_key is undefined
+      - lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0
+
+  - set_fact:
+      aws_secret_key: "{{ lookup('ini', 'aws_secret_access_key', section=aws_profile_id, file=aws_credentials_path) }}"
+    ignore_errors: true
+    when:
+      - aws_secret_key is undefined
+      - lookup('env', 'AWS_SECRET_ACCESS_KEY')|length <= 0

roles/cloud-ec2/tasks/main.yml

@@ -2,6 +2,9 @@
 - name: Build python virtual environment
   import_tasks: venv.yml
 
+- name: Include credential discovery
+  import_tasks: discover-credentials.yml
+
 - name: Include prompts
   import_tasks: prompts.yml
 

tests/.aws/credentials

@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id=example_key
+aws_secret_access_key=example_secret

tests/.aws/credentials2

@@ -0,0 +1,7 @@
+[default]
+aws_access_key_id=WRONG
+aws_secret_access_key=WRONG
+
+[profile1]
+aws_access_key_id=example_key
+aws_secret_access_key=example_secret

tests/aws-credentials.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# command line credentials should still work:
+ansible-playbook tests/validate-aws-credentials.yml \
+	-e aws_access_key=example_key \
+	-e aws_secret_key=example_secret
+
+# command line credentials should override config files:
+ansible-playbook tests/validate-aws-credentials.yml \
+	-e aws_access_key=example_key \
+	-e aws_secret_key=example_secret
+
+# In this case the config file is bad but the command line should win:
+AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" \
+	ansible-playbook tests/validate-aws-credentials.yml \
+	-e aws_access_key=example_key \
+	-e aws_secret_key=example_secret
+
+# should read from the config file in tests/.aws:
+HOME="$PWD/tests" \
+	ansible-playbook tests/validate-aws-credentials.yml
+
+AWS_SHARED_CREDENTIALS_FILE="$PWD/tests/.aws/credentials2" AWS_PROFILE=profile1 \
+	ansible-playbook tests/validate-aws-credentials.yml

tests/validate-aws-credentials.yml

@@ -0,0 +1,7 @@
+- name: test
+  hosts: localhost
+  tasks:
+    - include_tasks: ../roles/cloud-ec2/tasks/discover-credentials.yml
+    - assert: { that: "aws_access_key == 'example_key'" }
+    - assert: { that: "aws_secret_key == 'example_secret'" }
+