Use "default" profile for file credentials by default (#20)

README.md

@@ -143,7 +143,8 @@ Then run `aws sts get-caller-identity` to confirm that your credentials work pro
 
 ### Credentials file
 
-Write retrieved credentials to an AWS credentials file (`~/.aws/credentials` by default with the profile name `consoleme`).
+Write retrieved credentials to an AWS credentials file (`~/.aws/credentials` by default).
+Weep will prompt for confirmation before overwriting existing credentials in the file.
 
 ```bash
 weep file exampleRole
@@ -152,11 +153,13 @@ weep file exampleRole
 weep file stagingRole --profile staging
 weep file prodRole --profile prod
 
+# don't prompt before overwriting existing creds
+weep file prodRole --profile prod -f
+
 # or you can save it to a different place
 weep file exampleRole -o /tmp/credentials
 ```
 
-Weep will do its best to preserve existing credentials in the file (but it will overwrite a conflicting profile name, so be careful!).
 
 ### Credentials Process
 The AWS CLI can source credentials from weep using the `credential_process` configuration which can be defined for a

cmd/file.go

@@ -32,7 +32,8 @@ import (
 func init() {
 	fileCmd.PersistentFlags().BoolVarP(&noIpRestrict, "no-ip", "n", false, "remove IP restrictions")
 	fileCmd.PersistentFlags().StringVarP(&destination, "output", "o", getDefaultCredentialsFile(), "output file for credentials")
-	fileCmd.PersistentFlags().StringVarP(&profileName, "profile", "p", "consoleme", "profile name")
+	fileCmd.PersistentFlags().StringVarP(&profileName, "profile", "p", "default", "profile name")
+	fileCmd.PersistentFlags().BoolVarP(&force, "force", "f", false, "overwrite existing profile without prompting")
 	rootCmd.AddCommand(fileCmd)
 }
 
@@ -78,6 +79,17 @@ func getDefaultAwsConfigFile() string {
 	return path.Join(home, ".aws", "config")
 }
 
+func shouldOverwriteCredentials() bool {
+	if force {
+		return true
+	}
+	userForce, err := util.PromptBool(fmt.Sprintf("Overwrite %s profile?", profileName))
+	if err != nil {
+		return false
+	}
+	return userForce
+}
+
 func writeCredentialsFile(credentials consoleme.AwsCredentials) error {
 	var credentialsINI *ini.File
 	var err error
@@ -95,6 +107,14 @@ func writeCredentialsFile(credentials consoleme.AwsCredentials) error {
 		credentialsINI = ini.Empty()
 	}
 
+	if _, err := credentialsINI.GetSection(profileName); err == nil {
+		// section already exists, should we overwrite?
+		if !shouldOverwriteCredentials() {
+			// user says no, so we'll just bail out
+			return fmt.Errorf("not overwriting %s profile", profileName)
+		}
+	}
+
 	credentialsINI.Section(profileName).Key("aws_access_key_id").SetValue(credentials.AccessKeyId)
 	credentialsINI.Section(profileName).Key("aws_secret_access_key").SetValue(credentials.SecretAccessKey)
 	credentialsINI.Section(profileName).Key("aws_session_token").SetValue(credentials.SessionToken)

cmd/root.go

@@ -23,6 +23,8 @@ import (
 	"runtime"
 	"strings"
 
+	"github.com/netflix/weep/util"
+
 	"github.com/mattn/go-isatty"
 
 	"github.com/mitchellh/go-homedir"
@@ -82,7 +84,7 @@ func initConfig() {
 		if _, ok := err.(viper.ConfigFileNotFoundError); ok && config.EmbeddedConfigFile != "" {
 			log.Debugf("no config file found, trying to use embedded config")
 		} else if isatty.IsTerminal(os.Stdout.Fd()) {
-			err = config.FirstRunPrompt()
+			err = util.FirstRunPrompt()
 			if err != nil {
 				log.Fatalf("config bootstrap failed: %v", err)
 			}

cmd/vars.go

@@ -21,6 +21,7 @@ var (
 	profileName        string
 	destination        string
 	destinationConfig  string
+	force              bool
 	noIpRestrict       bool
 	metadataRegion     string
 	metadataListenAddr string

config/config.go

@@ -16,6 +16,16 @@
 
 package config
 
+import "github.com/spf13/viper"
+
+func init() {
+	// Set default configuration values here
+	viper.SetDefault("mtls_settings.old_cert_message", "mTLS certificate is too old, please refresh mtls certificate")
+	viper.SetDefault("server.http_timeout", 20)
+	viper.SetDefault("server.metadata_port", 9090)
+	viper.SetDefault("server.ecs_credential_provider_port", 9091)
+}
+
 var (
 	Config WeepConfig
 )

config/bootstrap.go → util/prompt.go

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package config
+package util
 
 import (
 	"errors"
@@ -24,18 +24,9 @@ import (
 
 	"github.com/manifoldco/promptui"
 	"github.com/mitchellh/go-homedir"
-	"github.com/netflix/weep/util"
 	"github.com/spf13/viper"
 )
 
-func init() {
-	// Set default configuration values here
-	viper.SetDefault("mtls_settings.old_cert_message", "mTLS certificate is too old, please refresh mtls certificate")
-	viper.SetDefault("server.http_timeout", 20)
-	viper.SetDefault("server.metadata_port", 9090)
-	viper.SetDefault("server.ecs_credential_provider_port", 9091)
-}
-
 // FirstRunPrompt gets user input to bootstrap a bare-minimum configuration.
 func FirstRunPrompt() error {
 	fmt.Println("Welcome to weep, the ConsoleMe CLI!")
@@ -55,31 +46,31 @@ func FirstRunPrompt() error {
 	viper.Set("authentication_method", authMethod)
 
 	if authMethod == "mtls" {
-		cert, err := promptFilePath("mTLS certificate path", "")
+		cert, err := PromptFilePath("mTLS certificate path", "")
 		if err != nil {
 			return err
 		}
 		viper.Set("mtls_settings.cert", cert)
 
-		key, err := promptFilePath("mTLS key path", "")
+		key, err := PromptFilePath("mTLS key path", "")
 		if err != nil {
 			return err
 		}
 		viper.Set("mtls_settings.key", key)
 
-		ca, err := promptFilePath("mTLS CA bundle path", "")
+		ca, err := PromptFilePath("mTLS CA bundle path", "")
 		if err != nil {
 			return err
 		}
 		viper.Set("mtls_settings.cafile", ca)
 
-		insecure, err := promptBool("Skip validation of mTLS hostname?")
+		insecure, err := PromptBool("Skip validation of mTLS hostname?")
 		if err != nil {
 			return err
 		}
 		viper.Set("mtls_settings.insecure", insecure)
 	} else if authMethod == "challenge" {
-		challengeUser, err := promptString("ConsoleMe username")
+		challengeUser, err := PromptString("ConsoleMe username")
 		if err != nil {
 			return err
 		}
@@ -91,7 +82,7 @@ func FirstRunPrompt() error {
 		return err
 	}
 	defaultConfig := path.Join(home, ".weep.yaml")
-	saveLocation, err := promptFilePathNoValidate("Config destination", defaultConfig)
+	saveLocation, err := PromptFilePathNoValidate("Config destination", defaultConfig)
 	if err != nil {
 		return err
 	}
@@ -140,9 +131,9 @@ func promptAuthMethod() (string, error) {
 	return result, nil
 }
 
-func promptFilePath(label, defaultValue string) (string, error) {
+func PromptFilePath(label, defaultValue string) (string, error) {
 	validateFile := func(input string) error {
-		if util.FileExists(input) {
+		if FileExists(input) {
 			return nil
 		} else {
 			return fmt.Errorf("file not found: %s", input)
@@ -163,7 +154,7 @@ func promptFilePath(label, defaultValue string) (string, error) {
 	return result, nil
 }
 
-func promptFilePathNoValidate(label, defaultValue string) (string, error) {
+func PromptFilePathNoValidate(label, defaultValue string) (string, error) {
 	prompt := promptui.Prompt{
 		Label:   label,
 		Default: defaultValue,
@@ -178,7 +169,7 @@ func promptFilePathNoValidate(label, defaultValue string) (string, error) {
 	return result, nil
 }
 
-func promptBool(label string) (bool, error) {
+func PromptBool(label string) (bool, error) {
 	prompt := promptui.Select{
 		Label: label,
 		Items: []string{"true", "false"},
@@ -193,7 +184,7 @@ func promptBool(label string) (bool, error) {
 	return index == 0, nil
 }
 
-func promptString(label string) (string, error) {
+func PromptString(label string) (string, error) {
 	prompt := promptui.Prompt{
 		Label: label,
 	}