
Trying to google something for Goland vs Golang is proving to be quite hard. Everything I am searching seems to come back for code or switching profiles. That is all already handled.

I had a project that was taking in JSON and processing the data. I was able to use the run and debug button to build and debug my Go code with the default configuration.

[Image: the buttons]

That changed: I am now pulling data files from S3, and that requires authentication to AWS, which we use aws-vault for.

The issue I am running into is that in this configuration there are no additional settings. There is a checkbox to Run after build but no way for me to say Run with aws-vault.

[Image: the run config]

Now I have to uncheck Run after build and add the flag

-gcflags="-N -l" -o app

and then attach to that process with Shift + Option + fn + F5.

What I am looking for is being able to run aws-vault exec user -- go ... within the IDE so I do not have a build step, a run step and then manually attaching to the process.

nerdlyist

1 Answer


Figured out at least what I feel is a better solution that allows you to run any code (including CLI) that is using an AWS SDK.

I am on a Mac so osascript works for me, but the prompt can be whatever your OS supports. Or if you have a YubiKey you can use prompt=ykman.

In ~/.aws there are 2 files, config and credentials; these tell the SDK how to auth.

To start, in ~/.aws/config there is a profile for each role that is needed. Default is a role that you assume; all the others are ones that the code would escalate to.

[default]
output=json
region=<your region>
mfa_serial=arn:aws:iam::<you>

[profile dev-base]
source_profile=default
role_arn=arn:aws:iam::<account to escalate to>

[profile staging-base]
source_profile = default
role_arn = arn:aws:iam::<account to escalate to>

[dev]
region = <your region>

[staging]
region = <your region>

Note: one oddity is that I had to put the role in this file with the region so that the role exists.

This may not be needed if you are not using Java. You could put the full role in the previous file (but I also use Java, so this is my setup).

In ~/.aws/credentials:

[dev]
ca_bundle = /Users/<username>/.aws/cert.pem
credential_process=aws-vault exec dev-base -j --prompt=osascript

[staging]
ca_bundle = /Users/<username>/.aws/cert.pem
credential_process=aws-vault exec master-base -j --prompt=osascript

Note: An oddity here is that ca_bundle is specified. Something in golang was not happy with using the AWS_CA_BUNDLE and this appears to work.

Now when the code is run, a pop-up displays asking for an MFA token.

Also, when running any AWS CLI command you can use the --profile that you want to use, i.e. aws s3 ls --profile dev, and the pop-up will appear.

Editing these files manually when using aws-vault might not be the best way to do it, but at the moment this is how we manage them and this seems to give the best workflow.

nerdlyist
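The -j flag on the credential_process lines in the answer above makes aws-vault print the credentials as a JSON document that the SDK reads from stdout. As an added example (not part of the original answer), this Go helper checks a captured output against that documented shape; checkProcessOutput is a hypothetical name, the sample values are constructed, and rejecting a missing Expiration is the example's own choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// processCreds mirrors the JSON a credential_process command prints on stdout.
type processCreds struct {
	Version                                    int
	AccessKeyId, SecretAccessKey, SessionToken string
	Expiration                                 string // RFC 3339 timestamp
}

// checkProcessOutput (hypothetical helper) validates captured output and
// returns the remaining lifetime at time now. Rejecting a missing Expiration
// is this example's own policy for MFA role sessions, not an SDK rule.
func checkProcessOutput(out []byte, now time.Time) (time.Duration, error) {
	var c processCreds
	if err := json.Unmarshal(out, &c); err != nil {
		return 0, fmt.Errorf("stdout is not JSON: %w", err)
	}
	if c.Version != 1 {
		return 0, fmt.Errorf("unsupported Version %d", c.Version)
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return 0, errors.New("missing AccessKeyId or SecretAccessKey")
	}
	if c.Expiration == "" {
		return 0, errors.New("no Expiration field")
	}
	exp, err := time.Parse(time.RFC3339, c.Expiration)
	if err != nil {
		return 0, fmt.Errorf("bad Expiration: %w", err)
	}
	if !exp.After(now) {
		return 0, errors.New("credentials already expired")
	}
	return exp.Sub(now), nil
}

// Constructed sample output; every value is a placeholder, not a real credential.
const sample = `{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed","SessionToken":"constructed","Expiration":"2030-01-01T12:00:00Z"}`

func main() {
	fmt.Println(checkProcessOutput([]byte(sample), time.Date(2030, 1, 1, 11, 0, 0, 0, time.UTC)))
}
```

A failure at the first check usually means something other than the JSON document, such as a terminal prompt, was written to stdout.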