When Weep is started in IMDS emulation mode, perform a reachability test on 169.254.169.254:80 to verify routing is configured properly. If the self-test fails, print a warning/error message with information on how to configure routing correctly.

There's some plumbing that needs to be done to let Weep run as a Windows service. More info can be found in this StackOverflow answer.

Each time the ECS container credential provider starts, print out the exact value that the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable should be set to. Optionally, implement a flag to set this environment variable when the local webserver starts up, and unset it when the server stops.

This may be an artifact of how netflix packages weep for debian, but:

$ weep serve &
time="2021-10-02T14:09:04-07:00" level=info msg="starting weep on 127.0.0.1:9091"

$ ps axf | grep weep
 708631 pts/0    Sl     0:00      |   \_ /home/[username]/.weep-cache/weep-binaries/current serve

leads to this less than informative output:

$ sudo netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9091          0.0.0.0:*               LISTEN      708631/current      

It would be nice if it set a more descriptive name.

We use pre-commit to run unit tests and Go linting. We want instructions to help new users with getting pre-commit configured locally.

Weep includes plist files that are meant to create persistent configurations to route 169.254.169.254:80 (the EC2 IMDS address) to 127.0.0.1:9091. The manual commands for these configurations seem to work correctly, but the plists do not make the configurations persist after a reboot.

(Theoretical) reproduction steps:

1. Follow the documentation steps (i.e. place the plist files in /Library/LaunchDaemons and reboot)
2. Attempt to curl http://169.254.169.254/latest/meta-data/iam/security-credentials

The output of weep list is sent to stderr but should be sent to stdout.

Print the account name as part of the weep list output to help users pick the right account. This will require API changes in ConsoleMe.

Add a command to let users call a command using the credentials provided by weep.

Example usage:

# this command would get credentials for test_role then call `aws sts get-caller-identity` 
# with the credentials set as environment variables
weep cmd test_role aws sts get-caller-identity

# this command would get credentials for test_role, get assume role credentials for other_role,
# then call `aws sts get-caller-identity` with the credentials set as environment variables
weep cmd test_role --assume-role arn:aws:iam::123456789012:role/other_role aws sts get-caller-identity

Weep should cache credentials to a database file so we can make fewer calls to ConsoleMe for new creds.

When running weep file role_name, or weep credential_process, Weep should create the ~/.aws directory if it doesn't already exist

ec2-user@Mac-mini ~ % weep file role_name Error: open /Users/ec2-user/.aws/credentials: no such file or directory Usage:...

There is no -g option for the set command in Bash 5.1 on mac:

This is what worked for me when executing from the bash script:

cmd=$(weep export arn:aws:iam::123:/aaa/sss)
cmd=${cmd//"set -gx"/"export"}
cmd=${cmd//" \""/=\"}
eval $cmd

As you see, I changed the output to:

export NAME=VALUE

format. It would be great if we could get such output as well.

When running a weep command with challenge mode configured, weep will not honor SIGINT while it is polling for the challenge status.

I also noticed that when I compiled Weep for a special domain, I provided an embedded configuration with my username. If I take out the username, compile, and use it, Weep asks me what username I want to use. However it doesn't seem to persist this in a local configuration

We don't know how Powershell completion is supposed to work, so anyone with a Windows machine and a bit of patience can help us out by fixing the Powershell help text in cmd/completion.go.

Add a weep whoami command that runs aws sts get-caller-identity as a convenience for folks who don't want to type all that nonsense. Potentially include additional information about the current principal.

Look at the following example:

aws --profile foo sts get-caller-identity
eval $(weep export arn:aws:iam::123:role/PowerUser)

It would be great if we could use the profile name for weep instead of the ARN. This information is stored in ~/.aws/config, it is easy to parse (configparser style).

The usage could look like:

weep export foo

or, better

weep export --profile foo

Certain current and future weep commands could be useful apart from retrieving credentials from ConsoleMe. For example:

• the ecs_credential_provider could accept a profile name and serve credentials from the AWS Shared Credentials file, e.g. AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:9091/ecs/profile/test_profile
• the assume role functionality could be used with credentials in environment variables/shared credentials file, e.g. weep export --from-env -a arn:aws:iam::123456789012:role/other_role or weep export --from-profile test_profile -a arn:aws:iam::123456789012:role/other_role

The UX will need some ironing out to make it more intuitive, but hopefully this captures the spirit well enough.