Fugue User Credentials

Overview

The credentials file contains user credentials necessary to operate Fugue. The file is created during the install process.

Initially, the credentials file contains:

  • A default profile (named default-<AWS account ID>-<region>)
  • A secret
  • A root user

It might look like this:

[default-123456789012-us-east-1]
secret = E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=
user = root

The root user is enabled by default. The paid version of Fugue allows multiple users; see Fugue Features for details.

You may create a new profile with the fugue user set command. Using fugue user set --profile <profile> <user> <secret> switches to a new user profile, creating it if it does not exist.

Depending on your version of Fugue, your credentials file may be located in one of three directories. When you execute a command, Fugue first searches for credentials in a project-level directory, then in a user-level directory, and finally in a system-level directory.

In Mac and Linux systems, these directories are:

  1. The current working directory
  2. ~/.fugue/
  3. /etc/fugue/

In Windows (PowerShell), these directories are:

  1. The current working directory
  2. $env:LocalAppData\Fugue\
  3. $env:ProgramData\Fugue\

Fugue will use the first file it finds in the search path described above.

The same search path applies to fugue.yaml. fugue.yaml and credentials may be located in the same directory or in separate directories.

Note: In earlier versions of Fugue the fields userId and userSecret were stored in the fugue.yaml file. Those fields are now stored in your current working directory in the credentials file as user and secret but correspond to the same values, they just vary based on your version of Fugue. Otherwise, Fugue will still check for these values in both the fugue.yaml file and the credentials file to maintain backwards compatibility.

For more information on configuring Fugue users, see Adding Users (RBAC).

Credentials and Environment Variables

Fugue supports supplying user credentials through environment variables:

  • FUGUE_USER_NAME
  • FUGUE_USER_SECRET

And a credential profile may be specified through the following environment variable:

  • FUGUE_USER_PROFILE

Fugue User Credentials vs. AWS Credentials

Fugue user credentials are not the same as AWS credentials.

Your AWS credentials authorize access to your Amazon Web Services account. Fugue searches for your AWS credentials in several places in order to install and communicate with the Fugue Conductor. When you’re setting up Fugue with the init command, the -p or --profile option instructs Fugue to use a given AWS credential profile.

Your Fugue user credentials enable use of Fugue. Fugue stores your user credentials in the credentials file and uses them to authorize Fugue CLI commands. When you’re switching Fugue users with fugue user set, the -p or --profile option instructs Fugue to switch to the user in the given profile.

Best Practices For Multiple Users

Keep Each User in a Separate Profile

For ease of switching users, it’s a best practice to keep each user in a separate profile. Since fugue user set overwrites a profile with that user’s credentials, keeping only one set of credentials in each profile prevents non-active credentials from being overwritten.

To create a profile, use fugue user set -p <profile> <user> <secret>. This sets the active user to <user> and saves it under the specified profile <profile>, creating the profile if it doesn’t exist.

For example, the following command creates an alice profile and switches to the alice user:

fugue user set --profile alice alice oSedQchb1aXaibzLdW7xOJEXAMPLEEXAMPLEEXAMPLE=

The credentials file might then look like this:

[default-123456789012-us-east-1]
secret = E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=
user = root

[alice]
secret = oSedQchb1aXaibzLdW7xOJEXAMPLEEXAMPLEEXAMPLE=
user = alice

Here, root credentials are saved under the default-<AWS account>-<region> profile, and alice credentials are saved under the alice profile.

Switching from alice to root would look like this, following the fugue user set --profile <profile> <user> <secret> format:

fugue user set --profile default-123456789012-us-east-1 root E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=

The root user is enabled by default. The paid version of Fugue allows multiple users; see Fugue Features for details.

Checking Which User is Active

If you’ve forgotten which Fugue user is active, you can look at fugue.yaml to see if there’s an entry under profile:

conductor:
  ami: ami-4e7fb134
  region: us-east-1
  secretsKeyId: alias/fugue/rbac/secrets
user:
  profile: alice

If no profile line exists, this means the user in the default profile is active.

Another way to check the active user is to issue any command with the -v verbose option set (e.g., fugue -v status). The CLI will print configuration info, including which user and profile is active, prior to executing the command.

-------------------------------Configuration Info-------------------------------
Fugue CLI Version: 1.18.5-4208-e4502ee6f4a2621078818528dfbd4a581fce2a69
Conductor AMI: ami-4e7fb134
Configuration File Path (symbolic links followed): /Users/main-user/projects/fugue.yaml
Conductor Region: us-east-1
Compositions Bucket: fugue-xxxxxxxxxxxx-us-east-1
Request Queue: fugue-demarc-requests
Response Table: fugue-cli-responses
Fugue User-Id: alice
Fugue Profile: alice
Fugue Credentials file: /Users/main-user/projects/credentials
--------------------------------------------------------------------------------

Replacing Lost Credentials

If you’ve lost the secret for a non-root user, you can execute the fugue policy generate-secret command to create a new secret. See example here.

If you’ve lost the root user credentials, you can execute the fugue support reset-secret command to generate a new secret. See example here.