Fugue User Credentials

Overview

The credentials file contains the user credentials necessary to operate Fugue. The file is created during the install process. You can also configure Fugue credentials using environment variables.

Initially, the credentials file contains:

  • A default profile (named default-<AWS account ID>-<region>)
  • A secret
  • A root user

It might look like this:

[default-123456789012-us-east-1]
secret = E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=
user = root

The root user is enabled by default. The paid version of Fugue allows multiple users; see Fugue Features for details.

You may create a new profile with the fugue user set command. Using fugue user set --profile <profile> <user> <secret> switches to a new user profile, creating it if it does not exist.

Depending on your version of Fugue, your credentials file may be located in one of three directories. When you execute a command, Fugue first searches for credentials in a project-level directory, then in a user-level directory, and finally in a system-level directory.

In Mac and Linux systems, these directories are:

  1. The current working directory
  2. ~/.fugue/
  3. /etc/fugue/

In Windows (PowerShell), these directories are:

  1. The current working directory
  2. $env:LocalAppData\Fugue\
  3. $env:ProgramData\Fugue\

Fugue will use the first file it finds in the search path described above.

The same search path applies to fugue.yaml, if you configured Fugue with the init command. fugue.yaml and credentials may be located in the same directory or in separate directories.

Note: In earlier versions of Fugue, the fields userId and userSecret were stored in the fugue.yaml file. Those fields are now stored in your current working directory in the credentials file as user and secret. The field names vary based on your version of Fugue, but they correspond to the same values. The values can also be stored in environment variables. To maintain backwards compatibility, Fugue checks for these values in the fugue.yaml file, the credentials file, and environment variables.

For more information on configuring Fugue users, see Adding Users (RBAC).

Important Note on Permissions from Previous Versions of Fugue

For users who installed an earlier version of Fugue (version 2017.11.28-3 and older), your credentials file includes an outdated permissions setting.

Important Note: These warnings will only appear if you update the Fugue CLI; however, your credentials are still using outdated settings.

Any commands issued through the updated Fugue CLI will include the following warning:

$ fugue status
[ WARN ] Permissions set to 0610 for credentials file found at /Users/testuser/.fugue/credentials. Recommended settings are: 0600


Fugue Status Report for testuser/123456789 - Thu Mar 15 2018 2:35pm

State    Updated    Created    Account    FID/Alias    Flags    Last Message    Next Command
-------  ---------  ---------  ---------  -----------  -------  --------------  --------------
Nothing to see here. Go create something! :-)

Note: Due to formatting, commands issued using the --json flag will not include this message.

We recommend changing the permissions on your credentials file to the setting specified in the warning, 0600. You can update the permissions by issuing the following command:

chmod 0600 credentials

Failure to update the permissions will enable users with access to your computer to view your credentials.
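The search order and the 0600 recommendation can be checked together. The following script is an added example, not part of the Fugue CLI or the original documentation: it walks the Mac/Linux search path described earlier, marks the first credentials file found as active and any later ones as shadowed, and flags every file whose mode is not 600. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not Fugue code): audit credentials files on the documented
# Mac/Linux search path and flag any whose mode is not the recommended 0600.

# Octal mode of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Walk the search path in order: current directory, ~/.fugue/, /etc/fugue/.
# The first file found is the one Fugue uses; later ones are shadowed.
# Prints one line per file found: STATUS ROLE MODE PATH.
# Returns 1 if any file has a mode other than 600, 0 otherwise.
audit_fugue_credentials() {
    audit_role=active
    audit_rc=0
    for audit_dir in "$PWD" "${HOME:-}/.fugue" /etc/fugue; do
        audit_file="$audit_dir/credentials"
        [ -f "$audit_file" ] || continue
        audit_mode=$(file_mode "$audit_file")
        if [ "$audit_mode" = 600 ]; then
            audit_status=OK
        else
            audit_status=WARN
            audit_rc=1
        fi
        printf '%s %s %s %s\n' \
            "$audit_status" "$audit_role" "$audit_mode" "$audit_file"
        audit_role=shadowed
    done
    return "$audit_rc"
}

# Run the audit; on a finding, point at the fix the page recommends.
audit_fugue_credentials || echo "Fix WARN entries with: chmod 0600 <path>"
```

A WARN on a shadowed file still matters, because that file becomes the active one when a command is run from a directory that has no credentials file of its own.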

Credentials and Environment Variables

Fugue supports supplying user credentials through environment variables:

  • FUGUE_USER_NAME or FUGUE_USER_USERID
  • FUGUE_USER_SECRET or FUGUE_USER_USERSECRET

And a credential profile may be specified through the following environment variable:

  • FUGUE_USER_PROFILE

Note: If you configure Fugue using environment variables, the fugue user set command cannot be used, as there is no credentials file for the command to modify. Any changes to the designated user must be made through the environment variables.

Fugue User Credentials vs. AWS Credentials

Fugue user credentials are not the same as AWS credentials.

Your AWS credentials authorize access to your Amazon Web Services account. Fugue searches for your AWS credentials in several places in order to install and communicate with the Fugue Conductor. If you’re setting up Fugue with the init command, the -p or --profile option instructs Fugue to use a given AWS credential profile. If you’re setting up Fugue with environment variables, the FUGUE_AWS_CREDENTIALPROFILE environment variable does the same thing.

Your Fugue user credentials enable use of Fugue. Fugue stores your user credentials in the credentials file and uses them to authorize Fugue CLI commands. When you’re switching Fugue users with fugue user set, the -p or --profile option instructs Fugue to switch to the user in the given profile.

Best Practices For Multiple Users

Keep Each User in a Separate Profile

For ease of switching users, it’s a best practice to keep each user in a separate profile. Since fugue user set overwrites a profile with that user’s credentials, keeping only one set of credentials in each profile prevents non-active credentials from being overwritten.

To create a profile, use fugue user set -p <profile> <user> <secret>. This sets the active user to <user> and saves it under the specified profile <profile>, creating the profile if it doesn’t exist.

For example, the following command creates an alice profile and switches to the alice user:

fugue user set --profile alice alice oSedQchb1aXaibzLdW7xOJEXAMPLEEXAMPLEEXAMPLE=

The credentials file might then look like this:

[default-123456789012-us-east-1]
secret = E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=
user = root

[alice]
secret = oSedQchb1aXaibzLdW7xOJEXAMPLEEXAMPLEEXAMPLE=
user = alice

Here, root credentials are saved under the default-<AWS account>-<region> profile, and alice credentials are saved under the alice profile.

Switching from alice to root would look like this, following the fugue user set --profile <profile> <user> <secret> format:

fugue user set --profile default-123456789012-us-east-1 root E6a5iZ9jbxoWgGIid65i6zEXAMPLEEXAMPLEEXAMPLE=

The root user is enabled by default. The paid version of Fugue allows multiple users; see Fugue Features for details.

Checking Which User is Active

If you’ve forgotten which Fugue user is active, there are a few ways you can look it up.

If you have a fugue.yaml file, you can look at it to see if there’s a profile entry under user:

conductor:
  ami: ami-4e7fb134
  region: us-east-1
  secretsKeyId: alias/fugue/rbac/secrets
user:
  profile: alice

In this case, the active user is alice. However, if no profile line exists, this means the user in the default profile is active.

If you’ve set the user via the environment variable FUGUE_USER_NAME or FUGUE_USER_USERID, just echo the variable you used:

echo $FUGUE_USER_USERID
echo $FUGUE_USER_NAME

The active user will be displayed.

The other method of checking the active user works whether or not you have a fugue.yaml file. Just issue any command with the -v verbose option set (e.g., fugue -v status). The CLI will print configuration info, including which user and profile is active, prior to executing the command.

-------------------------------Configuration Info-------------------------------
Fugue CLI Version: 1.18.5-4208-e4502ee6f4a2621078818528dfbd4a581fce2a69
Conductor AMI: ami-4e7fb134
Configuration File Path (symbolic links followed): /Users/main-user/projects/fugue.yaml
Conductor Region: us-east-1
Compositions Bucket: fugue-xxxxxxxxxxxx-us-east-1
Request Queue: fugue-demarc-requests
Response Table: fugue-cli-responses
Fugue User-Id: alice
Fugue Profile: alice
Fugue Credentials file: /Users/main-user/projects/credentials
--------------------------------------------------------------------------------

Replacing Lost Credentials

If you’ve lost the secret for a non-root user, you can execute the fugue policy generate-secret command to create a new secret. See example here.

If you’ve lost the root user credentials, you can execute the fugue support reset-secret command to generate a new secret. See example here.