Merge pull request #29 from kosty-cloud/fix/profile-session-comprehensive-scanner

v1.6.4 - Profile authentication fix

Fixed profile authentication bug where audits used wrong AWS account.

New feature:

aws_profile config option to reference AWS CLI profiles

Bug fix:

Profile sessions now correctly used across all services and commands

Breaking changes: None

Upgrade: pip install --upgrade kosty

Author: yassirkachri

README.md

@@ -55,7 +55,7 @@ AWS costs and security risks can spiral out of control quickly. Kosty helps you:
 - 🔐 **Detect** security misconfigurations and compliance issues
 - ⚡ **Optimize** with prioritized recommendations by financial impact
 - 🏢 **Scale** across entire AWS Organizations with parallel processing
-- 📊 **Track** ROI with comprehensive cost reporting
+- 📊 Track ROI with detailed cost reporting
 
 
 ## 🎯 Quick Start
@@ -491,8 +491,18 @@ default:
 profiles:
   customer01:
     regions: [us-east-1]
+    # Option 1: AssumeRole (recommended for multi-account)
     role_arn: "arn:aws:iam::123456789012:role/MyRole"
     mfa_serial: "arn:aws:iam::123456789012:mfa/device"
+  
+  customer02:
+    regions: [eu-west-1]
+    # Option 2: AWS CLI profile (for local development)
+    aws_profile: "customer02-prod"
+  
+  customer03:
+    regions: [ap-southeast-1]
+    # Option 3: Default credentials (env vars, instance role)
 ```
 
 See [Configuration Guide](docs/CONFIGURATION.md) for complete documentation.
@@ -514,13 +524,13 @@ See [Configuration Guide](docs/CONFIGURATION.md) for complete documentation.
 
 ## 🤝 Contributing
 
-We welcome contributions! Here's how you can help:
+We welcome contributions:
 
-1. **🐛 Report Issues** - Found a bug? [Open an issue](https://github.com/kosty-cloud/kosty/issues)
-2. **💡 Feature Requests** - Have an idea? [Start a discussion](https://github.com/kosty-cloud/kosty/discussions)
-3. **🔧 Add Services** - Implement new AWS service checks
-4. **📖 Improve Docs** - Help make documentation better
-5. **⭐ Star the Repo** - Show your support!
+1. **Report Issues** - Found a bug? [Open an issue](https://github.com/kosty-cloud/kosty/issues)
+2. **Feature Requests** - Have an idea? [Start a discussion](https://github.com/kosty-cloud/kosty/discussions)
+3. **Add Services** - Implement new AWS service checks
+4. **Improve Docs** - Help make documentation better
+5. **Star the Repo** - Show your support!
 
 ### Adding New Services
 
@@ -549,7 +559,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 
 ## 💼 Professional Services
 
-Kosty is free and open-source for self-service optimization. For teams who prefer expert guidance to maximize results and ensure safe implementation, I offer professional audits.
+Kosty is free and open-source. For teams who want expert guidance to maximize results and safe implementation, I offer professional audits.
 
 ### What's Included
 

docs/CONFIGURATION.md

@@ -120,6 +120,7 @@ kosty audit --profile production
 | `cross_account_role` | string | Role name for cross-account | `OrganizationAccountAccessRole` |
 | `org_admin_account_id` | string | Org admin account ID | `null` |
 | `role_arn` | string | Role ARN to assume | `null` |
+| `aws_profile` | string | AWS CLI profile name | `null` |
 | `mfa_serial` | string | MFA device ARN | `null` |
 | `duration_seconds` | integer | AssumeRole session duration | `3600` |
 
@@ -334,37 +335,70 @@ profiles:
 
 ## AWS Authentication
 
-### Default Credentials
+Kosty supports three authentication methods (in priority order):
 
-If no `role_arn` is configured, Kosty uses default AWS credentials:
+### 1. AssumeRole (Recommended for Multi-Account)
+
+Best for managing multiple customer accounts securely:
 
 ```yaml
-default:
-  regions:
-    - us-east-1
-  # No role_arn = uses default credentials
+profiles:
+  customer01:
+    role_arn: "arn:aws:iam::123456789012:role/MyRole"
+    duration_seconds: 3600  # 1 hour
 ```
 
-Kosty will use credentials from:
-1. Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
-2. `~/.aws/credentials`
-3. `~/.aws/config`
-4. IAM role (if running on EC2/Lambda)
+```bash
+kosty audit --profile customer01
+# → Assumes role without MFA prompt
+```
 
-### AssumeRole (without MFA)
+### 2. AWS CLI Profile
+
+Best for local development with multiple AWS accounts:
 
 ```yaml
 profiles:
   customer01:
-    role_arn: "arn:aws:iam::123456789012:role/MyRole"
-    duration_seconds: 3600  # 1 hour
+    aws_profile: "customer01-prod"  # References ~/.aws/credentials
+    regions:
+      - us-east-1
 ```
 
 ```bash
 kosty audit --profile customer01
-# → Assumes role without MFA prompt
+# → Uses credentials from ~/.aws/credentials profile "customer01-prod"
+```
+
+**Setup AWS CLI profile:**
+```bash
+# Configure profile
+aws configure --profile customer01-prod
+
+# Or edit ~/.aws/credentials
+[customer01-prod]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+```
+
+### 3. Default Credentials
+
+Best for CI/CD pipelines or EC2 instances with IAM roles:
+
+```yaml
+profiles:
+  customer01:
+    regions:
+      - us-east-1
+    # No role_arn or aws_profile = uses default credentials
 ```
 
+Kosty will use credentials from:
+1. Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+2. `~/.aws/credentials` (default profile)
+3. `~/.aws/config` (default profile)
+4. IAM role (if running on EC2/Lambda/ECS)
+
 ### AssumeRole with MFA
 
 ```yaml

kosty.yaml.example

@@ -60,7 +60,7 @@ default:
 
 # Profile definitions
 profiles:
-  # Customer 1 profile
+  # Customer 1 profile - Using AssumeRole (recommended for multi-account)
   customer01:
     regions:
       - us-east-1
@@ -75,18 +75,25 @@ profiles:
       ec2_cpu: 15
       rds_cpu: 15
 
-  # Customer 2 profile
+  # Customer 2 profile - Using AWS CLI profile (for local development)
   customer02:
     regions:
       - eu-west-1
     max_workers: 8
-    role_arn: "arn:aws:iam::987654321098:role/KostyAuditRole"
+    aws_profile: "customer02-prod"  # References ~/.aws/credentials profile
     exclude:
       services:
         - "route53"
       tags:
         - key: "DoNotAudit"
 
+  # Customer 3 profile - Using default credentials (env vars, instance role)
+  customer03:
+    regions:
+      - ap-southeast-1
+    max_workers: 5
+    # No role_arn or aws_profile = uses default credentials
+  
   # Production environment
   production:
     regions:

kosty/__init__.py

@@ -1,2 +1,2 @@
-__version__ = "1.6.3"
+__version__ = "1.6.4"
 

kosty/core/config.py

@@ -35,6 +35,7 @@
     'org_admin_account_id': None,
     'save_to': None,
     'role_arn': None,
+    'aws_profile': None,
     'mfa_serial': None,
     'duration_seconds': 3600
 }
@@ -272,42 +273,61 @@ def get_all_profiles(self) -> List[str]:
     def get_aws_session(self) -> boto3.Session:
         """Create AWS session with AssumeRole/MFA if configured"""
         role_arn = self.get('role_arn')
+        aws_profile = self.get('aws_profile')
         mfa_serial = self.get('mfa_serial')
         duration = self.get('duration_seconds', 3600)
 
-        if not role_arn:
-            return boto3.Session()
-        
-        mfa_token = None
-        if mfa_serial:
-            mfa_token = input(f"🔐 Enter MFA token for {mfa_serial}: ")
-        
-        sts = boto3.client('sts')
-        
-        assume_role_params = {
-            'RoleArn': role_arn,
-            'RoleSessionName': f'kosty-{self.profile}',
-            'DurationSeconds': duration
-        }
-        
-        if mfa_serial and mfa_token:
-            assume_role_params['SerialNumber'] = mfa_serial
-            assume_role_params['TokenCode'] = mfa_token
-        
-        try:
-            response = sts.assume_role(**assume_role_params)
+        # Priority: role_arn > aws_profile > default credentials
+        if role_arn:
+            # AssumeRole flow
+            mfa_token = None
+            if mfa_serial:
+                mfa_token = input(f"🔐 Enter MFA token for {mfa_serial}: ")
 
-            return boto3.Session(
-                aws_access_key_id=response['Credentials']['AccessKeyId'],
-                aws_secret_access_key=response['Credentials']['SecretAccessKey'],
-                aws_session_token=response['Credentials']['SessionToken']
-            )
-        except Exception as e:
-            config_file = self._find_config_file() or 'No config file'
-            print(f"\nError: Failed to assume role")
-            print(f"  Profile: {self.profile}")
-            print(f"  Config: {config_file}")
-            print(f"  Role ARN: {role_arn}")
-            print(f"  Reason: {e}")
-            print("\nCannot proceed without valid role access. Aborting.\n")
-            raise SystemExit(1)
+            sts = boto3.client('sts')
+            
+            assume_role_params = {
+                'RoleArn': role_arn,
+                'RoleSessionName': f'kosty-{self.profile}',
+                'DurationSeconds': duration
+            }
+            
+            if mfa_serial and mfa_token:
+                assume_role_params['SerialNumber'] = mfa_serial
+                assume_role_params['TokenCode'] = mfa_token
+            
+            try:
+                response = sts.assume_role(**assume_role_params)
+                
+                return boto3.Session(
+                    aws_access_key_id=response['Credentials']['AccessKeyId'],
+                    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
+                    aws_session_token=response['Credentials']['SessionToken']
+                )
+            except Exception as e:
+                config_file = self._find_config_file() or 'No config file'
+                print(f"\nError: Failed to assume role")
+                print(f"  Profile: {self.profile}")
+                print(f"  Config: {config_file}")
+                print(f"  Role ARN: {role_arn}")
+                print(f"  Reason: {e}")
+                print("\nCannot proceed without valid role access. Aborting.\n")
+                raise SystemExit(1)
+        
+        elif aws_profile:
+            # Use AWS CLI profile
+            try:
+                return boto3.Session(profile_name=aws_profile)
+            except Exception as e:
+                config_file = self._find_config_file() or 'No config file'
+                print(f"\nError: Failed to use AWS profile")
+                print(f"  Profile: {self.profile}")
+                print(f"  Config: {config_file}")
+                print(f"  AWS Profile: {aws_profile}")
+                print(f"  Reason: {e}")
+                print(f"\nMake sure '{aws_profile}' exists in ~/.aws/credentials or ~/.aws/config\n")
+                raise SystemExit(1)
+        
+        else:
+            # Use default credentials (env vars, instance role, default profile)
+            return boto3.Session()

setup.py

@@ -5,7 +5,7 @@
 
 setup(
     name='kosty',
-    version='1.6.3',
+    version='1.6.4',
     author='Yassir Kachri',
     author_email='yassir@kosty.cloud',
     description='AWS Cost Optimization & Security Audit CLI Tool - Identify cost waste, security vulnerabilities, and compliance issues across 16 core AWS services',