Update AWS Auth

[stewartshea]

Update AWS health codebundles to use environment variables for AWS credentials and enhance task tagging. Refactor runbooks and SLIs to include 'data:config' tags for better categorization. Remove direct access to AWS access keys in favor of a more secure environment-based approach.

---

Note

Medium Risk
Touches authentication wiring across many runbooks/SLIs; misconfiguration of the new aws-auth/env-based setup could break AWS access at runtime, though business logic is otherwise unchanged.

Overview
Refactors the AWS c7n health codebundles (ACM, EBS, EC2, Monitoring, Network, RDS, S3) to stop passing AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY into RW.CLI.Run Cli and instead use a suite-level &{env} plus a single imported aws_credentials secret.

Updates SLI/Runbook templates to replace explicit access-key secrets with {% include "aws-auth.yaml" ignore missing %}, and adds the data:config tag across tasks for improved categorization/metadata. Bumps rw-cli-keywords from 0.0.19 to 0.0.27.

^{Written by Cursor Bugbot for commit 3b2e234. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

AWS credentials pattern rejects valid auth values

High Severity

RW.Core.Import Secret now reads aws_credentials, but validation still uses pattern=\w*. The documented credential formats (like aws:access_key@cli or aws:irsa@cli) include : and @, so valid aws_credentials values can be rejected during suite initialization, preventing the runbook from executing.

Additional Locations (2)

• codebundles/aws-c7n-acm-health/sli.robot#L87-L91
• codebundles/aws-c7n-ec2-health/runbook.robot#L199-L203