Aws-cdk: toolkit: profiles and assumerole credentials issues

Created on 26 Nov 2018 · 9 Comments · Source: aws/aws-cdk

Reported by @ChintanRaval on Gitter:

The following setup fails to default to the right region:

~/.aws/credentials

[my-auth-account]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx

~/.aws/config

[default]
output = json
region = us-east-1

[profile my-auth-account]
source_profile = default

[profile my-dev-account]
source_profile = my-auth-account
role_arn = arn:aws:iam::123456789012:role/MyDesiredRole
mfa_serial = arn:aws:iam::112233445566:mfa/myusername

All 9 comments

Afterwards, this gave a "security token expired" error:

~/.aws/credentials

<empty file>

~/.aws/config

[profile my-dev-account]
output = json
region = us-east-1
aws_access_key_id = xxxx
aws_secret_access_key = xxxx
role_arn = arn:aws:iam::123456789012:role/MyDesiredRole
mfa_serial = arn:aws:iam::112233445566:mfa/myusername

I tried a variation of the first setup in AWS CLI but it was rejected there for not specifying a region. Will do some more debugging later.

Can confirm that this REALLY doesn't work with my:

aws-cli/1.16.35 Python/2.7.12 Linux/4.4.0-121-generic botocore/1.12.25

After an upgrade to the following, still doesn't work on my machine:

aws-cli/1.16.61 Python/2.7.12 Linux/4.4.0-121-generic botocore/1.12.51

Scenario tested:

~/.aws/config

[default]
output = json
region = eu-west-1

[profile Assumert]
region = us-east-1
# source_profile = default does not work either

[profile Assumable]
role_arn = arn:aws:iam::112233445566:role/Assumable
source_profile = Assumert

~/.aws/credentials

[Assumert]
aws_access_key_id = XXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXX

Following result:

$  aws --profile Assumable ec2 describe-availability-zones
You must specify a region. You can also configure your region by running "aws configure".

An answer to a GitHub question explicitly says the region will not be pulled from the source_profile: https://github.com/aws/aws-cli/issues/3334
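A small resolver, added here as an illustration and not code from the thread or from aws-cli/aws-cdk, that reproduces the rule cited above on a constructed copy of the failing config: source_profile links are followed for credentials, but region is read only from the selected profile itself, so a lint can flag role profiles that will fail on regional APIs.

```python
import configparser

# Constructed sample mirroring the thread's failing layout: the role profile
# chains to a source profile that chains to [default], which alone has a region.
SAMPLE_CONFIG = """
[default]
region = ap-southeast-2
[profile my-auth-account]
source_profile = default
[profile my-dev-account]
source_profile = my-auth-account
role_arn = arn:aws:iam::112233445566:role/MyAppropriateRole
mfa_serial = arn:aws:iam::665544332211:mfa/myusername
"""

def load_config(text):
    # default_section renamed so "[default]" is an ordinary, queryable section
    cp = configparser.ConfigParser(default_section="__defaults__", interpolation=None)
    cp.read_string(text)
    return cp

def _section(profile):
    # ~/.aws/config names every profile except 'default' as "profile NAME"
    return "default" if profile == "default" else f"profile {profile}"

def effective_region(cp, profile):
    """Region the CLI uses: the selected profile's own 'region' key only;
    it is not inherited through source_profile (aws/aws-cli#3334)."""
    sec = _section(profile)
    if cp.has_option(sec, "region"):
        return cp.get(sec, "region")
    return None  # CLI then falls back to env/--region, else errors out

def credential_chain(cp, profile):
    """Follow source_profile links: credentials ARE resolved this way, which is
    why the AssumeRole call succeeds even though the region lookup fails."""
    chain, seen = [profile], {profile}
    while cp.has_option(_section(chain[-1]), "source_profile"):
        nxt = cp.get(_section(chain[-1]), "source_profile")
        if nxt in seen:
            raise ValueError(f"source_profile cycle at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    return chain

def profiles_missing_region(cp):
    """Lint: role-assuming profiles with no explicit region; these fail with
    'You must specify a region' on regional APIs such as ec2."""
    return [s.replace("profile ", "", 1) for s in cp.sections()
            if cp.has_option(s, "role_arn") and not cp.has_option(s, "region")]
```

Running profiles_missing_region over a real ~/.aws/config (read with load_config on the file's contents) lists exactly the profiles that need a region line added, as the working configuration later in the thread does.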

Thanks @rix0rrr. I can confirm that I have the same issue with the similar configuration below.

DOES NOT WORK

~/.aws/config

[default]
output = json
region = ap-southeast-2

[profile my-auth-account]
source_profile = default

[profile my-dev-account]
source_profile = my-auth-account
role_arn = arn:aws:iam::112233445566:role/MyAppropriateRole
mfa_serial =arn:aws:iam::665544332211:mfa/myusername

~/.aws/credentials

[my-auth-account]
aws_access_key_id=xxxx
aws_secret_access_key=xxxx

use case and result:

C:\>aws --version
aws-cli/1.16.14 Python/2.7.9 Windows/8 botocore/1.12.4

C:\>aws s3 ls --profile my-dev-account
Enter MFA code for arn:aws:iam::665544332211:mfa/myusername:<i-entered-mfa-here>
2018-10-24 10:13:15 bucket1-xb55pg98y7i4-us-east-1
2018-10-24 10:14:00 bucket2-xb55pg98y7i4-ap-southeast-2
2018-11-15 11:42:24 foo-test-internal-54kljsfo3jfa
2018-11-21 16:07:09 bar-sandbox-pipeline-jxcvu9873h

C:\>aws ec2 describe-availability-zones --profile my-dev-account
You must specify a region. You can also configure your region by running "aws configure".

The reason it did not give me an error for aws s3 ls is probably that S3 is region-independent (although not really, but I don't have the right word for it).

WORKS!

Changing it as you've suggested does work.

~/.aws/config

[profile my-dev-account]
source_profile = my-auth-account
output = json
region = ap-southeast-2
role_arn = arn:aws:iam::112233445566:role/MyAppropriateRole
mfa_serial =arn:aws:iam::665544332211:mfa/myusername

~/.aws/credentials

[my-auth-account]
aws_access_key_id = xxxx
aws_secret_access_key = xxxx

use case and result:

C:\>aws --version
aws-cli/1.16.14 Python/2.7.9 Windows/8 botocore/1.12.4

C:\>aws s3 ls --profile my-dev-account
Enter MFA code for arn:aws:iam::665544332211:mfa/myusername:<i-entered-mfa-here>
2018-10-24 10:13:15 bucket1-xb55pg98y7i4-us-east-1
2018-10-24 10:14:00 bucket2-xb55pg98y7i4-ap-southeast-2
2018-11-15 11:42:24 foo-test-internal-54kljsfo3jfa
2018-11-21 16:07:09 bar-sandbox-pipeline-jxcvu9873h

C:\>aws ec2 describe-availability-zones --profile my-dev-account
{
    "AvailabilityZones": [
        {
            "State": "available",
            "ZoneName": "ap-southeast-2a",
            "Messages": [],
            "RegionName": "ap-southeast-2"
        },
        {
            "State": "available",
            "ZoneName": "ap-southeast-2b",
            "Messages": [],
            "RegionName": "ap-southeast-2"
        },
        {
            "State": "available",
            "ZoneName": "ap-southeast-2c",
            "Messages": [],
            "RegionName": "ap-southeast-2"
        }
    ]
}

Okay so we're NOT inconsistent with the CLI, it's just that the CLI S3 API does not require a region and therefore does not complain.

Then I don't see any further work here. I'm going to close this out if that's okay with you. Feel free to reopen if you encounter further issues.

Agreed, thanks!
