kops can't assume roles in ~/.aws/config profiles by default

Created on 16 Mar 2017  ·  18 Comments  ·  Source: kubernetes/kops

Not sure this is a documentation issue, a small bug, or even a feature request:

By default, kops will not assume roles defined in profiles in ~/.aws/config.
Golang's AWS SDK says that by defining the environment variable AWS_SDK_LOAD_CONFIG, the sessions will be created with the ability to assume roles, set default regions.

I don't quite understand the reason Golang SDK devs decided to go this route, but folks used to CLI/boto will find the current behavior weird, and will likely file bugs or ask questions in Slack.

```
# using a profile that the user assumes a role
export AWS_PROFILE=subaccount-profile-with-role

aws ec2 describe-availability-zones --output text
AVAILABILITYZONES us-west-2 available us-west-2a
AVAILABILITYZONES us-west-2 available us-west-2b
AVAILABILITYZONES us-west-2 available us-west-2c

kops create -f /tmp/my-config --state s3://my-bucket/subfolder/kops ## doesn't work
error: error populating configuration: Got an error while querying for valid regions (verify your AWS credentials?)

export AWS_SDK_LOAD_CONFIG=1
kops create -f /tmp/my-config --state s3://my-bucket/subfolder/kops ## works!

# using a profile that has access keys associated with the user
export AWS_PROFILE=subaccount-profile-with-access-keys
kops create -f /tmp/my-config --state s3://my-bucket/subfolder/kops ## works!
```
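
A check for the behaviour reported above, as an added example that is not from the issue or from kops: it reads the shared config file, reports whether a profile sets `role_arn` (the case that fails without `AWS_SDK_LOAD_CONFIG`), and runs kops with the variable set for that one process only. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not kops code). Sample config below is constructed.

# profile_uses_role PROFILE [CONFIG_FILE]
# Exit 0 if PROFILE's section in the AWS config file sets role_arn.
profile_uses_role() {
    config=${2:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}
    [ -r "$config" ] || return 1
    awk -v want="$1" '
        /^[ \t]*\[/ {                       # "[default]" or "[profile NAME]"
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            sub(/^profile[ \t]+/, "", name)
            in_section = (name == want)
            next
        }
        in_section && /^[ \t]*role_arn[ \t]*=/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$config"
}

# kops_with_profile PROFILE KOPS_ARGS...
# Sets the variables for this one kops process only; nothing is exported.
kops_with_profile() {
    kp_profile=$1; shift
    if profile_uses_role "$kp_profile"; then
        AWS_PROFILE=$kp_profile AWS_SDK_LOAD_CONFIG=1 kops "$@"
    else
        AWS_PROFILE=$kp_profile kops "$@"
    fi
}

# Constructed sample with the two profile kinds from the issue.
write_sample_config() {
    cat > "$1" <<'EOF'
[default]
region = us-west-2

[profile subaccount-profile-with-role]
role_arn = arn:aws:iam::111111111111:role/example-role
source_profile = default

[profile subaccount-profile-with-access-keys]
region = us-west-2
EOF
}
```

After sourcing the file, `kops_with_profile subaccount-profile-with-role create -f /tmp/my-config --state s3://my-bucket/subfolder/kops` runs the command from the issue without leaving either variable set in the calling shell.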

All 18 comments

I agree on the golang SDK's decision. It's out of line with other common software people use. I suggest kops exports this environment variable or updates internal config objects to set this value.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

/remove-lifecycle stale
agree with @ahawkins

/remove-lifecycle stale
still not solved

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

/remove-lifecycle stale
I'm also having this problem

@tiadobatima I have several profiles in my creds, so I could use a little more explicit explanation of what you're using as your file when you pass in the config. Is it just the .aws/credentials file? Or a copy of the section of your credentials with the access key and secret key for kops? or the credentials for your user account? both?

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.

/remove-lifecycle rotten

/reopen

@rot26: You can't reopen an issue/PR unless you authored it or you are a collaborator.

I must agree on this, it's really frustrating and disjointed to work with environment variables when you are used to just using profiles. The AWS configuration in INI format supports this, it would be really nice to just define a profile within CLI (--profile prod). Please consider reopening.

please reopen, still having issues with this

Please reopen. We need to be able to use CLI profiles.

IIRC, I found a way to work around this, but I don't have it on my current laptop. I'll write myself a note to dig this up and post it here.

I am using this for now to avoid setting persistent env vars:

```
# Syntax as posted: (cmd) substitution and {$NAME} are fish-shell forms;
# in bash/zsh use $(cmd) and ${NAME}.
export AWS_SDK_LOAD_CONFIG=1; \
export AWS_PROFILE=dl-infra-stg; \
export ZONES=(terraform output -json availability_zones | jq -r '.|join(",")'); \
export NAME=(terraform output cluster_name); \
export KOPS_STATE_STORE=(terraform output state_store); \
kops create cluster \
    --master-zones $ZONES \
    --zones $ZONES \
    --topology private \
    --dns-zone (terraform output public_zone_id) \
    --networking calico \
    --vpc (terraform output vpc_id) \
    --target=terraform \
    --out=. \
    {$NAME}
```