Closed sprice-janrain closed 6 years ago
Hmm. Could it be this? https://github.com/99designs/aws-vault/blob/f62e3f49de476d9e9300cbe37ff7ea89619603d0/cli/login.go#L122
Looks like the URL is hardcoded to https://signin.aws.amazon.com/federation. That certainly won't work on China and GovCloud accounts.
Yup, sounds like it needs to switch the URL based on region. PRs welcomed!
Hrm. How would we figure out which region to login with? There's the option to configure a default region in `~/.aws/config` for a specific profile. Should it just look something like:

```
if region defined in config and region == `cn-north-1` {
    federation_url := "https://signin.amazonaws.cn/federation"
} else {
    federation_url := "https://signin.aws.amazon.com/federation"
}
```

Please don't consider that actual Go code, just pseudocode. I need to wrap my head around Go before I can dive into this one.
Looking elsewhere in `login.go`, looks like I'd have to modify the console URL based on region too. I see examples of using `profile.Region` there, so I guess it shouldn't be too hard to come up with a working example.
How about this for a PR? https://github.com/99designs/aws-vault/pull/259
I've set up IAM users in non-China accounts that can assume roles in other non-China accounts, and aws-vault has been working great.
I've attempted to do the same thing in China, but I'm stuck troubleshooting `login`.

Running `aws-vault exec` against an account I'm accessing via an assumed role works fine:

Trying to run `aws-vault login` with the same account fails with `400 Bad Request`. Debug output follows: