Open jcshort opened 7 years ago
Ugh, the way the AWS SDK can find credentials gets more complicated with every release. Sorry about this! I haven't tested vagrant-s3auth at all with assumed roles.
Based on the stack trace, this is actually failing while constructing a dummy AWS credentials provider that's only used to print where your credentials are coming from to stdout—i.e., whether they came from an env var or a profile. I suspect you'd have a slightly different stack trace if you set AWS_REGION to some placeholder, like AWS_REGION=us-east-1. Would you mind giving that a shot? That is, run
AWS_REGION=us-east-1 vagrant up
and see if the stack trace looks any different? If it does, post it here so I can take a look!
Otherwise, I'll dig into this eventually, but it might be a while until I find the time to replicate your IAM setup.
I think it is the STS way that is not supported.
According to the current doc, and as much other software does, the plugin is only capable of using credentials coming from ~/.aws/credentials formatted as a pair of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY .... and not as STS with source_profiles ....
And I confirm that through many tries in my team.
@jcshort, I would suggest you rename your issue, "AWS STS credentials not supported" :)
We may be able to do something with https://github.com/a2ikm/aws_config ?
lib/vagrant-s3auth/util.rb
---------------------------------
require 'aws_config'
....
def self.s3_client(region = DEFAULT_REGION)
  # AWS STS support
  # https://github.com/aws/aws-sdk-ruby/issues/1256
  credentials_provider = self.s3_credential_provider
  if credentials_provider.is_a?(::Aws::SharedCredentials) && !credentials_provider.profile_name.nil?
    # Look up the role_arn declared for this profile in ~/.aws/config
    role_arn = AWSConfig[credentials_provider.profile_name].role_arn
    unless role_arn.nil?
      # Call STS with the source profile's static keys and assume the role
      credentials = ::Aws::AssumeRoleCredentials.new(
        client: ::Aws::STS::Client.new(region: region, credentials: credentials_provider),
        duration_seconds: 1800,
        role_arn: role_arn,
        role_session_name: 'vagrant'
      )
      # Return the S3 client backed by the temporary STS credentials
      return ::Aws::S3::Client.new(region: region, credentials: credentials)
    end
  end
  # Otherwise, return the simple client
  ::Aws::S3::Client.new(region: region)
end
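The proposal above leaves the `~/.aws/config` lookup to the aws_config gem. The following is an added example, not code from vagrant-s3auth, aws_config or the commenter, showing what that lookup has to do before the STS call can be made: parse the config, follow `source_profile` links (with a cycle check) down to a profile that holds static keys, and report whether the requested profile resolves to static credentials or needs AssumeRole, along with its `mfa_serial` and the region declared for it. The names `parse_aws_config`, `resolve_profile` and `SAMPLE_AWS_CONFIG` are this example's own, and the config text is constructed for it.

```ruby
# Added example (not vagrant-s3auth or aws_config code): a minimal resolver for
# the ~/.aws/config profile chain that an STS-backed S3 client depends on.
# The config text below is constructed for this example; the ARNs and keys
# are placeholders.
require 'set'

SAMPLE_AWS_CONFIG = <<~INI
  [default]
  region = eu-west-1
  aws_access_key_id = AKIAEXAMPLEDEFAULT
  aws_secret_access_key = EXAMPLESECRET

  [profile deploy]
  role_arn = arn:aws:iam::111111111111:role/vagrant-s3-reader
  source_profile = default
  region = us-east-1
  mfa_serial = arn:aws:iam::222222222222:mfa/alice
INI

# Parse the INI-style config into { "default" => {...}, "deploy" => {...} }.
# In ~/.aws/config every section other than [default] is written "[profile NAME]".
def parse_aws_config(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.split(/[#;]/, 2).first.strip # drop trailing comments
    next if line.empty?
    if (m = line.match(/\A\[\s*(?:profile\s+)?([^\]]+?)\s*\]\z/))
      current = m[1]
      profiles[current] ||= {}
    elsif current && (m = line.match(/\A([\w\-.]+)\s*=\s*(.*)\z/))
      profiles[current][m[1]] = m[2].strip
    end
  end
  profiles
end

# Follow source_profile links from `name` until a profile with static keys is
# reached. Returns how credentials would have to be obtained; raises on an
# unknown profile, a role profile without a source, or a source_profile cycle.
def resolve_profile(profiles, name)
  seen = Set.new
  chain = []
  current = name
  loop do
    raise "unknown profile: #{current}" unless profiles.key?(current)
    raise "source_profile cycle: #{(chain + [current]).join(' -> ')}" if seen.include?(current)
    seen << current
    chain << current
    p = profiles[current]
    break unless p['role_arn']
    raise "profile #{current} has role_arn but no source_profile" unless p['source_profile']
    current = p['source_profile']
  end
  leaf = profiles[current] # the profile whose static keys sign the STS call
  head = profiles[name]    # the profile the user actually asked for
  unless leaf['aws_access_key_id'] && leaf['aws_secret_access_key']
    raise "profile #{current} has no static keys"
  end
  {
    mode:       chain.length > 1 ? :assume_role : :static,
    chain:      chain,
    role_arn:   head['role_arn'],
    mfa_serial: head['mfa_serial'],
    # The requested profile's own region wins; otherwise fall back along the chain.
    region:     chain.map { |c| profiles[c]['region'] }.compact.first,
    access_key: leaf['aws_access_key_id']
  }
end

if __FILE__ == $PROGRAM_NAME
  profiles = parse_aws_config(SAMPLE_AWS_CONFIG)
  %w[default deploy].each do |n|
    r = resolve_profile(profiles, n)
    puts "#{n}: #{r[:mode]} via #{r[:chain].join(' -> ')} region=#{r[:region]} mfa=#{r[:mfa_serial] ? 'yes' : 'no'}"
  end
end
```

Running it prints one line per profile; `deploy` resolves to `:assume_role` through `default` with region `us-east-1`, which is the region a client for that profile should be built with before the STS call rather than whatever the source profile declares. A `mfa_serial` on the head profile means AssumeRole additionally needs a token code, which the plugin code above does not pass.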
Hmm, looks promising. Might you be interested in submitting a PR, @xakraz?
Yes, I will try to test it this week and submit a PR :D
Awesome! Let me know if I can be of any help.
On Mon, Feb 5, 2018 at 6:46 PM, Xavier Krantz notifications@github.com wrote:
Yes, I will try to test it this week and submit a PR :D
confirmed working in vagrant 2.1.1, with two caveats:
region
mfa_serial
is not supported
Just kidding, I misled myself with a stale version of the box downloaded with a local IAM user.
Seeing some issues with bucket region detection using a cross account role. The AWS_REGION env var seems to be ignored when using assumed roles, and it doesn't appear that assumed roles are allowed to set region in ~/.aws/config either.
some strings redacted with caps.
aws config: