cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

AWS Middle East region Authentication is not working when giving it as a non default region #9646

Open Geemanthi opened 2 months ago

Geemanthi commented 2 months ago

Describe the bug

Hi,

I'm using ap-south-1 region as my AWS_DEFAULT_REGION and have added me-central-1 region in accounts.yml as another region for the policy executions. I'm running the following commands using some variables.

c7n-org run -c accounts.yml -s "$report_path" -u $policy_path --debug
c7n-org report -c accounts.yml -u $policy_path -s "$report_path" -f "$report_path/report.csv" --format csv

It works if I change the AWS_DEFAULT_REGION variable to me-central-1. But I cannot make this change since some of my AWS accounts don't have that region enabled. Can you give me a solution to fix this AuthFailure issue?

What did you expect to happen?

I expect this AuthFailure issue in the me-central-1 region to be solved, and the policies to execute there when I include it in accounts.yml.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

2024-07-29 06:46:09,101: c7n_org:ERROR Exception running policy:ec2-enforcing-tagging-mark account:AWS-GMT-PE-TEST region:me-central-1 error:An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials

Policy

policies:
  - name: ec2-enforcing-tagging-mark
    resource: ec2
    description: | 
      Find all instances without mandatory tags and Mark them for stopping in 9 hours.
    filters:
      - "State.Name": running
      - or: 
        - "tag:Name": absent
        - "tag:CostCenter": absent
        - "tag:BusinessEntity": absent
        - "tag:Project": absent
        - "tag:Team": absent
        - "tag:Environment": absent
        - "tag:AssetOwner": absent
        - "tag:AssetUser": absent
        - "tag:RiskOwner": absent
        - "tag:AssetCustodian": absent
        - "tag:Organization": absent
        - "tag:Automation": absent
        - "tag:AssetClassification": absent
        - "tag:ApplicationName": absent
    actions:
      - type: mark-for-op
        tag: MarkForStopping
        op: stop
        hours: 9

Relevant log/traceback output

No response

Extra information or context

No response

kapilt commented 1 month ago

Are you passing a region flag on the CLI or specifying regions in the accounts file? I.e. I don't see a region being passed on the CLI, and me is not a default execution region.

kapilt commented 1 month ago

If you're explicitly specifying a region to run in the accounts config file for a given account, stopping due to error is the correct thing for us to do, as it's a misconfiguration relative to the user's intent.

Geemanthi commented 1 month ago

I have specified the regions in accounts.yml as follows. Policy executions work fine in the ap-south-1 and ap-southeast-1 regions. But it gives that AuthFailure error when it comes to the me-central-1 region only.

Also, I tried out the -r flag in the c7n-org command and it still gives the error for the Middle East region. I am using an AWS IAM user to authenticate with the AWS account, and AWS_DEFAULT_REGION has been set to ap-south-1.

accounts:
- account_id: 'accountid'
  name: accountname
  regions:
  - ap-south-1
  - me-central-1
  - ap-southeast-1
  role: arn:aws:iam::accountid:role/GMACloudcustodian
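The maintainer's point above is that a region listed per account in accounts.yml must actually be usable in that account; me-central-1 is an opt-in region, so listing it for an account that never opted in is exactly that kind of mismatch. The pre-flight check below (an added example, not code from the cloud-custodian project) walks the same accounts.yml structure, assumes the configured role, and reports regions that the account has not enabled before c7n-org is run. The account id, name, and the fake lookup data are constructed; the live lookup uses sts:AssumeRole and ec2:DescribeRegions with AllRegions.

```python
"""Pre-flight check for c7n-org: flag regions listed in accounts.yml that are
not enabled (opted in) for the account they are listed under."""
from typing import Callable, Dict, List, Set

# Constructed sample mirroring the accounts.yml shown in the issue, already
# parsed as c7n-org would load it (c7n-org reads the file with PyYAML).
SAMPLE_ACCOUNTS = {
    "accounts": [
        {
            "account_id": "111111111111",          # constructed placeholder
            "name": "example-account",
            "regions": ["ap-south-1", "me-central-1", "ap-southeast-1"],
            "role": "arn:aws:iam::111111111111:role/GMACloudcustodian",
        }
    ]
}


def enabled_regions_via_boto3(role_arn: str) -> Set[str]:
    """Live lookup: assume the account's role, then list every region the
    account can use. OptInStatus is 'opt-in-not-required', 'opted-in' or
    'not-opted-in'; only the last one is unusable."""
    import boto3  # imported here so the offline check needs no AWS access
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="c7n-region-preflight")["Credentials"]
    ec2 = boto3.client(
        "ec2", region_name="us-east-1",  # a default region answers for all
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    regions = ec2.describe_regions(AllRegions=True)["Regions"]
    return {r["RegionName"] for r in regions if r["OptInStatus"] != "not-opted-in"}


def find_disabled_regions(cfg: dict,
                          lookup: Callable[[str], Set[str]]) -> Dict[str, List[str]]:
    """Return {account name: [listed regions the account has not enabled]}.
    Accounts with no explicit region list are skipped: c7n-org then falls
    back to its own default regions, which need no opt-in."""
    problems: Dict[str, List[str]] = {}
    for acct in cfg.get("accounts", []):
        listed = acct.get("regions")
        if not listed:
            continue
        missing = [r for r in listed if r not in lookup(acct["role"])]
        if missing:
            problems[acct["name"]] = missing
    return problems


if __name__ == "__main__":
    # Offline demonstration: pretend the account never opted in to me-central-1.
    fake = lambda role_arn: {"ap-south-1", "ap-southeast-1", "us-east-1"}
    print(find_disabled_regions(SAMPLE_ACCOUNTS, fake))
```

Replace `fake` with `enabled_regions_via_boto3` to run it against real accounts; a non-empty result is the configuration to fix before invoking `c7n-org run`.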