trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

awsume doesn't work with Hong Kong ap-east-1 region #59

Closed vkarhaltsev closed 5 years ago

vkarhaltsev commented 5 years ago

Hello! I use awsume 3.2.9, and when I call tools like awscli and terraform after awsume has exported the env variables, everything works pretty well except for the ap-east-1 region:

awscli:

aws --version
aws-cli/1.16.190 Python/3.7.4 Darwin/17.7.0 botocore/1.12.180

awsume production

aws s3 ls s3://some-bucket-in-hong-kong-region/

An error occurred (IllegalLocationConstraintException) when calling the ListObjectsV2 operation: The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.

aws s3 ls --region ap-east-1 s3://some-bucket-in-hong-kong-region/

An error occurred (InvalidToken) when calling the ListObjectsV2 operation: The provided token is malformed or otherwise invalid.

terraform:

awsume production
terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws.ap-east-1: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
    status code: 403, request id: f366241f-a3eb-11e9-84a3-6d3d417c2079

mbarneyjr commented 5 years ago

I have just tested this and could only replicate the issue if the region was disabled.

Please note that if you are using cross-account roles, both the account that holds your source_profile and the target account you're awsume-ing into must have the region you want to use enabled.

vkarhaltsev commented 5 years ago

Hey, yes, I forgot to mention that I use cross-account roles; my ~/.aws/config looks like this:

[profile production]
region = eu-west-2
source_profile = ops
role_arn = arn:aws:iam::11111111:role/ops-admin

I have enabled the Hong Kong region in both the source and target account and still have the same issue :(

UPDATE: finally I made it work! In addition to enabling the region in both the source and target accounts, I also had to modify "Security Token Service (STS)" in IAM: I set "Global endpoint" to "Valid in all AWS Regions":

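The workaround in the update above changes an account-wide STS setting. An alternative, shown here as an added example (not awsume's code and not from the thread), is to request the role credentials from the regional STS endpoint of the opt-in region, which issues a token valid there without widening the global-endpoint setting. The profile name, role ARN and account id are placeholders modelled on the config quoted above.

```python
"""Assume a cross-account role through a regional STS endpoint (added example).

Session tokens from the global endpoint (sts.amazonaws.com) are only honoured
in regions enabled by default; in an opt-in region such as ap-east-1 they are
rejected (InvalidToken / InvalidClientTokenId) unless the account-wide STS
"Global endpoint" setting is "Valid in all AWS Regions". Tokens issued by a
regional STS endpoint are valid in every region, so asking the target region's
own endpoint avoids widening that account-wide setting.
"""

# Placeholders modelled on the config quoted in the thread (not real values).
SOURCE_PROFILE = "ops"
ROLE_ARN = "arn:aws:iam::111111111111:role/ops-admin"
TARGET_REGION = "ap-east-1"


def regional_sts_endpoint(region: str) -> str:
    """Endpoint URL of the STS service in a specific region."""
    if not region or any(c in region for c in "/ ."):
        raise ValueError(f"invalid region name: {region!r}")
    return f"https://sts.{region}.amazonaws.com"


def credentials_to_env(creds: dict, region: str) -> dict:
    """Map an AssumeRole Credentials block to the env vars awsume exports."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "AWS_DEFAULT_REGION": region,
        "AWS_REGION": region,
    }


def assume_role_regionally(profile, role_arn, region, session_name="regional-sts"):
    """Call AssumeRole on the regional endpoint so the token works there."""
    import boto3  # imported lazily: needs network access and real credentials

    session = boto3.session.Session(profile_name=profile)
    sts = session.client("sts", region_name=region,
                         endpoint_url=regional_sts_endpoint(region))
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return credentials_to_env(resp["Credentials"], region)


if __name__ == "__main__":
    # Print shell exports the way awsume does; eval the output in your shell.
    env = assume_role_regionally(SOURCE_PROFILE, ROLE_ARN, TARGET_REGION)
    for key, value in env.items():
        print(f"export {key}={value}")
```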
mbarneyjr commented 5 years ago

Great to hear it's working now, thanks for the update!