-
Notifications
You must be signed in to change notification settings - Fork 815
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can aws-vault handle setting default region automatically? #156
Comments
easy fix |
Right, but like I said I'm not using aws config files and I'd like to avoid introducing that dependency if possible. In other words, it'd be nice to have |
You did say credential files, and |
If anything, in future, |
My bad, I meant config and credential files :) |
I tried setting |
I think @FernandoMiguel might have gotten confused between
|
We don't actually read |
FYI, all my profiles are sourced from something else, so some are sourced from default [profile IAM] |
That would be |
just bad copy paste :p |
I can confirm that setting region does not work except via environment:
Fails:
Fails:
Of interest - once the MFA process has completed, I can drop AWS_REGION off the command while the session is valid. |
That's very odd. Will try and reproduce. |
I can't reproduce this. This is what I did: docker run --rm -it -v $PWD:/go/src/github.com/99designs/aws-vault -w /go/src/github.com/99designs/aws-vault golang:1.9
$ go run *.go add --backend file test
Enter Access Key ID: test
Enter Secret Access Key: test
Enter passphrase to unlock /root/.awsvault/keys:
Added credentials to profile "test" in vault
$ export AWS_VAULT_FILE_PASSPHRASE=test
$ export AWS_VAULT_BACKEND=file
$ mkdir -p ~/.aws
$ echo "[profile test]" > ~/.aws/config
$ echo "region = us-gov-west-1" >> ~/.aws/config
$ cat ~/.aws/config
[profile test]
region = us-gov-west-1
$ go run *.go --debug --backend file exec --no-session test -- env | grep AWS
tes2017/09/28 00:24:54 Parsing config file /root/.aws/config
2017/09/28 00:24:54 Skipping session token and using master credentials directly
2017/09/28 00:24:54 Looking up keyring for test
2017/09/28 00:24:54 Parsing config file /root/.aws/config
2017/09/28 00:24:54 Setting subprocess env: AWS_DEFAULT_REGION=us-gov-west-1, AWS_REGION=us-gov-west-1
2017/09/28 00:24:54 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2017/09/28 00:24:54 Executing subprocess env []
AWS_VAULT_FILE_PASSPHRASE=test
AWS_VAULT=test
AWS_DEFAULT_REGION=us-gov-west-1
AWS_REGION=us-gov-west-1
AWS_ACCESS_KEY_ID=test
AWS_SECRET_ACCESS_KEY=test
$ rm ~/.aws/config
$ go run *.go --debug --backend file exec --no-session test -- env | grep AWS
2017/09/28 00:27:26 Skipping session token and using master credentials directly
2017/09/28 00:27:26 Looking up keyring for test
2017/09/28 00:27:26 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2017/09/28 00:27:26 Executing subprocess env []
AWS_VAULT_FILE_PASSPHRASE=test
AWS_VAULT=test
AWS_ACCESS_KEY_ID=test
AWS_SECRET_ACCESS_KEY=test |
Could I trouble @sharms and @jleclanche to try running those commands with |
Sure - here is what it looks like without AWS_REGION set:
Repeated with AWS_REGION set:
Configuration files:
|
Thanks, could you try it with |
No problem. With |
Ok that is a good lead. I will investigate. Thanks for your patience 🙇🏼 |
Btw, what version are you on @sharms? |
|
This is now in master, so closing. Reopen if it's not fixed for you @sharms / @jleclanche |
@lox can you clarify what landed? Are we able to attach regions to aws-vault sessions now? |
It will be out in the next release, which we will try and do today or tomorrow. The change I made was to read the This is the relevant PR: #163 |
It's a slightly speculative fix, I'd love to hear if it fixes your issue. |
Well, it's certainly an improvement :) But it doesn't really change the original issue that I had, which is that I'd like to tell aws-vault "the session 'home' should have an AWS_DEFAULT_REGION of us-east-1, and the session 'dev' should have an AWS_DEFAULT_REGION of us-west-1". |
Hmmmm. Apologies if I misunderstood, I'd interpreted it as "the region in the profile in ~/.aws/config should be respected for STS sessions". In your example, do you have two entries in your ~/.aws/config for |
Well as I mentioned, I do not have a ~/.aws/config file usually. aws-vault handles the use case of profile management quite nicely, except for attaching default regions to them. |
Ah right, apologies, yes, I have totally missed the point 😓 |
Ah right, I got misdirected by @sharms question, which is fixed. |
I guess the difficulty with saving additional metadata in the keyring is that it's hard to know what the source of truth is. Debugging what was setting the region gets much harder, especially when you add in things like assuming roles with |
Just wanted to confirm @lox that the fixes did solve my issue, thanks! |
I'm going to close this one out. Happy to discuss more if you want @jleclanche. |
I don't use aws credentials files on my dev machine, which means unless I explicitly do
AWS_REGION=us-east-1 aws-vault exec example
, the region is not set in the resulting session.Is there a way to have aws-vault set the (default?) region on the profile at profile creation, so that unless explicitly overridden, it's just in there as well?
The text was updated successfully, but these errors were encountered: