This issue was moved to a discussion.
Unable to deploy to non-default region when using AssumeRole credentials #266
Comments
Additional information: |
Whoops, accidentally closed the issue. Sorry... |
Hi @scottjbaldwin, Good afternoon. Thanks for reporting the issue. Somehow I'm unable to reproduce the issue. Below are the steps I followed:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<<account-id>>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
You may replace
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "iam:GetRole",
                "lambda:TagResource",
                "lambda:ListFunctions",
                "apigateway:PUT",
                "lambda:GetFunction",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "apigateway:DELETE",
                "iam:PassRole",
                "lambda:AddPermission",
                "iam:DetachRolePolicy",
                "apigateway:PATCH",
                "lambda:DeleteFunction",
                "apigateway:POST",
                "apigateway:GET"
            ],
            "Resource": "*"
        }
    ]
}
In this case, my
Please review if you are following different steps or if I'm missing anything. Thanks, |
@ashishdhingra, |
@scottjbaldwin Could you please elaborate on what you are referring to by default region? Is it the region in the |
Note, you will have to enable |
@ashishdhingra by non-default region, I mean a region that you don't get access to by default in an AWS account, i.e. an opt-in region as per this table https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions:~:text=for%20a%20resource-,Available%20Regions,-Your%20account%20determines |
@scottjbaldwin Thanks for the inputs, it really helped. It appears to be reproducible for non-default (required to opt-in region). Executing
Executing AWS CLI command
{
    "LocationConstraint": "ap-southeast-4"
}
Also using the
So the issue appears to be with the underlying .NET SDK that fails to successfully call |
@scottjbaldwin Upon further investigation, Managing AWS STS in an AWS Region mentions that
In PowerShell session:
In command line (Windows):
Also refer to AWS STS Regionalized endpoints where it states that AWS recommends using Regional AWS STS endpoints instead of the global endpoint. So, you may set it at
Please let me know if it works for you. After your confirmation, I would consider this issue as resolved (since it is the default behavior as per above documentation) and convert this issue into
Thanks, |
Hey @ashishdhingra, thanks so much for diving into this issue and providing the resolution. I really appreciate your diligence on this one. This does indeed fix the issue, and I am able to deploy my application (although there were still some remaining regional issues, but completely unrelated to this issue). I guess that means I'll need to update my blogpost, as technically it is not so much a bug, as a corner case that people need to be aware of. Totally support this issue being converted into a Again, thanks for your help. |
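Added example, not part of the thread or of the project's code: a check over an AWS shared config file that lists role-assuming profiles which would target an opt-in Region without STS pinned to Regional endpoints. It assumes the standard AWS shared-configuration names `AWS_STS_REGIONAL_ENDPOINTS` (environment variable) and `sts_regional_endpoints` (profile key), which are not quoted from the thread; the profile names and account id in the sample are constructed.

```python
import configparser

# Opt-in Regions to flag. Only ap-southeast-4 is named in this thread; extend
# the set from the AWS Regions table linked in the thread.
OPT_IN_REGIONS = frozenset({"ap-southeast-4"})

# Constructed sample of an AWS shared config file (names and account id made up).
SAMPLE_CONFIG = """\
[default]
region = ap-southeast-2

[profile deploy-mel]
role_arn = arn:aws:iam::111122223333:role/example-deploy
source_profile = default
region = ap-southeast-4

[profile deploy-mel-pinned]
role_arn = arn:aws:iam::111122223333:role/example-deploy
source_profile = default
region = ap-southeast-4
sts_regional_endpoints = regional

[profile deploy-syd]
role_arn = arn:aws:iam::111122223333:role/example-deploy
source_profile = default
region = ap-southeast-2
"""


def audit_profiles(config_text, env, target_region=None, opt_in=OPT_IN_REGIONS):
    """Return (profile, region) pairs for role-assuming profiles that would
    target an opt-in Region without STS pinned to Regional endpoints."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    # Assumption: the environment variable overrides the per-profile setting.
    env_mode = env.get("AWS_STS_REGIONAL_ENDPOINTS", "").strip().lower()
    findings = []
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profile = parser[section]
        if "role_arn" not in profile:
            continue  # not an AssumeRole profile
        # A region given on the command line (--region) replaces the profile's own.
        region = target_region or profile.get("region", fallback="")
        mode = env_mode or profile.get("sts_regional_endpoints", fallback="").strip().lower()
        if region in opt_in and mode != "regional":
            findings.append((name, region))
    return findings
```

Pass `os.environ` as `env` and the value of `--region` as `target_region` to check the profiles on a real workstation before deploying.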
Describe the bug
When trying to deploy a serverless application to a non-default region (i.e. ap-southeast-4) using a profile that uses a session token from sts, the cli is unable to upload the packaged lambda code to the S3 bucket.
Expected Behavior
The lambda code in the zip file should upload and the serverless template should be deployed.
This works perfectly fine if the region is a default region like ap-southeast-2.
Current Behavior
The output of dotnet lambda deploy-serverless first hints at an issue by saying
and then after compiling and zipping the code, when it attempts to upload the zip file, it errors out with
And exits the deployment.
Reproduction Steps
serverless.AspNetCoreWebAPI --name mel-test --output .\mel-test --region ap-southeast-4 (or equivalent non-default region)
Possible Solution
Looking through the source code for the aws extensions for dotnet, I couldn't see anything obvious. I did see that you use the C# sdk, so the issue may be with its handling of profiles, but because I found the issue in this library, I decided to raise the bug here.
I did check the results of aws s3api get-bucket-location --bucket <mel-bucket> --profile <assumerole-profile> and received the expected results:
Which says to me that the profile and the bucket are set up fine, and given this is the same call that GetBucketRegionAsync makes, I can only assume that it's some difference between the way the cli handles the profile vs how the C# sdk handles the profile.
Additional Information/Context
I am using MFA for my roles, and I'm using this powershell module AWSCredentialsManager to assist with the AssumeRole and MFA details.
There was an issue with this library using non-default regions initially, but this issue was addressed in version 0.1.6 which is the version of the library I am currently using.
Targeted .NET platform
7.0.201
CLI extension version
Environment details (OS name and version, etc.)
Windows 10