Describe the bug
When trying to run Cloud Custodian from an isolated subnet (no internet / NAT gateway, only VPC endpoints) I encounter a timeout to the STS global endpoint address "sts.amazonaws.com".
I think the bug is due to https://github.com/cloud-custodian/cloud-custodian/blob/master/c7n/commands.py#L48, where the region is set to "". Therefore, the first initialization of SessionFactory is done with an empty-string region, and therefore get_sts_client goes to the global region despite the fact that the C7N_USE_STS_REGIONAL environment variable is set to true.
What did you expect to happen?
I found an environment variable that is supposed to force using the regional STS endpoint. I set export C7N_USE_STS_REGIONAL=true and still see the same behavior.
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information
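As an added illustration (not code from the Cloud Custodian project, and not the project's actual implementation of get_sts_client), the endpoint-selection behaviour the report describes, reduced to a stand-alone Python function so the failure mode can be checked offline. The function names resolve_sts_endpoint, use_sts_regional and is_regional, the fallback_region parameter and the set of accepted truthy values are assumptions made here for the example; only the C7N_USE_STS_REGIONAL variable name and the "sts.amazonaws.com" host come from the report.

```python
import os
from urllib.parse import urlparse

# Global STS host named in the report; in an isolated subnet with only a
# regional STS VPC endpoint there is no route to it, so a call hangs until timeout.
GLOBAL_STS_HOST = "sts.amazonaws.com"


def use_sts_regional(environ=None):
    """Read the C7N_USE_STS_REGIONAL opt-in (assumed truthy spellings: 1/true/yes)."""
    environ = os.environ if environ is None else environ
    return environ.get("C7N_USE_STS_REGIONAL", "").strip().lower() in ("1", "true", "yes")


def resolve_sts_endpoint(region, regional_enabled, fallback_region=None):
    """Return the STS endpoint URL a client would be pointed at.

    The edge case from the report: an empty or None region cannot form a
    regional hostname, so with the flag enabled but no usable region the
    resolution silently degrades to the global endpoint. fallback_region is
    a hypothetical extra input (e.g. a configured default region) that
    closes that gap in this example.
    """
    effective = region or fallback_region
    if regional_enabled and effective:
        return f"https://sts.{effective}.amazonaws.com"
    return f"https://{GLOBAL_STS_HOST}"


def is_regional(endpoint_url):
    """Pre-flight check: True only if the host is a region-specific STS endpoint."""
    host = urlparse(endpoint_url).hostname or ""
    return host != GLOBAL_STS_HOST and host.endswith(".amazonaws.com")


if __name__ == "__main__":
    # Constructed scenarios; the empty-string region reproduces the reported fallthrough.
    for region, flag in [("", True), ("us-east-1", True), ("us-east-1", False)]:
        url = resolve_sts_endpoint(region, flag)
        print(f"region={region!r} regional_enabled={flag} -> {url} regional={is_regional(url)}")
```

Running is_regional against the resolved URL before issuing AssumeRole turns the silent timeout into an immediate, explicit failure when the region has not been populated yet.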
What region are you executing in, and what region are you targeting? Do you have VPC endpoints set up for each of the services? I.e., does this issue exhibit sans Custodian, with the AWS CLI?
Also, to be clear, sans network endpoint via internet will mean running a separate install for each region, as VPC endpoints only target local regions by default (a bunch of networking setup and manual east-west DNS). Hence I would like to understand if the AWS CLI works in this context.
Hi, just to clarify: what I'm trying to do is run Cloud Custodian in an isolated environment which will deploy Custodian Lambda functions in cloudtrail mode. The Cloud Custodian-deployed Lambda functions will run from a VPC-free environment.
Executing region is us-east-1, and I do have all the needed VPC endpoints in place.
Policy
Relevant log/traceback output
No response
Extra information or context
Running with assume role on isolated subnet with VPC endpoints: