Using Assume Role ARN with opt-in regions gives 403 #46
Comments
Status update: The account that we've used for testing cross-account access seems to be broken, but ops is looking into that.
Done! Details in Slack.
Thanks for setting up the environment @sunker. I am able to reproduce the issue now. Still, your suggestion @robbierolin does not fix the issue. Note that:
When using assumed roles, the
I wonder: how can we differentiate between calls to STS and calls to the target service (e.g. CloudWatch)? Maybe we need to disable opt-in regions if "Assume Role" is used?
Just to clarify, for me was able to get it working by
Does that work for you?
Got it. Yes, I was missing the
Some AWS regions are opt-in regions, which means they can't be accessed until they are explicitly turned on (see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions)
When using the Assume Role ARN field, credentials from one account (Account A) can be used to retrieve data from another account (Account B). Currently there is a bug: trying to load data from an opt-in region in Account B will give
This is because the region selected in the configuration is used both for the call to STS to assume the role and for the call to the data source (e.g. CloudWatch). This can be fixed by replacing the region used here https://github.com/grafana/grafana-aws-sdk/blob/main/pkg/awsds/sessions.go#L167 with a non-opt-in region (e.g. us-east-1) when the configured region is an opt-in region and Assume Role ARN is configured. Then the regionCfg used here https://github.com/grafana/grafana-aws-sdk/blob/main/pkg/awsds/sessions.go#L227 should use the configured region.
Note the environment variable
AWS_STS_REGIONAL_ENDPOINTS=regional
must be set to get credentials that can be used in an opt-in region.
Steps to reproduce:
e.g.
e.g. me-south-1 as Default Region
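The region split proposed in the issue body above, written out as an added example. This is not code from grafana-aws-sdk or from the issue author; it uses only the Go standard library and models the decision the fix needs to make in sessions.go: send sts:AssumeRole to a non-opt-in region over the regional STS endpoint, but keep the configured region for the data-source call. Assumptions: the opt-in region map is a snapshot (only me-south-1 comes from the page), the names PlanSessions, STSEndpointFor, EnvForPlan and SessionPlan are hypothetical helpers, and the role ARN is constructed.

```go
package main

import "fmt"

// Added example, not code from grafana-aws-sdk. It models the region split the
// issue proposes: a non-opt-in region (and the regional STS endpoint) for
// sts:AssumeRole, the configured region for the service call.

// optInRegions is an assumed snapshot for this example; AWS adds opt-in regions
// over time, so real code should derive this from the SDK's endpoint metadata
// rather than a literal map.
var optInRegions = map[string]bool{
	"af-south-1": true,
	"ap-east-1":  true,
	"eu-south-1": true,
	"me-south-1": true,
}

// fallbackSTSRegion is the non-opt-in region the issue suggests for the STS call.
const fallbackSTSRegion = "us-east-1"

// SessionPlan records which region/endpoint each of the two calls should use.
type SessionPlan struct {
	STSRegion     string // region for the sts:AssumeRole call
	STSEndpoint   string // STS endpoint that call must be sent to
	ServiceRegion string // region for the data-source call (e.g. CloudWatch)
	RegionalSTS   bool   // true when AWS_STS_REGIONAL_ENDPOINTS=regional must be in effect
}

// IsOptIn reports whether region must be explicitly enabled on the account.
func IsOptIn(region string) bool { return optInRegions[region] }

// STSEndpointFor returns the endpoint the STS client will hit. The global
// endpoint issues session tokens that opt-in regions reject, which is why the
// regional endpoint is required when the target region is opt-in.
func STSEndpointFor(region string, regional bool) string {
	if !regional {
		return "https://sts.amazonaws.com"
	}
	return fmt.Sprintf("https://sts.%s.amazonaws.com", region)
}

// PlanSessions decides the regions for the STS and service sessions.
// Without an Assume Role ARN there is no STS call, so the configured region is
// used unchanged; with one, an opt-in configured region is swapped for
// fallbackSTSRegion on the STS side only, never on the service side.
func PlanSessions(configuredRegion, assumeRoleARN string) SessionPlan {
	plan := SessionPlan{
		STSRegion:     configuredRegion,
		ServiceRegion: configuredRegion,
	}
	if assumeRoleARN != "" && IsOptIn(configuredRegion) {
		plan.STSRegion = fallbackSTSRegion
		plan.RegionalSTS = true
	}
	plan.STSEndpoint = STSEndpointFor(plan.STSRegion, plan.RegionalSTS)
	return plan
}

// EnvForPlan returns the environment setting the plan depends on, if any.
func EnvForPlan(p SessionPlan) string {
	if p.RegionalSTS {
		return "AWS_STS_REGIONAL_ENDPOINTS=regional"
	}
	return ""
}

func main() {
	// Constructed input mirroring the issue: credentials from Account A, a role
	// in Account B (ARN made up for this example), me-south-1 as Default Region.
	p := PlanSessions("me-south-1", "arn:aws:iam::123456789012:role/grafana-reader")
	fmt.Printf("STS:     %s via %s\n", p.STSRegion, p.STSEndpoint)
	fmt.Printf("Service: %s\n", p.ServiceRegion)
	if env := EnvForPlan(p); env != "" {
		fmt.Println("Requires", env)
	}
}
```

The plan is what a session factory would consume: build the STS client from STSRegion/STSEndpoint, pass its AssumeRole credentials into a second config whose region is ServiceRegion. When no role is assumed the two regions stay identical, which is the behaviour the issue reports as already working.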