Send the STS queries to the local region

kubernetes · Aug 15, 2020 · 1a253dc · 1a253dc
1 parent 5dcc951
commit 1a253dc
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 13 deletions.
diff --git a/nodeup/pkg/model/bootstrap_client.go b/nodeup/pkg/model/bootstrap_client.go
@@ -39,7 +39,11 @@ func (b BootstrapClientBuilder) Build(c *fi.ModelBuilderContext) error {
 	var err error
 	switch kops.CloudProviderID(b.Cluster.Spec.CloudProvider) {
 	case kops.CloudProviderAWS:
-		authenticator, err = awsup.NewAWSAuthenticator()
+		region, regionErr := awsup.FindRegion(b.Cluster)
+		if regionErr != nil {
+			return fmt.Errorf("querying AWS region: %v", regionErr)
+		}
+		authenticator, err = awsup.NewAWSAuthenticator(region)
 	default:
 		return fmt.Errorf("unsupported cloud provider %s", b.Cluster.Spec.CloudProvider)
 	}

diff --git a/upup/pkg/fi/cloudup/awsup/BUILD.bazel b/upup/pkg/fi/cloudup/awsup/BUILD.bazel
@@ -30,7 +30,6 @@ go_library(
         "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/awserr:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/client:go_default_library",
-        "//vendor/github.com/aws/aws-sdk-go/aws/ec2metadata:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/endpoints:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/request:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/session:go_default_library",

diff --git a/upup/pkg/fi/cloudup/awsup/aws_authenticator.go b/upup/pkg/fi/cloudup/awsup/aws_authenticator.go
@@ -35,8 +35,8 @@ type awsAuthenticator struct {
 
 var _ fi.Authenticator = &awsAuthenticator{}
 
-func NewAWSAuthenticator() (fi.Authenticator, error) {
-	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
+func NewAWSAuthenticator(region string) (fi.Authenticator, error) {
+	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true).WithRegion(region)
 	sess, err := session.NewSession(config)
 	if err != nil {
 		return nil, err

diff --git a/upup/pkg/fi/cloudup/awsup/aws_verifier.go b/upup/pkg/fi/cloudup/awsup/aws_verifier.go
@@ -32,7 +32,6 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -42,6 +41,8 @@ import (
 type AWSVerifierOptions struct {
 	// NodesRoles are the IAM roles that worker nodes are permitted to have.
 	NodesRoles []string `json:"nodesRoles"`
+	// Region is the AWS region of the cluster.
+	Region string
 }
 
 type awsVerifier struct {
@@ -57,7 +58,7 @@ type awsVerifier struct {
 var _ fi.Verifier = &awsVerifier{}
 
 func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
-	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
+	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true).WithRegion(opt.Region)
 	sess, err := session.NewSession(config)
 	if err != nil {
 		return nil, err
@@ -71,13 +72,7 @@ func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
 
 	partition := strings.Split(aws.StringValue(identity.Arn), ":")[1]
 
-	metadata := ec2metadata.New(sess, config)
-	region, err := metadata.Region()
-	if err != nil {
-		return nil, fmt.Errorf("error querying ec2 metadata service (for region): %v", err)
-	}
-
-	ec2Client := ec2.New(sess, config.WithRegion(region))
+	ec2Client := ec2.New(sess, config)
 
 	return &awsVerifier{
 		accountId: aws.StringValue(identity.Account),

diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
@@ -406,6 +406,7 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 			}
 			config.Server.Provider.AWS = &awsup.AWSVerifierOptions{
 				NodesRoles: nodesRoles.List(),
+				Region:     tf.Region,
 			}
 		default:
 			return "", fmt.Errorf("unsupported cloud provider %s", cluster.Spec.CloudProvider)