Invalid Profile with EC2InstanceMetadata #95

Closed
Chainbreaker1 opened this issue Feb 21, 2020 · 9 comments

@Chainbreaker1 Chainbreaker1 commented Feb 21, 2020

Hi,

I'm trying to get awsume to work on an ec2 machine. This machine has an assigned Role from which I would like to switch to other roles. In the aws cli everything works with the --profile argument, but awsume logs "AWSume error: Invalid profile".

My profile looks like:
[profile int]
role_arn = arn:aws:iam::1234567890:role/SomeOtherRole
credential_source = Ec2InstanceMetadata
output = json
region = eu-central-1

So there is no AccessKey in the profile, because the ec2 Instance profile should be the source of aws access management.

Am I missing something, or is this a bug/missing feature?


@kirnberger1980 kirnberger1980 commented Feb 21, 2020

It would be nice to have this feature for me as well.


@goyertp goyertp commented Feb 21, 2020

Need this Feature really hard!

Member

@mbarneyjr mbarneyjr commented Feb 24, 2020

Howdy!

Thanks for bringing this issue to our attention.

This issue should be resolved with 4.2.5; feel free to re-open if you have other issues.

Author

@Chainbreaker1 Chainbreaker1 commented Feb 25, 2020

Hi mbarneyjr,

ty for your quick reply. Sadly the changes did not do the trick:

configuration:

[default]
credential_source = Ec2InstanceMetadata
region = eu-central-1
output = json

[profile int]
role_arn = arn:aws:iam::1234567890:role/SomeOtherRole
credential_source = Ec2InstanceMetadata
output = json
region = eu-central-1

awsume -v
4.2.5

awsume -l
Listing...

======================AWS Profiles=====================
PROFILE  TYPE  SOURCE  MFA?  REGION        ACCOUNT
default  User  None    No    eu-central-1  Unavailable
int      Role  None    No    eu-central-1  123456789

awsume int
Awsume error: Invalid profile None Missing keys aws_access_key_id, aws_secret_access_key

Member

@mbarneyjr mbarneyjr commented Feb 26, 2020

Hmmm, something must be wrong with your installation.

If you build a docker image from this Dockerfile and run awsume int, you should see the error "unable to locate credentials":

FROM python:latest

RUN pip install awsume

RUN mkdir ~/.aws
RUN echo "[profile int]" >> ~/.aws/config
RUN echo "role_arn = arn:aws:iam::1234567890:role/SomeOtherRole" >> ~/.aws/config
RUN echo "credential_source = Ec2InstanceMetadata" >> ~/.aws/config
RUN echo "output = json" >> ~/.aws/config
RUN echo "region = eu-central-1" >> ~/.aws/config

Author

@Chainbreaker1 Chainbreaker1 commented Feb 26, 2020

I got it to work with the int profile. The problem was the default profile which has no role. You can reproduce it when you remove the role_arn line in the int profile. The intention here was to not do a role switch but use the currently assigned role.
This works with the aws cli, so it might be a bug in awsume.

Member

@mbarneyjr mbarneyjr commented Feb 26, 2020

Awsume is going to delegate to the awscli or sdks when Environment, EcsContainer, or Ec2InstanceMetadata is in a role profile, since all of the implementation to read from those things is available in the cli or sdks.

If you aren't trying to awsume a role with the Ec2InstanceMetadata, then any awscli calls you make with or without --profile int will use the same credentials (assuming you haven't set your aws environment variables to something else, see the configuration precedence section in this doc). With that being the case, awsume int wouldn't change anything (except for maybe the AWS_PROFILE_NAME variable, but using the cli/sdk would function the same without that). Regardless, I'll mark this down as a bug to fix since it's a valid profile to the awscli.

@mbarneyjr mbarneyjr reopened this Feb 26, 2020
@mbarneyjr mbarneyjr added the bug label Feb 26, 2020
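
The profile validation discussed in the comments above can be sketched as follows. This is an added example, not awsume's code and not part of the original thread: it classifies profiles so that one with a credential_source is accepted without static keys, with or without a role_arn. The function names, result labels and the "broken" profile are hypothetical, and exact-case matching of credential_source values is an assumption.

```python
import configparser

# credential_source values named in the thread; exact-case matching is assumed.
DELEGATED_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")

# Constructed sample mirroring the configuration posted in the thread,
# plus a hypothetical "broken" profile that really is missing credentials.
SAMPLE_CONFIG = """
[default]
credential_source = Ec2InstanceMetadata
region = eu-central-1

[profile int]
role_arn = arn:aws:iam::1234567890:role/SomeOtherRole
credential_source = Ec2InstanceMetadata
region = eu-central-1

[profile broken]
region = eu-central-1
"""

def classify_profile(profile):
    """Return (kind, missing_keys) for one profile's key/value mapping."""
    source = profile.get("credential_source")
    if source is not None and source not in DELEGATED_SOURCES:
        return ("invalid-credential-source", [])
    has_role = "role_arn" in profile
    if source:
        # No static keys expected: the CLI/SDK provider chain supplies them.
        return ("role-delegated" if has_role else "delegated", [])
    if has_role:
        # Simplified: other role sources (e.g. web identity) are not modelled.
        if "source_profile" in profile:
            return ("role-from-profile", [])
        return ("invalid", ["source_profile or credential_source"])
    missing = [k for k in STATIC_KEYS if k not in profile]
    return ("invalid", missing) if missing else ("static-keys", [])

def classify_config(text):
    """Classify every profile in an AWS config file given as a string."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        result[name] = classify_profile(dict(parser[section]))
    return result

if __name__ == "__main__":
    print(classify_config(SAMPLE_CONFIG))
```

Run against a real ~/.aws/config, the same check shows which profiles rely on instance or container credentials and which still carry long-lived access keys on disk.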
Member

@mbarneyjr mbarneyjr commented Mar 1, 2020

I've pushed a pre-release that should resolve this issue. Try installing awsume==4.2.7a1 and let me know if you're still experiencing issues.

Member

@mbarneyjr mbarneyjr commented Mar 8, 2020

Deploying to awsume==4.2.7, feel free to open if you still have issues!
