Failures when trying against a us-gov based region #148

Open
dbadrak opened this issue Aug 14, 2020 · 4 comments · Fixed by #163

@dbadrak

dbadrak commented Aug 14, 2020

When using a profile that is in a GovCloud region (us-gov-east-1, us-gov-west-1), this fails in a number of different places.

When constructing an ssm client to pull the global configuration, it is true that it needs to use the us-east-1 region. However, if that's not the region selected or in the profile, it fails because the ssm global parameters /aws/service/global-infrastructure aren't available IN the us-gov regions. The data are available at /aws/service/global-infrastructure/us-gov-west-1/ (and east).

One cannot jump between regions in the same profile because they are different accounts. It appears that to use a GovCloud region, two profiles need to be specified: one for non-gov (us-east-1, for example) and a second one for gov (in either gov region). Each GovCloud comes with two accounts, one EastWest (non-gov regions) and one Gov (us-gov regions).

@meshuga
Member

meshuga commented Aug 15, 2020

Hi, thanks for the info. We initially created the tool to work with the Public AWS partition and didn't think about other ones. The issue might also occur in AWS China.

@leandrodamascena
Member

Hi dudes. Yes, the same thing occurs in China regions (cn-north-1 and cn-northwest-1).

I'm trying to map all the points of failure and contact a friend with an account in one of those regions. I have no idea of a specific deadline to finish this, but I'll try to update the issue this week.

Thank you for the info.

@meshuga
Member

meshuga commented Nov 16, 2020

I think the best solution to that problem will be to be able to pass two profiles:

  1. --profile profile-name as the main profile, that can point to a region in any partition
  2. --aws-partition-profile profile-name as a profile that resides in the main AWS partition (partition aws), so that we are able to connect to SSM.

We should detect if a region in a profile is outside of the aws partition and, if it is, throw an error and ask the user to pass an additional profile in the --aws-partition-profile parameter.

Although it will solve the GovCloud partition, the China partition can be problematic, as users of AWS China usually have one account (for operations within that country).

I also need to research further what happens with global services like IAM, or whether, for services outside the main partition, it's possible to skip checks and the necessary calls to the us-east-1 region.
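
One way to implement the two-profile check proposed in the comment above, added here as an example; it is not the project's code and not written by any participant in this thread. The --region flag, the prefix-based partition mapping and the function names are assumptions made for illustration.

```python
import argparse
from typing import NamedTuple, Optional

# Prefix rule for the two non-default partitions named in this thread.
PARTITION_PREFIXES = (("us-gov-", "aws-us-gov"), ("cn-", "aws-cn"))
GLOBAL_SSM_REGION = "us-east-1"  # region the thread uses for the global SSM lookup


class SsmTarget(NamedTuple):
    profile: str
    region: str


def partition_for_region(region: str) -> str:
    """Return the partition a region name belongs to (default: aws)."""
    for prefix, partition in PARTITION_PREFIXES:
        if region.startswith(prefix):
            return partition
    return "aws"


def resolve_ssm_target(profile: str, region: str,
                       partition_profile: Optional[str]) -> SsmTarget:
    """Choose the profile and region for /aws/service/global-infrastructure."""
    partition = partition_for_region(region)
    if partition == "aws":
        # Main partition: the scanning profile can query us-east-1 itself.
        return SsmTarget(profile, GLOBAL_SSM_REGION)
    if not partition_profile:
        raise ValueError(
            f"region {region} is in partition {partition}; pass a profile "
            "from the aws partition in --aws-partition-profile")
    if partition_profile == profile:
        # Accounts differ per partition, so one profile cannot serve both.
        raise ValueError("--aws-partition-profile must differ from --profile")
    return SsmTarget(partition_profile, GLOBAL_SSM_REGION)


def plan(argv: list) -> SsmTarget:
    """Parse the two-profile command line and resolve the SSM target."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--profile", required=True)
    parser.add_argument("--region", required=True)  # hypothetical flag
    parser.add_argument("--aws-partition-profile", default=None)
    args = parser.parse_args(argv)
    return resolve_ssm_target(args.profile, args.region,
                              args.aws_partition_profile)
```

The returned profile and region are what a caller would hand to its SSM client; the scan itself keeps using the main profile.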

@leandrodamascena
Member

@dbadrak hey friend! @meshuga opened a PR to fix this and I merged it. Can you clone/update the repository and try again? Thank you so much.
