Failures when trying against a us-gov based region #148
Comments
Hi, thanks for the info. We initially created the tool to work with the Public AWS partition and didn't think about other ones. The issue might also occur in AWS China.
Hi dudes. Yes, the same thing occurs in China regions (cn-north-1 and cn-northwest-1). I'm trying to map all the points of failure and contact a friend with an account in one of those regions. I have no specific deadline to finish this, but I'll try to update the issue this week. Thank you for the info.
I think the best solution to that problem will be to be able to pass two profiles:
We should detect if a region in a profile is outside of the Although it will solve GovCloud partition, China partition can be problematic as users of AWS China usually have one account (for operations within that country). I also need to research more what happens with global services like IAM or if in case of services outside main partition, it's possible to skip checks and necessary calls to
#148 added support for other partitions (govcloud, iso, isob, cn)
When using a profile that is in a GovCloud region (us-gov-east-1, us-gov-west-1), this fails in a number of different places.
When constructing an ssm client to pull the global configuration, it is true that it needs to use the us-east-1 region. However, if that's not the region selected or in the profile, it fails because the ssm global parameters /aws/service/global-infrastructure aren't available IN the us-gov regions. The data are available at /aws/service/global-infrastructure/us-gov-west-1/ (and east).
One cannot jump between regions in the same profile because they are different accounts. It appears that to use a GovCloud region, two profiles need to be specified: one for non-gov (us-east-1, for example) and a second one for gov (in either gov region). Each GovCloud comes with two accounts, one EastWest (non-gov regions) and one Gov (us-gov regions).
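The two-profile idea raised in this thread, as an added sketch that is not the project's own code: it infers the partition from the region name and refuses to plan a `us-east-1` lookup with credentials from another partition. `Profile`, `plan_sessions`, `PartitionMismatch` and the profile names are hypothetical, and the prefix-to-partition table is an assumption based on current AWS region naming.

```python
# Added illustration, not code from the project in this issue.
from dataclasses import dataclass
from typing import Optional

# Assumption: partition inferred from region-name prefix (current AWS naming).
_PREFIXES = (
    ("us-gov-", "aws-us-gov"),
    ("cn-", "aws-cn"),
    ("us-isob-", "aws-iso-b"),
    ("us-iso-", "aws-iso"),
)


def partition_for(region: str) -> str:
    """Return the partition a region belongs to; default is commercial 'aws'."""
    for prefix, partition in _PREFIXES:
        if region.startswith(prefix):
            return partition
    return "aws"


@dataclass(frozen=True)
class Profile:  # hypothetical stand-in for a named credentials profile
    name: str
    region: str


class PartitionMismatch(ValueError):
    """Raised instead of sending credentials to a partition that rejects them."""


def plan_sessions(target: Profile, commercial: Optional[Profile] = None,
                  global_region: str = "us-east-1") -> dict:
    """Pick (profile, region) for the resource scan and for the global lookup."""
    scan = (target.name, target.region)
    part = partition_for(target.region)
    if part == "aws":
        # One account covers both calls; only the region changes.
        return {"partition": part, "scan": scan,
                "global_lookup": (target.name, global_region)}
    if commercial is None or partition_for(commercial.region) != "aws":
        raise PartitionMismatch(
            f"{target.name} is in partition {part}; the lookup in "
            f"{global_region} needs a separate commercial-partition profile")
    return {"partition": part, "scan": scan,
            "global_lookup": (commercial.name, global_region)}
```

With a single China-partition profile and no commercial one, the plan fails with an explicit error rather than a credential rejection deep inside a client call.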