Does not support AssumeRole or MFA profiles #44
Comments
@phene could you capture in this issue more details on how the profile with assume role is set up? |
Please see the Using IAM Roles section of AWS CLI configuration guide. The |
We have the same needs and same issues. |
+1 to this |
Assume role would require full support for boto (right?), which seems a bit large a dependency to add into awscurl, as assume role just replaces env variables with the ones corresponding to the role. Have you considered just running as shown in: https://gist.github.com/brianredbeard/035ee1419bc38a0e2d854fb828d585d7
|
I do not think boto is a big dependency - or let me rephrase it - a problematic one. Chances are, when you use awscurl, you already have boto installed along with botocore etc. This way awscurl could simplify its codebase and leverage the official SDK's config/env/profile readers and MFA and cross roles. |
so trying to understand value proposition, if you have boto installed why use awscurl? |
The AWS CLI does not make it easy to create signed requests to Elasticsearch. That is the sole reason I use awscurl. |
The issue was partially fixed by #63.
AWS_PROFILE=my-mfa-profile-with-assume-role awscurl $MY_HOST/test/v1/url
but doesn't work with CLI arg:
awscurl --profile my-mfa-profile-with-assume-role $MY_HOST/test/v1/url
Traceback (most recent call last):
  File "/Users/myuser/Library/Python/2.7/bin/awscurl", line 8, in <module>
    sys.exit(main())
  File "/Users/myuser/Library/Python/2.7/lib/python/site-packages/awscurl/awscurl.py", line 501, in main
    inner_main(sys.argv[1:])
  File "/Users/myuser/Library/Python/2.7/lib/python/site-packages/awscurl/awscurl.py", line 471, in inner_main
    args.profile)
  File "/Users/myuser/Library/Python/2.7/lib/python/site-packages/awscurl/awscurl.py", line 393, in load_aws_config
    access_key, secret_key, security_token = cred.access_key, cred.secret_key, cred.token
AttributeError: 'NoneType' object has no attribute 'access_key'
|
Following up on #44 (comment) and #44 (comment): Until #102 is merged, you can do the following to invoke
Assuming roles in AWS and dealing with permissions gets complicated quickly. So, don't forget about using |
Note: the AWS_PROFILE workaround above doesn't appear to work for the external credential_process case where the profile in
Running:
Results in:
|
I was going to open this as a separate issue "Using aws-adfs credentials only works with 0.27" but when researching related tickets was unsure if this is useful as a separate bug as it introduces very little new information.

TLDR: This was working with 0.27. I started using awscurl a short while ago when 0.27 was the current version which was installed. After upgrading to 0.29 today, my workflow broke.

What does the credential setup look like?

Using aws-adfs (https://github.com/venth/aws-adfs), logging in to a "federated role" in AWS account A and then using entries in ~/.aws/config to assume working roles in different accounts (B).

aws-adfs puts temporary credentials into

This is the awscurl command I use to test:

This whole situation seems quite complex, I found a number of related issues:
It was quite surprising to me that setting the |
@erpel wow - thanks for detailed report! I’ll have another look |
Are there any plans to fix this? It is almost unusable without assumeRoles being supported. |
It would probably be a very easy fix to introduce a new flag to "force" usage of |
@erpel yes, PR, welcome -- I will have a look at integrating that. |
Take a look at #172 please. It looks like there might be a possibility of more workflows working out of the box without a dedicated flag. |
@okigan any update on this matter? We miss this functionality too. |
@ikarlashov some progress, botocore is becoming a standard dependency for awscurl (which was a blocker, #205). Now that probably does not fully solve this issue, but I am a bit concerned about merging the PR from @erpel, as I have not tested this recently and it is unclear if it breaks other users. Open to ideas. |
Maybe we can collect common and supported combinations of configs and access settings and configs. Use that to build a suite of (semi) automated tests to verify that no known setup is broken. The hard part about this could be having access to AWS accounts with all the different setups. |
AWSCurl does not support profiles that assume role (for cross-account access) or MFA.
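
The profiles this thread is about typically hold no static keys of their own: they point at a role, a source profile, an MFA device or an external process. An added example (not awscurl's code and not from any commenter) that walks config text in the `~/.aws/config` format and reports how each profile's credentials have to be obtained; the sample config, profile names, account id and helper path are constructed, and treating any repeated `source_profile` as a loop is a simplification.

```python
import configparser

# Constructed sample in the ~/.aws/config format. Profile names, the account
# id, the key id and the helper path are made up for illustration.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile base]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret

[profile cross-account]
role_arn = arn:aws:iam::111122223333:role/example-role
source_profile = base
mfa_serial = arn:aws:iam::111122223333:mfa/example-user

[profile external]
credential_process = /usr/local/bin/example-helper
"""

def load_profiles(text):
    """Parse config text into {profile_name: {key: value}}."""
    parser = configparser.RawConfigParser()  # no % interpolation of values
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name.strip()] = dict(parser.items(section))
    return profiles

def classify(profiles, name, _seen=()):
    """Return the credential steps for a profile, outermost first."""
    if name in _seen:  # simplification: any repeated profile counts as a loop
        raise ValueError("source_profile loop at %r" % name)
    p = profiles[name]  # KeyError if the profile is missing
    if "role_arn" in p:
        step = "assume-role+mfa" if "mfa_serial" in p else "assume-role"
        if "source_profile" in p:
            return [step] + classify(profiles, p["source_profile"], _seen + (name,))
        return [step, "credential_source:" + p.get("credential_source", "missing")]
    if "credential_process" in p:
        return ["credential_process"]
    return ["static-keys"] if "aws_access_key_id" in p else ["none"]

def needs_sdk_resolution(profiles, name):
    """True when a tool must call STS or a helper instead of reading keys."""
    return classify(profiles, name) != ["static-keys"]
```

A tool that only reads `aws_access_key_id` and `aws_secret_access_key` from a profile can use this kind of check to report which step it cannot perform, rather than failing later on an empty credential object.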