
Does this plugin support cross account access? #133

Open
martinmicunda opened this issue Sep 28, 2016 · 10 comments
Comments

@martinmicunda

martinmicunda commented Sep 28, 2016

Hi,

I am trying to publish my files to multiple accounts (e.g. dev, prod); however, when I use this plugin I get an Access Denied error. Does this plugin support an assume-role option to publish the files?

NOTE: when I run the CLI command aws --profile dev s3 sync ./public s3://dev --delete, I can upload the files successfully.

gulpfile

import gulp from 'gulp';
import AWS from 'gulp-awspublish/node_modules/aws-sdk';
import awspublish from 'gulp-awspublish';

AWS.config.credentials.disableAssumeRole = false;
AWS.config.credentials.profile = 'dev';
const publisher = awspublish.create({
    region: 'eu-west-1',
    params: {
        Bucket: `dev`
    },
    credentials: AWS.config.credentials
});

gulp.task('publish', () => {
    return gulp.src('./public')
        .pipe(publisher.publish())
        .pipe(publisher.sync())
        .pipe(awspublish.reporter());
});

config

[default]
region=eu-west-1
output=json

[profile dev]
role_arn=arn:aws:iam::******:role/developer
source_profile=default
mfa_serial=arn:aws:iam::******:mfa/******

[profile prod]
role_arn=arn:aws:iam::******:role/developer
source_profile=default
mfa_serial=arn:aws:iam::******:mfa/******

@mikereinhold

Same issue here, similar config as @martinmicunda

@mikereinhold

See aws/aws-sdk-js#993

Apparently the js sdk doesn't read from an aws config file (such as /.aws/config) for role_arn and source_profile, however they can be read from a credentials file (/.aws/credentials).

Just adding your cross account configurations in the credentials file works as expected. It doesn't seem to be documented anywhere that this configuration is an option (even though it makes sense)...

@martinmicunda

Thanks for the tip @mikereinhold ;)

@martinmicunda

@mikereinhold could you share your settings? I tried to add the cross account configuration in the credentials file but I am still getting an Access Denied error. Thanks

@mikereinhold

@martinmicunda - I am not using MFA on these cross account roles (yet), so maybe that is a problem, but this is what I'm doing:

~/.aws/credentials

[admin]
aws_access_key_id = <access_key>
aws_secret_access_key = <secret key>

[profile_1]
role_arn = arn:aws:iam::redacted_account_1:role/CrossAccountAdminRole1
source_profile = admin

[profile_2]
role_arn = arn:aws:iam::redacted_account_2:role/CrossAccountAdminRole2
source_profile = admin

gulpfile.js

var AWS = require('aws-sdk');
var awspublish = require('gulp-awspublish');

var publisher = awspublish.create({
  region: 'region-id',
  params: {
    Bucket: '...'
  },
  // resolve role_arn / source_profile from the named section of ~/.aws/credentials
  credentials: new AWS.SharedIniFileCredentials({profile: 'profile_2'})
});

@martinmicunda

@mikereinhold yeah, it might be MFA; however, all my roles have to use MFA...

@mikereinhold

@martinmicunda I'm planning on turning on MFA, so this would be a blocking issue for me if MFA is indeed the cause...

I'll update this if I have trouble when I turn it on...

@martinmicunda

@mikereinhold the aws-auth-helper can help you with MFA; it works for me..

@mikereinhold

Interesting, thanks

@martinmicunda

@mikereinhold have you got gulp-awspublish running with MFA? I am using aws-auth-helper on my serverless project with MFA successfully; however, when I try to use MFA with gulp-awspublish I get a 400 Bad Request error, and AWS S3 has plenty of 400 responses so it's really hard to figure out what really causes the issue...
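As an added example (not code from this issue, gulp-awspublish or aws-sdk), a preflight check for the two failure modes discussed above: a role profile that lives only in ~/.aws/config, which the thread reports the JS SDK does not read, and a role step carrying mfa_serial, which cannot be assumed without a token code. It resolves the profile chain from the credentials file only, the way the thread says the SDK does; profile names, account ids and keys are constructed sample values.

```javascript
// Added preflight check (not gulp-awspublish or aws-sdk code): resolve a profile's
// role chain from the credentials file only, as the thread reports the JS SDK does,
// and report why SharedIniFileCredentials would fail. All values are constructed.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line[0] === '#' || line[0] === ';') continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) { current = header[1].trim(); sections[current] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}
// ~/.aws/config names role profiles "[profile dev]"; ~/.aws/credentials uses plain "[dev]".
function checkProfile(credentialsText, configText, profile) {
  const creds = parseIni(credentialsText);
  const config = parseIni(configText);
  const findings = [];
  const chain = [];
  let name = profile;
  while (name) {
    if (chain.includes(name)) { findings.push({ level: 'error', msg: `source_profile cycle at "${name}"` }); break; }
    chain.push(name);
    const p = creds[name];
    if (!p) {
      findings.push({ level: 'error', msg: (config[`profile ${name}`] || config[name])
        ? `profile "${name}" exists only in the config file; put its role_arn/source_profile in the credentials file`
        : `profile "${name}" not found in either file` });
      break;
    }
    if (p.role_arn) {
      if (p.mfa_serial) findings.push({ level: 'warn', msg: `"${name}" requires MFA (${p.mfa_serial}); a token code must be supplied when the role is assumed` });
      if (!p.source_profile) { findings.push({ level: 'error', msg: `"${name}" has role_arn but no source_profile` }); break; }
      name = p.source_profile;             // follow the chain towards the static keys
    } else if (p.aws_access_key_id && p.aws_secret_access_key) {
      name = null;                         // static credentials reached: chain resolves
    } else {
      findings.push({ level: 'error', msg: `"${name}" has neither role_arn nor access keys` }); break;
    }
  }
  return { chain, findings, usable: !findings.some(f => f.level === 'error') };
}
// Constructed sample files reproducing the two setups in the thread.
const CREDENTIALS_KEYS_ONLY = '[default]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = EXAMPLEKEY\n';
const CONFIG_WITH_ROLE = '[default]\nregion=eu-west-1\n\n[profile dev]\nrole_arn=arn:aws:iam::111111111111:role/developer\nsource_profile=default\nmfa_serial=arn:aws:iam::111111111111:mfa/alice\n';
const CREDENTIALS_WITH_ROLE = CREDENTIALS_KEYS_ONLY + '\n[dev]\nrole_arn = arn:aws:iam::111111111111:role/developer\nsource_profile = default\n';
```

Running checkProfile(CREDENTIALS_KEYS_ONLY, CONFIG_WITH_ROLE, 'dev') reports the config-file-only error from the first post, while checkProfile(CREDENTIALS_WITH_ROLE, CONFIG_WITH_ROLE, 'dev') resolves dev -> default cleanly.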
