This repository has been archived by the owner on Feb 11, 2022. It is now read-only.
Add support for account switching roles #536
Comments
This is not the same as using .aws/config and .aws/credentials, but I can use this plugin successfully with an assumed role by making sure these vars are set in my environment: export AWS_ACCESS_KEY_ID=XXX (they come from the aws sts assume-role command)

I tried this just recently and had trouble with identification, the error message being
Did you encounter the same issue? I can provide a full debug log if it helps.

I think you have accidentally mixed up the values of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Would love to see this addressed.
Here's a way to do this in the Vagrantfile:

```ruby
require "iniparse"
require "json" # needed for JSON.parse below

def get_role_creds(profile, session_name)
  # Run aws sts assume-role to get temporary creds for the assumed role
  data = File.read(File.join(ENV['HOME'], '.aws', 'config'))
  aws_config = IniParse.parse(data)
  profile_config = aws_config['profile ' + profile]
  role_arn = profile_config['role_arn']
  # Pass the arguments as an array so the ARN is never interpolated into a shell string
  json = IO.popen(['aws', 'sts', 'assume-role', '--role-arn', role_arn,
                   '--role-session-name', session_name], &:read)
  session_data = JSON.parse(json)
  creds = session_data['Credentials']
  return creds
end

Vagrant.configure("2") do |config|
  config.vm.box = "dummy"
  aws_profile = 'myprofile'
  aws_session_name = 'my_session_name_vagrant'
  creds = get_role_creds(aws_profile, aws_session_name)
  config.vm.provider :aws do |aws, override|
    aws.region = "us-west-2"
    # Temporary credentials from the assumed role: all three values are required
    aws.access_key_id = creds['AccessKeyId']
    aws.secret_access_key = creds['SecretAccessKey']
    aws.session_token = creds['SessionToken']
    # ...
  end
end
```
Trying to use this at work, we're unable to use our existing access keys, since they come from an AWS account which only has IAM users and little else. These users are then granted the ability to assume roles in different accounts where they can manage resources related to this account. The typical setup of ~/.aws/config and ~/.aws/credentials is something along the lines of...

~/.aws/credentials

~/.aws/config

Just this setup (which is what I'm using for everything aws cli), with

aws.aws_profile = "dev"

gives me a

~/.vagrant.d/gems/2.4.3/gems/vagrant-aws-0.7.2/lib/vagrant-aws/config.rb:537:in `read_aws_files': undefined method `[]' for nil:NilClass (NoMethodError)

and it appears like credentials needs to have a matching section for the profile. Putting my shared key in a [dev] section in ~/.aws/credentials, ending up with

~/.aws/credentials

~/.aws/config

gets me to...

...
Subnet ID not found

, suggesting that it's not trying to create the instance in the dev account, but rather in the shared account. Haven't dug into the code and not sure if this is a bug, feature or a lacking feature :)
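A resolver for the profile layout described in this issue, added here as an example that is not part of the issue or of vagrant-aws: it reads a role profile from config, follows source_profile into the credentials file, and raises with the missing section's name instead of the bare NoMethodError. The file contents, profile names and ARN are constructed, and the `command` array is only built, not executed.

```ruby
# Constructed sample files (not from the issue): a role profile in config
# whose source_profile points at static keys in the credentials file.
SAMPLE_CONFIG = <<~INI
  [profile dev]
  role_arn = arn:aws:iam::111111111111:role/Developer
  source_profile = shared
  region = us-west-2
INI
SAMPLE_CREDENTIALS = <<~INI
  [shared]
  aws_access_key_id = AKIAEXAMPLE
  aws_secret_access_key = EXAMPLESECRET
INI

# Minimal INI reader for the AWS shared files: { "section" => { key => value } }.
def parse_aws_ini(text)
  sections, current = {}, nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1].strip
      sections[current] ||= {}
    elsif current && line.include?("=")
      key, value = line.split("=", 2).map(&:strip)
      sections[current][key] = value
    end
  end
  sections
end

# Resolve a profile the way the CLI does: a role profile needs a source_profile
# with static keys in credentials; a plain profile needs its own section there.
# A missing section raises with its name instead of a bare NoMethodError.
def resolve_profile(config_text, credentials_text, profile)
  cfg   = parse_aws_ini(config_text)["profile #{profile}"] || {}
  creds = parse_aws_ini(credentials_text)
  unless cfg["role_arn"]
    static = creds[profile] or raise "credentials has no [#{profile}] section"
    return { static_keys: static }
  end
  source = cfg["source_profile"] or raise "profile #{profile}: role_arn needs source_profile"
  creds[source] or raise "credentials has no [#{source}] section for source_profile"
  { role_arn: cfg["role_arn"], source_profile: source,
    # argv form, so the ARN is never interpolated into a shell command line
    command: ["aws", "sts", "assume-role", "--profile", source,
              "--role-arn", cfg["role_arn"], "--role-session-name", "vagrant"] }
end
```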