aws-vault
STS fails due to missing region after upgrade to v6.5.0
After upgrading to v6.5.0 I get the following error when trying to create a session:
aws-vault: error: exec: Failed to get credentials for mindhive-ops: operation error STS: GetSessionToken, failed to resolve service endpoint, an AWS region is required, but was not found
I have worked around this by adding the following to my .aws/config:
[default]
region=ap-southeast-2
But that obviously could affect all of my profiles in some way.
Was this intended? That I need to explicitly set a region now?
- [X] I am using the latest release of AWS Vault
- [X] I have provided my .aws/config (redacted if necessary)
- [X] I have provided the debug output using aws-vault --debug (redacted if necessary)
Debug output:
$ aws-vault --debug exec mindhive-ops -- echo hello
2022/02/17 07:54:21 aws-vault v6.5.0
2022/02/17 07:54:21 Loading config file /Users/damon/.aws/config
2022/02/17 07:54:21 Parsing config file /Users/damon/.aws/config
2022/02/17 07:54:21 [keyring] Considering backends: [keychain]
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 profile mindhive-ops: using stored credentials
2022/02/17 07:54:21 profile mindhive-ops: using GetSessionToken
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,bWluZGhpdmUtb3Bz,,-62135596800", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] No results found
aws-vault: error: exec: Failed to get credentials for mindhive-ops: operation error STS: GetSessionToken, failed to resolve service endpoint, an AWS region is required, but was not found
.aws/config:
[default]
s3=
  use_accelerate_endpoint = true
  max_concurrent_requests = 15
[profile dev]
[profile mindhive-ops]
[profile *****]
source_profile=mindhive-ops
role_arn=arn:aws:iam::******:role/ops
role_session_name=******
region=us-east-1
Interesting, perhaps this is due to the upgrade of the AWS SDK #769.
Is a config without a region valid? What region should it default to?
Maybe related? We're getting consistent MFA token errors at least with regions eu-north-1 & eu-south-1:
An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed with invalid MFA one time pass code.
All other regions I've tested have worked fine (I tested all of eu & some random us regions). Versions older than 6.5.0 also work fine.
Yes, I'm seeing the same MFA error (eu-north-1). It used to work.
I have been using 6.5.0-Homebrew for a long time without any issue.
It might be a temporary issue with AWS STS.
Because I used the eu-north-1 region last week with no problem. I just wanted to test it again when I saw this issue.
But as of Fri Apr 8 15:43:15 UTC 2022 it is not working. I switched to eu-west-1 to make it work in .aws/config temporarily then set the region eu-north-1
Similar comment to those above: I was getting MultiFactorAuthentication failed with invalid MFA one time pass code. in us-west-2, but I temporarily switched to us-east-1 with the AWS_REGION env variable and the request came back successful.
After that, any subsequent requests made to us-west-2 were successful for me.
Today eu-north-1 based configuration works again so I'm willing to believe that the issue is originating from AWS services.
Encountered the same problem with v6.6.0.
Resolved this issue by downgrading to v6.3.1 temporarily.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I just experienced the exact same issue as the original poster.
No one here has yet stated what they expect the behaviour to be when a region is not specified. Is there a particular region aws-vault should default to? And why?
@mtibben The issue isn't that there is no region specified. The issue is that the region specified under the profile doesn't count. One must specify the default region, despite the region being specified for the profile.
@jaitaiwan No that's not what the issue demonstrates. The profile in question here is mindhive-ops. The "workaround" was to specify a default region.
So this issue is about when a region cannot be determined from the config.
My question remains - what do you expect aws-vault to do without a region?
@mtibben It wasn't mentioned when I originally posted the issue but I was trying to use the "*****" (name hidden) profile which has source_profile=mindhive-ops. That ***** profile does have a region specified but because the source profile doesn't have a region aws-vault exec **** ... was failing.
I would think the region from the target profile should be used in this situation.
@damonmaria can you provide full --debug output for that scenario? That isn't what is being shown above...
You are right @mtibben. The scenario I described above is not an issue in the current version of aws-vault I am using.
The --debug output above was not using an assume role profile and would have had no region specified. I guess aws-vault used to have a default. That it doesn't anymore I presume is OK.
I am happy to close this issue.
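
A pre-upgrade check for the failure discussed in this thread, as an added example that is not part of any comment or of aws-vault itself: it parses an AWS config and lists the profiles for which no region can be resolved. The lookup order (AWS_REGION, then the profile's own region, then [default]) is an assumption drawn from the workarounds mentioned above; the function names, the ops-role profile name and the account id are placeholders.

```python
import configparser

# Constructed sample shaped like the config in the issue; "ops-role" and the
# account id stand in for the redacted values.
SAMPLE_CONFIG = """\
[default]
s3=
  use_accelerate_endpoint = true
  max_concurrent_requests = 15
[profile dev]
[profile mindhive-ops]
[profile ops-role]
source_profile=mindhive-ops
role_arn=arn:aws:iam::000000000000:role/ops
region=us-east-1
"""


def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    parser = configparser.RawConfigParser()  # raw: no % interpolation
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        # Named profiles are written "[profile NAME]"; "[default]" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name.strip()] = dict(parser.items(section))
    return profiles


def resolve_region(profiles, name, env=None):
    """Return (region, origin), or (None, None) when nothing supplies a region.

    Assumed order: AWS_REGION, the profile's own region, then [default].
    """
    env = env or {}
    if env.get("AWS_REGION"):
        return env["AWS_REGION"], "env:AWS_REGION"
    for candidate in (name, "default"):
        region = profiles.get(candidate, {}).get("region")
        if region:
            return region, candidate
    return None, None


def unresolved_profiles(profiles, env=None):
    """Names of profiles that would reach STS with no region set."""
    return sorted(n for n in profiles if resolve_region(profiles, n, env)[0] is None)


if __name__ == "__main__":
    print(unresolved_profiles(load_profiles(SAMPLE_CONFIG)))
```

Pass `os.environ` as `env` to account for a region exported in the shell the command runs from.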