
AuthFailure in new region

Open Menahem1 opened this issue 2 years ago • 2 comments

AFT Version: 1.6.3

Bug Description: With global customizations I can't access "new" AWS regions like af-south-1 or me-south-1 (inside the account, the region is already activated and I can run the command). For example (in CodePipeline with global customizations in post-api), with:

aws ec2 describe-subnets --region af-south-1

I get: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials

and directly in the account with the credentials it works.

Any idea how this is possible?

Thanks

Menahem1 avatar Sep 14 '22 14:09 Menahem1

AWS Control Tower is not available in these regions. Please see, https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html

hanafya avatar Sep 14 '22 18:09 hanafya

Thanks @hanafya for the answer, but I don't understand how Control Tower intervenes here; it's only AFT with CodePipeline/CodeBuild and an assumed role, no?

Menahem1 avatar Sep 14 '22 19:09 Menahem1

AWS Control Tower is not supported in af-south-1 or me-south-1. Some functionality, such as EnabledControls, will not work in these regions. As such, it is possible that you may experience errors using AFT in these regions.

Specifically addressing your AuthFailure error, this is due to the AWS CLI version that ships with the CodeBuild container image used in the customization pipelines. In v1 of the AWS CLI, STS tokens are generated by default using the global STS endpoint, which fails in opt-in regions.

For more information, please see: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

I've created a backlog to address this with the team.

balltrev avatar Sep 19 '22 21:09 balltrev

Hi @Menahem1,

As of AFT 1.11.0, AFT uses the aws/codebuild/amazonlinux2-x86_64-standard:5.0 container image for CodeBuild jobs, which ships with the AWS CLI v2 by default.

The AWS CLI v2 uses regional endpoints by default so this issue should be resolved for AFT versions 1.11.0+ when using the AWS CLI.

When using AWS SDKs, note that you must set the AWS_STS_REGIONAL_ENDPOINTS=regional envvar for this behavior. See: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

stumins avatar Nov 27 '23 19:11 stumins
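The two maintainer replies above (balltrev's on CLI v1 defaulting to the global STS endpoint, and stumins's on CLI v2 and the AWS_STS_REGIONAL_ENDPOINTS variable) together describe a precondition a customization pipeline can check before it runs anything against an opt-in region. The preflight function below is an added example, not code from AFT or from the thread participants: it takes the `aws --version` string and the AWS_STS_REGIONAL_ENDPOINTS value as inputs so it runs offline, and it assumes that CLI v1 and the SDKs follow the variable (defaulting to legacy) while CLI v2 defaults to regional, as the thread states. The opt-in region list includes the two regions from the issue plus ap-east-1 and eu-south-1; it is illustrative, not exhaustive.

```bash
#!/bin/sh
# Added preflight check for AFT customization steps (example, not AFT's own code).
# It decides whether STS credentials will be issued by a regional endpoint, which
# opt-in regions such as af-south-1 and me-south-1 require, and fails early with a
# clear message instead of a later AuthFailure from the service call.

# Opt-in regions from the issue plus two further known opt-in regions.
# Assumption: this list is illustrative, not a complete inventory.
OPT_IN_REGIONS="af-south-1 me-south-1 ap-east-1 eu-south-1"

# is_opt_in_region REGION -> exit 0 if REGION is in OPT_IN_REGIONS
is_opt_in_region() {
    for r in $OPT_IN_REGIONS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# cli_major VERSION_STRING -> prints the major version from e.g.
# "aws-cli/1.25.0 Python/3.9.11 Linux/4.14" (the format of `aws --version`)
cli_major() {
    printf '%s\n' "$1" | sed -n 's#^aws-cli/\([0-9][0-9]*\)\..*#\1#p'
}

# sts_endpoint_mode VERSION_STRING ENVVAR_VALUE -> prints "regional" or "legacy"
# CLI v2 defaults to regional STS endpoints; CLI v1 and the SDKs follow
# AWS_STS_REGIONAL_ENDPOINTS and fall back to the legacy (global) endpoint.
sts_endpoint_mode() {
    major=$(cli_major "$1")
    if [ "$major" = "2" ]; then
        echo regional
    elif [ "$2" = "regional" ]; then
        echo regional
    else
        echo legacy
    fi
}

# preflight VERSION_STRING ENVVAR_VALUE TARGET_REGION
# exit 0 when the combination will work, 1 when an AuthFailure is expected
preflight() {
    mode=$(sts_endpoint_mode "$1" "$2")
    if is_opt_in_region "$3" && [ "$mode" = "legacy" ]; then
        echo "WARN: $3 is an opt-in region but STS would use the global endpoint;" \
             "export AWS_STS_REGIONAL_ENDPOINTS=regional or use AWS CLI v2" >&2
        return 1
    fi
    return 0
}

# Usage in a CodeBuild step, before any call that targets $TARGET_REGION:
#   preflight "$(aws --version 2>&1)" "${AWS_STS_REGIONAL_ENDPOINTS:-legacy}" "$TARGET_REGION" || exit 1
```

The check is deliberately conservative: a non-opt-in region passes regardless of endpoint mode, because the global endpoint still works there, while an opt-in region only passes when the credentials will come from a regional endpoint.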