
pubsys: use base region for contacting STS #1064

Merged
merged 1 commit into from
Aug 23, 2020

Conversation

zmrow
Contributor

@zmrow zmrow commented Aug 23, 2020

The region used for the base credentials provider should be the one in which
you want to talk to STS to get temporary credentials, not the region in which
you want to talk to a service endpoint like EC2.  This is needed because you
may be assuming a role in an opt-in region from an account that has not
opted-in to that region, and you need to get session credentials from an STS
endpoint in a region to which you have access in the base account.

Note: this uses the first region in the given region list to talk to STS, the same way we use the first region to register an AMI and copy out from that region. I think we should have a separate discussion about whether these belong in separate settings, like base_region perhaps, since there has been some confusion about the region list.

Testing done:

  • Reconfirmed ami, ami-public, and ami-private in standard regions.
  • Confirmed that clients built with the updated method can now talk to services in opt-in regions from non-opted-in accounts. Before, you'd get an InvalidClientTokenId 403 error.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
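The region split described in this PR, as an added stand-alone illustration rather than pubsys's own code: the first region in the list is where the base credentials talk to STS (and where the AMI is registered and copied out from), while the assumed-role session talks to the service endpoint in the target region. The OPT_IN_REGIONS list is a constructed, non-exhaustive sample used only to flag the failure mode where the base account would need to be opted in to reach STS at all.

```rust
use std::collections::HashSet;

/// Constructed sample of regions that require explicit opt-in; an account that
/// has not opted in cannot use its own credentials against STS in these regions.
const OPT_IN_REGIONS: &[&str] = &["af-south-1", "ap-east-1", "eu-south-1", "me-south-1"];

#[derive(Debug, PartialEq)]
pub struct RegionPlan {
    /// Region whose STS endpoint receives the AssumeRole call made with base credentials.
    pub sts_region: String,
    /// Region the AMI is registered in and copied out from (same first-region rule).
    pub ami_source_region: String,
    /// Regions the registered AMI is copied to.
    pub ami_copy_regions: Vec<String>,
    /// Region of the service endpoint (e.g. EC2) the assumed-role session talks to.
    pub service_region: String,
    /// True when the base account itself would have to be opted in to reach STS.
    pub sts_region_is_opt_in: bool,
}

/// Derive STS, AMI and service regions from the configured region list.
pub fn plan_regions(regions: &[&str], service_region: &str) -> Result<RegionPlan, String> {
    let first = *regions.first().ok_or("region list must not be empty")?;
    if !regions.contains(&service_region) {
        return Err(format!("service region {} is not in the region list", service_region));
    }
    let opt_in: HashSet<&str> = OPT_IN_REGIONS.iter().copied().collect();
    Ok(RegionPlan {
        sts_region: first.to_string(),
        ami_source_region: first.to_string(),
        ami_copy_regions: regions[1..].iter().map(|r| r.to_string()).collect(),
        service_region: service_region.to_string(),
        sts_region_is_opt_in: opt_in.contains(first),
    })
}

/// Regional STS endpoint the AssumeRole call is sent to.
pub fn sts_endpoint(region: &str) -> String {
    format!("https://sts.{}.amazonaws.com", region)
}

fn main() {
    match plan_regions(&["us-west-2", "af-south-1"], "af-south-1") {
        Ok(p) => println!("AssumeRole via {}, then call EC2 in {}", sts_endpoint(&p.sts_region), p.service_region),
        Err(e) => eprintln!("error: {}", e),
    }
}
```

If `sts_region_is_opt_in` is true for a base account that has not opted in, the STS call itself fails, which is the case the region list ordering is meant to avoid.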

@tjkirch tjkirch merged commit 10d0e7d into bottlerocket-os:develop Aug 23, 2020
4 participants