Assuming role configured in AWS profile does not work outside of aws partition (China, US Gov Cloud, etc.) #861
Comments
To add to this, when I enable IMDS authentication I seem to be able to find the correct endpoint, but when I disable IMDS versions v1 and v2 the failure occurs!

Thanks for the bug report, @csy97. Yes, it looks like a bug. Specifically, it looks like assuming a role is not working outside of the global regions - i.e. China, US Gov Cloud. We'll continue looking into this - I'll provide an update soon.
Hello, I noticed that this aws-c-auth seems to have fixed the problem and the project has updated the branch information for the crt dependency. I would like to enquire when the new binary/rpm version of mount-s3 will be released!

Hi @csy97, we have integrated the fix and we are adding integration tests for it. We plan to include it in the next release, but we cannot share a date for it yet.
Hey @csy97. For this issue, we recommend that you put the configuration for the AWS profile in your AWS config file (typically For instance, we'd recommend this:

```ini
# in ~/.aws/config
# "profile" below is important
[profile bwmtest2]
output=json
region=cn-northwest-1
role_arn=arn:aws-cn:iam::714736990101:role/s3fullrole
source_profile=default
```

```ini
# in ~/.aws/credentials
[default]
aws_access_key_id = ak
aws_secret_access_key = sk
```

The benefit here is that you could share the config file and avoid sharing the credentials file. I've just tested this use case in cn-north-1 with mountpoint-s3 v1.7.0 released today, storing the profile in a config file and credentials in a credentials file and it worked OK. Storing the profile configuration in the credentials file does not work, and we would not recommend it. I'll close this issue for now, please re-open if you are still having issues.
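A preflight check for the profile layout discussed in this thread, as an added example (not code from Mountpoint or its maintainers): it flags `role_arn` stored in the credentials file and derives the regional STS host a role-assuming profile should reach, which can then be compared with what a packet capture shows. The function names, the partition table and the sample profile values are assumptions made for the illustration.

```python
import configparser

# Region prefix -> (partition, DNS suffix) for the non-global partitions.
PARTITIONS = {"cn-": ("aws-cn", "amazonaws.com.cn"),
              "us-gov-": ("aws-us-gov", "amazonaws.com")}

def partition_for_region(region):
    for prefix, info in PARTITIONS.items():
        if region.startswith(prefix):
            return info
    return ("aws", "amazonaws.com")

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def lint_profiles(config_text, credentials_text):
    """Return (findings, {profile: expected regional STS host})."""
    findings, hosts = [], {}
    creds = _parse(credentials_text)
    for section in creds.sections():
        if creds.has_option(section, "role_arn"):
            findings.append(f"{section}: role_arn belongs in the config file, not credentials")
    config = _parse(config_text)
    for section in config.sections():
        if not config.has_option(section, "role_arn"):
            continue
        name = section[len("profile "):] if section.startswith("profile ") else section
        if name == section and name != "default":
            findings.append(f"{name}: config section must be [profile {name}]")
        region = config.get(section, "region", fallback="")
        partition, suffix = partition_for_region(region)
        arn_partition = config.get(section, "role_arn").split(":")[1]
        if not region or arn_partition != partition:
            findings.append(f"{name}: region {region or '(unset)'} is not in partition {arn_partition}")
            continue
        hosts[name] = f"sts.{region}.{suffix}"
    return findings, hosts

# Constructed sample files (placeholder account ID, role name and keys).
GOOD_CONFIG = ("[profile example]\n"
               "region = cn-northwest-1\n"
               "role_arn = arn:aws-cn:iam::111122223333:role/example-role\n"
               "source_profile = default\n")
GOOD_CREDENTIALS = "[default]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"

print(lint_profiles(GOOD_CONFIG, GOOD_CREDENTIALS))
```
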
Mountpoint for Amazon S3 version
mount-s3 1.6.0
AWS Region
cn-northwest-1
Describe the running environment
When I use the command `AWS_DEFAULT_REGION=cn-northwest-1 AWS_PROFILE=bwmtest2 mount-s3 --region cn-northwest-1 --debug --log-directory ./ testtmppp /mnt/`, mount-s3 will fail when mounted.
But the fact is that I was able to get the IAM role correctly.
Mountpoint options
What happened?
Note that this problem only occurs when I need to ASSUME, if I use ak/sk directly I don't have this problem!
This is my credentials file.
I think this is a bug in China. The resources in China are segregated from global; when I refer to a source_profile in credentials, mount-s3 sends the request to global's STS endpoint instead of China's endpoint, thus causing the authentication to fail.
The steps to reproduce this are very simple: in the China region, assuming a role through the source_profile makes this appear.
I saw through a packet grab that the request from sts was sent to sts.amazonaws.com instead of the China endpoint. I uploaded the attachment.
sts.zip
Relevant log output