Failures when trying against a us-gov based region #148
Comments
|
Hi, thanks for the info. We initially created the tool to work with the Public AWS partition and didn't think about other ones. The issue might also occur in AWS China. |
|
Hi dudes. Yes, the same thing occurs in China regions (cn-north-1 and cn-northwest-1). I'm trying to map all the points of failure and contact one friend with account in one of those regions. I have no idea a specific deadline to finish this, but I'll try to update the issue this week. Thank you for the info. |
|
I think the best solution to that problem will be to be able to pass two profiles:
We should detect if a region in a profile is outside of the Although it will solve GovCloud partition, China partition can be problematic as users of AWS China usually have one account (for operations within that country). I also need to research more what happens with global services like IAM or if in case of services outside main partition, it's possible to skip checks and necessary calls to |
#148 added support for other partitions (govcloud, iso, isob, cn)
When using a profile that is in a GovCloud region (us-gov-east-1, us-gov-west-1), this fails in a number of different places.
When constructing an ssm client to pull the global configuration, it is true that it needs to use the us-east-1 region. However, if that's not the region selected or in the profile, it fails because the ssm global parameters /aws/service/global-infrastructure isn't available IN the us-gov regions. The data are available at /aws/service/global-infrastructure/us-gov-west-1/ (and east).
One cannot jump between regions in the same profile because they are different accounts. It appears that to use a GovCloud region, two profiles need to be specified one for non-gov (us-east-1, for example) and a second one for gov (in either gov region). Each GovCloud comes with two accounts, one EastWest (non-gov regions) and one Gov (us-gov regions).
The text was updated successfully, but these errors were encountered: