AWS environment variables are not honored #1742
Comments
Hi @foolioo , can you please let us know which AWS environment variables specifically aren't working for you? Is it just Are you running from an EC2 instance, or another environment, like a local laptop? Also, if you run |
I cannot know exactly which environment variable isn't honored by steampipe even when trying to set
Kindly clarify why this should matter when AWS environment are available for steampipe?
I use the steampipe dashboard and that is where the error appears and same as before, it is unclear why it matters but here you go :)
psql (15.3, server 14.2)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.
steampipe=> select name from aws_iam_role limit 1;
ERROR: rpc error: code = Unknown desc = operation error IAM: ListRoles, https response error StatusCode: 403, RequestID: cc000269-3591-4c0d-bdd6-d08bf25b0baf, api error AccessDenied: User: arn:aws:sts::1234:assumed-role/foo/i-xxx is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::1234:role/ because no identity-based policy allows the iam:ListRoles action
I can confirm that
$ aws iam list-policies --scope AWS --no-only-attached --query 'Policies[].PolicyName' --no-cli-pager | grep IAMReadOnlyAccess
"IAMReadOnlyAccess", |
@cbruno10 Maybe aws/aws-sdk-go-v2#2867 is the corresponding issue and seems like https://github.com/hasheddan/stack-aws/blob/5680d65ec37d585a3fc5c8f8112d3680b38cccfd/pkg/clients/aws.go#L123-L145 is the solution (aws/aws-sdk-go-v2#475 (comment)) |
@foolioo Can you please share the following information:
For the environment variables you listed in your original comment, And thanks for sharing those issues. It looks like support for the web identity credential provider was added in AWS SDK Go v2 v0.20.0, and we currently v1.44.189. So I'm not sure if we need the workaround code you linked in the plugin, or if there's something shorter we can add if our plugin is not compatible with that authentication method today. |
Both files do not exist. Otherwise I wouldn't report that AWS environment variables are not honored
steampipe service start --foreground --dashboard --dashboard-listen=network |
Thanks @foolioo for the additional info, we'll look to try and reproduce from our end using the environment variables you listed above and let you know what we find. |
@cbruno10 Were you able to reproduce and find the issue? |
Hi @foolioo , no not yet, we're still investigating. We'll share more info once we have it. |
May not resolve issue but could you maybe try setting the env var I did attempt a basic example of testing environment variables for authentication (access/secret key combination) & that worked out fine.
Also would it be possible to test if writing the env vars to relevant config/credentials files works successfully with Steampipe? |
@foolioo I think you should remove this from your spc file: profile = "default" since you don’t have any aws config files defined then I assume you do not have a default profile to reference? |
Good catch, I didn't set
When adding the line back in I do indeed get a (different) but understandable error.
Hey @foolioo - can you check/confirm that removing the |
@graza-io Confirmed. Removing the |
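The suggestion made in the comments above (a connection that sets profile = "default" when no AWS config files exist) can be checked before starting the service. The script below is an added example, not code from Steampipe or from anyone in the thread; the function names, the sample .spc text and the placeholder role ARN and paths are constructed for illustration.

```python
import configparser
import re
from pathlib import Path

# Uncommented `profile = "name"` line inside a Steampipe .spc connection block.
PROFILE_RE = re.compile(r'^\s*profile\s*=\s*"([^"]+)"', re.MULTILINE)

def defined_profiles(config_path, credentials_path):
    """Profile names defined in the AWS shared config and credentials files."""
    names = set()
    for path, is_config in ((config_path, True), (credentials_path, False)):
        if not Path(path).is_file():
            continue  # a missing file defines no profiles
        parser = configparser.RawConfigParser(strict=False)
        parser.read(path)
        for section in parser.sections():
            # The config file writes non-default profiles as "[profile NAME]".
            if is_config and section.startswith("profile "):
                section = section[len("profile "):].strip()
            names.add(section)
    return names

def check_connection(spc_text, env, config_path, credentials_path):
    """Return one finding per profile the .spc text names but no file defines."""
    static_keys = "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env
    web_identity = "AWS_ROLE_ARN" in env and "AWS_WEB_IDENTITY_TOKEN_FILE" in env
    known = defined_profiles(config_path, credentials_path)
    findings = []
    for name in PROFILE_RE.findall(spc_text):
        if name in known:
            continue
        msg = f'profile "{name}" is not defined in {config_path} or {credentials_path}'
        if static_keys or web_identity:
            msg += "; credentials are set in the environment, consider removing the profile line"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    # Constructed sample: connection block naming a profile, with no AWS files on disk.
    sample_spc = 'connection "aws" {\n  plugin  = "aws"\n  profile = "default"\n}\n'
    sample_env = {  # placeholder values, not taken from the thread
        "AWS_ROLE_ARN": "arn:aws:iam::111122223333:role/example",
        "AWS_WEB_IDENTITY_TOKEN_FILE": "/nonexistent/token",
    }
    for finding in check_connection(sample_spc, sample_env,
                                    "/nonexistent/config", "/nonexistent/credentials"):
        print(finding)
```

Pass the real .spc contents, os.environ, and the shared config and credentials paths in use to run it against a live setup.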
Describe the bug
AWS CLI and AWS SDK honor AWS environment variables, while steampipe does not and displays the error
Steampipe version (steampipe -v)
Plugin version (steampipe plugin list)
To reproduce
/aws_insights.dashboard.ec2_application_load_balancer_detail
Expected behavior
AWS plugin should honor AWS environment variables.
Additional context
AWS_ROLE_ARN states:
If there is no bug, then any guidance on how to make AWS plugin to honor AWS environment variables will be appreciated.