aws-vault: STS fails due to missing region after upgrade to v6.5.0

After upgrading to v6.5.0 I get the following error when trying to create a session: aws-vault: error: exec: Failed to get credentials for mindhive-ops: operation error STS: GetSessionToken, failed to resolve service endpoint, an AWS region is required, but was not found

I have worked around this by adding the following to my .aws/config:

[default]
region=ap-southeast-2

But that obviously could affect all of my profiles in some way.

Was this intended? That I need to explicitly set a region now?

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

Debug output:

$ aws-vault --debug exec mindhive-ops -- echo hello
2022/02/17 07:54:21 aws-vault v6.5.0
2022/02/17 07:54:21 Loading config file /Users/damon/.aws/config
2022/02/17 07:54:21 Parsing config file /Users/damon/.aws/config
2022/02/17 07:54:21 [keyring] Considering backends: [keychain]
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 profile mindhive-ops: using stored credentials
2022/02/17 07:54:21 profile mindhive-ops: using GetSessionToken
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] Found 4 results
2022/02/17 07:54:21 [keyring] Querying keychain for service="aws-vault", account="sts.GetSessionToken,bWluZGhpdmUtb3Bz,,-62135596800", keychain="aws-vault.keychain"
2022/02/17 07:54:21 [keyring] No results found
aws-vault: error: exec: Failed to get credentials for mindhive-ops: operation error STS: GetSessionToken, failed to resolve service endpoint, an AWS region is required, but was not found

.aws/config:

[default]
s3=
    use_accelerate_endpoint = true
    max_concurrent_requests = 15

[profile dev]

[profile mindhive-ops]

[profile *****]
source_profile=mindhive-ops
role_arn=arn:aws:iam::******:role/ops
role_session_name=******
region=us-east-1

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 12
  • Comments: 15 (4 by maintainers)

Most upvoted comments

Encountered the same problem with v6.6.0.

Resolved this issue by downgrading to v6.3.1 temporarily.

Maybe related? We’re getting consistent MFA token errors at least with regions eu-north-1 & eu-south-1:

An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed with invalid MFA one time pass code.

All other regions I’ve tested have worked fine (I tested all of eu & some random us regions). Versions older than 6.5.0 also work fine.

@mtibben It wasn’t mentioned when I originally posted the issue, but I was trying to use the “*****” (name hidden) profile, which has source_profile=mindhive-ops. That ***** profile does have a region specified, but because the source profile doesn’t have a region, aws-vault exec **** ... was failing.

I would think the region from the target profile should be used in this situation.
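A check for the condition described in this thread, added here as an example (it is not part of the thread and not aws-vault code): it walks each profile's source_profile chain and flags profiles whose credential-holding profile has no region while [default] has none either. The profile names and account id in the sample are constructed placeholders; that this condition matches aws-vault's own region lookup is an assumption, and environment variables are not considered.

```python
import configparser
# Constructed sample modelled on the config in the report (placeholder names).
SAMPLE_CONFIG = """\
[default]
s3=
    use_accelerate_endpoint = true
[profile base-ops]

[profile ops-role]
source_profile=base-ops
role_arn=arn:aws:iam::000000000000:role/ops
region=us-east-1

[profile dev]
region=ap-southeast-2
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), default_section="__unused__", interpolation=None)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section.removeprefix("profile ").strip()
        profiles[name] = dict(cp[section])
    return profiles

def credential_root(profiles, name):
    """Follow source_profile links to the profile holding the stored credentials."""
    seen = set()  # guards against source_profile loops
    while name not in seen and "source_profile" in profiles.get(name, {}):
        seen.add(name)
        name = profiles[name]["source_profile"]
    return name

def profiles_missing_region(text):
    """Return {profile: root} where neither the root profile nor [default] sets a region."""
    profiles = load_profiles(text)
    default_region = profiles.get("default", {}).get("region")
    flagged = {}
    for name in profiles:
        root = credential_root(profiles, name)
        if not default_region and not profiles.get(root, {}).get("region"):
            flagged[name] = root
    return flagged

if __name__ == "__main__":
    for profile, root in profiles_missing_region(SAMPLE_CONFIG).items():
        print(f"{profile}: no region on '{root}' or [default]")
```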

Today eu-north-1 based configuration works again so I’m willing to believe that the issue is originating from AWS services.