kops: kops can't assume roles in ~/.aws/config profiles by default

Not sure if this is a documentation issue, a small bug, or even a feature request:

By default, kops will not assume roles defined in profiles in ~/.aws/config. Golang’s AWS SDK says that by defining the environment variable AWS_SDK_LOAD_CONFIG, the sessions will be created with the ability to assume roles and set default regions.

I don’t quite understand the reason Golang SDK devs decided to go this route, but folks used to CLI/boto will find the current behavior weird, and will likely file bugs or ask questions in Slack.

#### using a profile that the user assumes a role
# export AWS_PROFILE=subaccount-profile-with-role

# aws ec2 describe-availability-zones --output text
AVAILABILITYZONES       us-west-2       available       us-west-2a
AVAILABILITYZONES       us-west-2       available       us-west-2b
AVAILABILITYZONES       us-west-2       available       us-west-2c

# kops create -f /tmp/my-config --state --state s3://my-bucket/subfolder/kops   ## doesn't work
error: error populating configuration: Got an error while querying for valid regions (verify your AWS credentials?)

# export AWS_SDK_LOAD_CONFIG=1

# kops create -f /tmp/my-config --state --state s3://my-bucket/subfolder/kops  ## works!



#### using a profile that has access keys associated with the user
# export AWS_PROFILE=subaccount-profile-with-access-keys

# kops create -f /tmp/my-config --state --state s3://my-bucket/subfolder/kops   ## works!

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 18
  • Comments: 18 (3 by maintainers)
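
A pre-flight check for the behaviour reported in the issue, as an added example that is not part of the original post or of kops itself: it reads an AWS shared config file, reports whether the selected profile relies on `role_arn`, and says whether `AWS_SDK_LOAD_CONFIG` must be set before running kops. The function names `write_sample_config`, `profile_has_role` and `kops_preflight` are hypothetical, and the config path is passed explicitly (in practice it would be `~/.aws/config`).

```shell
# Added example (not kops code). Profile names mirror the issue; the config body,
# account ID and role name below are constructed sample data.
write_sample_config() {
    cat > "$1" <<'EOF'
[default]
region = us-west-2
[profile subaccount-profile-with-access-keys]
region = us-west-2
[profile subaccount-profile-with-role]
role_arn = arn:aws:iam::111111111111:role/example-role
source_profile = default
EOF
}

# Exit 0 if PROFILE in CONFIG sets role_arn, 1 if it does not, 2 if absent.
profile_has_role() {
    [ -r "$1" ] || return 2
    awk -v want="$2" '
        /^[ \t]*\[/ {                      # "[default]" or "[profile NAME]"
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            sub(/^profile[ \t]+/, "", name)
            in_sec = (name == want)
            if (in_sec) found = 1
            next
        }
        in_sec && /^[ \t]*role_arn[ \t]*=/ { role = 1 }
        END { if (!found) exit 2; exit (role ? 0 : 1) }
    ' "$1"
}

# kops_preflight CONFIG PROFILE LOAD_CONFIG_VALUE: prints one verdict word.
# Only the value "1" (the one used in the issue) counts as enabled here.
kops_preflight() {
    rc=0
    profile_has_role "$1" "$2" || rc=$?
    case $rc in
        2) echo "profile-not-in-config" ;;
        1) echo "ok-no-role" ;;
        *) [ "$3" = "1" ] && echo "ok-role-profile" || echo "needs-AWS_SDK_LOAD_CONFIG" ;;
    esac
}

sample=$(mktemp)
write_sample_config "$sample"
kops_preflight "$sample" subaccount-profile-with-role "${AWS_SDK_LOAD_CONFIG:-}"
rm -f "$sample"
```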

Most upvoted comments

/remove-lifecycle stale

I’m also having this problem

@tiadobatima I have several profiles in my creds, so I could use a little more explicit explanation of what you’re using as your file when you pass in the config. Is it just the .aws/credentials file? Or a copy of the section of your credentials with the access key and secret key for kops? Or the credentials for your user account? Both?

Please reopen, still having issues with this

I must agree on this, it’s really frustrating and disjointed to work with environment variables when you are used to just using profiles. The AWS configuration in INI format supports this, it would be really nice to just define a profile within CLI (--profile prod). Please consider reopening.