#geodesic (2020-08)
Discussions related to https://github.com/cloudposse/geodesic
Archive: https://archive.sweetops.com/geodesic/
2020-08-07
RESOLVED Issues getting Geodesic to successfully assume-role, issues with configuration of ~/.aws/config, aws-vault and the roles, user accounts in AWS IAM
What should be in ~/.aws/config is found on this page: https://docs.cloudposse.com/geodesic/module/quickstart/ First, have a Root account and create a user in IAM who is assigned sts:AssumeRole
• More info on that found here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
• In your secondary account (possibly staging) have a user with a policy attached with the access you wish for them to control in the secondary account
• In IAM create a role and select “Another AWS Account” as the Trust Entity
• Provide the Account ID of the Root account
• Do aws-vault add for your primary admin account; note for me this was not the user I created in the root account, but my primary admin user
• Build geodesic with the secondary account listed in the Dockerfile under:
  • ENV AWS_DEFAULT_PROFILE
• Do all the make init, make docker/build and docker run commands from the quick start
• Once in geodesic do assume-role and things were working. If anyone reviews this and finds I did something incorrectly please let me know. All the best.
@jla do we need to add MFA explicitly for all users in the root account?
@jla we were using aws-google-auth previously
2020-08-19
After updating geodesic I'm getting an issue logging in to the cluster, and aws-vault came into the picture. Any suggestions? I have seen a few docs but it was not so clear. Any leads will be so helpful.
hrmmm i’m not quite following. so you were using aws-google-auth on an older version of geodesic. then you upgraded and that stopped working? you’ve found docs related to aws-vault which isn’t what you are using, so you want to know if anyone else knows what’s causing the aws-google-auth to work?
if that’s the case, please share some raw commands and errors - definitely need some more context.
using aws-google-auth -p default to get a token using key and secret is not good i think
Correct, SSO is the better way to go. We use saml2aws but the geodesic prompt still has some artifacts that suggest using aws-vault.
Note that aws-vault uses keys from an encrypted vault and, when combined with MFA, isn’t that bad of an alternative for smaller companies maybe not using SSO/SAML yet.