After updating geodesic, I am getting an issue logging in to the cluster, and aws-vault came into the picture. Any suggestions? I have seen a few docs but it was not so clear. Any leads will be so helpful.
hrmmm i’m not quite following. so you were using aws-google-auth on an older version of geodesic. then you upgraded and that stopped working? you’ve found docs related to aws-vault which isn’t what you are using, so you want to know if anyone else knows what’s causing the aws-google-auth to work?
if that’s the case, please share some raw commands and errors - definitely need some more context.
using aws-google-auth -p default to get token using key and secret is not good i think
Correct, SSO is the better way to go. We use saml2aws but the geodesic prompt still has some artifacts that suggest using
aws-vault uses keys from an encrypted vault and when combined with MFA, isn’t that bad of an alternative for smaller companies maybe not using SSO/SAML yet.
RESOLVED Issues getting Geodesic to successfully assume-role, issues with configuration of ~/.aws/config, aws-vault and the roles, user accounts in AWS IAM
What should be in ~/.aws/config is found on this page: https://docs.cloudposse.com/geodesic/module/quickstart/
• First have a Root account and create a user in iam who is assigned sts:AssumeRole
• More info on that found here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
• In your secondary account (possibly staging) have a user with a policy attached with access you wish for them to control in the secondary account
• in IAM create a role and select “Another AWS Account” as the Trust Entity
• Provide the Account ID of the Root account
• do aws-vault add for your primary admin account, note for me this was not the user i created in the root account, but my primary admin user
• build geodesic with the secondary account listed in the dockerfile under:
• ENV AWS_DEFAULT_PROFILE
• do all the make init, make docker/build and docker run commands from the quick start
• once in geodesic do assume-role and things were working
If anyone reviews this and finds i did something incorrectly please let me know. All the best.
@jla do we need to add mfa explicitly for all users in root account?
@jla we were using aws-google-auth previously