#geodesic (2020-08)

geodesic https://github.com/cloudposse/geodesic

Discussions related to https://github.com/cloudposse/geodesic Archive: https://archive.sweetops.com/geodesic/

2020-08-19

Shankar Kumar Chaudhary avatar
Shankar Kumar Chaudhary

after updating geodesic getting issue in login to cluster and aws-vault came into picture any suggestions? i have seen few docs but it was not so clear. any leads will be so helpful

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

hrmmm i’m not quite following. so you were using aws-google-auth on an older version of geodesic. then you upgraded and that stopped working? you’ve found docs related to aws-vault which isn’t what you are using, so you want to know if anyone else knows what’s causing the aws-google-auth to work?

if that’s the case, please share some raw commands and errors - definitely need some more context.

Shankar Kumar Chaudhary avatar
Shankar Kumar Chaudhary

using aws-google-auth -p default to get token using key and secret is nto good i think

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Correct, SSO is the better way to go. We use saml2aws but the geodesic prompt still has some artifacts that suggest using aws-vault.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Note, that aws-vault uses keys from an encrypted vault and when combined with MFA, isn’t that bad of an alternative for smaller companies maybe not using SSO/SAML yet.

2020-08-07

Jesse avatar
Jesse

RESOLVED Issues getting Geodesic to successfully assume-role, issues with configuration of ~/.aws/config, aws-vault and the roles, user accounts in AWS IAM

1
Jesse avatar
Jesse

What should be in ~/.aws/config is found on this page: https://docs.cloudposse.com/geodesic/module/quickstart/ First have a Root account and create a user in iam who is assigned sts:AssumeRole

• More info on that found here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

• In your secondary account (possibly staging) have a user with the a policy attached with access you wish for them to control in the secondary account

• in IAM create a role and select “Another AWS Account” as the Trust Entity

• Provide the Account ID of the Root account

• do aws-vault add for your primary admin account, note for me this was not the user i created in the root account, but my primary admin user

• build geodesic with the secondary account listed in the dockerfile under:

• ENV AWS_DEFAULT_PROFILE

• do all the make init, make docker/build and docker run commands from the quick start

• once in geodesic do assume-role and things were working If anyone reviews this and finds i did something incorrectly please let me know. All the best.

Shankar Kumar Chaudhary avatar
Shankar Kumar Chaudhary

@Jesse do we need to add mfa explicilty for all user in root account ?

Shankar Kumar Chaudhary avatar
Shankar Kumar Chaudhary

@Jesse we were using aws-google-auth previosuly

    keyboard_arrow_up