stackoom
  简体   繁体   中英

Why the does AWS CLI use different AWS services on darwin (mac) vs. linux? When does the rds describe-db-instances command use STS?

 原文  2022-12-09 16:37:12       python/ amazon-web-services/ amazon-rds/ botocore/ aws-sts

Question

Running

aws --profile=REDACTED --region=REDACTED rds describe-db-instances

fails for me on linux but succeeds on darwin (mac).

It seems that on my linux, a call is made to AWS's Simple Token Service that I don't have permissions to. But for some reason, that call is skipped on my mac.

Why might the first call run by the AWS CLI vary by system? Why would a call to the Simple Token Service be required when using the AWS CLI?

Is there perhaps something related to authentication or session management that I don't have configured properly on the linux machine I'm running on?

I confirmed I'm using the same version, aws-cli/1.25.76 Python/3.10.8 Linux/6.0.11 botocore/1.27.75 , on each machine.

At first, the error appeared permissions-related


An error occurred (AccessDenied) when calling the AssumeRole operation: User: REDACTED is not authorized to perform: sts.AssumeRole on resource: REDACTED

I confirmed I do not have sts.AssumeRole .

However, while investigating, I accidentally made a typo and noticed something strange: on darwin, the first call made by the above command appears to be to the rds service, while on linux the first call is to the sts service.

For example,

aws --profile=REDACTED --region=typo-region rds describe-db-instances

yields this on my darwin machine


Could not connect to the endpoint URL: "https://rds.typo-region.amazonaws.com/"

and this on my linux machine


Could not connect to the endpoint URL: "https://sts.typo-region.amazonaws.com/"

I'm not yet familiar enough with how the aws command and it's boto internals work to understand why the extra call to sts is being made on one machine and not the other.

1 answers

solution1
 1  2022-12-09 16:45:02

Most likely the profiles are differently configured on the two machines, one is using a "regular" role / profile with ordinary credentials simply set while the other is using a profile with a role_arn set prompting the CLI to perform an AssumeRole call into that target role.

Alternatively it may be the case that one machine has the nested credentials already retrieved and cached, while the other one does not. And if you removed the permissions / changed the trust relationship in the meantime the old credentials are still valid while the new credentials cannot be retrieved.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to use JMESPath to query AWS CLI RDS instances by DBInstanceIdentifier AWS.CloudWatch SDK vs. CLI produces different results How does one use the tags option when creating resources with the aws cli? does aws charge for stopped instances Selecting an RDS DB for newly created secrets in AWS CLI How to use MFA with AWS CLI? Why does the AWS CLI report `Credential should be scoped to a valid region` when I have set a region? AWS SAM CLI on Mac OS build does not work - cannot find docker Differences between AWS CloudWatch alarms created by Console vs. CLI How to use AWS CLI with Digital Ocean Spaces?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM