diff --git a/client/client.go b/client/client.go
index 3055e6be5..6c8a58712 100644
--- a/client/client.go
+++ b/client/client.go
@@ -411,6 +411,11 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
 config.WithRetryer(newRetryer(logger, awsConfig.MaxRetries, awsConfig.MaxBackoff)),
 }
 
+ if account.DefaultRegion != "" {
+ // According to the docs: If multiple WithDefaultRegion calls are made, the last call overrides the previous call values
+ configFns = append(configFns, config.WithDefaultRegion(account.DefaultRegion))
+ }
+
 if account.LocalProfile != "" {
 configFns = append(configFns, config.WithSharedConfigProfile(account.LocalProfile))
 }
@@ -450,6 +455,20 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
 // Test out retrieving credentials
 if _, err := awsCfg.Credentials.Retrieve(ctx); err != nil {
 logger.Error("error retrieving credentials", "err", err)
+
+ var ae smithy.APIError
+ if errors.As(err, &ae) {
+ if strings.Contains(ae.ErrorCode(), "InvalidClientTokenId") {
+ return awsCfg, diag.FromError(
+ err,
+ diag.USER,
+ diag.WithSummary("Invalid credentials for assuming role"),
+ diag.WithDetails("The credentials being used to assume role are invalid. Please check that your credentials are valid in the partition you are using. If you are using a partition other than the AWS commercial region, be sure set the default_region attribute in the cloudquery.yml file."),
+ diag.WithSeverity(diag.WARNING),
+ )
+ }
+ }
+
 return awsCfg, diag.FromError(
 err,
 diag.USER,
@@ -548,6 +567,10 @@ func Configure(logger hclog.Logger, providerConfig interface{}) (schema.ClientMe
 &ec2.DescribeRegionsInput{AllRegions: aws.Bool(false)},
 func(o *ec2.Options) {
 o.Region = defaultRegion
+ if account.DefaultRegion != "" {
+ o.Region = account.DefaultRegion
+ }
+
 if len(localRegions) > 0 && !isAllRegions(localRegions) {
 o.Region = localRegions[0]
 }
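Review bot: `config.WithDefaultRegion(account.DefaultRegion)` in the first hunk only installs a fallback — per the SDK's LoadOptions documentation the default region is used when no region was resolved from other sources — so an `AWS_REGION` variable or a shared-config profile pointing at the commercial partition still takes precedence over `default_region`, and the assume-role call this feature is meant to fix would still go to the wrong partition. If the intent is to pin the region for this account, `config.WithRegion(account.DefaultRegion)` is the option that does that; if the fallback semantics are intended, the inline comment should say so rather than only repeating the last-call-wins rule, e.g. `// DefaultRegion is only a fallback: a region from env or shared config still takes precedence`. configureAwsClient begins and ends outside the hunk.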
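Review bot: `strings.Contains(ae.ErrorCode(), "InvalidClientTokenId")` in the second hunk is looser than it needs to be — API error codes are fixed tokens, so `if ae.ErrorCode() == "InvalidClientTokenId" {` states the intent exactly and cannot match an unrelated future code that merely embeds the string. The user-facing details string also has a typo: "be sure set the default_region attribute" should read "be sure to set the default_region attribute". The same failure is logged via `logger.Error` two lines earlier and then returned as `diag.WARNING`, so operators see it reported at two different severities; one of the two should be adjusted. No import hunk appears for this file, so `errors`, `strings` and `smithy` are presumably already imported, which is worth confirming. The enclosing `if` and configureAwsClient continue outside the hunk.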
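Review bot: The third hunk assigns `o.Region` three times in sequence (package default, then `account.DefaultRegion`, then `localRegions[0]`), which makes the precedence rule something the reader reconstructs from statement order; a single `switch` states it in one place and keeps the conditions adjacent. It would also be the natural spot for a one-line comment naming the precedence, since this hand-rolled chain differs from the SDK-side fallback installed by `WithDefaultRegion` in the first hunk. The options closure and Configure both start and end outside the hunk.

```go
func(o *ec2.Options) {
	// precedence: explicit regions list > account default_region > package default
	switch {
	case len(localRegions) > 0 && !isAllRegions(localRegions):
		o.Region = localRegions[0]
	case account.DefaultRegion != "":
		o.Region = account.DefaultRegion
	default:
		o.Region = defaultRegion
	}
	// … unchanged: rest of the options closure …
```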
diff --git a/client/config.go b/client/config.go
index 2d70e6455..b481c51d3 100644
--- a/client/config.go
+++ b/client/config.go
@@ -10,6 +10,7 @@ type Account struct {
 RoleARN string `yaml:"role_arn,omitempty" hcl:"role_arn,optional"`
 RoleSessionName string `yaml:"role_session_name,omitempty" hcl:"role_session_name,optional"`
 ExternalID string `yaml:"external_id,omitempty" hcl:"external_id,optional"`
+ DefaultRegion string `yaml:"default_region,omitempty" hcl:"default_region,optional"`
 Regions []string `yaml:"regions,omitempty" hcl:"regions,optional"`
 source string
 }
diff --git a/docs/index.md b/docs/index.md
index 17e10f945..c84a4f9d7 100644
--- a/docs/index.md
+++ b/docs/index.md
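Review bot: The new `DefaultRegion` field carries no doc comment, and since its effect (a fallback region for the SDK, relevant when assuming a role outside the commercial partition) is only explained in docs/index.md, a reader of the struct has nothing to go on; a comment such as `// DefaultRegion is the fallback region passed to the AWS SDK when none is resolved from env or shared config; set it when assuming a role outside the commercial partition.` would keep the Go type self-describing. The value is passed to the SDK as-is with no validation, which is consistent with the neighbouring fields but worth stating so nobody expects a typo to be caught at config-load time. The Account struct opens outside the hunk.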
@@ -263,10 +263,11 @@ providers: #### Arguments for Accounts block: -- `role_arn` **(Optional)** - The role that CloudQuery will use to perform the fetch -- `local_profile` **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account -- `external_id` **(Optional)** - The unique identifier used to by non aws entities to assume a role in an AWS account -- `role_session_name` **(Optional)** - Override the default Session name. +- `role_arn` **(Optional)** - The role that CloudQuery will use to perform the fetch +- `local_profile` **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account +- `external_id` **(Optional)** - The unique identifier used by non-AWS entities to assume a role in an AWS account +- `role_session_name` **(Optional)** - Override the default Session name. +- `default_region` **(Optional)** - this sets the Default Region for the AWS SDK. If you are assuming a role in a partition other than the AWS commercial region, it is important that this attribute is set - `regions` **(Optional)** - Limit fetching resources within this specific account to only these regions. This will override any regions specified in the provider block. You can specify all regions by using the `*` character as the only argument in the array