cloudquery · bbernays · Jul 7, 2022 · Jul 6, 2022 · Jul 6, 2022 · Jul 6, 2022
@@ -411,6 +411,11 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
 		config.WithRetryer(newRetryer(logger, awsConfig.MaxRetries, awsConfig.MaxBackoff)),
 	}
 
+	if account.DefaultRegion != "" {
+		// According to the docs: If multiple WithDefaultRegion calls are made, the last call overrides the previous call values
+		configFns = append(configFns, config.WithDefaultRegion(account.DefaultRegion))
+	}
+
 	if account.LocalProfile != "" {
 		configFns = append(configFns, config.WithSharedConfigProfile(account.LocalProfile))
 	}
@@ -450,6 +455,20 @@ func configureAwsClient(ctx context.Context, logger hclog.Logger, awsConfig *Con
 	// Test out retrieving credentials
 	if _, err := awsCfg.Credentials.Retrieve(ctx); err != nil {
 		logger.Error("error retrieving credentials", "err", err)
+
+		var ae smithy.APIError
+		if errors.As(err, &ae) {
+			if strings.Contains(ae.ErrorCode(), "InvalidClientTokenId") {
+				return awsCfg, diag.FromError(
+					err,
+					diag.USER,
+					diag.WithSummary("Invalid credentials for assuming role"),
+					diag.WithDetails("The credentials being used to assume role are invalid. Please check that your credentials are valid in the partition you are using. If you are using a partition other than the AWS commercial region, be sure set the default_region attribute in the cloudquery.yml file."),
+					diag.WithSeverity(diag.WARNING),
+				)
+			}
+		}
+
 		return awsCfg, diag.FromError(
 			err,
 			diag.USER,
@@ -548,6 +567,10 @@ func Configure(logger hclog.Logger, providerConfig interface{}) (schema.ClientMe
 			&ec2.DescribeRegionsInput{AllRegions: aws.Bool(false)},
 			func(o *ec2.Options) {
 				o.Region = defaultRegion
+				if account.DefaultRegion != "" {
+					o.Region = account.DefaultRegion
+				}
+
 				if len(localRegions) > 0 && !isAllRegions(localRegions) {
 					o.Region = localRegions[0]
 				}

@@ -10,6 +10,7 @@ type Account struct {
 	RoleARN         string   `yaml:"role_arn,omitempty" hcl:"role_arn,optional"`
 	RoleSessionName string   `yaml:"role_session_name,omitempty" hcl:"role_session_name,optional"`
 	ExternalID      string   `yaml:"external_id,omitempty" hcl:"external_id,optional"`
+	DefaultRegion   string   `yaml:"default_region,omitempty" hcl:"default_region,optional"`
 	Regions         []string `yaml:"regions,omitempty" hcl:"regions,optional"`
 	source          string
 }

@@ -263,10 +263,11 @@ providers:
 
 #### Arguments for Accounts block:
 
-- `role_arn`  **(Optional)** - The role that CloudQuery will use to perform the fetch
-- `local_profile`  **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account
-- `external_id`    **(Optional)** - The unique identifier used to by non aws entities to assume a role in an AWS account
-- `role_session_name`    **(Optional)** - Override the default Session name.
+- `role_arn` **(Optional)** - The role that CloudQuery will use to perform the fetch
+- `local_profile` **(Optional)** - Local Profile is the named profile in your shared configuration file (usually `~/.aws/config`) that you want to use for the account
+- `external_id` **(Optional)** - The unique identifier used by non-AWS entities to assume a role in an AWS account
+- `role_session_name` **(Optional)** - Override the default Session name.
+- `default_region` **(Optional)** - this sets the Default Region for the AWS SDK. If you are assuming a role in a partition other than the AWS commercial region, it is important that this attribute is set 
 - `regions`  **(Optional)** - Limit fetching resources within this specific account to only these regions. This will override any regions specified in the provider block. You can specify all regions by using the `*` character as the only argument in the array