
control-tower deploy does not work with AWS STS session tokens

Open andy-paine opened this issue 5 years ago • 2 comments

I was trying to do control-tower deploy --iaas AWS using temporary (STS) session credentials via aws-vault.

When trying to create the blobstore AWS user in Terraform, CT failed with InvalidClientTokenId: The security token included in the request is invalid.

Disabling temporary sessions with aws-vault (aws-vault exec myprofile -n -- control-tower deploy --iaas AWS) fixed the issue for me for now. Terraform is normally capable of using temporary credentials from the environment, so it would be nice if the Terraform CT ran also respected these.

andy-paine Aug 12 '20 11:08

This would be really good to have, but a little difficult to implement, I think, because currently the IAAS creds that Control Tower picks up from the environment are also baked into the self-update pipeline and further used in Control Tower self-update runs, so I guess temporary credentials would not work here.

irbekrm Aug 14 '20 12:08

Experienced the same issue using the aws-okta command.

EnorMOZ Oct 03 '20 00:10
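
A preflight check for the situation described in this thread, as an added example that is not part of the issue or of Control Tower's own code: it classifies the AWS credentials a command would inherit from the environment, so session credentials are caught before a deploy starts. It assumes the standard AWS environment variable names and the documented access key ID prefixes (AKIA for long-term keys, ASIA for STS-issued keys); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not Control Tower code.
# classify_aws_env prints one of:
#   none                 - no usable key pair in the environment
#   long-term            - IAM user key (AKIA...), no session token
#   temporary            - STS key (ASIA...) together with its session token
#   incomplete-temporary - STS key without its session token; the key pair alone is not valid
#   stray-token          - session token set next to a non-STS key (mismatched environment)
classify_aws_env() {
    key="${AWS_ACCESS_KEY_ID:-}"
    secret="${AWS_SECRET_ACCESS_KEY:-}"
    token="${AWS_SESSION_TOKEN:-}"

    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "none"
        return 0
    fi
    case "$key" in
        ASIA*)
            # STS-issued keys are only accepted together with their session token.
            if [ -n "$token" ]; then echo "temporary"; else echo "incomplete-temporary"; fi
            ;;
        *)
            if [ -n "$token" ]; then echo "stray-token"; else echo "long-term"; fi
            ;;
    esac
}

# preflight returns 0 only for long-term credentials, the one case the
# thread reports as working, and explains every other case on stderr.
preflight() {
    kind="$(classify_aws_env)"
    case "$kind" in
        long-term) return 0 ;;
        temporary)
            echo "temporary (STS) credentials found; this issue reports that deploy fails with them" >&2 ;;
        incomplete-temporary)
            echo "STS access key without AWS_SESSION_TOKEN; requests signed with it will be rejected" >&2 ;;
        stray-token)
            echo "AWS_SESSION_TOKEN is set but the access key is not an STS key; unset one of them" >&2 ;;
        none)
            echo "no AWS key pair in the environment" >&2 ;;
    esac
    return 1
}
```

Run it as `preflight && control-tower deploy --iaas AWS` so the deploy starts only when long-term credentials are present.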