Always get AWS-LOGIN-ERROR-0005 with AWS CLI Script

We are trying to move away from hand-coded aws scripts that deal with authentication explicitly. We wanted to use the new AWS CLI script, but keep getting the following error:

AWS-LOGIN-ERROR-0005: Failed to verify the credentials. Please check the keys assigned to the Amazon Web Services Account associated with this step. For more information visit https://g.octopushq.com/AwsCloudFormationDeploy#aws-login-error-0005

I’ve checked, re-checked, double checked, and even tried local aws commands with the same keys (aws sts get-caller-identity) which return positive.

I’ve followed the instructions here:

Note that it doesn’t seem to matter which key / secret I put in, your “Save and Test” functionality always returns a failure (even though my local aws cli returns positive). The deploy fails as well (obviously).

Side note: We are using gov cloud services. Not sure if this matters, or how your “save and test” works.

Upon debug printing variables from a deploy, I in fact see no AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION set as an environment variable.

Hi @williams.jackj,

Thanks for getting in touch! The Save and Test function for an AWS account calls the AWS security endpoint to get the current caller identity. We don’t specify (or currently support specifying) any different regions, and the default behaviour seems to fall back to authenticating against USEast1.

I’m interested if you had to do anything specific to be able to authenticate against your Gov region. Would you be willing to provide a redacted copy of your existing script?

I look forward to hearing back!

Best regards,

Kenny

Looking closer, the authentication wasn’t in the script (we set it up another way, credentials file). To be honest, it’s been a while since I set it up. I originally set this step up to run a PowerShell script, and remember having problems getting the credentials to be recognized.

But we wanted to make it cleaner, and add some transforms (so we wanted to use the new AWS CLI step). I’ve even tried setting system level environmental variables, but none of the Octopus scripts seem to recognize it. I can RDP to the Octopus server (manually setting these ENV variables) and run aws s3 ls and see the buckets in my GovCloud.

Not sure why Octopus isn’t actually setting ENV variables of the AWS Account I set up, nor using my ENV variables I manually set up.

I finally just changed it to use the EC2 instance profile and moved on with my life lol.

Suggestion: Allow users to select the default region when adding the account.
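
A diagnostic for the two symptoms discussed in this thread (the AWS credential variables missing from the deployment process, and the identity check being made without a GovCloud region), added here as an example; it is not Octopus's code or the poster's script. The default region `us-gov-west-1` is an assumption, so pass the region the account actually uses.

```powershell
# Added diagnostic (not from the thread). Run it in the same context as the failing step.
# Assumption: 'us-gov-west-1' is a placeholder default; pass the region your account uses.
param([string]$Region = 'us-gov-west-1')

$names = 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN',
         'AWS_DEFAULT_REGION', 'AWS_REGION', 'AWS_PROFILE'

# 1. Report where each variable is defined. Only presence is shown, never the value,
#    so nothing secret lands in the task log.
$names | ForEach-Object {
    $n = $_
    [pscustomobject]@{
        Name    = $n
        Process = [bool][Environment]::GetEnvironmentVariable($n, 'Process')
        User    = [bool][Environment]::GetEnvironmentVariable($n, 'User')
        Machine = [bool][Environment]::GetEnvironmentVariable($n, 'Machine')
    }
} | Format-Table -AutoSize | Out-String | Write-Host

# 2. Show which source the CLI resolves credentials and region from
#    (environment, shared credentials file, instance profile). Keys are masked by the CLI.
aws configure list

# 3. Run the identity check twice: with the CLI's default region resolution, then pinned
#    to $Region. A GovCloud identity returns an ARN in the aws-us-gov partition.
foreach ($r in @('', $Region)) {
    $regionArgs = if ($r) { @('--region', $r) } else { @() }
    $label = if ($r) { $r } else { '(default)' }
    $arn = & aws sts get-caller-identity @regionArgs --query Arn --output text
    if ($LASTEXITCODE -eq 0) {
        Write-Host "region ${label}: OK, caller is $arn"
    } else {
        Write-Host "region ${label}: identity check failed (exit code $LASTEXITCODE)"
    }
}
```

A variable that shows True under Machine or User but False under Process is defined on the host but was not inherited by the process running the script.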

Hi,

Thanks for keeping in touch and letting me know where you’re at! I brought up your suggestion to the engineers here, and at the moment we feel like it’s possible that we could eventually support selecting the region on the account to accommodate for Gov cloud. However we haven’t ever used Gov cloud, nor do we have access for testing. If and when we get to that stage, would you be happy to work with us to test it by chance?

The conversation is still going on, but I just wanted to give you a bit of an update for the time being. 🙂

Best regards,

Kenny


Sure thing! You can reach me at my email I signed up with on here, or respond to this thread.
