Credential issues when the authMode is ECS-METADATA


Jiajia Zhou

Apr 3, 2024, 3:40:46 AM
to Cloud Carbon Footprint
Hi everyone!

We've been setting up ccf-backstage-plugin in our existing Backstage application. 

Our Backstage app is deployed in the ECS Fargate container in account A, and all the cost and usage reports are in account B. We need to assume the `ccf-app` role in account B to read the cost and usage reports via Athena.

But currently the authMode for ECS-METADATA doesn't support the ECS Fargate container assuming the role of another account, right? Unlike the `ChainableTemporaryCredentials` obtained when the authMode is AWS.

Any response or help will be greatly appreciated!

Cloud Carbon Footprint

Apr 4, 2024, 3:28:19 PM
to Cloud Carbon Footprint
Hi Jiajia,

Thanks for bringing this up and awesome to hear you are setting up the ccf-backstage-plugin!

Currently, there is not a great solution for this. You would need to explicitly set the auth config for account B in your environment variables to get this to run properly. However, this is something we think would be a great addition to CCF, so please do not hesitate to create a new issue on our GitHub, or even submit a PR to implement this change! We can also add documentation to make this more clear.

Thanks,
The CCF Team at Thoughtworks

Jiajia Zhou

Apr 8, 2024, 10:53:27 PM
to Cloud Carbon Footprint
Thanks for the response. 

That problem has been solved. It turns out that I had a misunderstanding of the two authModes: `AWS` and `ECS-METADATA`. I changed the authMode to AWS and set up the IAM role according to this article: https://repost.aws/knowledge-center/ecs-iam-role-another-account

So authMode still has to be set to AWS even if it's deployed in an ECS Fargate container and needs to assume a role in another account.

I have other questions about the `Tagging`. I configured the `resourceTagNames: ["user:foo-bar", "aws:cloudformation:stack-name"]` in app-config.local.yaml but the estimate result didn't show the tags.
I also checked the Athena query, and it didn't contain any tag fields either.

Is there anything else I need to do? Or do I have to set the cacheMode to `MONGODB`, according to the documentation: 'Currently tagging support is limited to AWS and those using MongoDB.'

Any response or help will be greatly appreciated!
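
The cross-account setup discussed earlier in this thread (a task role in account A assuming `ccf-app` in account B) depends on two IAM documents that must agree. The following is an added example, not part of any post and not CCF code: it shows both documents and a small check that they line up without wildcards. The account IDs, the task role name `backstage-task-role` and the function `checkCrossAccountChain` are constructed for illustration.

```javascript
// Added example. Account IDs and the task role name are constructed placeholders.
const TASK_ROLE = "arn:aws:iam::111111111111:role/backstage-task-role"; // account A
const TARGET_ROLE = "arn:aws:iam::222222222222:role/ccf-app"; // account B

// Identity policy attached to the ECS task role in account A.
const taskRolePolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Resource: TARGET_ROLE }],
};

// Trust policy on the ccf-app role in account B.
const targetTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: TASK_ROLE }, Action: "sts:AssumeRole" }],
};

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const assumeStatements = (policy) => asList(policy.Statement).filter(
  (s) => s.Effect === "Allow" && asList(s.Action).includes("sts:AssumeRole"));

// Returns a list of problems; an empty list means both halves line up.
// Simplification: action wildcards such as "sts:*" and Condition blocks are not evaluated.
// A trust policy naming account A's root principal also works in AWS but is broader;
// this check expects the specific task role and reports anything else.
function checkCrossAccountChain(identityPolicy, trustPolicy, taskRole, targetRole) {
  const findings = [];
  const resources = assumeStatements(identityPolicy).flatMap((s) => asList(s.Resource));
  if (!resources.includes(targetRole) && !resources.includes("*"))
    findings.push("task role policy does not allow sts:AssumeRole on the target role");
  if (resources.includes("*"))
    findings.push("task role policy allows sts:AssumeRole on every role (*)");

  const principals = assumeStatements(trustPolicy).flatMap((s) =>
    typeof s.Principal === "string" ? [s.Principal] : asList(s.Principal && s.Principal.AWS));
  if (!principals.includes(taskRole) && !principals.includes("*"))
    findings.push("trust policy does not name the task role as a principal");
  if (principals.includes("*"))
    findings.push("trust policy trusts any AWS principal (*)");
  return findings;
}

console.log(checkCrossAccountChain(taskRolePolicy, targetTrustPolicy, TASK_ROLE, TARGET_ROLE));
```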