Support building for Gov.cloud only accounts #1641
Conversation
Fixes awslabs#1536. If a user only has access to an AWS account in GovCloud then obtaining the binary versions from S3 will fail. As this bucket is public we do not need any authentication, so add --no-sign-request and hardcode the region (which would not be the default region for any govCloud). Chose `us-west-2` as the region to use as this appears to be the canonical location. As it is just metadata, using a region on the other side of the world should not matter too much when the overhead of the packer build is taken into account.
I'm missing something in the lint error. Seems to all be changelog related, which I did not change?
Fixed at baef6f0
@@ -13,7 +13,7 @@ MINOR_VERSION="${1}" | |||
|
|||
# retrieve the available "VERSION/BUILD_DATE" prefixes (e.g. "1.28.1/2023-09-14") | |||
# from the binary object keys, sorted in descending semver order, and pick the first one | |||
LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text | cut -d'/' -f-2 | sort -Vru | head -n1) | |||
LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --no-sign-request --region us-west-2 --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text | cut -d'/' -f-2 | sort -Vru | head -n1) |
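Review bot: the rationale for `--no-sign-request --region us-west-2` on the `LATEST_BINARIES` line exists only in this PR's discussion; add a comment above the command recording that the `amazon-eks` bucket is public, so the anonymous request is deliberate, and that the region is pinned because a us-gov-* default region cannot reach it, otherwise the flags look redundant and are likely to be stripped by a later cleanup. Splitting the command across continuation lines would also make the two new flags visible in a diff instead of buried in one long pipeline.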
--no-sign-request
the bucket is public and does not need auth, so do not attempt it - if we only have an account in the govCloud region we would not be able to auth anyway, and this is the crux of the issue.
--region us-west-2
the user's default region may be us-gov-west-n / us-gov-east-n, so we need to specify a region that is not a govCloud region as the bucket is not available there. Whilst this may be suboptimal for someone building an image in an Asian region - we are only querying metadata here and as such the overhead of the additional latency will disappear into the amount of time it takes to actually do real work (build the image with packer).
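The lookup discussed above, as an added example that is not part of this PR or the amazon-eks-ami repository: the anonymous, region-pinned listing is wrapped in a function, the key-parsing step is separated so it can be checked offline on a constructed listing, and a guard rejects a GovCloud region for the metadata query. The bucket and prefix layout are taken from the patch; the sample keys are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the repository's own code). Mirrors the patched command
# and makes its pieces testable without network access.
set -eu

EKS_BUCKET="amazon-eks"
# Pinned for the metadata query: the public bucket is not reachable from the
# GovCloud partition, so a us-gov-* default region must not be used here.
EKS_QUERY_REGION="us-west-2"

# Constructed sample of what the listing pipeline emits (one key per line).
SAMPLE_LISTING='1.28.1/2023-09-14/bin/linux/amd64/kubelet
1.28.10/2023-11-02/bin/linux/amd64/kubelet
1.28.9/2023-10-20/bin/linux/amd64/kubelet
1.28.10/2023-11-02/bin/linux/arm64/kubelet'

# Live listing of the binary object keys for one minor version.
# --no-sign-request sends an anonymous request (no credentials, so a
# GovCloud-only account cannot fail to authenticate); --region overrides
# whatever AWS_REGION or profile default the caller has.
list_binary_keys() {
  local minor_version="$1"
  aws s3api list-objects-v2 \
    --bucket "${EKS_BUCKET}" \
    --no-sign-request \
    --region "${EKS_QUERY_REGION}" \
    --prefix "${minor_version}" \
    --query 'Contents[*].[Key]' \
    --output text
}

# Reduce a key listing on stdin to the newest "VERSION/BUILD_DATE" prefix.
# sort -V places 1.28.10 above 1.28.9; a lexical sort would not.
latest_prefix() {
  cut -d'/' -f-2 | sort -Vru | head -n1
}

# Fail early if the query region is a GovCloud region: the bucket has no
# endpoint in that partition, so the listing would fail later anyway.
check_query_region() {
  case "$1" in
    us-gov-*) return 1 ;;
    *) return 0 ;;
  esac
}

# Offline demonstration on the constructed listing.
latest_from_sample() {
  printf '%s\n' "${SAMPLE_LISTING}" | latest_prefix
}

# Live use (requires the aws CLI): resolve the newest prefix for a minor version.
resolve_latest() {
  check_query_region "${EKS_QUERY_REGION}"
  list_binary_keys "$1" | latest_prefix
}
```

Source the file and call `resolve_latest 1.28` for the live lookup, or `latest_from_sample` to see the parsing step on the embedded sample.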
@ndbaker1 any chance of a review here?
looks like this is a subset of #1718
possibly - with only access to GovCloud these were the only changes I needed to make in order to build at the time of writing.
Fixes #1536, #1482
obsoletes #1537
Description of changes:
If a user only has access to an AWS account in GovCloud then obtaining the binary versions from S3 will fail.
As this bucket is public we do not need any authentication, so add --no-sign-request and hardcode the region (which would not be the default region for any govCloud).
Chose us-west-2 as the region to use as this appears to be the canonical location. As it is just metadata, using a region on the other side of the world should not matter too much when the overhead of the packer build is taken into account.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Testing Done
ran
make k8s=1.25 enable_fips=true source_ami_owners=045324592363 aws_region=us-gov-east-1
and verified make completed without error (and the previous error about kubernetes versions being unavailable was no longer present). In order to repro the original error you need the aws cli set up with only an account in GovCloud.
prior to this change
after this change
See this guide for recommended testing for PRs. Some tests may not apply. Completing tests and providing additional validation steps are not required, but it is recommended and may reduce review time and time to merge.