bootstrap-aws-installer: Drop "credential_source" in .aws/config.

Setting `credential_source` is used when assuming role credentials --
that is, when running as one role, use the AssumeRole right to become
someone else.

The AWS command-line tools only do this if `role_arn`, the role to
assume, is also set -- if it is not set, it transparently falls
through to the IAM role attached to the EC2 instance profile.  However,
with the `aws-sdk-go` package, used by Teleport, this configuration
produces an error.

Remove the `credential_source = Ec2InstanceMetadata` line, which isn't
necessary for the AWS CLI, and interferes with Teleport operation.
Alex Vandiver 2022-10-28 18:34:13 -04:00 committed by Tim Abbott
parent 6662a3bac4
commit 721a1d7a10
1 changed files with 2 additions and 2 deletions

@ -41,13 +41,13 @@ export DEBIAN_FRONTEND=noninteractive
# The following line gets subbed in with the contents of bootstrap-awscli.sh # The following line gets subbed in with the contents of bootstrap-awscli.sh
AWS= AWS=
# Set up AWS so we can use the role credentials we were started with, which give secrets access # Set up a bare-bones AWS configuration
mkdir -p /root/.aws mkdir -p /root/.aws
cat >/root/.aws/config <<EOF cat >/root/.aws/config <<EOF
[default] [default]
region = us-east-1 region = us-east-1
output = text output = text
credential_source = Ec2InstanceMetadata # Credentials are from the IAM role attached to the EC2 instance
EOF EOF
# Set up public keys for root, so we can fetch the repo; this is a # Set up public keys for root, so we can fetch the repo; this is a
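Review bot: The replacement comment inside the heredoc (`# Credentials are from the IAM role attached to the EC2 instance`) says where credentials come from but not why `credential_source` is absent, so a later edit could easily restore the line. Consider recording, either in that line or in the shell comment above `mkdir -p /root/.aws`, that `credential_source` without `role_arn` produces an error in `aws-sdk-go` (used by Teleport), as the commit message explains. Since the comment sits between `<<EOF` and `EOF`, it is written into `/root/.aws/config` itself, which keeps that rationale visible on the provisioned host as well as in the script.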