Setfive/cloudwatch-autowatch

Must specify userName when calling with non-User credentials

Closed this issue · 6 comments

I've successfully made the script work by hardcoding an IAM UserName in /dist/index.js, before the iam.getUser call. Without this workaround, I cannot run the script, neither with an instance role nor with AWS keys set as env parameters.

I think there is something to fix there; here is the link to the corresponding function in the AWS JavaScript SDK:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#getUser-property

Can you paste in the error you're getting?

I just tried using the environment variables and it authenticated correctly. It's delegating authentication to the AWS SDK so it should "just work".

Actually, what AWS region are you in? Just noticed it's defaulting to "us-east-1" - https://github.com/Setfive/cloudwatch-autowatch/blob/master/src/config.ts#L20 which might be your issue?

I'm in "eu-west-1", I don't think the error comes from there though.

Here is a pastebin of the error: https://pastebin.com/LQLz7sDU

It's interesting "listSnsTopics" works since that requires authentication as well.

To confirm, you're setting environment variables for an IAM user that has permissions to create CloudWatch alarms right? Or are you using IAM roles from the EC2?

I've tried both methods with the FullAdminAccess policy in a dev account.

However, it's normal that the error happens only for the "generateAlarms" command, as "listSnsTopics" doesn't use the method which generates the error message here.

Ah I see, the "getUser" call seems to fail when using an IAM role. On a82f52a I switched to using the STS service, and it should be working now.

Tested and confirmed on an EC2 with the "arn:aws:iam::aws:policy/AdministratorAccess" role granted.
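The failure mode discussed above, as an added example that is not part of the thread or of cloudwatch-autowatch's own code: IAM GetUser without a UserName only works when the credentials belong to an IAM user, while STS GetCallerIdentity identifies any principal. The IAM and STS clients, the ARNs and the role name are constructed stand-ins shaped like AWS SDK v2 responses so the snippet runs offline.

```javascript
// Added example, not cloudwatch-autowatch's own code. It shows why iam.getUser() without a
// UserName fails under an EC2 instance role and how STS GetCallerIdentity resolves the
// caller for any principal. The clients are constructed stand-ins shaped like the AWS SDK v2
// responses (so this runs offline); real code would use new AWS.STS().getCallerIdentity().promise().

// Split an IAM/STS principal ARN: arn:partition:service:region:account:resource.
function parsePrincipalArn(arn) {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') throw new Error(`not an ARN: ${arn}`);
  const account = parts[4];
  // resource is user/Name, role/Name, assumed-role/Name/Session, or root
  const [type, name = null, session = null] = parts.slice(5).join(':').split('/');
  return { account, type, name, session, isUser: type === 'user' };
}

// Constructed IAM client reproducing the error from the issue: GetUser infers the user from
// the credentials, so role credentials without an explicit UserName are rejected.
function fakeIam(callerArn) {
  return {
    getUser(params = {}) {
      return { promise: async () => {
        const p = parsePrincipalArn(callerArn);
        if (!params.UserName && !p.isUser) {
          const err = new Error('Must specify userName when calling with non-User credentials');
          err.code = 'ValidationError';
          throw err;
        }
        return { User: { UserName: params.UserName || p.name, Arn: callerArn } };
      } };
    },
  };
}

// Constructed STS client: GetCallerIdentity takes no parameters, cannot be denied by an
// IAM policy, and answers for users, roles and root alike.
function fakeSts(callerArn) {
  const Account = parsePrincipalArn(callerArn).account;
  return { getCallerIdentity() { return { promise: async () => ({ Account, Arn: callerArn }) }; } };
}

// What the fixed tool should do: ask STS who is calling, then derive account and principal
// from the ARN instead of assuming the caller is an IAM user.
async function resolveCaller(sts) {
  const id = await sts.getCallerIdentity().promise();
  return parsePrincipalArn(id.Arn);
}

// Constructed sample credentials: an EC2 instance role session and a plain IAM user.
const ROLE_ARN = 'arn:aws:sts::123456789012:assumed-role/AutowatchRole/i-0123456789abcdef0';
const USER_ARN = 'arn:aws:iam::123456789012:user/alice';
```

Running `resolveCaller(fakeSts(ROLE_ARN))` yields the account and role name, whereas `fakeIam(ROLE_ARN).getUser()` rejects with the ValidationError quoted in the issue title.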

I've pulled the update, it seems it fixed the issue.
Case closed.