Different env var to select region? about chamber HOT 5 CLOSED

Sounds like you need to ensure the IAM role has access to all regions.

I believe you can use a * for the region in the ARN for the permission. [1][2]

You can then either let chamber infer it's own region using the Metadata API or keep AWS_REGION set to the current region instead of the region you created the parameter in.

@ejcx and @dfuentes, please correct me if I'm wrong.

[1] https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/
[2] http://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html

from chamber.

Yuck! I don't think we considered this too much.

I think the easy fix is to have an extra ENV var like you pointed out, or some other mechanism so you don't clobber your AWS_REGION variable.

I can also think of a kind of hacky way to do this where you export the secrets to an encrypted file (with a key that is generated on the fly). Then there are more ways to run your program than just chamber exec and it can still be secure and you avoid clobbering your region.

@dfuentes is honestly the sane one here though =]. Ill chat with him about it.

from chamber.

Hey, thanks for the responses. I had a think about some kind of wrapper around chamber exec, but thought I'd bring up the env var suggestion, as it's a fair bit less work ;)

Thanks

from chamber.

Totally seems reasonable to add an override environment variable. I will draft up a PR for this

from chamber.

Thanks so much for this!

from chamber.