making endpoint-url config respected #1048

Closed
ror6ax opened this issue Jan 20, 2017 · 4 comments
Labels
guidance Question that needs advice or information.

ror6ax commented Jan 20, 2017

Following up from aws/aws-cli#1270

I'm looking to use HashiCorp Vault, which depends on aws-sdk-go, with a connection to a Eucalyptus cloud (AWS clone).

For the CLI, the following works:

```
aws --endpoint-url http://eucalyptrusurl iam list-users
```

Problem is, Vault uses SDK and config endpoint URL parameter is not recognized.

I have two questions:

  1. Does sdk care about .aws/credentials at all?
  2. How do I pass the endpoint via the Go SDK?

Sorry for the noob question, I'm not a Go developer by any means, but I have to get this fixed...
Thnx

@jasdel jasdel added the guidance Question that needs advice or information. label Jan 20, 2017

jasdel commented Jan 20, 2017

Thanks for contacting us @ror6ax. I think the Vault project will be better able to help with configuring the Vault tool to connect to a custom endpoint. Unless there is a way to pass the aws.Config returned by getClientConfig back to Vault, I don't think modifying the config value here will have the impact you're looking for.

The best way to contact Vault is via their github repo, #vault-tool on Freenode, or their Google Groups.

The shared configuration files (~/.aws/config and ~/.aws/credentials) do not define an endpoint value. The --endpoint-url is specific to the CLI due to its command line nature. To set the SDK's endpoint, all you need to do is set Config.Endpoint to the target prior to creating the needed service client.

```go
sess := session.Must(session.NewSession())

s3Svc := s3.New(sess, aws.NewConfig().WithEndpoint("http://eucalyptrusurl"))

// Make s3 requests to custom endpoint
```


ror6ax commented Jan 24, 2017

I've contacted them as well for clarifications.

I've modified AWS client file as follows:

--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -50,10 +50,10 @@ func getRootConfig(s logical.Storage) (*aws.Config, error) {

 func clientIAM(s logical.Storage) (*iam.IAM, error) {
        awsConfig, _ := getRootConfig(s)
-       return iam.New(session.New(awsConfig)), nil
+       return iam.New(session.New(awsConfig.WithEndpoint("http:/myeucalyptus-cloud.net
 }

 func clientSTS(s logical.Storage) (*sts.STS, error) {
        awsConfig, _ := getRootConfig(s)
-       return sts.New(session.New(awsConfig)), nil
+       return sts.New(session.New(awsConfig.WithEndpoint("http:/myeucalyptus-cloud.net
 }
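
Review bot: the two added lines hardcode the endpoint string inside clientIAM and clientSTS, and the literal begins `http:/` with a single slash and uses plain HTTP for IAM and STS calls, whose responses can carry credentials. Take the endpoint from the config that getRootConfig returns, or from another configurable setting, rather than a literal in each constructor, and use a well-formed https:// URL. Both functions also discard the error from getRootConfig (`awsConfig, _ :=`), so the new WithEndpoint call would dereference a nil pointer if the config could not be loaded; check the error before calling it.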

Ok, go's dependency system got the better of me :)
I originally wrote there is no effect, but there is one now.

```
vault read aws/creds/readonly
Error reading aws/creds/readonly: Error making API request.

URL: GET http://127.0.0.1:8200/v1/aws/creds/readonly
Code: 400. Errors:

* Error attaching user policy: SerializationError: failed to decode query XML error response
caused by: expected element type <ErrorResponse> but have <Response>
```

or with another example payload

```
vault read aws/creds/deploy
Error reading aws/creds/deploy: Error making API request.

URL: GET http://127.0.0.1:8200/v1/aws/creds/deploy
Code: 400. Errors:

* Error putting user policy: MalformedPolicyDocument: Error in uploaded policy: net.sf.json.JSONException: Expecting net.sf.json.JSONArray but got net.sf.json.JSONObject
        status code: 400, request id: 93c3faa8-35ba-4b20-9044-c452a9148991
```

Apparently the replacement service does not send a 1:1 response with AWS. Any tips on how I can debug these?


xibz commented Jan 24, 2017

Hello @ror6ax, you can enable logging to inspect the contents of the body.

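```go
// Log signing details and full HTTP bodies so the raw response from the endpoint is visible.
svc := sts.New(session.New((&aws.Config{
	// Config params
}).WithLogLevel(aws.LogDebugWithHTTPBody | aws.LogDebug | aws.LogDebugWithSigning)))
```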

Please let us know if that helps.
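
The first error in this thread ("expected element type <ErrorResponse> but have <Response>") can be reproduced with the Go standard library alone, which helps when reading the logged bodies. This is an added example, not code from this thread or from aws-sdk-go: `strictError`, `decodeStrict` and `describeXML` are hypothetical names, both response bodies are constructed, and the `<Response>` layout is an assumption about what a non-AWS service might return.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample bodies (not captured from any real service).
const awsStyle = `<ErrorResponse><Error><Code>NoSuchEntity</Code><Message>constructed</Message></Error><RequestId>req-1</RequestId></ErrorResponse>`
const otherStyle = `<Response><Errors><Error><Code>NoSuchEntity</Code><Message>constructed</Message></Error></Errors><RequestID>req-1</RequestID></Response>`

// strictError is pinned to an <ErrorResponse> root (assumed shape, see lead-in).
type strictError struct {
	XMLName xml.Name `xml:"ErrorResponse"`
	Code    string   `xml:"Error>Code"`
}

// decodeStrict fails when the root element is not <ErrorResponse>.
func decodeStrict(body string) (string, error) {
	var e strictError
	err := xml.Unmarshal([]byte(body), &e)
	return e.Code, err
}

// describeXML accepts any root and returns it with every text leaf keyed by path.
func describeXML(body string) (string, map[string]string, error) {
	dec := xml.NewDecoder(strings.NewReader(body))
	var path []string
	root, leaves := "", map[string]string{}
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return root, leaves, nil
		}
		if err != nil {
			return root, leaves, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if root == "" {
				root = t.Name.Local
			}
			path = append(path, t.Name.Local)
		case xml.EndElement:
			path = path[:len(path)-1]
		case xml.CharData:
			if s := strings.TrimSpace(string(t)); s != "" {
				leaves[strings.Join(path, "/")] = s
			}
		}
	}
}

func main() {
	_, err := decodeStrict(otherStyle)
	fmt.Println("strict decode:", err)
	root, leaves, _ := describeXML(otherStyle)
	fmt.Println("root:", root, "leaves:", leaves)
}
```

Running `describeXML` over a body captured from the debug log shows which root element and field paths the endpoint actually uses.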

@xibz xibz added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 1, 2017
@xibz xibz closed this as completed Feb 9, 2017

xibz commented Feb 9, 2017

Hello @ror6ax, if you are still experiencing issues, please feel free to reach out to us on our gitter channel.

@diehlaws diehlaws removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 29, 2018