🐛 Fix SSM access by setting explicit AWS region

go-go-golems · Jan 19, 2025 · 66b6812 · 66b6812
1 parent f24e146
commit 66b6812
Showing 1 changed file with 56 additions and 5 deletions.
diff --git a/pkg/handlers/config/ssm-evaluator.go b/pkg/handlers/config/ssm-evaluator.go
@@ -2,28 +2,69 @@ package config
 
 import (
 	"context"
+	"strings"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/sync/errgroup"
 )
 
 type SsmEvaluator struct {
-	client *ssm.Client
-	ctx    context.Context
+	client    *ssm.Client
+	stsClient *sts.Client
+	ctx       context.Context
 }
 
 func NewSsmEvaluator(ctx context.Context) (*SsmEvaluator, error) {
-	cfg, err := config.LoadDefaultConfig(ctx)
+	cfg, err := config.LoadDefaultConfig(ctx,
+		config.WithRegion("us-east-1"), // Explicitly set region based on parameter ARN
+	)
 	if err != nil {
 		return nil, errors.Wrap(err, "unable to load AWS SDK config")
 	}
 
+	// Get credentials for logging
+	creds, err := cfg.Credentials.Retrieve(ctx)
+	if err != nil {
+		log.Warn().Err(err).Msg("failed to retrieve AWS credentials for debug logging")
+	} else {
+		// Only show first 4 chars of access key
+		truncatedKey := creds.AccessKeyID
+		if len(truncatedKey) > 4 {
+			truncatedKey = truncatedKey[:4] + strings.Repeat("*", len(truncatedKey)-4)
+		}
+		log.Debug().
+			Str("access_key", truncatedKey).
+			Str("provider", string(creds.Source)).
+			Msg("AWS credentials loaded")
+	}
+
+	log.Debug().
+		Str("region", cfg.Region).
+		Str("retry_mode", string(cfg.RetryMode)).
+		Msg("AWS config loaded")
+
+	// Get caller identity for additional context
+	stsClient := sts.NewFromConfig(cfg)
+	identity, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+	if err != nil {
+		log.Warn().Err(err).Msg("failed to get AWS caller identity")
+	} else {
+		log.Debug().
+			Str("account", *identity.Account).
+			Str("arn", *identity.Arn).
+			Str("user_id", *identity.UserId).
+			Msg("AWS caller identity")
+	}
+
 	return &SsmEvaluator{
-		client: ssm.NewFromConfig(cfg),
-		ctx:    ctx,
+		client:    ssm.NewFromConfig(cfg),
+		stsClient: sts.NewFromConfig(cfg),
+		ctx:       ctx,
 	}, nil
 }
 
@@ -52,6 +93,16 @@ func (s *SsmEvaluator) Evaluate(node interface{}) (interface{}, bool, error) {
 				})
 				log.Info().Msgf("getting parameter %s from AWS SSM", k)
 				if err := eg.Wait(); err != nil {
+					// Get current identity for error context
+					identity, identityErr := s.stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+					if identityErr == nil {
+						log.Info().
+							Str("parameter", k).
+							Str("account", *identity.Account).
+							Str("arn", *identity.Arn).
+							Str("error", err.Error()).
+							Msg("failed to get SSM parameter - current AWS identity")
+					}
 					return nil, false, errors.Wrap(err, "failed to get parameter from AWS SSM")
 				}