I'm currently trying to set up a confd POC using SSM as the provider for the keys. We currently have one account on AWS, which is the root account, and multiple roles to separate the environments.
Currently my AWS config looks like this:

    [default]
    region=eu-west-1
    output=json
    role_arn=arn:aws:iam::*:role/OrganizationAccountAccessRole

This works quite fine for me, given that the command

    aws ssm get-parameters --names /eric

gives me back the key I created for this POC:

    PARAMETERS arn:aws:ssm:eu-west-1:*:parameter/eric * /eric String test 1

For confd, though, it does not:

    confd -onetime -backend ssm --log-level debug
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: DEBUG Processing key=/eric
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: DEBUG Got the following map from store: map[]
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: DEBUG Using source template /etc/confd/templates/myconfig.conf.tmpl
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: DEBUG Compiling source template /etc/confd/templates/myconfig.conf.tmpl
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: ERROR template: myconfig.conf.tmpl:2:17: executing "myconfig.conf.tmpl" at <getv "/eric">: error calling getv: key does not exist: /eric
    2019-04-07T18:25:08Z 3ce95f057568 confd[359]: FATAL template: myconfig.conf.tmpl:2:17: executing "myconfig.conf.tmpl" at <getv "/eric">: error calling getv: key does not exist: /eric

I did one short test and created the key /eric in the root account instead of the role account. After doing that it worked as I expected, which makes me wonder: is there any hidden configuration for confd to make it "use" the role? Currently it seems like it does not take the role into consideration.
My confd template looks like this:

    [template]
    src = "myconfig.conf.tmpl"
    dest = "/tmp/myconfig.conf"
    keys = [
      "/eric"
    ]

and my confd config looks like this:

    database_url = {{getv "/eric"}}

Can someone give me any direction regarding this specific problem?
OK, I found the issue: my AWS config has been completely ignored. After looking at the currently open pull requests for this project, I found this one:
https://github.com/kelseyhightower/confd/pull/736. The author mentions
So yes, setting the var AWS_SDK_LOAD_CONFIG to true made this work. I assume that when this PR gets merged, this "workaround" will not be necessary.
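
A preflight check for the situation in this thread, as an added example that is not part of the original posts or of confd: it reports when the selected profile in the AWS shared config sets role_arn while AWS_SDK_LOAD_CONFIG is not enabled, so the tool would read SSM under a different identity than the aws CLI. The function names and the accepted boolean spellings are assumptions; the sample config is constructed from the one in the question.

```shell
#!/bin/sh
# Added example (not from the post or from confd); function names are hypothetical.

# Print the role_arn set for a profile in an AWS shared config file, if any.
# $1 = config file path, $2 = profile name (default: "default").
profile_role_arn() {
    cfg=$1; prof=${2:-default}
    # The default profile is "[default]"; named ones are "[profile NAME]".
    if [ "$prof" = default ]; then hdr='[default]'; else hdr="[profile $prof]"; fi
    awk -v hdr="$hdr" '
        /^[ \t]*\[/ { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); in_sec = ($0 == hdr); next }
        in_sec && /^[ \t]*role_arn[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$cfg"
}

# Return 1 when the profile names a role but AWS_SDK_LOAD_CONFIG is not enabled,
# the state in which confd in the post ignored the AWS config. Return 0 otherwise.
check_confd_aws_env() {
    cfg=${1:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}
    prof=${AWS_PROFILE:-default}
    [ -r "$cfg" ] || { echo "no readable config at $cfg"; return 0; }
    role=$(profile_role_arn "$cfg" "$prof")
    [ -n "$role" ] || { echo "profile '$prof' sets no role_arn"; return 0; }
    # Assumption: the SDK accepts the usual boolean spellings; the post used "true".
    case "${AWS_SDK_LOAD_CONFIG:-}" in
        1|t|T|true|TRUE|True)
            echo "ok: shared config enabled, role_arn=$role"; return 0 ;;
        *)
            echo "warning: role_arn=$role is set but AWS_SDK_LOAD_CONFIG is not;" \
                 "confd may read SSM without assuming the role" >&2
            return 1 ;;
    esac
}

# Constructed sample mirroring the config in the question (account id masked as there).
sample=$(mktemp)
printf '%s\n' '[default]' 'region=eu-west-1' 'output=json' \
    'role_arn=arn:aws:iam::*:role/OrganizationAccountAccessRole' > "$sample"
( unset AWS_SDK_LOAD_CONFIG AWS_PROFILE; check_confd_aws_env "$sample" ) || echo "-> exit 1"
( unset AWS_PROFILE; AWS_SDK_LOAD_CONFIG=true; check_confd_aws_env "$sample" ) && echo "-> exit 0"
rm -f "$sample"
```

Running the check in the same container or unit that starts confd catches the mismatch before the template render fails with "key does not exist".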