| 1 Jun 2022 |
Mic92 | what do you usually use? | 13:39:53 |
Mic92 | I have a multi-region deployment, so those normal IAM methods wouldn't work | 13:40:25 |
Mic92 | Turns out I was also using vault_aws_auth_backend_role_tag wrong in Terraform, but it is also impossible to use because it creates dependency cycles between the EC2 instances I am trying to create. | 14:04:43 |
Mic92 | It also seems that nixos-vault-service cannot be used with AWS EC2 auth. Once there are two services that require a secret, the second instance cannot authenticate because of nonce mismatches | 15:07:52 |
@grahamc:nixos.org | That is surprising, we use it for AWS EC2 auth | 16:59:24 |
Mic92 | Check out this: https://github.com/DeterminateSystems/nixos-vault-service/issues/58 | 17:19:40 |
@grahamc:nixos.org | hum... | 17:22:11 |
Mic92 | It was definitely client nonce errors. I had to delete the old ones manually from Vault | 17:22:43 |
Mic92 | And I also saw the error messages | 17:22:56 |
@grahamc:nixos.org | Oh, we don't use config.type = "ec2"; because it isn't recommended anymore by HashiCorp | 17:23:03 |
@grahamc:nixos.org | We use the type iam | 17:23:07 |
@grahamc:nixos.org | We will document the incompatibility | 17:23:34 |
Mic92 | Yeah, but IAM is simply not usable if you have multiple regions | 17:23:45 |
@grahamc:nixos.org | no? | 17:23:51 |
@grahamc:nixos.org | how so? | 17:23:53 |
Mic92 | Because a role is tied to a single region | 17:23:57 |
@grahamc:nixos.org | I don't think IAM roles are tied to a region | 17:24:20 |
Mic92 | Not IAM roles | 17:25:07 |
@grahamc:nixos.org | But at any rate, it should work across regions without too much work | 17:25:16 |
Mic92 | But roles you create in Vault | 17:25:16 |
Mic92 | I would need to hard-code per-region Vault roles in my NixOS modules | 17:25:39 |
Mic92 | https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_role | 17:26:14 |
Mic92 | Because one needs to set inferred_aws_region | 17:26:26 |
@grahamc:nixos.org | Ah, right | 17:26:56 |
@grahamc:nixos.org | Yeah, so we've created multiple, one per region, of course | 17:27:03 |
@grahamc:nixos.org | Because instance profile ARNs are per region, I think | 17:27:24 |
Mic92 | I really should just have used client certs. | 17:27:50 |
Mic92 | This is causing so much trouble down the line | 17:27:59 |
@grahamc:nixos.org | Still could :) but I've found the AWS methods very, very worth it | 17:28:28 |
@grahamc:nixos.org | But our instances are all ephemeral, and that makes it easy | 17:28:45 |