| 1 Jun 2022 |
@grahamc:nixos.org | we use the type iam | 17:23:07 |
@grahamc:nixos.org | we will document the incompatibility | 17:23:34 |
Mic92 | Yeah, but iam is simply not usable if you have multiple regions | 17:23:45 |
@grahamc:nixos.org | no? | 17:23:51 |
@grahamc:nixos.org | how so? | 17:23:53 |
Mic92 | because a role is tied to a single region | 17:23:57 |
@grahamc:nixos.org | I don't think IAM roles are tied to a region | 17:24:20 |
Mic92 | not iam roles | 17:25:07 |
@grahamc:nixos.org | but at any rate, it should work across regions without too much work | 17:25:16 |
Mic92 | but roles you create in vault | 17:25:16 |
Mic92 | I would need to hard code per region vault roles in my nixos modules | 17:25:39 |
Mic92 | https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_role | 17:26:14 |
Mic92 | Because one needs to set inferred_aws_region | 17:26:26 |
@grahamc:nixos.org | ah, right | 17:26:56 |
@grahamc:nixos.org | yeah so we've created multiple one per region of course | 17:27:03 |
@grahamc:nixos.org | because instance profile ARNs are per region I think | 17:27:24 |
Mic92 | I really should just have used client certs. | 17:27:50 |
Mic92 | This is causing so much trouble down the line | 17:27:59 |
@grahamc:nixos.org | still could :) but I've found the AWS methods very very worth it | 17:28:28 |
@grahamc:nixos.org | but our instances are all ephemeral, and that makes it easy | 17:28:45 |
Mic92 | This is definitely the last company I will set this up for, because of their higher security needs. But otherwise the operational complexity is too high. One shouldn't need a devops just to maintain the security management. | 17:31:20 |
@grahamc:nixos.org | we've found that once it is up and you have one project using it, extending it to the rest has been really easy and straight forward | 17:32:39 |
@grahamc:nixos.org | but coming in to it without having used it and going from 0 to in production is definitely a very tall order | 17:32:49 |
Mic92 | Documentation is severely lacking and the error messages are not helpful. | 17:33:58 |
@grahamc:nixos.org | I haven't personally found that to be true, but it may be that I come to it with some important background context | 17:34:20 |
@grahamc:nixos.org | * I haven't personally found that to be true, but it is probable that I come to it with some important background context | 17:34:30 |
Mic92 | They ask end-users to deal with Nonces. If you don't have a background in cryptography, this is just careless | 17:38:48 |
@grahamc:nixos.org | ah, yeah, that has to do with the otherwise insecure method that the deprecated aws-ec2 auth method uses | 17:39:06 |
@grahamc:nixos.org | the iam method doesn't need it and is much safer | 17:39:14 |
@grahamc:nixos.org | I guess the ec2 method isn't deprecated, but the iam approach is recommended in a way that feels like ec2 was deprecated | 17:41:47 |