| 1 Jun 2022 |
 @grahamc:nixos.org | hum... | 17:22:11 |
 Mic92 | It was definitly client nonce errors. I had to delete the old onces manually from vault | 17:22:43 |
| Mic92 | And I also saw the error messages | 17:22:56 |
| @grahamc:nixos.org | oh we don't use config.type = "ec2"; because it isn't recommended anymore by hashicorp | 17:23:03 |
| @grahamc:nixos.org | we use the type iam | 17:23:07 |
| @grahamc:nixos.org | we will document the incompatibility | 17:23:34 |
| Mic92 | Yeah, but iam is simply not usable if you have multiple regions | 17:23:45 |
| @grahamc:nixos.org | no? | 17:23:51 |
| @grahamc:nixos.org | how so? | 17:23:53 |
| Mic92 | because a role is tight to a single region | 17:23:57 |
| @grahamc:nixos.org | I don't think IAM roles are tied to a region | 17:24:20 |
| Mic92 | not iam roles | 17:25:07 |
| @grahamc:nixos.org | but at any rate, it should work across regions without too much work | 17:25:16 |
| Mic92 | but roles you create in vault | 17:25:16 |
| Mic92 | I would need to hard code per region vault roles in my nixos modules | 17:25:39 |
| Mic92 | https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/aws_auth_backend_role | 17:26:14 |
| Mic92 | Because one needs to set inferred_aws_region | 17:26:26 |
| @grahamc:nixos.org | ah, right | 17:26:56 |
| @grahamc:nixos.org | yeah so we've created multiple one per region of course | 17:27:03 |
| @grahamc:nixos.org | because instance profile ARNs are per region I think | 17:27:24 |
| Mic92 | I really should just have used client certs. | 17:27:50 |
| Mic92 | This is causing some much trouble down the line | 17:27:59 |
| @grahamc:nixos.org | still could :) but I've found the AWS methods very very worth it | 17:28:28 |
| @grahamc:nixos.org | but our instances are all ephemeral, and that makes it easy | 17:28:45 |
| Mic92 | This is definitely the last company I will setup this because they of their higher security needs. But otherwise the operational complexity is too high. One shouldn't need a devops just to maintain the security management. | 17:31:20 |
| @grahamc:nixos.org | we've found that once it is up and you have one project using it, extending it to the rest has been really easy and straight forward | 17:32:39 |
| @grahamc:nixos.org | but coming in to it without having used it and going from 0 to in production is definitely a very tall order | 17:32:49 |
| Mic92 | Documentation is severe lacking and the error message are not helpful. | 17:33:58 |
| @grahamc:nixos.org | I haven't personally found that to be true, but it may be that I come to it with some important background context | 17:34:20 |
| @grahamc:nixos.org | * I haven't personally found that to be true, but it is probable that I come to it with some important background context | 17:34:30 |
