AWS Datasource metadata - Account ID, Region

[air3ijai]

Hello,

We recently updated our GitHub Actions workflow to use gomplate and all works fine. We use it for Kubernetes manifests preprocessing and for this also use some data from the AW Secrets Manager.

But in one case we also need AWS Account ID and for this we still use aws cli

echo "ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')" >> $GITHUB_ENV

And we also populate AWS Region. As it is not so sensitive, we define it directly in a workflow, but sometimes it maybe required to define it using GitHub Actions Secrets and then it maybe more complicated to use it.

region: '{{ .Env.AWS_REGION }}'

Is there a way to get such a AWS metadata and use it during template preprocessing?

{{ (ds "sm").aws_account_id }}
{{ (ds "sm").aws_region }}

[hairyhenderson]

Hi @air3ijai, have you seen the aws.* functions? I think these will meet your needs.

For region, you should be able to use aws.EC2Region, and for the account ID, I think aws.Account should work.

[air3ijai]

@hairyhenderson, thank you for the documentation reference - I missed it, again :)

aws.Account - works as expected

gomplate -i '{{ aws.Account }}'

123456789012

aws.EC2Region - can't make it work

gomplate -i '{{ aws.EC2Region }}'

unknown

env | grep AWS

AWS_TIMEOUT=2000
AWS_REGION=us-east-2
AWS_PROFILE=staging
AWS_DEFAULT_REGION=us-east-2
AWS_ACCESS_KEY_ID=********
AWS_SECRET_ACCESS_KEY=********

cat ~/.aws/credentials | grep staging -A3

[staging]
aws_access_key_id = ********
aws_secret_access_key = ********
region = us-east-2

[hairyhenderson]

Hmm... aws.Account uses the STS GetCallerID API, which works whether or not you're in an EC2 environment.

From what I recall aws.EC2Region was only ever intended to work if gomplate is being run on an EC2 instance, as it's using the instance metadata service (which is only accessible from within an EC2 instance).

You can call it with a default value though, so this could work:

{{ aws.EC2Region (env.Getenv "AWS_REGION") }}

[air3ijai]

Yes, this one works as expected

gomplate -i '{{ aws.EC2Region (env.Getenv "AWS_REGION") }}'

us-east-2

Also tested from EC2 instance

gomplate -i '{{ aws.EC2Region }}'

us-east-1

curl http://169.254.169.254/latest/meta-data/placement/region

us-east-1

It returns instance region and same as in instance metadata, but not one defined by variable during the call

env | grep AWS

AWS_REGION=us-east-2
AWS_SECRET_ACCESS_KEY=********
AWS_ACCESS_KEY_ID=********

Thank you for the help and clarifications!

[hairyhenderson]

Thanks for following up, glad to hear it's solved! 🙇‍♂️