New region ap-east-1 causes issues with multiple services

Opening a new issue (formerly https://github.com/boto/boto3/issues/1943) as the new region has an impact on multiple services.

The following calls are failing:

  • CloudFormation ListStacks
  • CloudWatch DescribeAlarms
  • CloudTrail DescribeTrails
  • Config DescribeConfigRules
  • Config DescribeConfigurationRecorderStatus
  • Config DescribeConfigurationRecorders
  • DynamoDB ListTables
  • EC2 DescribeFlowLogs
  • EC2 DescribeImages
  • EC2 DescribeSnapshots
  • EC2 DescribeVolumes
  • EC2 DescribeVpcPeeringConnections
  • EC2 DescribeVpcs
  • ELB DescribeLoadBalancers
  • EMR ListClusters
  • ElastiCache DescribeCacheSecurityGroups
  • ElastiCache DescribeCacheParameterGroups
  • KMS ListKeys
  • Lambda ListFunctions
  • RDS DBParameterGroups
  • RDS DescribeDBSecurityGroups
  • Redshift DescribeClusterParameterGroups
  • Redshift DescribeClusterSecurityGroups
  • SNS ListTopics
  • SQS ListQueues

This is caused by the ap-east-1 region being returned by get_available_regions, even though it is not enabled.

There may be other instances; these are just the ones failing in https://github.com/nccgroup/ScoutSuite.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:17 (1 by maintainers)

Top GitHub Comments

8 reactions
kyleknap commented, Jun 27, 2019

@j4v I agree we need to add a workaround for users that want to programmatically make API calls to all available regions but have not opted into every region (e.g. ap-east-1). I think it would make sense to have an opt-out flag in the get_available_regions method call that removes any opt-in regions from the returned list. So something like:

import boto3.session
# Does not list ap-east-1 because it is opt-in
boto3.session.Session().get_available_regions('s3', allow_opt_in_regions=False)
# However if you do not specify allow_opt_in_regions, you get all of the regions
boto3.session.Session().get_available_regions('s3')

I think this direction makes sense because:

  1. We cannot know if a specific account has opted into a region. The get_available_regions() does not make any HTTP request and there is not even an API call to list all of the regions that are available to a user. So we cannot add the functionality of excluding a region that is opt-in without a new parameter or new method on the session.

  2. There is already an allow_non_regional parameter to exclude regions that are just special endpoints. So there is a precedent for having a filter parameter in the method.

  3. We would make the allow_opt_in_regions default to True because it would be a breaking change for users that have already opted into ap-east-1 and expect the get_available_regions() calls to return it to start filtering it out.

The only issue is that we do not have the upstream metadata yet in our endpoints.json to programmatically account for each new opt-in region. So we will have to go get that added in order to programmatically account for any new opt-in region.

Let us know what you think.

2 reactions
SpenGietz commented, Jul 12, 2019

@kyleknap I like that idea a lot, it would be really helpful for my use case.

It’s probably on the AWS side of development and not the boto side, but it would be nice if we could determine whether opt-in regions were enabled or not programmatically as well without the need for new APIs or permissions. Maybe something like STS GetCallerIdentity to a disabled opt-in region returns “region disabled” or something, rather than a somewhat-cryptic error message. I’m not sure the best route for that, more-so just throwing out ideas.
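An added example, not part of the original thread and not boto3 code: for a multi-region audit tool such as the one named in the issue, it reconciles the static list from get_available_regions with the per-account status from EC2 DescribeRegions called with AllRegions=True, and records skipped regions and blind spots instead of failing. StubEC2, plan_scan, account_regions and the sample regions are constructed for illustration.

```python
# Added example: reconcile the SDK's static region list with what the account
# has enabled. Real use (assumed setup, needs credentials):
#   static = boto3.session.Session().get_available_regions("ec2")
#   client = boto3.client("ec2", region_name="us-east-1")

USABLE = {"opt-in-not-required", "opted-in"}  # OptInStatus values that accept calls


def account_regions(ec2_client):
    """Map region name -> OptInStatus using EC2 DescribeRegions(AllRegions=True)."""
    resp = ec2_client.describe_regions(AllRegions=True)
    return {r["RegionName"]: r.get("OptInStatus", "unknown") for r in resp["Regions"]}


def plan_scan(static_regions, ec2_client):
    """Split regions into those to scan, those skipped, and audit blind spots."""
    status = account_regions(ec2_client)
    scan, skipped = [], {}
    for name in sorted(static_regions):
        if status.get(name) in USABLE:
            scan.append(name)
        else:
            # Keep the reason so the report shows the coverage gap explicitly.
            skipped[name] = status.get(name, "not-returned-by-ec2")
    # Enabled in the account but missing from the SDK's list: resources there
    # would never be audited by a tool that trusts the static list alone.
    blind = sorted(n for n, s in status.items() if s in USABLE and n not in static_regions)
    return {"scan": scan, "skipped": skipped, "blind_spots": blind}


class StubEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""

    def describe_regions(self, AllRegions=False):
        regions = [
            {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
            {"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
            {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
            {"RegionName": "me-south-1", "OptInStatus": "opted-in"},
        ]
        if not AllRegions:  # the default call omits regions that are not enabled
            regions = [r for r in regions if r["OptInStatus"] != "not-opted-in"]
        return {"Regions": regions}


if __name__ == "__main__":
    # Constructed static list, as an older SDK release might return it.
    print(plan_scan(["us-east-1", "eu-west-1", "ap-east-1"], StubEC2()))
```

The blind_spots bucket matters for security tooling: a region that is enabled in the account but absent from an outdated SDK region list is never scanned unless the tool checks for it.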
