AWS Shell Plugin and 1Password

Options
zondi
zondi
Community Member
edited January 2023 in CLI

Running into something like this:

$ aws s3 ls
[ERROR] 2023/01/05 01:07:46 could not run plugin AWS CLI: failed to provision credentials, encountered error(s):
region is required for the AWS Shell Plugin MFA workflow: set 'default region' in 1Password or set the 'AWS_DEFAULT_REGION' environment variable yourself

$ op plugin inspect aws

AWS CLI
Credential type: Access Key
Configured Aliases
✔ Alias for "aws" configured
✔ Aliases sourced (/home/$user/.config/op/plugins.sh)
Configured Credentials
✔ "AWS $OrgName: $User" (vault: "$Vault")
Configured for current terminal session.

When you make a call, it hangs and then generates that output.

We generally don't set the default region when configuring aws-cli for any profile.

And even if you run:

$ aws configure set region us-west-2 --profile $profile

the same error is triggered.

Can't seem to find any help resource that has anything to say about it.

Thanks

1Password Version: 8.9.10
Extension Version: Not Provided
OS Version: Ubuntu (Pop!OS 22.04)
Browser: Not Provided

Comments

  • zondi
    zondi
    Community Member
    Options

    For anyone that runs into the same issue:

    set the region environment variable

    1. If you have an existing credential in 1Password that you want to use with this plugin, either update it with the "one-time password" and "mfa serial fields" or (recommended) allow 1Password to generate this. Meaning, select the "Import into 1Password" option.

    2. Once the process has been completed and before you run your first aws command, add those fields. You will screenshot the AWS-generated QR code and then use the one-time password option to add it to the newly-created entry.

    3. If you have multiple AWS accounts (as is often the case), select either the "Prompt me for each new terminal session" or if you are structured your environments, the "Use automatically when in this directory or subdirectories"

    The documentation team needs to move up the "Optional: Set up multi-factor authentication" as no sane person will ever create an account without this.

    Especially with the availability of global condition keys which makes it very easy to implement with roles, etc.

    Doesn't matter whether it is CLI or Console.

  • Jack.P_1P
    Jack.P_1P
    Options

    Thanks for sharing your feedback @zondi!

    Jack

This discussion has been closed.