mfa_code attribute doesn't work #441

Open
yuji-tamai opened this issue Dec 1, 2023 · 4 comments
Comments


yuji-tamai commented Dec 1, 2023

I'm trying to use Packer with AssumeRole configured with MFA.

  • PC: MacBook m2 Pro
  • OS: Sonoma 14.1.1
  • Packer version: 1.9.4

~/.aws/config

[profile base]
region = ap-northeast-1
output = json

[profile packer]
region = ap-northeast-1
output = json
role_arn = arn:aws:iam::999999999999:role/assumerole-admin
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/testuser
role_session_name = testuser
duration_seconds = 43200

~/.aws/credentials

[base]
aws_access_key_id=XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

It works fine with AWS CLI.

$ aws s3 ls --profile packer
Enter MFA code for arn:aws:iam::999999999999:mfa/testuser:
2023-05-08 11:09:56 aaaaaaaa
2023-04-27 17:48:31 bbbbbbbb
2022-08-09 15:20:57 cccccccc

However, an error occurs in Packer, probably because the mfa_code attribute isn't effective.

sample.json

{
  "variables": {
    "mfa_code": "000000"
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "ap-northeast-1",
    "source_ami": "ami-xxxxxxxx",
    "instance_type": "t2.small",
    "ssh_username": "ec2-user",
    "ami_name": "role-example",
    "mfa_code": "{{user `mfa_code`}}",
    "profile": "packer"
  }],
  "provisioners": [{
    "type": "shell",
    "inline": [
      "sudo yum -y update",
      "sudo yum -y install nginx"
    ]
  }]
}

command

$ packer build -var 'mfa_code=123456' sample.json
amazon-ebs: output will be in this color.

Build 'amazon-ebs' errored after 852 microseconds: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Wait completed after 902 microseconds

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Builds finished but no artifacts were created.

This error occurs whether the mfa_code attribute is present or not, and whether the value of mfa_code is correct or incorrect.

How can I make the mfa_code attribute effective?

github-actions bot commented Dec 1, 2023

Hi 👋 thanks for reaching out.

For general questions we recommend reaching out to the [community forum](https://discuss.hashicorp.com/c/packer) for greater visibility.
As the GitHub issue tracker is only watched by a small subset of maintainers and is really reserved for bugs and enhancements, you'll have a better chance of finding someone who can help you in the forum.
We'll mark this issue as needs-reply to help inform maintainers that this question is awaiting a response.
If no activity is taken on this question within 30 days it will be automatically closed.

If you find the forum to be more helpful or if you've found the answer to your question elsewhere please feel free to post a response and close the issue.

nywilken (Contributor) commented Dec 7, 2023

Hi @yuji-tamai, thanks for reaching out. This sounds like a bug with the Amazon integration. Do you know which AWS version you are using?

If you could provide a redacted Packer log, that would be helpful. You can generate one by running
PACKER_LOG=1 packer build template.json.

nywilken transferred this issue from hashicorp/packer Dec 7, 2023

yuji-tamai (Author)

@nywilken Thank you for your reply.
The AWS version and Packer log are below.

$ aws --version
aws-cli/2.13.28 Python/3.11.6 Darwin/23.1.0 source/arm64 prompt/off

$ PACKER_LOG=1 packer build -var 'mfa_code=559697' sample.json
2023/12/18 11:16:18 [INFO] Packer version: 1.9.4 [go1.21.1 darwin arm64]
2023/12/18 11:16:18 [TRACE] discovering plugins in
2023/12/18 11:16:18 [TRACE] discovering plugins in /opt/homebrew/bin
2023/12/18 11:16:18 [INFO] Discovered potential plugin: amazon = /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64
2023/12/18 11:16:18 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin
2023/12/18 11:16:18 [INFO] found external [import] post-processors from amazon plugin
2023/12/18 11:16:18 found external [ami parameterstore secretsmanager] datasource from amazon plugin
2023/12/18 11:16:18 [INFO] PACKER_CONFIG env var not set; checking the default config file path
2023/12/18 11:16:18 [INFO] PACKER_CONFIG env var set; attempting to open config file: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 [WARN] Config file doesn't exist: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 [INFO] Setting cache directory: /Users/yuji.tamai/.cache/packer
2023/12/18 11:16:18 [INFO] Starting external plugin /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 start builder ebs
2023/12/18 11:16:18 Starting plugin: /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 []string{"/opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64", "start", "builder", "ebs"}
2023/12/18 11:16:18 Waiting for RPC address for: /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Plugin address: unix /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3887406117
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Waiting for connection...
2023/12/18 11:16:18 Received unix RPC address for /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64: addr is /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3887406117
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Serving a plugin connection...
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [TRACE] starting builder ebs
2023/12/18 11:16:18 [INFO] Starting internal plugin packer-provisioner-shell
2023/12/18 11:16:18 Starting plugin: /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer []string{"/opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer", "plugin", "packer-provisioner-shell"}
2023/12/18 11:16:18 Waiting for RPC address for: /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] Packer version: 1.9.4 [go1.21.1 darwin arm64]
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var not set; checking the default config file path
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var set; attempting to open config file: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 packer-provisioner-shell plugin: [WARN] Config file doesn't exist: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] Setting cache directory: /Users/yuji.tamai/.cache/packer
2023/12/18 11:16:18 packer-provisioner-shell plugin: args: []string{"packer-provisioner-shell"}
2023/12/18 11:16:18 packer-provisioner-shell plugin: Plugin address: unix /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3160410359
2023/12/18 11:16:18 packer-provisioner-shell plugin: Waiting for connection...
2023/12/18 11:16:18 Received unix RPC address for /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer: addr is /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3160410359
2023/12/18 11:16:18 packer-provisioner-shell plugin: Serving a plugin connection...
2023/12/18 11:16:18 Preparing build: amazon-ebs
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [INFO] (aws): No AWS timeout and polling overrides have been set. Packer will default to waiter-specific delays and timeouts. If you would like to customize the length of time between retries and max number of retries you may do so by setting the environment variables AWS_POLL_DELAY_SECONDS and AWS_MAX_ATTEMPTS or the configuration options aws_polling_delay_seconds and aws_polling_max_attempts to your desired values.
2023/12/18 11:16:18 Build debug mode: false
2023/12/18 11:16:18 Force build: false
2023/12/18 11:16:18 On error:
2023/12/18 11:16:18 Waiting on builds to complete...
2023/12/18 11:16:18 Starting build run: amazon-ebs
2023/12/18 11:16:18 Running builder: amazon-ebs
amazon-ebs: output will be in this color.

2023/12/18 11:16:18 [INFO] (telemetry) Starting builder amazon-ebs
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [INFO] Attempting to use session-derived credentials
2023/12/18 11:16:18 [INFO] (telemetry) ending amazon-ebs
==> Wait completed after 1 millisecond 940 microseconds
2023/12/18 11:16:18 machine readable: error-count []string{"1"}
==> Some builds didn't complete successfully and had errors:
2023/12/18 11:16:18 machine readable: amazon-ebs,error []string{"Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set."}
==> Builds finished but no artifacts were created.
2023/12/18 11:16:18 [INFO] (telemetry) Finalizing.
Build 'amazon-ebs' errored after 1 millisecond 900 microseconds: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Wait completed after 1 millisecond 940 microseconds

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

==> Builds finished but no artifacts were created.
2023/12/18 11:16:18 waiting for all plugin processes to complete...
2023/12/18 11:16:18 /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64: plugin process exited
2023/12/18 11:16:18 /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer: plugin process exited

pbudzon commented Jan 7, 2024

I can confirm this has been a problem for a number of months now: assume role + MFA does not work. We've tried every combination of configurations (a profile with mfa_code, assume_role with mfa_code), and none of them works correctly. Assuming a role without MFA works fine.

The workaround we have found for this is to use aws configure export-credentials --profile your_profile --format env and then source the values that come out instead. It's annoying and causes problems if the credentials expire while Packer is still running, but so far it's the only way to run Packer with a role requiring MFA.
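The export-and-source workaround from the comment above, written out as a small POSIX shell wrapper. This is an added example, not code from the thread or from the Packer project. It uses the `packer` profile and `sample.json` template from the issue; the function names and the `build` argument are assumptions. Beyond the bare `eval`, it filters the CLI output down to the expected `export AWS_*` assignments before evaluating it, checks the exported expiry so a build is not started on credentials that are already dead, and runs Packer with environment credentials only.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Packer project: a wrapper
# around the workaround described in the thread.  The AWS CLI resolves the
# MFA-protected role (it prompts for the TOTP code), and Packer is then run
# with plain environment credentials so the amazon plugin never has to
# build the assume-role chain itself.  Profile name "packer" and template
# "sample.json" come from the issue; the function names are assumptions.
set -eu

# Keep only the assignments that `aws configure export-credentials --format env`
# is expected to print.  eval'ing tool output unchecked would execute any
# stray line (a warning, an echoed prompt); anything else is dropped here.
filter_export_lines() {
    grep -E '^export AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN|CREDENTIAL_EXPIRATION)="?[A-Za-z0-9+/=:.-]+"?$'
}

# Load the filtered assignments (stdin) into the current shell and make
# sure a complete temporary credential set arrived.
load_env_credentials() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIAL_EXPIRATION
    _lines=$(filter_export_lines) || true
    if [ -z "$_lines" ]; then
        echo "no credential assignments found in export output" >&2
        return 1
    fi
    eval "$_lines"
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] || [ -z "${AWS_SESSION_TOKEN:-}" ]; then
        echo "export output lacked a key id, secret or session token" >&2
        return 1
    fi
}

# Turn a UTC ISO-8601 timestamp (2024-01-07T12:00:00+00:00 or ...Z, the
# form the CLI uses for AWS_CREDENTIAL_EXPIRATION) into YYYYMMDDHHMMSS so
# it can be compared numerically without GNU/BSD `date -d` differences.
# Any other offset is rejected rather than silently mis-compared.
utc_stamp() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|\+00:00)$' || return 1
    printf '%s\n' "$1" | tr -d ':TZ+-' | cut -c1-14
}

# True when the expiry lies in the future.
credentials_still_valid() {
    _exp=$(utc_stamp "$1") || return 1
    _now=$(date -u +%Y%m%d%H%M%S)
    [ "$_exp" -gt "$_now" ]
}

# Export the role credentials, check them, and start the build.  The
# template must not set `profile`; with that option present the SDK would
# resolve the profile's assume-role chain again and fail the same way.
run_build() {
    _template=$1
    _dump=$(aws configure export-credentials --profile packer --format env)
    load_env_credentials <<EOF
$_dump
EOF
    if ! credentials_still_valid "${AWS_CREDENTIAL_EXPIRATION:-}"; then
        echo "exported credentials are expired or carry no usable expiry" >&2
        return 1
    fi
    echo "credentials valid until $AWS_CREDENTIAL_EXPIRATION; starting build" >&2
    unset AWS_PROFILE
    packer build "$_template"
}

if [ "${1:-}" = "build" ]; then
    run_build "${2:-sample.json}"
fi
```

Run it as `sh build-with-mfa.sh build sample.json` (the script filename is assumed). The template must not set `profile` for this to work: with environment credentials in place it is not needed, and with it present the SDK would go back through the profile's assume-role chain and hit the same AssumeRoleTokenProviderNotSetError. The exported credentials live for the profile's `duration_seconds` (43200 in the issue), capped by the role's maximum session duration, so a build that runs longer than that is still exposed to the mid-build expiry the comment mentions; the pre-flight check only rules out starting with credentials that have already lapsed.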
