AWS profile does not work with role_arn and credential_source = Ec2InstanceMetadata #5018
Comments
Quick question, does it work if you set the
Ah no, it doesn't appear to.
It might be related to aws/aws-sdk-go#2005 - looks like the go sdk doesn't yet support credential_source
Using AWS_SDK_LOAD_CONFIG=1 fixed a similar issue for me where I was using roles to switch from a master account. Obviously not related to this issue, but thought I'd leave a comment here for future seekers.
aws/aws-sdk-go#2201 just got merged which adds support for
Is there a prevision to fix it? aws/aws-sdk-go#2201 was merged recently.
Looks like this is not lined up for next release: 6f2ae99 Support was added in v1.15.54, the sdk bump for aws provider 1.41.0 is v1.15.53.
This should be supported in version 1.41.0 since the aws-sdk-go dependency was updated to v1.15.55 in #6164. See also: https://github.com/terraform-providers/terraform-provider-aws/blob/v1.41.0/vendor/vendor.json#L177-L184
Thanks @bflad, I missed that one.
Hmm, seems I can't get it to work.. aws provider v1.42.0. My
My providers config:
Still I get
Anything I could provide further?
@GroovyCarrot I'm having this same problem. Have you found a work-around?
I was able to get assume role to work by setting
@kipkoan Can you explain what you did along with setting I set up my ~/.aws/config file with a profile, the whole file looks like this:
The role and S3 bucket with the state file do not live in the same account as the EC2. The instance has IAM permission to assume role Then my provider looks like this:
I also tried assume role. And I tried getting access and secret keys for the role using aws sts assume role and adding them to the provider. I tested the instance's permissions by running
@shanee-spring - The s3 backend does not use the
@shanee-spring (and future readers of this) the thing that doesn't work until TF v0.12 is using the ~/.aws/config to get the role arn (allowing you to not specify that in the Terraform backend directly).
Easy test case for this with 2 accounts (this is In account 1: Create an EC2 Instance, assign an IAM role to that instance
Run this .tf on this instance:
Expected: Actual: As stated,
Hi again folks 👋 You may want to try this with version 2.20.0 of the Terraform AWS Provider -- this AWS Go SDK dependency update is specifically surrounding the support of AWS profiles using both
Still does not work using
Using I also tried @sndwch's example, and had the same result.
Also I'm doing a similar setup, but in an ECS cluster in Fargate.
I recreated the environment on the EC2 instance and it works; the config is the following
with the
and the
Setting the skip_metadata_api_check IS NOT working.
The root cause of this issue explained here hashicorp/aws-sdk-go-base#7 I have a slightly different use case - running TF in EKS pod that uses IAM attached to Service Account as described here https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html The long story short, I get
Then I have
Terraform picking up EKS node instance profile instead of everything defined in
For my particular use case, AWS metadata IP should be anyway iptabled out so not accessible by EKS pods, I just haven't got there yet. Still this is a bug in https://github.com/hashicorp/aws-sdk-go-base/ worth fixing - I can imagine there might be use cases these workarounds do not apply to. Such as using
@llibicpep I think your analysis nailed the problem, and was a huge help to me in putting together this proposed fix. It could still use some additional test cases if anyone else has time to pitch in. @bflad could you review?
Mine is when EC2 is attached to a Role because it is needed for AWS Session Manager, and I use the shared credentials file for the Terraform Backend when running
I encountered this issue when writing a metadata-server mock. There my solution was to just not implement instance-id on the metadata API, having the same effect as setting
Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```
…14077)

* Update module hashicorp/aws-sdk-go-base to v0.5.0
* provider: Authentication updates for Terraform AWS Provider v3.0.0
* docs/provider: Add authentication changes section to version 3 upgrade guide and remove pre-3.0 notes

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Hi folks 👋 Version 3.0 of the Terraform AWS Provider will include a few authentication changes that should help in this case including:
This major version update will release in the next two weeks or so. Please follow the v3.0.0 milestone for tracking the progress of that release. If you are still having trouble after updating when it's released, please file a new issue. Thanks!
This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform v0.11.7
AWS provider v1.25

I have a server that is set up to run in a production AWS account with an IAM role attached. I then use the aws ini configuration to set up a profile for the production account, and also a profile for the non-production account which has staging resources in it. There is a trust relationship between the role attached to the instance, and the role in the non-production account. On awscli this works as expected.

~/.aws/config

In terraform I then point it to the non-prod profile, however I get access denied to resources.

Expected Behavior

I expect profile non-prod to authenticate by assuming the non-production account role, using the role attached to the instance.

Actual Behavior

It appears to just authenticate as the role attached to the instance instead, which cannot access resources outside of its own account.

I have also tried the assume_role {...} provider config, however I get "No valid credential sources found for AWS Provider."

Explicit profiles are much the preference in any case, as they can be configured independently; using restricted key/secret pairs on an employee's machine, and the role attached to the instance in production.
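The profile shape described in this issue (role_arn plus credential_source = Ec2InstanceMetadata) is resolved by the AWS SDKs through a fixed set of rules. The following is an added example, not code from the issue thread or from the provider, that walks that chain with only the Python standard library and flags the combinations the SDKs reject. The ~/.aws/config text, the account id and the role name in it are constructed placeholders.

```python
# Added example, not code from the issue thread or the provider: walk a shared-config
# profile's role chain the way the AWS SDKs do and report which credential source
# it bottoms out in. Standard library only.
import configparser

# credential_source value -> where the base credentials for the AssumeRole call come from
SOURCES = {"Environment": "environment", "Ec2InstanceMetadata": "ec2-metadata",
           "EcsContainer": "ecs-container"}

# Constructed ~/.aws/config in the shape the issue describes; account id and role
# name are placeholders.
SAMPLE_CONFIG = """
[profile production]
region = eu-west-1

[profile non-prod]
role_arn = arn:aws:iam::111111111111:role/terraform-nonprod
credential_source = Ec2InstanceMetadata
"""


def resolve_profile(config_text, profile):
    """Return {"roles": [ARNs assumed, outermost first], "source": base credentials}."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    roles, seen, name = [], set(), profile
    while True:
        section = "default" if name == "default" else f"profile {name}"
        if name in seen or not cfg.has_section(section):
            raise ValueError(f"profile {name!r} is missing or part of a source_profile loop")
        seen.add(name)
        sec = cfg[section]
        if "role_arn" not in sec:
            if "aws_access_key_id" in sec:  # static keys (credential_process/SSO not modelled)
                return {"roles": roles, "source": "static"}
            if roles:  # the SDKs require a source_profile to carry credentials itself
                raise ValueError(f"source_profile {name!r} has no credentials")
            return {"roles": roles, "source": "default-chain"}  # env, container, then metadata
        roles.append(sec["role_arn"])
        src, cred = sec.get("source_profile"), sec.get("credential_source")
        if bool(src) == bool(cred):  # exactly one of the two must be set
            raise ValueError(f"{name!r}: set source_profile or credential_source, not both or neither")
        if cred:
            if cred not in SOURCES:
                raise ValueError(f"{name!r}: unknown credential_source {cred!r}")
            return {"roles": roles, "source": SOURCES[cred]}
        name = src
```

For the non-prod profile this returns one role to assume with base credentials from ec2-metadata, which is the behaviour the reporter expected and which the provider only honours once shared configuration is consulted before the bare EC2 metadata credentials.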