Question: Does S3 remote state mechanism support AWS STS tokens? #4868

Closed
mrwilby opened this issue Jan 27, 2016 · 8 comments

Comments

@mrwilby

mrwilby commented Jan 27, 2016

The main AWS provider appears to, but the docs for the S3 remote configuration simply state:

https://www.terraform.io/docs/commands/remote-config.html

"S3 - ... Supports and honors the standard AWS environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION. These can optionally be provided as parameters in the access_key, secret_key and region variables respectively..."

What about reading AWS_SECURITY_TOKEN?

I am seeing errors:

Error reloading remote state: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
status code: 403, request id:

@mrwilby

mrwilby commented Jan 27, 2016

If I stop assuming a role before calling terraform then the reported 403 error goes away.

@hngkr

hngkr commented Feb 3, 2016

I actually got 404s when trying to configure a remote configuration in an S3 bucket from my PC using an STS environment variable setup that otherwise works fine for running terraform plan/apply (region: eu-west-1).

When I redid the command on a server running with the same role that I had assumed with STS, it worked. So I believe that you're correct in assuming that there's some kind of funkiness involved with remote config and STS...

This is what I'm seeing:

$ terraform remote config -backend=S3 -backend-config="bucket=<bucketname-that-exists>" -backend-config="key=state/<keyname>" -backend-config="region=eu-west-1"

Error while performing the initial pull. The error message is shown
below. Note that remote state was properly configured, so you don't
need to reconfigure. You can now use `push` and `pull` directly.

Error reloading remote state: 404NotFound: 404 Not Found
    status code: 404, request id: 26FAAAA4F60118D3

It seems like the way credentials are loaded in func getCreds in buildin/providers/aws/config.go might be better at handling STS (or environment variables set up with the content from an STS call) than what's used for S3 remote state in terraform/state/remote/s3.go around line 65 (where SessionToken seems to be explicitly set to ""), but I can't really figure out why it's better.

@mlrobinson

I'm currently using S3 remote states with STS Assume Role credentials. I believe I had the same issues, so I ended up adding a Bucket Policy on the bucket containing the state, that allowed the role I was assuming in the other account to update the state files. This works for us.

I do not see the error you mentioned above. I pass in these environment variables to terraform (provided by script):

AWS_DEFAULT_REGION
AWS_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN

@hngkr

hngkr commented Feb 4, 2016

I don't think that I will be allowed to set the bucket policy that you're able to.

With the same credentials, I can make aws_s3_bucket_object's in the account that I'm "assuming" into without modifying bucket policies. And I can enable remote state when I'm on a server with the same instance role.

My environment variables:

AWS_ACCESS_KEY_ID
AWS_DEFAULT_REGION
AWS_PROFILE
AWS_REGION
AWS_SECRET_ACCESS_KEY
AWS_SECURITY_TOKEN
AWS_SESSION_TOKEN

@n-my

n-my commented Jun 11, 2016

Once you get the token from STS, set the env var AWS_SESSION_TOKEN instead of AWS_SECURITY_TOKEN and you should be good to go.
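The two threads of this discussion, hngkr's observation that the S3 remote state code drops the session token (SessionToken set to "") and n-my's fix of exporting AWS_SESSION_TOKEN, are illustrated by the following added example. It is not Terraform's code: ResolveCreds, StaticCreds and ErrTemporaryKeyWithoutToken are hypothetical names, and the example reads the token from AWS_SESSION_TOKEN with a fallback to AWS_SECURITY_TOKEN, then rejects an STS access key (prefix "ASIA") that arrives without a token, which is the configuration that produces the 403 InvalidAccessKeyId seen above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// StaticCreds is the minimum a backend needs to sign S3 requests. With STS
// temporary credentials all three fields are required: dropping the session
// token makes the access key unknown to S3 (the 403 InvalidAccessKeyId
// reported in this issue).
type StaticCreds struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// ErrTemporaryKeyWithoutToken flags the exact misconfiguration discussed here:
// an STS access key (prefix "ASIA") exported without its session token.
var ErrTemporaryKeyWithoutToken = errors.New("temporary access key (ASIA...) but no AWS_SESSION_TOKEN/AWS_SECURITY_TOKEN set")

// ResolveCreds reads credentials through the supplied lookup function
// (os.Getenv in practice, a map in tests). It prefers AWS_SESSION_TOKEN, the
// name the AWS SDK honours, and falls back to the older AWS_SECURITY_TOKEN so
// a user who only exported the legacy variable still gets a usable token.
func ResolveCreds(getenv func(string) string) (StaticCreds, error) {
	c := StaticCreds{
		AccessKeyID:     getenv("AWS_ACCESS_KEY_ID"),
		SecretAccessKey: getenv("AWS_SECRET_ACCESS_KEY"),
		SessionToken:    getenv("AWS_SESSION_TOKEN"),
	}
	if c.SessionToken == "" {
		c.SessionToken = getenv("AWS_SECURITY_TOKEN")
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return StaticCreds{}, errors.New("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required")
	}
	// Temporary (STS) access key IDs start with "ASIA"; long-term ones with "AKIA".
	if strings.HasPrefix(c.AccessKeyID, "ASIA") && c.SessionToken == "" {
		return StaticCreds{}, ErrTemporaryKeyWithoutToken
	}
	return c, nil
}

func main() {
	c, err := ResolveCreds(os.Getenv)
	if err != nil {
		fmt.Println("credential check failed:", err)
		os.Exit(1)
	}
	fmt.Printf("access key %s..., session token present: %v\n", c.AccessKeyID[:4], c.SessionToken != "")
}
```

Running this before `terraform remote config` in a shell that has only AWS_SECURITY_TOKEN exported shows whether the token would reach the backend at all.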

@osterman

If using cross-account STS/IAM tokens, we ran into a problem where the proper role_arn was not being used. It's been fixed here: #10067

@mitchellh

Closing since this is answered by @n-my. Other comments are different questions!

@ghost

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020