Issue: 7192 - Add support for AWS shared config file #11734
Conversation
craiglink
commented
Feb 7, 2017
craiglink
commented
Add support to AWS Provider shared profiles via ~/.aws/config file
The AWS SDK for Go added support for this file in v 1.3
This change enables shared profile use if the existing creds.Get()
code path fails.
|
Hey @craiglink - can you give an example provider configuration block that utilizes this? It looks like |
catsby
added
waiting-response
|
This pull request adds support for a feature which the AWS CLI and SDKs have supported for some time. Specifically it adds support for a second configuration file named ~/.aws/config which has a extended format differing from the standard credentials file which only supports key pairs . One feature enabled by this extended format is assuming roles based on other profiles defined in the config file using the role_arn and source_profile keys. This allows the source profile to be create by various means, key pairs, MFA tokes, and SAML providers. It also allows the roles to vary from user to user, but allows the Terraform scripts to reference them by the same logic name. The existing Terraform implementation supports a profile, but only looks in the ~/.aws/credentials file or specified shared_credentials_file using the basic credential file format. The AWS Provider also exposes the ability to role switch, but forces all users to use the same role because it’s declared in the Terraform scripts. Abstracting this to the AWS SDK credential provider provides more flexibility. To enable the extended format, session.NewSessionWithOptions must be specified to enable the SharedConfigFile option. Additionally the SDK is enabled to determine the appropriate credentials to use via the profile name verses providing them in the AwsConfig structure. |
|
@catsby just wanted to make sure you saw I responded. I assume I don't have a way to remove the "waiting for response" tag |
catsby
removed
the
waiting-response
|
any updates on getting this merged in or questions or concerns? |
|
+1 for this feature, my exact use case |
|
@catsby any updates on getting this merged in or questions or concerns? |
|
+1 for this. I don't think this will play nicely with using a profile with MFA. I believe you'd have to add this option |
|
#9349 + this PR would provide full AWS config + MFA support but unfortunately it looks like the other PR is abandoned. |
|
@kushmansingh This PR would let us define the MFA serial etc in Which is perhaps a decision that the Terraform authors/contribs need to make:
I'd be learning towards the second one as it means that anything that works with |
|
@ashb I like the second option better as well. The only problem is that aws-sdk-go requires you to set the To avoid adding yet another option to the tf AWS provider, my recommendation would be to use the This is a short example to illustrate my point https://play.golang.org/p/ama7Q8KMVI CC: @craiglink |
|
To any maintainers of Terraform: I'd very much like to see this make it in, and am willing to do the work to get a PR updated and merged. However I don't want to do that work (and continue to keep it updated) if it's not going to be merged. If you @-mention me and let me know that 1) this feature is desired, and 2) anything about this current implementation I'll do the work to rebase and fix an issues on this PR. (if the original author is not around/doesn't have time to do it themselves) |
|
When is this going to be merged?, it's one outstanding issue I'd really like to see fixed. |
|
This probably needs to be moved to the AWS provider before it'll be merged. |
|
OK so this is my first time diving into terraform. I fully expected it would work with a profile using MFA and a role_arn and source_profile value, like such: Running this should work: Unfortunately this does not: There are too many issues floating around complaining and or trying to address different parts of this overall issue. Can the Hashicorp team please just get together and issue a single pull request to make all functionality behave like the CLI, including caching temporary credentials? Also, setting a role_arn in a tf file feels fundamentally wrong. People reference different roles. |
The current policy to assume the roles requires
to have STS credentials with MultiFactorAuthPresent for the current
credentials.
But in the current implementation you must run terraform using
credentials with the role `admin`, to be able to access the bucket
with the state and the operations in the root account.
When terraform tries to assume the role for the submodule, it does it
without asking for the MFA credentials, so assume role
fails.
The solution would be to execute the project with the root user
credentials, and then terraform assumes role for but using MFA:
- Getting the state for S3, using assume role[1]
- Configure root account, users
The problem is that MFA support is not implemented in terraform[2].
It would require changes in the code [3] to add logic to ask for
the MFA token:
assumeRoleProvider.SerialNumber = aws.String("arn:awss:iam::246505230303:mfa/hector.rivas+aws.admin@keytwine.com")
assumeRoleProviderleProvider.TokenProvider = stscreds.StdinTokenProvider
Leaving the code here for reference
[1] https://www.terraform.io/docs/backends/types/s3.html#role_arn
[2] hashicorp/terraform#11734
[3] https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/auth_helpers.go#L211-L227
|
What is the status on this PR? |
|
Hello @craiglink, and thanks for working on this! As part of the the Terraform 0.10 release earlier this year, all of the Terraform providers were moved to their own repositories in the terraform-providers GitHub organization, and removed from the Terraform Core repository. Unfortunately due to the fact that new issues and pull requests are being opened constantly, it was not possible for the various provider maintainers to merge all outstanding pull requests before this split, and there is no automatic way to migrate a pull request to a new repository. As a result, this pull request can sadly no longer be applied as-is, and so I'm going to close it. If you or someone else has the time and motivation to apply same changes to the Thanks again for working on this, and sorry it was not able to be merged before the provider repository changes. |
|
@cornfeedhobo @apparentlymart This PR already got ported to the new repo. Unfortunately it also doesn't get much attention: hashicorp/terraform-provider-aws#1608 |
This is simply a port of hashicorp/terraform#11734 to the new terraform-provider-aws. (the original PR won't be merged since the code it relates to has been moved to a new module). This won't support assuming roles where an MFA device has been specified for the profile (in ~/.aws/config). The original PR has some discussion of this, however, Terraform seems to utilise multiple, simultaneous sessions with AWS which complicates the situation somewhat.
…defined in ~/.aws/config (#1608) * Add support for assuming roles via profiles defined in ~/.aws/config This is simply a port of hashicorp/terraform#11734 to the new terraform-provider-aws. (the original PR won't be merged since the code it relates to has been moved to a new module). This won't support assuming roles where an MFA device has been specified for the profile (in ~/.aws/config). The original PR has some discussion of this, however, Terraform seems to utilise multiple, simultaneous sessions with AWS which complicates the situation somewhat. * Address nitpick comments Also remove leftover debug prefix on log message.
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
