amazon-ebs: Uses the wrong credentials when using credential_source #6717
Comments
A more validating test would be:
Reading a bit,
Seems to work. It's a shame that's not yet supported. For now I can work around it by manually assuming a role and exporting the session details:
```bash
# Assume the role and export the temporary session credentials into this shell
eval "$(aws sts assume-role \
  --role-arn <myrole> \
  --role-session-name <mysession> \
  --output text \
  --query 'Credentials.[
join(`=`, [`export AWS_ACCESS_KEY_ID`, AccessKeyId]),
join(`=`, [`export AWS_SECRET_ACCESS_KEY`, SecretAccessKey]),
join(`=`, [`export AWS_SESSION_TOKEN`, SessionToken])
] | join(`\n`, @)')"
# Packer now picks up the exported session from the environment
packer build packer.json
```
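A preflight check that fits the workaround above, added here as an example (not code from this thread or from Packer): it confirms that the ARN reported by `aws sts get-caller-identity` is a session of the intended role, so a build does not silently run as the source identity. The function names, account IDs and role names are constructed for illustration.

```shell
#!/bin/sh
# Added example: guard for the assume-role workaround.
# All account IDs and role names used with it are constructed placeholders.

# Print "<account>:<role-name>" for an STS assumed-role ARN
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
# Fails for anything else (IAM user, root, malformed ARN).
caller_role() (
  IFS=:
  set -f                      # no globbing while splitting the ARN
  set -- $1                   # arn partition service region account resource
  [ "$#" -eq 6 ] && [ "$3" = "sts" ] || exit 1
  case "$6" in assumed-role/*/*) ;; *) exit 1 ;; esac
  res=${6#assumed-role/}
  printf '%s:%s\n' "$5" "${res%%/*}"
)

# Print "<account>:<role-name>" for an IAM role ARN
#   arn:aws:iam::<account>:role/<optional/path/><role-name>
# The path is dropped because assumed-role ARNs do not carry it.
wanted_role() (
  IFS=:
  set -f
  set -- $1
  [ "$#" -eq 6 ] && [ "$3" = "iam" ] || exit 1
  case "$6" in role/*) ;; *) exit 1 ;; esac
  printf '%s:%s\n' "$5" "${6##*/}"
)

# Succeed only when the caller ARN ($1) is a session of the role ARN ($2),
# in the same account.
is_expected_role() {
  got=$(caller_role "$1") || return 1
  want=$(wanted_role "$2") || return 1
  [ "$got" = "$want" ]
}

# Usage, after the session variables have been exported:
#   caller=$(aws sts get-caller-identity --query Arn --output text)
#   is_expected_role "$caller" "$ROLE_ARN" && packer build packer.json
```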
Thanks for the workaround. We'll keep an eye on the upstream issue and update this ticket when it's fixed and we've incorporated the updated sdk.
aws/aws-sdk-go#2201 got merged which adds support for
This adds support for credential_source, see aws/aws-sdk-go#2201 Closes hashicorp#6717
@hoshsadiq It would be great if you could try if #6849 solves this.
I'd be happy to test but I'm away until the 22nd. Will test it out then. Is there a binary I can use?
I'm unable to get this to work with Packer v1.3.3 when using credential_source=EcsContainer. For background, I'm running packer inside an AWS CodeBuild job which uses an ECS Container. I'm running the CodeBuild job in a parent account, but need packer to assume a role into a child account.
~/.aws/credentials does not exist.
AWS_PROFILE=dev aws sts get-caller-identity outputs the correct info.
However, when running packer it's still using the role that the container is running as, and not assuming the AWS_PROFILE role from ~/.aws/config. I've also tried setting the amazon-ebs parameter "profile=dev", but it's still not using this profile. Any other suggestions, or should I fall back to using aws sts get-caller-identity to populate the credentials file?
@SwampDragons @rickard-von-essen this is still an issue. Same packer.json produces the following:
Interestingly it seems to be selecting the correct place to load the credentials.
Looking at CloudTrail, it's showing the error in the account of origin (before assuming the role).
@sfdc-afraley as @rickard-von-essen has previously mentioned, a better test would be:
Until it's fixed, I'd suggest simply using sts to assume the role first.
See #7142
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Hi all,
I'm trying to create a packer image using amazon-ebs, however, packer is refusing to use the correct permissions when setting the profile parameter. My aws config is in the below gist. When running aws cli from the CLI, it uses the correct profile:
It seems the issue is caused in step_pre_validate.go and having looked at the code, it doesn't look like it's picking the correct session. However, as you'll see from the gist, and the CloudWatch log entry, it is still using the original user (instead of the role the profile is meant to assume).
Any ideas on how to solve this?
Version: Packer v1.3.0
Host platform: macOS
Please see all details in this gist: https://gist.github.com/hoshsadiq/18f4ae539b15d65d1800f2f54558664e