Assume Role via .aws/config profiles does not work #11429

Closed
h3lo opened this issue Dec 27, 2019 · 8 comments · Fixed by #14077
Labels
bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS.
Comments

@h3lo

h3lo commented Dec 27, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.14
Note that moving to v0.12.x is not feasible for our organization at this time.

AWS Provider is set to version 2.43.0.

Affected Resource(s)

  • provider itself

Terraform Configuration Files

```
provider "aws" {
  version = "2.43.0"
  region  = "us-east-1"
  profile = "acct1"
}

provider "aws" {
  version = "2.43.0"
  region  = "us-east-1"
  alias   = "acct2_east"
  profile = "acct2"
}

terraform {
  backend "s3" {
    encrypt = true
    bucket  = "someS3bucket"
    key     = "path/to/state.tfstate"
    profile = "acct1"
    region  = "us-east-1"
  }
}
```

In my .aws/config:

```
[default]
region = us-east-1

[profile acct1]
role_arn = arn:aws:iam::<ACCT1>:role/rolename
credential_source = Ec2InstanceMetadata

[profile acct2]
role_arn = arn:aws:iam::<ACCT2>:role/rolename
source_profile = acct1
```

Debug Output

```
# terraform0.11.14 plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.terraform_remote_state.network: Refreshing state...
aws_iam_role.*****: Refreshing state... (ID: *****)
aws_security_group.*****: Refreshing state... (ID: sg-*****)
data.aws_route53_zone.*****: Refreshing state...
aws_iam_role_policy_attachment.*****: Refreshing state... (ID: *****-*****)
aws_iam_instance_profile.*****: Refreshing state... (ID: *****)
aws_iam_role_policy_attachment.*****: Refreshing state... (ID: *****-*****)
aws_iam_role_policy.*****: Refreshing state... (ID: *****)
aws_security_group_rule.*****: Refreshing state... (ID: sgrule-*****)
aws_security_group_rule.*****: Refreshing state... (ID: sgrule-*****)
aws_security_group_rule.*****: Refreshing state... (ID: sgrule-*****)
aws_security_group_rule.*****: Refreshing state... (ID: sgrule-*****)
aws_instance.*****: Refreshing state... (ID: i-*****)
aws_route53_record.*****: Refreshing state... (ID: *****)
aws_route53_record.*****: Refreshing state... (ID: *****)
aws_route53_record.*****: Refreshing state... (ID: *****)

Error: Error refreshing state: 1 error occurred:
	* aws_route53_record.*****: 1 error occurred:
	* aws_route53_record.*****: aws_route53_record.*****: AccessDenied: User: arn:aws:sts::*****:assumed-role/*****/i-***** is not authorized to access this resource
	status code: 403, request id: *****
```

The role arn in the error is the arn of acct1 when it should be acct2 (as set in the aws config).

I also tried setting AWS_SDK_LOAD_CONFIG=1 but again, the behavior was identical.

Expected Behavior

Plan / Apply succeeds

Actual Behavior

TF tries to use the aliased provider with the main account instead of the second one.

Steps to Reproduce

  1. terraform plan

Important Factoids

Running aws cli commands on either acct1 or acct2 on this instance works without issue, so the roles and trust relationships are set up properly. If I add a block in the provider for the role assumption, it works, but this is unacceptable because then the TF cannot be run by a user with different roles. I need to be able to abstract this in AWS config profiles so the TF code is generic.

In addition, I tried setting the role assume stuff in the credentials file instead, but the behavior was identical. AWS CLI worked fine either way for both accounts, TF fails to properly assume the role for the provider.

References

This issue seems very similar, but was closed without resolution. The patch that claims to fix it very much does NOT fix role assumption via aws config file profiles. #1184

Please let me know if I should add any other specific details.

@ghost ghost added the service/route53 Issues and PRs that pertain to the route53 service. label Dec 27, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 27, 2019
@pcantea
Contributor

pcantea commented Feb 12, 2020

+1 also running into this. It seems to not work when using the EC2 instance metadata.

Terraform 0.12.20
provider version 2.48

```
provider "aws" {
  region  = "us-west-2"
  version = "2.48"
  profile = "production"
}
```

~/.aws/config:

```
[profile production]
role_arn = arn:aws:iam::111111111111:role/terraform-execution-role
credential_source = Ec2InstanceMetadata
```

Debug log:

```
2020-02-12T23:44:35.454Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [INFO] No assume_role block read from configuration
2020-02-12T23:44:35.454Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [INFO] Building AWS auth structure
2020-02-12T23:44:35.454Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [INFO] Setting AWS metadata API timeout to 100ms
2020-02-12T23:44:35.772Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [INFO] AWS EC2 instance detected via default metadata API endpoint, EC2RoleProvider added to the auth chain
2020-02-12T23:44:35.773Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [INFO] AWS Auth provider used: "EC2RoleProvider"
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:35 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: POST / HTTP/1.1
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Host: sts.amazonaws.com
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: User-Agent: aws-sdk-go/1.28.9 (go1.13.7; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.20 (+https://www.terraform.io)
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Content-Length: 43
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Authorization: AWS4-HMAC-SHA256 Credential=ASIA2X7ZFRZTLXKS7DVX/20200212/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=6092d722ef501995dd1a07a24e90705ca921bd4474370f9db2562569e3733f47
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: X-Amz-Date: 20200212T234435Z
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: X-Amz-Security-Token: <TOKEN>
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Accept-Encoding: gzip
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Action=GetCallerIdentity&Version=2011-06-15
2020-02-12T23:44:35.774Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: -----------------------------------------------------
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:36 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: ---[ RESPONSE ]--------------------------------------
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: HTTP/1.1 200 OK
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Connection: close
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Content-Length: 491
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Content-Type: text/xml
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: Date: Wed, 12 Feb 2020 23:44:35 GMT
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: X-Amzn-Requestid: dbab43d4-46e4-4c76-b37a-e3f03ae64c89
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: -----------------------------------------------------
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:36 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:   <GetCallerIdentityResult>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:     <Arn>EC2_INSTANCE_PROFILE_ARN</Arn>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:     <UserId>INSTANCE_PROFILE</UserId>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:     <Account>111111111111</Account>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:   </GetCallerIdentityResult>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:   <ResponseMetadata>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:     <RequestId>dbab43d4-46e4-4c76-b37a-e3f03ae64c89</RequestId>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4:   </ResponseMetadata>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: </GetCallerIdentityResponse>
2020-02-12T23:44:36.799Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 23:44:36 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020-02-12T23:44:36.800Z [DEBUG] plugin.terraform-provider-aws_v2.48.0_x4: 2020/02/12 
```

@lapkritinis

+1
It's not exactly the same: in my case, I want to use multiple providers for setting up VPC peering between accounts. I want to achieve it by using the "profile" property in the aws provider, but it gets ignored (the "default" profile always gets picked instead of the one specified). Obviously I cannot use the env variable AWS_PROFILE, because I need multiple profiles, not one.

@rehevkor5
Contributor

rehevkor5 commented Feb 21, 2020

This might be a duplicate of #5018

@bflad bflad added bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS. and removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Jun 2, 2020
@bflad bflad self-assigned this Jun 2, 2020
@bflad bflad added this to the v3.0.0 milestone Jun 2, 2020
@joeaawad

joeaawad commented Jun 5, 2020

@h3lo one workaround idea until this gets fixed is to have the providers use a variable for the profile name, with acct1 and acct2 as the defaults. If you do that, the terraform code can be generic, and if someone who doesn't have the same profiles wants to run it on their own machine, they just need to pass in the profile they want to use as an additional variable.

One gotcha with that workaround is that you can't use a variable in the terraform backend block. You could get around this by having a generic terraform state access role that everyone/every automated process that runs terraform has access to and has saved under a consistent profile name.

For the overall issue you're running into, have you checked if that only occurs when using Ec2InstanceMetadata as the credential_source? I've used that same sort of process where one profile uses a source_profile of another profile many times before in terraform 12 without issue but not in combination with the Ec2InstanceMetadata credential_source. It looks to me like @rehevkor5's comment about this being a duplicate of #5018 is the real issue.

@h3lo
Author

h3lo commented Jun 13, 2020

I already use a single account to own all the state files (sort of a master account), so the backend is okay. In my case, the role on the instance has access to the s3 bucket with the backends so no role needs to be assumed. This leaves the TF backend clean (no hard coded profile or role assumed).

The issue persists if I remove the Ec2InstanceMetadata as the credential_source.

bflad added a commit that referenced this issue Jul 7, 2020
Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```
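As an added example (not code from the issue, the provider or the linked commit), a small Python model of the two things this thread hinges on: the role chain that the shared config in the issue describes (acct2 -> acct1 -> Ec2InstanceMetadata) and the provider credential ordering change quoted in the commit notes, which is why the old ordering answered with the instance role's ARN while the new ordering honours the profile. The config text, the placeholder account ids and the set of "available" sources are constructed inputs; the model does not probe IMDS or call STS.

```python
import configparser
from typing import Dict, List, Optional, Set

# Constructed ~/.aws/config mirroring the issue; account ids are placeholders.
AWS_CONFIG = """
[default]
region = us-east-1

[profile acct1]
role_arn = arn:aws:iam::111111111111:role/rolename
credential_source = Ec2InstanceMetadata

[profile acct2]
role_arn = arn:aws:iam::222222222222:role/rolename
source_profile = acct1
"""

# Provider credential ordering before and after the v3.0.0 change in the commit notes.
# "sdk_default" stands for the AWS Go SDK default chain, the only step that
# honours role_arn / source_profile / credential_source from the shared config.
OLD_ORDER = ["static", "environment", "shared_credentials", "ec2_metadata", "sdk_default"]
NEW_ORDER = ["static", "environment", "shared_credentials", "sdk_default"]


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse shared-config text; '[profile x]' and '[default]' both map to bare names."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {(s[8:] if s.startswith("profile ") else s): dict(cp[s]) for s in cp.sections()}


def resolve_chain(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Follow source_profile links from `name` down to the base credential source.
    Returns hops innermost-first, e.g. ['Ec2InstanceMetadata', <acct1 role>, <acct2 role>].
    Raises ValueError on a cycle, a missing profile, or a role profile with no (or two) bases."""
    chain: List[str] = []
    seen: Set[str] = set()
    while True:
        if name in seen:
            raise ValueError(f"source_profile cycle through {name!r}")
        seen.add(name)
        p = profiles.get(name)
        if p is None:
            raise ValueError(f"profile {name!r} not found")
        if "role_arn" not in p:
            chain.append("base:" + name)  # this profile's own credentials, no role to assume
            break
        has_src, has_cs = "source_profile" in p, "credential_source" in p
        if has_src == has_cs:
            raise ValueError(f"{name!r} needs exactly one of source_profile/credential_source")
        chain.append(p["role_arn"])
        if has_cs:
            chain.append(p["credential_source"])
            break
        name = p["source_profile"]
    chain.reverse()
    return chain


def pick_credential_source(order: List[str], available: Set[str]) -> Optional[str]:
    """First entry of `order` that the runtime environment can satisfy, or None."""
    return next((s for s in order if s in available), None)
```

Running `resolve_chain(load_profiles(AWS_CONFIG), "acct2")` shows the two-hop chain the issue relies on; with `available = {"ec2_metadata", "sdk_default"}` (an instance with no static keys), `OLD_ORDER` picks the instance role and `NEW_ORDER` picks the SDK default chain, which walks that profile chain.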
bflad added a commit that referenced this issue Jul 13, 2020
…14077)

* Update module hashicorp/aws-sdk-go-base to v0.5.0

* provider: Authentication updates for Terraform AWS Provider v3.0.0

Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```

* docs/provider: Add authentication changes section to version 3 upgrade guide and remove pre-3.0 notes

Co-authored-by: Renovate Bot <bot@renovateapp.com>
@bflad
Contributor

bflad commented Jul 13, 2020

Hi folks 👋 Version 3.0 of the Terraform AWS Provider will include a few authentication changes that should help in this case. Similar enhancements and fixes were applied to the Terraform S3 Backend (part of Terraform CLI) in version 0.13.0-beta2.

The Terraform AWS Provider major version update will release in the next two weeks or so. Please follow the v3.0.0 milestone for tracking the progress of that release. If you are still having trouble after updating when it's released, please file a new issue. Thanks!

@ghost

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Aug 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 12, 2020