Support AWS EKS IAM Roles #12236

Closed
ghost opened this issue Mar 3, 2020 · 17 comments · Fixed by #14077
Labels
provider Pertains to the provider itself, rather than any interaction with AWS.

Comments

@ghost

ghost commented Mar 3, 2020

This issue was originally opened by @guidoffm as hashicorp/terraform#24252. It was migrated here as a result of the provider split. The original body of the issue is below.


@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 3, 2020
@ewbankkit
Contributor

@guidoffm This should work with the current version of the provider if the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables are set correctly for the pod.
https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html

@guidoffm

guidoffm commented Mar 4, 2020

Do I have to specify the AWS provider version explicitly for this?
If yes, Terraform seems to try to contact the Terraform registry, which is impossible on our side because a proxy is needed for this.

@guidoffm

guidoffm commented Mar 4, 2020

I tried this:

```hcl
provider "aws" {
  region = "eu-central-1"
}

terraform {
  required_providers {
    aws = "~> 2.51"
  }

  backend "s3" {
    bucket = "mybucket"
    region = "eu-central-1"
    key    = "state.tfstate"
  }
}
```

@mbelang

mbelang commented Mar 20, 2020

I have the exact same issue. I have the same setup for all my apps/addons and only my app that is running terraform is not able to work with the Service Account role.

I had to revert to kube2iam for this one.

aws provider 2.54
terraform 0.12.24

@mbelang

mbelang commented Mar 20, 2020

@guidoffm

I am not familiar with Go.

But from

https://github.com/aws/aws-sdk-go#complete-sdk-example

I find that these packages should be included:

```go
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
```

@guidoffm

I think we can close this issue here. It is not a problem with the AWS provider but with the core product (remote state).

hashicorp/terraform#24252 should be reopened.

@mbelang

mbelang commented Mar 23, 2020

Are you sure? I also have the error on the DynamoDB lock table.


@eaterm

eaterm commented May 4, 2020

I have the same issue. When running Terraform in a pod with the service account role, Terraform doesn't seem to use this role.

@bflad bflad self-assigned this Jun 2, 2020
@bflad bflad added provider Pertains to the provider itself, rather than any interaction with AWS. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 2, 2020
@bflad bflad added this to the v3.0.0 milestone Jun 2, 2020
@bflad bflad added upstream-terraform Addresses functionality related to the Terraform core binary. and removed upstream-terraform Addresses functionality related to the Terraform core binary. labels Jun 2, 2020
@bflad
Contributor

bflad commented Jun 2, 2020

Sorry about the confusion around this issue being migrated from hashicorp/terraform to here when the original issue related to the Terraform S3 Backend, which lives in the upstream codebase still. I've reopened the upstream issue. Better support for this is in progress now and will land in v0.13.0 upstream for the S3 backend and v3.0.0 in the provider.

@mbelang

mbelang commented Jun 4, 2020

@bflad can you link upstream issue please?

@maheshmadpathi

> @guidoffm This should work with the current version of the provider if the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables are set correctly for the pod.
> https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html

Hello @ewbankkit, my Terraform pod has both the vars but still assumes the worker node's role. Any idea why?

bflad added a commit that referenced this issue Jul 7, 2020
Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```
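The credential-ordering change in the NOTES above is the root of the behaviour reported in this thread: with EC2 metadata ahead of the SDK default chain, a pod on a worker node received the node role before its web identity variables were ever consulted. The following is an added example, not code from the provider or the SDK: it models the two chain orders with stub providers (only web identity and EC2 metadata, since static, environment and shared credentials are absent in the pod; role ARNs and the token path are constructed values) and shows which identity each order resolves to.

```go
package main

import "errors"

// Creds is a minimal stand-in for SDK credentials: which provider answered and with which role.
type Creds struct{ Source, RoleARN string }

// Provider mirrors the shape of credentials.Provider: return credentials, or an error so the chain moves on.
type Provider func() (Creds, error)

// webIdentity stands in for the SDK's web identity provider: it can only answer when the EKS
// pod-identity variables are present (the real one exchanges the token file via STS).
func webIdentity(env map[string]string) Provider {
	return func() (Creds, error) {
		arn, tok := env["AWS_ROLE_ARN"], env["AWS_WEB_IDENTITY_TOKEN_FILE"]
		if arn == "" || tok == "" {
			return Creds{}, errors.New("web identity: AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE unset")
		}
		return Creds{Source: "web_identity", RoleARN: arn}, nil
	}
}

// ec2Metadata stands in for IMDS, which on a worker node always answers with the node's role.
func ec2Metadata(nodeRole string) Provider {
	return func() (Creds, error) { return Creds{Source: "ec2_metadata", RoleARN: nodeRole}, nil }
}

// Resolve walks the chain the way credentials.ChainProvider does: the first provider that succeeds wins.
func Resolve(chain []Provider) (Creds, error) {
	for _, p := range chain {
		if c, err := p(); err == nil {
			return c, nil
		}
	}
	return Creds{}, errors.New("no valid providers in chain")
}

// ResolvePre3 is the pre-3.0 order: EC2 metadata before the SDK default chain (web identity, ECS, ...).
func ResolvePre3(env map[string]string, nodeRole string) (Creds, error) {
	return Resolve([]Provider{ec2Metadata(nodeRole), webIdentity(env)})
}

// ResolveV3 is the 3.0.0 order: the SDK default chain runs first, so web identity beats EC2 metadata.
func ResolveV3(env map[string]string, nodeRole string) (Creds, error) {
	return Resolve([]Provider{webIdentity(env), ec2Metadata(nodeRole)})
}
```

With the constructed pod environment, ResolvePre3 returns the node role via ec2_metadata while ResolveV3 returns the pod role via web_identity; with the two variables unset, both orders fall back to the node role.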
bflad added a commit that referenced this issue Jul 13, 2020
…14077)

* Update module hashicorp/aws-sdk-go-base to v0.5.0

* provider: Authentication updates for Terraform AWS Provider v3.0.0

* docs/provider: Add authentication changes section to version 3 upgrade guide and remove pre-3.0 notes

Co-authored-by: Renovate Bot <bot@renovateapp.com>
@bflad
Contributor

bflad commented Jul 13, 2020

Hi folks 👋 Version 3.0 of the Terraform AWS Provider will include a few authentication changes that should help in this case including ensuring the EKS pod roles (via the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables) are read before falling back to the EC2 Instance Metadata Service. Similar fixes were applied to the Terraform S3 Backend (part of Terraform CLI) in version 0.13.0-beta2.

The Terraform AWS Provider major version update will release in the next two weeks or so. Please follow the v3.0.0 milestone for tracking the progress of that release. If you are still having trouble after updating when it's released, please file a new issue. Thanks!

@ghost
Author

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Author

ghost commented Aug 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 12, 2020