Unable to assume role with a specified STS endpoint #14435
Comments
Is there a planned date to deliver a fix for this issue? We are bound by security to use VPC endpoints and so this causes us many problems. Just to add further detail: with debug enabled, the Terraform run just hangs on the line "Setting custom STS endpoint".
@Danny-Cooke Are you using a similar cross-region setup where the region specified in the provider

```hcl
provider "aws" {
  region = "us-west-2"
  # custom STS endpoint in another region (the provider has no top-level
  # sts_endpoint argument; it goes in the endpoints block)
  endpoints {
    sts = "https://sts.eu-central-1.amazonaws.com"
  }
}
```
Actually no, we are not using cross-region but we are using cross-account roles. This is the layout of our provider file, and we are trying to have a "shared services" account which can provision into all other accounts. I have left in (but commented out) our other attempts to use regional endpoints for STS too but alas, we have no success with it.

```hcl
provider "aws" {
  endpoints {
  }
}
```
@Danny-Cooke Yes, I can reproduce this with a same-region scenario:

```hcl
provider "aws" {
  region = "us-west-2"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/test"
  }
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com"
  }
}
```

which is the error called out in #14873. If I make the equivalent call using the CLI

```sh
$ aws --debug --region us-west-2 --endpoint https://sts.us-west-2.amazonaws.com sts assume-role --role-arn arn:aws:iam::111111111111:role/test --role-session-name testing
```

it succeeds:

The difference is that the credential signing region (
@Danny-Cooke Could you try setting the
@ewaltman We did try that but with no positive impact. We also use Aviatrix filters and whitelisting to access the internet where endpoints are not available. When trying to hit the VPC endpoint, whether it's with AWS_STS_REGIONAL_ENDPOINTS or not, we check the filter to find Terraform has still tried to access the same global address of "sts.amazonaws.com" every time. It seems like regardless, Terraform still wants to go external. For the time being we are having to whitelist that address until a fix is delivered.
@xlz-jgoutin Which region are you specifying or have set for the successful
Hmm, when I set

```hcl
provider "aws" {
  region = "us-west-2"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/test"
  }
  # endpoints {
  #   sts = "https://sts.us-west-2.amazonaws.com"
  # }
}
```

then

```sh
$ AWS_STS_REGIONAL_ENDPOINTS=regional terraform plan
```

succeeds via the correct regional endpoint:
@ewaltman That's interesting. We haven't tried the combination of NOT specifying the STS endpoint, basically as you should be specifying them all the time. I'll get the network guys to remove the whitelist tomorrow and we will test too. Definitely some strange results going on.
@ewaltman I can confirm the same results. With

```hcl
provider "aws" {
  endpoints {
  }
}
```

and

```sh
export AWS_STS_REGIONAL_ENDPOINTS=regional
```

we can then successfully assume role into another account and deploy.
Would an attribute something like

```hcl
provider "aws" {
  region = "us-west-2"
  assume_role {
    role_arn               = "arn:aws:iam::111111111111:role/test"
    sts_regional_endpoints = "regional"
  }
}
```

be of use so that the

The cross-region case is more complex and will require specifying a signing region for the STS AssumeRole request (else the signing region is either
us-east-1.
Same issue here.

Terraform CLI and Terraform AWS Provider Version
Terraform v0.12.28
Hi, I have the same needs. Based on the documentation about Global STS and Regional STS, the provider should do the action in two steps: if the STS endpoint is a regional one, meaning sts.<region>.amazonaws.com, the provider needs to do the sts:AssumeRole in that region regardless of the "region" parameter. Then, as the credentials can now be used in whatever region, the provider should switch to that region.

Benoit
See https://github.com/boto/botocore/blob/04d1fae43b657952e49b21d16daa86378ddb4253/botocore/args.py#L84-L93 for an example of signing region.
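To make the signing-region point concrete, here is an added example (my own code, not the provider's, botocore's or anything posted in this thread) that resolves which STS endpoint a call should go to and which region the SigV4 signature must be scoped to, for the three situations discussed above: a custom regional or VPC STS endpoint, AWS_STS_REGIONAL_ENDPOINTS=regional with no custom endpoint, and the legacy global fallback. The function names, the VPC endpoint hostname layout (vpce-<id>.sts.<region>.vpce.amazonaws.com) and the list of regions that still use the global endpoint in legacy mode are assumptions; the sample endpoint URLs are constructed, not taken from the debug output.

```python
import re
from urllib.parse import urlparse

GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"
GLOBAL_SIGNING_REGION = "us-east-1"  # requests to the global endpoint are signed as us-east-1

# Matches an AWS region label such as us-west-2, eu-central-1 or us-gov-west-1.
REGION_LABEL = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d+$")

# Regions that keep using the global endpoint in "legacy" mode. Reproduced from
# memory of the SDK's legacy list; treat as an assumption and verify against
# the SDK version you run.
LEGACY_GLOBAL_REGIONS = frozenset({
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2",
    "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2",
})


def region_from_sts_endpoint(endpoint_url):
    """Return the region an STS endpoint belongs to, or None for the global endpoint.

    Works for sts.<region>.amazonaws.com and for interface VPC endpoint hostnames
    of the assumed form vpce-<id>.sts.<region>.vpce.amazonaws.com.
    """
    host = (urlparse(endpoint_url).hostname or "").lower()
    if host == "sts.amazonaws.com":
        return None
    for label in host.split("."):
        if REGION_LABEL.match(label):
            return label
    raise ValueError(f"cannot determine the region of STS endpoint {endpoint_url!r}")


def resolve_sts_call(configured_region, endpoint_url=None, regional_mode="legacy"):
    """Pick the STS endpoint to call and the region to sign the request for.

    With an explicit endpoint the request must be signed for that endpoint's own
    region, not for the provider's configured region. Without one,
    AWS_STS_REGIONAL_ENDPOINTS=regional selects sts.<region>.amazonaws.com, while
    legacy mode falls back to the global endpoint for the regions listed above.
    """
    if endpoint_url:
        region = region_from_sts_endpoint(endpoint_url)
        return endpoint_url, (region if region else GLOBAL_SIGNING_REGION)
    if regional_mode == "regional" or configured_region not in LEGACY_GLOBAL_REGIONS:
        return f"https://sts.{configured_region}.amazonaws.com", configured_region
    return GLOBAL_STS_ENDPOINT, GLOBAL_SIGNING_REGION


def signing_region_mismatch(endpoint_url, signing_region):
    """True when an STS endpoint is called with a signature scoped to another region.

    This is the combination the thread describes: a custom regional or VPC STS
    endpoint paired with a request signed for the provider's configured region.
    """
    endpoint_region = region_from_sts_endpoint(endpoint_url)
    if endpoint_region is None:
        return signing_region != GLOBAL_SIGNING_REGION
    return signing_region != endpoint_region


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread, including a VPC endpoint.
    scenarios = [
        ("us-west-2", None, "legacy"),
        ("us-west-2", None, "regional"),
        ("us-west-2", "https://sts.eu-central-1.amazonaws.com", "legacy"),
        ("us-west-2", "https://vpce-0abc123.sts.us-west-2.vpce.amazonaws.com", "legacy"),
    ]
    for configured, endpoint, mode in scenarios:
        url, sign_as = resolve_sts_call(configured, endpoint, mode)
        naive_mismatch = signing_region_mismatch(url, configured)
        print(f"region={configured} mode={mode} -> call {url}, sign as {sign_as};"
              f" signing as the configured region would mismatch: {naive_mismatch}")
```

The cross-region line in the output is the case ewaltman flags as more complex: the provider region is us-west-2, but the AssumeRole request has to be signed for eu-central-1 because that is where the endpoint lives; once the temporary credentials come back, they can be used in us-west-2 as Benoit describes.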
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Terraform CLI and Terraform AWS Provider Version
Terraform v0.12.29
provider.aws v3.0.0

Debug Output
https://gist.github.com/xlz-jgoutin/f2d8e56f8ff179e8dc67dced38f15196

Expected Behavior
Assume role with success.

Actual Behavior
Assume role fails due to the VPC condition (like when the endpoint is not specified).

Steps to Reproduce
terraform apply

References
AssumeRole API calls