
Fix web id assume role #25681

Merged: 4 commits into hashicorp:main, Jul 5, 2022

Conversation

@VictorCovalski commented Jul 4, 2022

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Output from acceptance testing:

Fixes #25680.
Relates hashicorp/aws-sdk-go-base#178.
Relates #24441.

@github-actions github-actions bot added client-connections Pertains to the AWS Client and service connections. size/XS Managed by automation to categorize the size of a PR. needs-triage Waiting for first response or review from a maintainer. labels Jul 4, 2022
@github-actions bot left a comment

Welcome @VictorCovalski 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@ewbankkit ewbankkit added bug Addresses a defect in current functionality. authentication Pertains to authentication; to the provider itself of otherwise. and removed needs-triage Waiting for first response or review from a maintainer. client-connections Pertains to the AWS Client and service connections. labels Jul 5, 2022
@ewbankkit (Contributor) left a comment

LGTM 🚀.

@ewbankkit (Contributor)

@VictorCovalski Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit requested a review from gdavison July 5, 2022 14:55
@github-actions github-actions bot added the client-connections Pertains to the AWS Client and service connections. label Jul 5, 2022
@gdavison (Contributor) left a comment

Thanks for this, @VictorCovalski! 🚀

@ewbankkit ewbankkit merged commit ff51ed7 into hashicorp:main Jul 5, 2022
@github-actions github-actions bot added this to the v4.22.0 milestone Jul 5, 2022
@github-actions bot commented Jul 8, 2022

This functionality has been released in v4.22.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@azec-pdx

@VictorCovalski, I believe that there has been a regression with v4.22.0 of the provider in terms of how the credentials chain behaves when assume_role_with_web_identity{} is present in the provider config.

Behavior before v4.22.0

I have a Terraform module with these files:

versions.tf

terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

providers.tf

provider "aws" {
  region              = var.region
  allowed_account_ids = [var.account_id]
  # Web Identity Role Federation only used in CI/CD
  assume_role_with_web_identity {
    role_arn           = var.ci_cd_role_ARN
    session_name       = var.ci_cd_sts_session_name
    duration           = var.ci_cd_sts_session_duration
    web_identity_token = var.ci_cd_web_identity_token
  }

  default_tags {
    tags = {
      # redacted
    }
  }
}

devops-account-globals.yaml (this is my top level YAML config that feeds TF root module variables)

terraform:
  vars:
    # Defines the order of labels which constitute name for all resources stacked:
    # {namespace}-{tenant}-{environment}-{stage}-{name}-{attributes}
    label_order:
     - "namespace"
     - "tenant"
     - "environment"
     - "stage"
     - "name"
     - "attributes"
    account_id: "REDACTED"
    ci_cd_role_ARN: "REDACTED"
    ci_cd_sts_session_name: "Terraform-CI-CD"
    ci_cd_sts_session_duration: "1h"
    # To be provided as TF_VAR_ci_cd_web_identity_token through CI/CD.
    # Setting empty string value breaks credentials chain lookup when OIDC IdP is not used (e.g.engineer workstations and
    # using Administrator SAML-federated IAM Role)
    ci_cd_web_identity_token: "FAILSAFE"

Before v4.22.0, with ci_cd_web_identity_token set to the value FAILSAFE, the provider would first attempt to get an STS session using STS:AssumeRoleWithWebIdentity and, once that failed (because "FAILSAFE" is obviously, and intentionally, not a valid JWT), the provider would proceed with other mechanisms to get AWS credentials. In the scenario where I run terraform commands from my developer workstation, it would use my already persisted STS session saved in AWS_ environment variables.

Behavior after v4.22.0

All files above are unchanged.
After upgrading to v4.22.0, with ci_cd_web_identity_token set to the value FAILSAFE, the provider would first attempt to get an STS session using STS:AssumeRoleWithWebIdentity and, once that fails, the provider doesn't even attempt to continue with other methods to find AWS credentials (the credentials chain stops).
I get the error:

Error: error configuring Terraform AWS Provider: IAM Role (REDACTED) cannot be assumed with web identity token.
│
│ There are a number of possible causes of this - the most common are:
│   * The web identity token used in order to assume the role is invalid
│   * The web identity token does not have appropriate permission to assume the role
│   * The role ARN is not valid
│
│ Error: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 1, https response error StatusCode: 400, RequestID: 78672982-935a-4758-bd50-0f8a4c96f301, InvalidIdentityToken: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)

@azec-pdx

I have just locked down my provider version with version = "~> 4.21.0" and confirmed that the above is true, just to double verify.
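As an added example (not part of this PR, the provider's code, or the comment above): the behaviour relied on above, where an intentionally invalid "FAILSAFE" token makes STS:AssumeRoleWithWebIdentity fail and the provider then falls through to whatever ambient credentials are present, couples the choice of identity to an error response. A pattern that does not depend on that fallback is to emit the assume_role_with_web_identity block only when CI/CD actually supplies a token, using a Terraform dynamic block. The variable names are taken from the providers.tf above; the empty-string default and the sensitive flag on the token variable are assumptions made for this example.

```hcl
# Token is provided by CI/CD as TF_VAR_ci_cd_web_identity_token.
# On an engineer workstation it stays unset, so the default empty string applies.
variable "ci_cd_web_identity_token" {
  type      = string
  default   = ""   # assumption: empty means "no web identity federation"
  sensitive = true # keep the JWT out of plan output and logs
}

provider "aws" {
  region              = var.region
  allowed_account_ids = [var.account_id]

  # Emit the block only when a token was actually supplied. With an empty
  # for_each the block is absent entirely, so the provider resolves
  # credentials through its normal chain (environment variables, shared
  # config, etc.) instead of first calling STS with a placeholder token.
  dynamic "assume_role_with_web_identity" {
    for_each = var.ci_cd_web_identity_token == "" ? [] : [var.ci_cd_web_identity_token]
    content {
      role_arn           = var.ci_cd_role_ARN
      session_name       = var.ci_cd_sts_session_name
      duration           = var.ci_cd_sts_session_duration
      # The dynamic block's iterator is named after the block label.
      web_identity_token = assume_role_with_web_identity.value
    }
  }

  default_tags {
    tags = {
      # redacted
    }
  }
}
```

With this layout the two identities are selected explicitly by whether the variable is set, so the result no longer depends on which provider version stops or continues the credentials chain after a failed STS call. It also means that a genuinely invalid token in CI surfaces as a hard configuration error rather than the run silently proceeding with whatever credentials happen to exist on the runner.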

@github-actions bot

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2022
Linked issue that merging this pull request may close: Assume Role With Web Identity configuration is not being passed during Client creation