Assume role doesn't work via VPC #9869
Comments
github-actions
bot
added
the
needs-triage
|
@szemlyanoy Configuration for the Terraform S3 Backend is done independently of the configuration for the Terraform AWS Provider and it looks like your error is occurring during initialization of the S3 Backend. |
|
Thanks for reply @ewbankkit terraform{ And here is my Assuming role trust policy { The weird thing is that if I set proxies - role is assumed and backed can be initialized. `Initializing the backend... Error: The role "arn:aws:iam::763331026866:role/lsm_terraform_init" cannot be assumed. There are a number of possible causes of this - the most common are: I do not see anything in IAM role preventing access from VPC. |
|
Ok I put aside this backend issue for awhile and skipped assume role usage in S3 backend by setting s3 bucket persmissions explicitly in policy. main.tf backend.tf Why it does not try to connect to provided STS endpoint? |
|
regarding backend issue: and set proxy to let TF connect via internet then returns if I unset proxies then |
|
@szemlyanoy Have you verified that the arn:aws:iam::7633xxxxxxx:role/lsm_terraform_init role has the correct trust relationship with the base calling role? |
|
Yes trust is correct I was able to past this issue using workaround now I can set VPC STS endpoint in both backend and provider One question I am trying to figure out - would appreciate advice. Bellow module where I want to assume role from another module which exported ARN: but it bails telling that I need to provide all required attributes(region etc) for S3 provider. Is there any way to overwrite only single attribute of root provider resource on child module level? Thanks! |
|
@szemlyanoy It's always the proxy 😄. From the documentation:
So you will be unable to refer to the newly created role/policy when configuring the 2nd provider if you keep everything in one pass of |
|
It seems the problem with S3 provider attributes in child module 'route53_resolver' is caused by order of resources creation. It is seen from log that new role 'lsm_terraform_resourcers' was assumed by S3 provider inside 'route53_resolver' module. The main issue is that policy was not created yet. Any advice how to realize this order policy->role(vice versa) -> other modules ? Thanks in advance |
|
can I export role arn from 'aws_iam_role_policy_attachment' resource type? It is not clear from doc what exactly can be output for this resource but if it's possible then this might be workaround |
|
I even tried to implement such workaround to enforce policy<->role->other modules order in such way So it means by the time module 'iam_role_resources' is finished role and policy should be created and attached. I am getting assume role arn using data source and supplying it to route53_resolver module provider. But it still fails on first apply: Interesting from trace log that after resolver's failure TF uploads state to s3 backend I see both role and policy resources are sent in PUT request. Next apply would succeed with resolver module. I am not sure if this backend upload can cause the issue with resolver module not being able to assume role. Any advice on that? |
…t customization bugs (#32) Reference: #2 Reference: hashicorp/terraform-provider-aws#9869 Reference: hashicorp/terraform#25056 Practitioner facing changes: - Properly use custom STS endpoint during AssumeRole API calls triggered by Terraform AWS Provider and S3 Backend configurations - Properly use custom EC2 metadata endpoint during API calls triggered by fallback credentials lookup Other changes: - Use Go 1.13 wrapped error handling - Introduce centralized endpoints.Resolver for custom endpoint handling - Introduce mock ECS credentials server - Introduce STS AssumeRole valid and invalid API responses
bflad
added
bug
Reference: #5018 Reference: #6913 Reference: #7333 Reference: #9236 Reference: #9869 Reference: #9898 Reference: #9962 Reference: #9986 Reference: #10507 Reference: #11429 Reference: #12236 Reference: #12727 Reference: #12815 Reference: #13057 Changes: ``` NOTES * provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) * provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries ENHANCEMENTS * provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable) * provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments BUG FIXES * provider: Ensure configured STS endpoint is used during `AssumeRole` API calls * provider: Prefer AWS shared configuration over EC2 metadata credentials by default * provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default ``` Output from acceptance testing: ``` --- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s) --- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s) --- PASS: TestAccAWSProvider_Region_AwsChina (3.99s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s) --- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s) --- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s) --- PASS: TestAccAWSProvider_Endpoints (4.53s) --- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s) ```
…14077) * Update module hashicorp/aws-sdk-go-base to v0.5.0 * provider: Authentication updates for Terraform AWS Provider v3.0.0 Reference: #5018 Reference: #6913 Reference: #7333 Reference: #9236 Reference: #9869 Reference: #9898 Reference: #9962 Reference: #9986 Reference: #10507 Reference: #11429 Reference: #12236 Reference: #12727 Reference: #12815 Reference: #13057 Changes: ``` NOTES * provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) * provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries ENHANCEMENTS * provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable) * provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments BUG FIXES * provider: Ensure configured STS endpoint is used during `AssumeRole` API calls * provider: Prefer AWS shared configuration over EC2 metadata credentials by default * provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default ``` Output from acceptance testing: ``` --- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s) --- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s) --- PASS: TestAccAWSProvider_Region_AwsChina (3.99s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s) --- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s) --- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s) --- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s) --- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s) --- PASS: TestAccAWSProvider_Endpoints (4.53s) --- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s) ``` * docs/provider: Add authentication changes section to version 3 upgrade guide and remove pre-3.0 notes Co-authored-by: Renovate Bot <bot@renovateapp.com>
|
Hi folks 👋 Version 3.0 of the Terraform AWS Provider will include a few authentication changes that should help in this case. Similar enhancements and fixes were applied to the Terraform S3 Backend (part of Terraform CLI) in version 0.13.0-beta2. The Terraform AWS Provider major version update will release in the next two weeks or so. Please follow the v3.0.0 milestone for tracking the progress of that release. If you are still having trouble after updating when its released, please file a new issue. Thanks! |
|
This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Community Note
Terraform Version
Terraform v0.12.6
Affected Resource(s)
aws_iam_role
aws_iam_role_policy
Terraform Configuration Files
`provider "aws" {
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
region = "${var.region}"
endpoints {
sts = "https://vpce-xxxxxxx.sts.us-east-1.vpce.amazonaws.com"
}
assume_role {
role_arn = "${var.role_arn}"
session_name = "${var.session_name}"
external_id = "${var.external_id}"
}
}
module "iam_role_resources" {
source = "../../modules/iam_role_resources"
}`
Debug Output
Error: The role "arn:aws:iam::7633xxxxxxx:role/lsm_terraform_init" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Expected Behavior
Terraform should connect to AWS STS endpoint via VPC private connection
Actual Behavior
Terraform bails on attempt to assume role.
Steps to Reproduce
Create any AWS IAM role
Attach some policy to let Terraform to interact with AWS resources
Add Terraform user into Trusted principals
Create VPC STS enpoint
Add assume role and STS endpoint into Terraform AWS provider:
`provider "aws" {
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
region = "${var.region}"
endpoints {
sts = "https://vpce-xxxxxxx.sts.us-east-1.vpce.amazonaws.com"
}
assume_role {
role_arn = "${var.role_arn}"
session_name = "${var.session_name}"
external_id = "${var.external_id}"
}
}
`
unset proxies
unset http_proxy https_proxyrun apply
`$ ../../terraform init -reconfigure -backend-config="../../globals.tfvars" -backend-config="terraform.tfvars" -backend-config="secrets.tfvars"
Initializing the backend...
Error: The role "arn:aws:iam::7633xxxxxx:role/lsm_terraform_init" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid`
If I set proxy then init/plan/apply work fine. So it suggests that TF goes via internet which is a huge breach for us. It looks like Terraform does not pick up STS endpoint url.
STS url is accessible via proxy using
$ curl -I https://vpce-xxxxxxx.sts.us-east-1.vpce.amazonaws.com HTTP/1.1 302 Found x-amzn-RequestId: ded33b46-c5d2-11e9-9627-13da8f46d40c Location: https://aws.amazon.com/iam Content-Length: 0 Date: Fri, 23 Aug 2019 18:21:48 GMTSo how can I let TF connect to AWS using VPC Endpoint to assume IAM role?
Thanks in advance,
Sergii
The text was updated successfully, but these errors were encountered: