Invalid security token issue on EC2 that has an IAM instance profile #2693
Comments
@killercentury that's definitely odd! We have been working on improving the credentials detection code recently - so it's definitely possible there's a bug there. From reading your description, it's hard to tell exactly the steps to reproduce the unexpected behavior. Can you lay them out for me?
+1 Seeing the same issue on EC2 when using Terraform. As @killercentury suggested, setting the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to random values allows terraform to pick up the correct values from the provider file.
I am really glad I came across this. I am also having this issue. I'm working on automation to drive terraform and recently ran into this issue w/ running terraform on an AWS EC2 instance. I was able to run terraform plan from my local dev machine just fine with the same keys I was trying to use on the EC2 instance, but on EC2 I kept getting:
I finally ended up running tcpdump to try to figure out what the issue was:
I noticed terraform was contacting After finding this issue, I tried setting
I am not working on this alone, so the next piece of information could be erroneous, but I believe we only recently added an EC2 instance profile (IAM role) to the instance, so perhaps this has something to do with terraform trying to use the metadata service. EDIT: To clarify, I found this to be true with both version 0.6.3 and 0.6.6
I have experienced identical behavior: #3243
Hello friends – Sorry for the late response here. Can you confirm this is still an issue? On an EC2 instance, I'm able to
The plan executes successfully. Editing any of those variables causes the plan to fail to auth, as expected. What am I missing here? Am I not reproducing this correctly?
@catsby - Would this change be in the latest binary I can install, or will I need to build from source?
Hey @artburkart – the change I referenced is in v0.6.8, the current binary.
@catsby - okay good, cuz I only just installed go on my test machine 😉 If that's the case, then it appears to still be there. Allow me to double check.
@artburkart to confirm, this is your issue, specifically, correct?
@catsby, yes that is my issue. It's identical to that defined by @ckelner above.

```
terraform -v
Terraform v0.6.8
```

Then I run

```
Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* InvalidClientTokenId: The security token included in the request is invalid
	status code: 403, request id: abc123
```

Then I run

```
AWS_ACCESS_KEY_ID=123 AWS_SECRET_ACCESS_KEY=567 terraform plan
```

And bingo!
@catsby maybe I can help add a little more color, I'm recalling from memory, but if need be I'll be happy to dig in and get real data/examples.
Hopefully this is helpful in your testing. I will try
I also have an IAM role associated with my instance. But allow me to try it without one.
Thanks all for the additional info! I have some kind of idea, but probably won't get to it until tomorrow.
Okay, here's my steps to repro:

```hcl
provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "us-east-1"
}

resource "aws_instance" "web" {
  ami           = "ami-d05e75b8"
  instance_type = "m1.small"
  tags {
    Name = "HelloWorld"
  }
}

variable "access_key" {
  description = "Access key to provider (AWS, openstack, etc)"
}

variable "secret_key" {
  description = "Secret key to provider (AWS, openstack, etc)"
}
```

Variable values (tfvars):

```hcl
access_key="some_valid_key"
secret_key="some_other_valid_key"
aws_key_name="some_pem_file"
```

```
Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* InvalidClientTokenId: The security token included in the request is invalid
	status code: 403, request id: abc123
```

I have verified that if you do the exact same thing without associating an IAM role, you can successfully execute
Great work @artburkart ! 💃 Glad you were able to pinpoint that it was the IAM role.
Hello Friends! Thanks to all of your help, we've identified the issue here. The fix however will take some time to work out and test. The crux of it is here: specifically, the If you specify We believe we can fix this by dumbing down the logic in Thanks again for the help
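A simplified model of the precedence problem discussed in this thread, added here as an illustration and not taken from the Terraform AWS provider's source. The ordering in `resolve_buggy` is an assumption chosen to reproduce the reported symptoms (explicit provider keys ignored once an instance profile is attached, unless AWS_* environment variables are set), and `resolve_fixed` applies the precedence a provider should use: provider block, then environment, then instance metadata.

```python
"""Credential precedence model (constructed example, not Terraform code)."""
from typing import Optional

# Constructed stand-in for the EC2 metadata service: role credentials when an
# instance profile is attached, otherwise nothing. No network calls are made.
def instance_profile_creds(attached: bool) -> Optional[dict]:
    if not attached:
        return None
    return {"access_key": "ASIAROLEEXAMPLE", "secret_key": "role-secret",
            "session_token": "role-token", "source": "instance_profile"}

def static_creds(cfg: dict, env: dict) -> Optional[dict]:
    """Static key pairs: the provider block first, then AWS_* env vars."""
    if cfg.get("access_key") and cfg.get("secret_key"):
        return {"access_key": cfg["access_key"], "secret_key": cfg["secret_key"],
                "source": "provider_block"}
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"access_key": env["AWS_ACCESS_KEY_ID"],
                "secret_key": env["AWS_SECRET_ACCESS_KEY"], "source": "env"}
    return None

def resolve_buggy(cfg: dict, env: dict, profile_attached: bool) -> Optional[dict]:
    # Assumed ordering that reproduces the report: metadata is consulted before
    # the provider block unless AWS_* env vars exist, so explicit keys in the
    # config are ignored on any instance that carries an IAM role. Setting the
    # env vars to junk (the workaround above) skips the metadata branch, and
    # static_creds then prefers the provider block over the junk env values.
    env_set = env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY")
    if not env_set:
        role = instance_profile_creds(profile_attached)
        if role:
            return role
    return static_creds(cfg, env)

def resolve_fixed(cfg: dict, env: dict, profile_attached: bool) -> Optional[dict]:
    # Explicit configuration always wins; the instance profile only fills a gap.
    return static_creds(cfg, env) or instance_profile_creds(profile_attached)
```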
Awesome work @catsby thanks for the update!
+1 facing same issue with aws ec2 instance launched with IAM role. Waiting for fix :)
@avdhoot Not sure if you noticed the work around, but setting EDIT: Not that it should be accepted as a long term fix, but in the event it was blocking you :)
@ckelner This behavior is not straightforward. If we export aws keys before Note: ec2 instance is launched with empty instance role.
Can you elaborate on what an "empty" instance role is? In your previous message you mention "launched with IAM role". |
An update: a rough version of the patch has been pushed and a PR sent. I've tested the scenario(s) above but am still testing and adjusting:
"empty" means ec2 instance launched with IAM role but no permission On Sat, Dec 12, 2015 at 12:07 AM, Clint notifications@github.com wrote:
@avdhoot ah, thanks for clarifying |
Hello friends! Thank you for your patience here. I just merged #4254 to address this, if you have the ability to make Terraform from source and could be so kind, please do so and let me know how it goes. Otherwise it will be out in the next release (soonish). Thanks for all the help here!
Is anyone still experiencing this? I have an IAM user with full EC2 access and running the basic example causes the following error:
This is v0.6.16 on OSX 10.11 (El Capitan). I tried the workarounds mentioned above, to no avail. |
This is also a problem for my desired workflow. In a multi-account setup we wish to assume a role in the target account, we do this from machine with an IAM role in the "source" account. We assume the role and then populate the environment variables ( As far as I can tell this is still broken in 0.7.0-rc3.
@agarstang , sorry, I know this has been closed, but just wondering did this work for you in the new version terraform? we are using the latest terraform 0.9.11, but we hitting the same issue. We actually have multi-account setup, and create an IAM role from the source account and let another account assume the role then grab the temporary credentials, but we are still hitting this Get Caller Identity 403 error.
Hi @rico-spaceship, iirc our attempt to use environment variables was to get around the lack of role assumption within Terraform (I believe it may have been a GO SDK limitation at the time). We now use the
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
When I run plan and apply on my Mac for creating an ECS cluster, everything seems fine. But when I run the exact same thing on an EC2 instance which has an IAM instance profile, it complains with the following error:
I actually want to use the "access_key" and "secret_key" specified in my terraform configs instead of inheriting these from the IAM role. But it seems those variables in terraform configs weren't used properly, and neither were the credentials from the IAM role, since both have full permission for the operation.
So I tried a few different combinations as follows.
So without looking into the code, I guess it has to do with some credentials detection logic for the IAM role and it overrides the value specified in the terraform.tfvars file.