
Using EC2 IAM Role to assume role in another account #7768

Closed
agarstang opened this issue Jul 22, 2016 · 4 comments

Comments

@agarstang

agarstang commented Jul 22, 2016

Hi,

We cannot assume a role in another account while running from an instance in EC2 with an IAM role.

We wish to be able to use our EC2 role to assume the IAM role in the target account and then populate the required environment variables to have Terraform use that role.

At no point do we wish to be storing access keys in the configuration. We wish to use implicit roles.

Terraform Version

  • Terraform v0.6.16 (Windows)
  • Terraform v0.7.0-rc3 (Windows)

Affected Resource(s)

  • provider AWS

Terraform Configuration Files

provider "aws" {
  region = "eu-west-1"
}

provider "aws" {
  alias  = "ireland"
  region = "eu-west-1"
}

provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

resource "aws_security_group" "BLAH_EU-WEST-1_ELB" {
  provider    = "aws.ireland"
  name        = "BLAH_ELB"
  description = "Allow traffic to BLAH ELBs"

  vpc_id = "vpc-xxxxxx"

  tags {
    Name = "BLAH_ELB"
  }
}

resource "aws_security_group_rule" "BLAH_EU-WEST-1_ELB_inbound_80" {
  provider    = "aws.ireland"
  type        = "ingress"
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]

  security_group_id = "${aws_security_group.BLAH_EU-WEST-1_ELB.id}"
}

resource "aws_security_group_rule" "BLAH_EU-WEST-1_ELB_outbound_80" {
  provider                 = "aws.ireland"
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.BLAH_EU-WEST-1_WEB.id}"

  security_group_id = "${aws_security_group.BLAH_EU-WEST-1_ELB.id}"
}

Debug Output

https://gist.github.com/agarstang/1aa8189af5b15ce864d2b02de2ec7fb8

Expected Behavior

We should be able to, using our EC2 role, get temporary credentials for the role we are assuming. Then when we populate the following environment variables Terraform should run as the target role.
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SECURITY_TOKEN

Actual Behavior

When your instance has an EC2 role Terraform ignores AWS_SECURITY_TOKEN and attempts to use the Token from the Metadata service. This obviously doesn't work with AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY.

Steps to Reproduce

To reproduce this you need two AWS accounts.

  1. Create an EC2 role in the source account
  2. Launch an instance with that role and install Terraform
  3. Create a role in the target account that has the permissions Terraform requires
  4. Create a trust relationship with the role in the source account
  5. On the source EC2 instance use your preferred method to call the assume-role API
  6. Populate the environment variables with the assumed credentials
  7. terraform apply

References
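The steps above, as an added example that is not from the issue or from Terraform itself: a POSIX shell script for the source EC2 instance that lets the AWS CLI call assume-role with the instance-profile credentials it already resolves, turns the STS response into export lines, and runs Terraform only if that succeeded. The function names, the placeholder role ARN and the STS response used in the comments are assumptions, not values from the issue.

```shell
#!/bin/sh
# Added example, not from the issue or from Terraform: on the source EC2 instance,
# let the AWS CLI use the instance-profile credentials to call assume-role for a
# role in the target account, then export the temporary credentials for Terraform.
set -eu

# Read the JSON printed by `aws sts assume-role` on stdin and print `export`
# lines on stdout. Only sed is used, so there is no jq dependency. Values are
# single-quoted because secret keys and session tokens contain '/', '+' and '='.
creds_to_exports() {
  json=$(cat)
  key=$(printf '%s\n' "$json" | sed -n 's/.*"AccessKeyId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  secret=$(printf '%s\n' "$json" | sed -n 's/.*"SecretAccessKey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  token=$(printf '%s\n' "$json" | sed -n 's/.*"SessionToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "creds_to_exports: no Credentials block in assume-role output" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  # Current SDKs read AWS_SESSION_TOKEN; AWS_SECURITY_TOKEN is the older name the issue uses.
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf "export AWS_SECURITY_TOKEN='%s'\n" "$token"
}

# Call STS with whatever credentials the CLI resolves (the instance profile here)
# and print export lines. $1 is the target-account role ARN, $2 the session name,
# which CloudTrail in the target account records with every call the role makes.
assume_role_exports() {
  aws sts assume-role --role-arn "$1" --role-session-name "${2:-terraform}" \
      --duration-seconds 3600 --output json | creds_to_exports
}

# Usage: TARGET_ROLE_ARN=arn:aws:iam::123456789012:role/TerraformRole sh assume.sh
# (placeholder ARN). Nothing runs when the variable is unset. The assignment
# aborts under set -e if STS fails, so Terraform never falls back to the
# instance's own credentials.
if [ -n "${TARGET_ROLE_ARN:-}" ]; then
  exports=$(assume_role_exports "$TARGET_ROLE_ARN" "terraform-$(hostname)")
  eval "$exports"
  terraform apply
fi
```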

@reppard

reppard commented Jul 22, 2016

@agarstang this use case is exactly why we wrote https://github.com/manheim/awssume. I referenced it in #2693 as well. I don't know that it solves everyone's use case in that thread, but it definitely works for this one. You need only supply an ARN for the role you want to assume and the command you want to execute.

Example:

  $ AWS_ROLE_ARN=arn:aws:iam::123456789012:role/RoletoAssume \
      awssume terraform apply

@agarstang
Author

agarstang commented Jul 22, 2016

@reppard the drawback of this is the additional dependency on Ruby (as well as the certificate bundle on Windows required to talk to the AWS API).

I would still consider this a bug, as it is counter-intuitive behavior that goes against the credential search order described in the documentation.

@stack72
Contributor

stack72 commented Sep 6, 2016

Hi @agarstang

This has been added as a new feature in Terraform 0.7.3, which was released yesterday.

Paul

@stack72 stack72 closed this as completed Sep 6, 2016
@ghost

ghost commented Apr 22, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 22, 2020