Error getting creds when assuming role and using fallback credentials #4

Closed
YakDriver opened this issue Apr 30, 2019 · 5 comments · Fixed by #5

Comments

@YakDriver
Member

YakDriver commented Apr 30, 2019

Related issues:

Currently, session-derived credentials are obtained after execution has passed the assume role logic.

Currently, session-derived creds without profile:

GetSession()
    |
    |---> GetSessionOptions()
            |
            |---> GetCredentials()
            |       |
            |       |---> ASSUME ROLE (starting awsauth.go:233)
            |
            |--- SESSION-DERIVED CREDS OBTAINED, if no profile (session.go:49)

Currently, session-derived creds with profile:

GetSession()
    |
    |---> GetSessionOptions()
    |       |
    |       |---> GetCredentials()
    |       |       |
    |       |       |---> ASSUME ROLE (starting awsauth.go:233)
    |       |
    |       |--- Profile set (session.go:59)
    |       
    |--- SESSION-DERIVED CREDS OBTAINED, if profile (session.go:94)

Specific resultant issue:

  • On the awsauth.go path, you cannot assume a role if your credentials come from a credential process. However, you can assume a role if your credentials come from a shared credentials profile.

The error that you can expect to see:

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

@YakDriver
Member Author

YakDriver commented May 1, 2019

Testing Results

👍 credential_process credentials without assume_role

This works:

provider "aws" {
  profile = "credproc"
  region  = "us-east-1"
}

Here the shared credentials file has something along these lines:

[credproc]
credential_process = /some/process/that/returns/creds

👍 Regular credentials with assume_role

This works:

provider "aws" {
  profile = "default"
  region  = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::<ACCOUNT ID>:role/<ROLE NAME>"
    session_name = "<SESSION NAME>"
    external_id  = "<EXTERNAL ID>"
  }
}

👎 Credential process with assume role

This fails:

provider "aws" {
  profile = "credproc"
  region  = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::<ACCOUNT ID>:role/<ROLE NAME>"
    session_name = "<SESSION NAME>"
    external_id  = "<EXTERNAL ID>"
  }
}

The error:

$ terraform apply

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider

The corresponding AWS CLI command does work:

$ aws sts assume-role --role-arn arn:aws:iam::<ACCOUNT ID>:role/<ROLE NAME> --external-id <EXTERNAL ID> --role-session-name <SESSION NAME> --profile credproc

👍 Temporary security credentials with assume role

This works:

provider "aws" {
  profile = "temp"
  region  = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::<ACCOUNT ID>:role/<ROLE NAME>"
    session_name = "<SESSION NAME>"
    external_id  = "<EXTERNAL ID>"
  }
}

The role associated with the temporary security credentials must have this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::*:role/<ROLE NAME>"
            ]
        }
    ]
}

The corresponding AWS CLI command also works:

$ aws sts assume-role --role-arn arn:aws:iam::<ACCOUNT ID>:role/<ROLE NAME> --external-id <EXTERNAL ID> --role-session-name <SESSION NAME> --profile temp

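The two call orderings sketched in the first comment, exercised against the scenarios in the testing results above, as an added Go model. This is example code written for this page, not the provider's or the SDK's own code: it assumes a simplified credential chain (literal keys in the profile, then credential_process output), stands in for sts:AssumeRole with a function that only checks that caller credentials exist, and uses constructed profile names, key values, role ARN and a printf-based credential_process command.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
)

// Credentials is what every source yields; ProcessRunner executes a credential_process command.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }
type ProcessRunner func(command string) ([]byte, error)

// ErrNoCredentials mirrors the provider error quoted in the issue.
var ErrNoCredentials = errors.New("No valid credential sources found for AWS Provider")

// ShellRunner runs a credential_process command through sh -c and returns its stdout.
func ShellRunner(command string) ([]byte, error) { return exec.Command("sh", "-c", command).Output() }

// ParseCredentialProcessOutput decodes the documented credential_process JSON contract and
// rejects output that is not Version 1 or lacks the key pair.
func ParseCredentialProcessOutput(out []byte) (Credentials, error) {
	var v struct {
		Version                                    int
		AccessKeyId, SecretAccessKey, SessionToken string
	}
	if err := json.Unmarshal(out, &v); err != nil {
		return Credentials{}, err
	}
	if v.Version != 1 || v.AccessKeyId == "" || v.SecretAccessKey == "" {
		return Credentials{}, errors.New("credential_process: unsupported Version or missing keys")
	}
	return Credentials{v.AccessKeyId, v.SecretAccessKey, v.SessionToken}, nil
}

// staticProfileCreds is all the awsauth.go-style path can see: literal keys in the profile.
func staticProfileCreds(p map[string]string) (Credentials, bool) {
	id, secret := p["aws_access_key_id"], p["aws_secret_access_key"]
	return Credentials{AccessKeyID: id, SecretAccessKey: secret}, id != "" && secret != ""
}

// sessionDerivedCreds is what only the later session path yields: credential_process output.
func sessionDerivedCreds(p map[string]string, run ProcessRunner) (Credentials, bool) {
	if cmd := p["credential_process"]; cmd != "" {
		if out, err := run(cmd); err == nil {
			c, err := ParseCredentialProcessOutput(out)
			return c, err == nil
		}
	}
	return Credentials{}, false
}

// assumeRole stands in for sts:AssumeRole; like the real call it cannot be signed without caller creds.
func assumeRole(caller Credentials, roleARN string) (Credentials, error) {
	if caller.AccessKeyID == "" {
		return Credentials{}, ErrNoCredentials
	}
	return Credentials{"ASIA-ROLE", "role-secret", "session-for-" + roleARN}, nil
}

// Resolve picks credentials for profile and, if roleARN is set, assumes the role. With assumeFirst
// the assume-role step runs before session-derived credentials are consulted (the ordering in the
// issue); otherwise every base source is tried before the role is assumed.
func Resolve(profile, roleARN string, profiles map[string]map[string]string, run ProcessRunner, assumeFirst bool) (Credentials, error) {
	p := profiles[profile]
	base, ok := staticProfileCreds(p)
	if !ok && !assumeFirst {
		base, ok = sessionDerivedCreds(p, run)
	}
	if roleARN != "" {
		return assumeRole(base, roleARN) // assumeFirst: base is still empty for a credential_process profile
	}
	if !ok {
		base, ok = sessionDerivedCreds(p, run) // assumeFirst: session-derived creds are only consulted here
	}
	if !ok {
		return Credentials{}, ErrNoCredentials
	}
	return base, nil
}

// SampleProfiles is a constructed shared credentials file, already parsed; the credential_process
// command just prints fixed JSON so the example runs offline.
var SampleProfiles = map[string]map[string]string{
	"default":  {"aws_access_key_id": "AKIAEXAMPLE", "aws_secret_access_key": "example-secret"},
	"credproc": {"credential_process": `printf '{"Version":1,"AccessKeyId":"ASIAPROC","SecretAccessKey":"proc-secret","SessionToken":"proc-token"}'`},
}

func main() {
	const role = "arn:aws:iam::123456789012:role/Example"
	_, err := Resolve("credproc", role, SampleProfiles, ShellRunner, true)
	fmt.Println("assume-role before session-derived creds:", err)
	c, err := Resolve("credproc", role, SampleProfiles, ShellRunner, false)
	fmt.Println("base creds resolved first:", c.AccessKeyID, err)
}
```

Resolve with assumeFirst=true reproduces the failure: with only a credential_process profile, the assume-role step is reached with empty caller credentials, which is the "No valid credential sources found" error shown above, while the same profile without assume_role and the static profile with assume_role both succeed, matching the four results. With assumeFirst=false every base source is tried before the role is assumed, so the process-supplied keys can sign the AssumeRole call. The JSON check matters in practice too: credential_process output is untrusted input, so reject anything that is not Version 1 with both keys rather than proceeding with partial credentials.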
@YakDriver YakDriver changed the title Credentials handled differently depending on path Session-derived creds cannot be used when assuming role May 3, 2019
@YakDriver YakDriver changed the title Session-derived creds cannot be used when assuming role Obtaining valid credentials fails May 14, 2019
@YakDriver YakDriver changed the title Obtaining valid credentials fails Failure to use valid credentials May 14, 2019
@YakDriver YakDriver changed the title Failure to use valid credentials Error getting creds when assuming role and using fallback credentials May 24, 2019
@YakDriver
Member Author

I'm making an effort to collect the credential tests in a quick and dirty repo. I think this will help inform an eventual solution. If you have something that's not working, it's easy to add a new test based on the existing set: https://github.com/YakDriver/terraform-cred-tests

@scalp42

scalp42 commented Sep 6, 2019

I can confirm, @YakDriver, seeing the same situation regarding all the scenarios you showed.

@evandam

evandam commented Sep 9, 2019

Confirming the same as @YakDriver and @scalp42 here.

@danielov1

Is this issue resolved?

4 participants