S3 backend config role_arn can't be assumed when running dockerized #13690
Comments
I've also tried just launching the terraform container interactively e.g.
ensuring the backend config is available, setting the credentials and running |
I'm wondering whether there is a time-based aspect to this issue? I restarted Docker for Mac, rebooted Mac, and the problem was still apparent. It disappeared the next day. It intermittently reappears. |
Same issue with Terraform v0.10.8 |
getting the same issue even when running non-dockerized
I have my ~/.aws/credentials file setup with several profiles. I use the
From the aws cli it works and I get my temporary credentials:
The only
My terraform backend configuration looks like:
When trying to run a
My policy does not require MFA
I tried removing the The weird thing is that it did work yesterday. I have setup and tore down my environment repeatedly the last few days... The code is in version control, and I haven't changed my ~/.aws/credentials and today it just stopped working. I did play around with installing Any insights into this issue would be much appreciated |
It turned out to be a network issue. The strange thing is that the aws cli did work, while terraform didn't. Guess it's using a different network stack to do DNS resolving or something |
Hi, I have the same problem, did you find any solutions? It seems like sometimes it worked and sometimes it doesn't. It randomly works. Regards, |
Having the same issue - appears to be intermittent. Is there a known resolution for this issue? |
Hi, I'm experiencing the same issue |
It works great with Terraform version v0.13.3. Here is how I am doing it terraform { profile "terraform" user has permission to just assume the terraform role |
@yogeshdass Setting the profile corresponding to the role defined under .aws/config helped in my case. Thanks for the pointer!! |
Please check your docker local time file if AWS Cli might have some time get will also not work...It fixed for me after changing my local time on my VM |
Greetings, I actually experienced this issue locally outside of docker as well. I had initialized the backend state as an IAM role (Role A) provisioned in the same AWS account as where the resources were deployed (Account A). No role_arn was specified in the terraform s3 backend. There was a role_arn set on the Next step was to set a role on the terraform backend, so that an "admin" account (Account B) IAM role (Role B) that had permissions to assume Role A, could execute the terraform module. I started to experience the error after adding the role_arn to the backend. When enabling TRACE logging with TF_LOG, I noticed that there were multiple attempts to assume Role A as a part of the terraform execution. The fix for me was removing the role_arn from the Maybe this might help someone. |
I also experienced this issue outside of docker. I can |
Going through the logs led me to look at this: hashicorp/aws-sdk-go-base#4. When I compared the issues, they seem to behave similarly to me. It looks like it's the credential process WITH assume role that is the issue. If the backend credentials use the default provider, the issue goes away. It looks like there is a built-in assumption some place with the default credentials. |
Stumbling across this a bit late... but I've encountered the same issue and found this helpful: https://support.hashicorp.com/hc/en-us/articles/1500005343862-Required-Additional-Configuration-When-Using-IMDSv2 |
Thanks for the additional info, @csbain. That setting is vital when running in a container in AWS. The original error reported looks like they were running locally. In @antonosmond's original examples, it looks like the value of the environment variables passed to the We have made many changes to authentication since this issue was reported, and many more are coming in v1.6. I'm going to close this issue. If you are still encountering this problem, please create a new issue |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
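Added example, not part of the issue thread or of Terraform: a shell helper that sorts the stderr of `aws sts assume-role` into the causes raised in the comments above (invalid or missing credentials, missing permission, clock skew, network failure), so the same check can be run inside the container that runs `terraform init`. The function names, the session name and the sample messages are constructed for illustration; the role ARN is the placeholder from the issue's error output.

```shell
#!/bin/sh
# Added example: classify AWS CLI errors from an assume-role attempt.
# classify_sts_error and diagnose_assume_role are hypothetical helper names.

classify_sts_error() {
    msg=$1
    case $msg in
        # Checked first: a skewed clock is reported as a signature error.
        *"Signature expired"*|*"Signature not yet current"*)
            echo clock-skew ;;
        *"Could not connect to the endpoint URL"*|*"timeout on endpoint URL"*)
            echo network ;;
        *"(InvalidClientTokenId)"*|*"(SignatureDoesNotMatch)"*|*"(ExpiredToken)"*|*"Unable to locate credentials"*)
            echo invalid-credentials ;;
        # STS gives the same answer for a missing permission, a trust policy
        # that excludes the caller, and a role that does not exist.
        *"(AccessDenied)"*)
            echo not-permitted-or-wrong-role ;;
        *)  echo unknown ;;
    esac
}

# Run with the same environment (and in the same container) as terraform.
# Only stderr is captured, so temporary credentials are never printed.
diagnose_assume_role() {
    role_arn=$1
    echo "clock here (UTC): $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    if err=$(aws sts assume-role --role-arn "$role_arn" \
            --role-session-name tf-backend-check \
            --query Credentials.Expiration --output text 2>&1 >/dev/null); then
        echo "ok: role can be assumed"
    else
        echo "cause: $(classify_sts_error "$err")"
        printf '%s\n' "$err" >&2
    fi
}

# Constructed sample messages in the AWS CLI's error format.
SAMPLES='An error occurred (SignatureDoesNotMatch) when calling the AssumeRole operation: Signature expired: 20170101T000000Z is now earlier than 20170101T001000Z (20170101T002500Z - 15 min.)
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::000000000000:user/ci is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/terraform
An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
Could not connect to the endpoint URL: "https://sts.amazonaws.com/"'

classify_samples() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
        classify_sts_error "$line"
    done
}

classify_samples
```

Calling `diagnose_assume_role arn:aws:iam::000000000000:role/terraform` on the host and again in the container shows whether the two environments fail for different reasons.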
Terraform Version
Terraform v0.9.3
Affected Resource(s)
Terraform Configuration Files
Debug Output
Initializing the backend...
Error configuring the backend "s3": The role "arn:aws:iam::000000000000:role/terraform" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Please update the configuration in your Terraform files to fix this error
then run this command again.
Expected Behavior
The backend role_arn is assumed and the backend is successfully initialized
Actual Behavior
The backend role_arn can't be assumed
Steps to Reproduce
1. Set AWS credentials ensuring they have access to assume the role e.g.
export AWS_ACCESS_KEY_ID=**************
export AWS_SECRET_ACCESS_KEY=**************************
2. cd to directory with backend config
3. run terraform init (NOT dockerized) to ensure the credentials are set correctly and can assume the specified role - backend should be initialized successfully.
4. run the same initialization but dockerized, ensuring the same credentials are passed to the container and the backend config in the current directory is available e.g.