Packer: Packer should handle assume role like Terraform does

Created on 26 Jul 2019 · 8 Comments · Source: hashicorp/packer

I would like to be able to configure credentials similar to how hashicorp allows it in terraform

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

ATM assuming roles or using other credentials has to be done as a separate step.
When running in a ci/cd scenario this requires having aws cli installed on the ci/cd runners or having a separate step and image for aws credentials.

With terraform we can apply using just the terraform image

image:
  name: hashicorp/terraform:0.12.5

and the preconfigured role_arn

Labels: builder/amazon, enhancement, track-internal

All 8 comments

I think the https://www.packer.io/docs/builders/amazon-ebs.html#profile option should allow you to switch between roles as long as you have an aws credentials file. Is that insufficient for you?

Thanks for the quick reply @SwampDragons! I'll give it a try using Ec2InstanceMetadata in the shared credentials and let you know.

@SwampDragons this does seem to work thank you!
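The shared-config route suggested above (the `profile` option plus `Ec2InstanceMetadata`), written out as an added example; it is not from the thread or the Packer project, and the account IDs, role names and external IDs are placeholders:

```ini
# ~/.aws/config on the build agent (added example, not from the thread).
# The agent's instance profile holds no long-lived access keys; its only
# IAM permission is sts:AssumeRole on the target roles. The SDK inside
# Packer reads this file, fetches the instance credentials from the
# metadata service and performs the AssumeRole call itself.
# Account IDs, role names and external IDs below are placeholders.

# Profile used to build AMIs in the "dev" account.
[profile packer-dev]
role_arn          = arn:aws:iam::111111111111:role/PackerBuildRole
credential_source = Ec2InstanceMetadata
external_id       = PLACEHOLDER_EXTERNAL_ID
role_session_name = packer-build

# Same pattern for a second account; only the Packer "profile" value
# changes between builds, no keys are stored anywhere on the agent.
[profile packer-prod]
role_arn          = arn:aws:iam::222222222222:role/PackerBuildRole
credential_source = Ec2InstanceMetadata
external_id       = PLACEHOLDER_EXTERNAL_ID
role_session_name = packer-build
```

The amazon-ebs builder then needs only `"profile": "packer-dev"` (the documented `profile` option linked in the reply above); the role session name and external ID also show up in CloudTrail on the target account, which makes the builds attributable.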

@SwampDragons

Hi Megan

Although Tim was happy with the option you provided, for me, I'd still like to be able to operate Packer in the same way as Terraform. I'll elaborate...

We use an AWS EC2 instance as a build agent which resides in a secure account. That EC2 runs using a Role which has almost no permissions. The Role does however have permissions to assume elevated roles in all the other AWS accounts we want to deploy Terraform into. So for each Terraform solution we have, we specify the provider as per Tim's first post i.e. with the assume_role construct. We don't need to give any other credentials as the Role that build agent is running as has permissions to switch to the elevated role in whatever account we choose. The actual ARN is set by Azure DevOps (our deployment pipeline) as a variable at deploy time.

We'd like to use Packer in the same way to be able to use that same build agent to create AMIs in a number of different AWS accounts without needing to create Access Keys/Secret Access Keys all over the place and then store them on a build agent. Even though the build agent is secure enough, the assume_role mechanism used by Terraform is even more secure as there's no need to store any credentials at all. Far more favourable from our Security Team's point of view :)

Is there any scope for having this same assume_role ability in Packer?

Andy

It's probably possible, but I'm not sure when we'll have a chance to implement it.

Thanks for reopening @SwampDragons
One interesting thing I ran into here is that your solution won't work with GitLab CI because the Packer image doesn't bundle the AWS CLI. Using your method requires the AWS CLI on the host as well.

@SwampDragons, is there any update on this functionality? I think it's very important to have it to use the tool in the best way possible. I'm sure it's not a big deal to implement this.

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
