Hi, I have that error:

```
2020-05-15T01:49:05.9443153Z ##[section]Starting: Packer build
2020-05-15T01:49:05.9455589Z ==============================================================================
2020-05-15T01:49:05.9456168Z Task : Packer
2020-05-15T01:49:05.9456652Z Description : Build Automated Machine Images
2020-05-15T01:49:05.9457125Z Version : 1.185.1444
2020-05-15T01:49:05.9457565Z Author : Manuel Riezebosch
2020-05-15T01:49:05.9458127Z Help : [More information](https://packer.io)
2020-05-15T01:49:05.9458783Z ==============================================================================
2020-05-15T01:49:06.1006801Z [command]/vsts_agent/agent/_work/_tool/packer/1.5.6/x64/packer build -var OWNER_SOURCE=763669947983 -var AMI_OWNER=813024095984 -var passwortest=*** -var region="us-east-1" -var 'region=us-east-1' -color=false /vsts_agent/agent/_work/r4/a/_aw0499001_bb7_aws_packer/pipeline/linux_base_was_release-testsc.json
2020-05-15T01:49:06.1625263Z Error initializing core: template: root:1:3: executing "root" at <aws_secretsmanager `bb4certificados`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration
2020-05-15T01:49:06.1626590Z
2020-05-15T01:49:06.1630922Z ==> Builds finished but no artifacts were created.
2020-05-15T01:49:06.2854915Z
2020-05-15T01:49:06.2989345Z ##[error]Error: The process '/vsts_agent/agent/_work/_tool/packer/1.5.6/x64/packer' failed with exit code 1
2020-05-15T01:49:06.3005843Z ##[section]Finishing: Packer build
```

I annex the JSON template:
```json
{
  "variables": {
    "access_key": "",
    "security_token": "",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "aws_iam_profile_name": "PackerProfile",
    "aws_region": "{{env `AWS_DEFAULT_REGION`}}",
    "region": "{{env `AWS_DEFAULT_REGION`}}",
    "vpc_id": "vpc-079d901fef225a775",
    "subnet_id": "subnet-0b03aefb2c7d4046b",
    "password": "{{ aws_secretsmanager `bb4certificados` }}"
  },
  "sensitive-variables": [
    "aws_access_key",
    "aws_secret_key",
    "passwortest",
    "password"
  ],
  "builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `access_key`}}",
      "secret_key": "{{user `secret_key`}}",
      "iam_instance_profile": "{{user `aws_iam_profile_name`}}",
      "region": "{{user `aws_region`}}",
      "vpc_id": "{{user `vpc_id`}}",
      "subnet_id": "{{user `subnet_id`}}",
      "associate_public_ip_address": true,
      "source_ami_filter": {
        "filters": {
          "name": "IBM-WAS-FULL-P-Rhel7.7-*"
        },
        "owners": [
          "{{user `OWNER_SOURCE`}}"
        ],
        "most_recent": true
      },
      "instance_type": "t2.2xlarge",
      "ssh_username": "ec2-user",
      "ami_name": "BB7-APP-WAS-RELEASE-test-{{user `AMBIENTE`}}-{{timestamp}}",
      "ami_users": [
        "{{user `AMI_OWNER`}}"
      ]
    }
  ],
  "provisioners": [
    {
      "type": "file",
      "source": "{{ template_dir }}/assets/was/packer_deploy1.sh",
      "destination": "/tmp/assets/"
    },
    {
      "type": "shell",
      "pause_before": "5s",
      "environment_vars": [
        "AWS_ACCESS_KEY_ID={{user `access_key`}}",
        "AWS_SECRET_ACCESS_KEY={{user `secret_key`}}",
        "AWS_DEFAULT_REGION={{user `aws_region`}}",
        "AWS_DEFAULT_REGION={{user `AWS_DEFAULT_REGION`}}",
        "AWS_IAM_PROFILE_NAME={{user `AWS_IAM_PROFILE_NAME`}}",
        "AWS_VPC_ID={{user `AWS_VPC_ID`}}",
        "AWS_SUBNET_ID={{user `AWS_SUBNET_ID`}}",
        "testpwd={{user `passwortest`}}",
        "testpwdSM={{user `password`}}"
      ],
      "inline": [
        "echo $testpwd > /var/tmp/passAWS",
        "echo $testpwdSM > /var/tmp/passAWSSM",
        "sudo bash -x /tmp/assets/packer_deploy1.sh $testpwd $testpwdSM"
      ]
    }
  ],
  "post-processors": [
    [
      {
        "output": "manifest.json",
        "strip_path": true,
        "type": "manifest"
      }
    ]
  ]
}
```
Thanks for reaching out! We’ll take a look when we get a chance.
I updated the issue description to fix the json markdown.
I was analyzing your logs and I noticed that you set `region` variable two times in your build command `-var region="us-east-1" -var 'region=us-east-1'`.
Besides that, your template doesn't use this variable to set the actual region config, it is using `aws_region` instead:

```json
"region": "{{user `aws_region`}}",
```

In this case, the variable `region` is not being used and if `AWS_DEFAULT_REGION` is not properly set then you will have a missing region, because this is the variable setting `aws_region`.
Could you remove one of the region variables, make sure `AWS_DEFAULT_REGION` is set and/or set the right variable in the build command?
After doing this, let me know if you're still facing the issue.
I have the same issue on packer 1.5.6.
The problem is that packer is using this library: https://github.com/overdrive3000/secretsmanager/commit/bcdff577c37aff214c9e75eaa3f6ff689acbb750
And it does 0 configuration. Packer completely misses the point of ensuring that the calls to the SecretsManager will use the same configuration as packer is using. There's a newer version of the library that allows passing in a configuration but this has not been reflected upstream.
The workaround is to set the `AWS_REGION` environment variable. Not `AWS_DEFAULT_REGION`, not any packer variables and not any `region` for the profile in use. The template above is perfectly fine.
I am pretty sure that any complex aws credential setting (like assuming roles etc) is broken too.
cc. @overdrive3000
Hello @cjcs19, as @hsanjuan points out, in order to get `aws_secretsmanager` variables working you must set the `AWS_REGION` environment variable. At the moment the `aws_secretsmanager` interpolation function only works if the proper AWS configuration is set in your environment, as stated in https://www.packer.io/docs/templates/user-variables/#aws-secrets-manager-variables
Please take into account that the interpolation function `aws_secretsmanager` works out of the context of the AWS builder, so at this moment it is not using any of the variables used by the builder, but I agree that it would be a good idea to have `aws_secretsmanager` checking if credentials or region configuration is set via user variables. I will take a look at it.
@hsanjuan you're right about the `AWS_DEFAULT_REGION` environment variable. I just found out that it is looking for the `AWS_REGION` environment variable instead; it looks like this is the default behaviour of the AWS SDK for Go. Maybe we can override this behaviour by looking for the `AWS_DEFAULT_REGION` environment variable too.
I will take a look into this after getting the new version of the `secretsmanager` package merged into Packer.
Thanks.
It should probably receive the `Config` from `packer` directly, using whatever `packer` is using (the region may be defined per `AWS_PROFILE` for example, and the credentials may need an "AssumeRole" operation beforehand). Maybe the limitation of only having it on the default variable declaration section is a problem for this?
Hi @hsanjuan, thanks for your feedback, I will look into it. I need to figure out how to reuse the current Packer AWS client in the `aws_secretsmanager` function. But I think this might be an improvement on how `aws_secretsmanager` works and not an actual bug, as it is already stated that the current implementation only works if proper AWS CLI configuration is in place.
I will open another issue to work on this as soon as PR #9202 gets merged into upstream.
One thing to keep in mind here -- users may not be using this template feature in conjunction with the AWS builder. They could be using it with any builder. Also, the credentials used to access the aws builder may not be the same credentials a user needs to access their secrets manager. So a direct 1:1 mapping doesn't work.
@SwampDragons based on your last comment, do you think it is a good idea to refactor the current `aws_secretsmanager` to use the AWS builder client, or should we keep them separated?
I think they need to remain separate. The secrets manager could benefit from more thorough credential-loading like we do in the AWS builders, but it can't depend on a client created in the builder to do its work.
I am experiencing the same issue. I export `AWS_REGION` and `AWS_DEFAULT_REGION`.
I created two files in `.aws/`: `credentials` and `config`. Region is set in config. They define the configuration for the default profile. When I call for `aws configure list` the values are set as expected.
But `aws_secretsmanager` still says it's missing. Any clue?
EDIT:
Found the solution, sorry for the inconvenience. The above solution with `AWS_REGION` works but it needs to be run like this: `AWS_REGION=aws-region-1 packer build -var-file=".env.json" packer.runner.dev.json`
You can use `export AWS_SDK_LOAD_CONFIG=true` and it will pick the region from the profile.
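
The region lookup described in the comments above, as an added shell pre-flight check (not part of any comment in this thread, and not Packer's or the AWS SDK's own code): it predicts whether `aws_secretsmanager` on Packer 1.5.6 will hit `MissingRegion` before `packer build` is run. The function names are hypothetical; the accepted `AWS_SDK_LOAD_CONFIG` values, the `AWS_DEFAULT_REGION` fallback once shared config is enabled, and the `AWS_CONFIG_FILE` / `AWS_PROFILE` lookups are assumptions based on AWS SDK for Go v1 behaviour.

```shell
#!/bin/sh
# Added example: predict the region the aws_secretsmanager template function
# (AWS SDK for Go v1 default session) will resolve from the environment.

# True when AWS_SDK_LOAD_CONFIG holds a value Go's strconv.ParseBool treats
# as true (assumption: this is how the SDK parses the variable).
sdk_load_config_enabled() {
  case "${AWS_SDK_LOAD_CONFIG:-}" in
    1|t|T|true|TRUE|True) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the `region` value of one profile from an AWS shared config file.
# $1 = config file path, $2 = profile name
profile_region() {
  if [ "$2" = "default" ]; then _header="[default]"; else _header="[profile $2]"; fi
  awk -v want="$_header" '
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
    in_sec && /^[ \t]*region[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1" 2>/dev/null
}

# Resolution order: AWS_REGION always wins; AWS_DEFAULT_REGION and the
# profile's region are consulted only when AWS_SDK_LOAD_CONFIG is truthy.
resolve_sdk_region() {
  if [ -n "${AWS_REGION:-}" ]; then printf '%s\n' "$AWS_REGION"; return 0; fi
  sdk_load_config_enabled || return 1
  if [ -n "${AWS_DEFAULT_REGION:-}" ]; then printf '%s\n' "$AWS_DEFAULT_REGION"; return 0; fi
  _region=$(profile_region "${AWS_CONFIG_FILE:-$HOME/.aws/config}" \
                           "${AWS_PROFILE:-default}") || return 1
  [ -n "$_region" ] && printf '%s\n' "$_region"
}

# Gate for a pipeline step: preflight_secretsmanager_region && packer build ...
preflight_secretsmanager_region() {
  if _r=$(resolve_sdk_region); then
    echo "aws_secretsmanager will use region: $_r"
  else
    echo "MissingRegion expected: export AWS_REGION, or set" \
         "AWS_SDK_LOAD_CONFIG=true with a region in the active profile" >&2
    return 1
  fi
}
```
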
Hey there :wave: I created a PR updating the secrets manager integration to use the AWS configuration file as default if no environment variable information is available, which should resolve this issue. There are test binaries available at https://app.circleci.com/pipelines/github/hashicorp/packer/6719/workflows/1e258eef-6bc2-4740-a9b6-9dddd406d9af/jobs/75036/artifacts
Can you please give the binaries a try and let us know if you run into any issues. Thanks!