Packer: Use AWS profiles for credentials?

Created on 18 Jul 2015 · 28 Comments · Source: hashicorp/packer

I manage multiple aws users and I'd love to be able to specify which aws profile to use as described in the aws docs. Would this be a feature worth considering?

Labels: builder/amazon, enhancement

All 28 comments

This should already work given the proper env vars, is it not?

Ah, forgive me! I wasn't aware you can specify a default profile using an environment variable (AWS_DEFAULT_PROFILE for those interested). My bad!

Well, shoot. Just tested that and it's not working. As long as the variable is unset and there is a default profile, it works fine, but if I change AWS_DEFAULT_PROFILE, it fails to work.

Edit: more information.

@nathanielks I think we're just using the upstream env and static behavior

Implementing logic around resolving AWS_DEFAULT_PROFILE is out of scope for packer, but I think it would be reasonable to support if upstream includes it. (I don't think they do, now, though.)

The problem is here. >>> https://github.com/aws/aws-sdk-go/blob/master/aws/credentials/shared_credentials_provider.go#L126-L132

The 'magic' variable is AWS_PROFILE, not the AWS standard as documented 'AWS_DEFAULT_PROFILE'.

Fundamentally the Packer documentation is so bad, it's a sick joke.

PLEASE DOCUMENT!

Thanks for the heads up, @tb3088! I'm sure PR's accepted.

I have a branch all ready to go but can't push. (not on committer's list)
Do I need to fork and then?

Ahhh, brilliant! Not a problem. You'll have to fork the original repo, apply the changes you made on the clone of the original repo, then submit a PR based on your fork.

If I did it right (rank newbie at git)
https://github.com/mitchellh/packer/pull/2482

Hello,
Would it be possible to have a profile using assume-role/MFA working with packer?
I have the following credentials file:

[myprofile]
aws_access_key_id = <accesskey>
aws_secret_access_key = <secretaccesskey>

[myprofile2]
role_arn = arn:aws:iam::<accountid>:role/<rolename>
source_profile = myprofile
mfa_serial = arn:aws:iam::<accountid>:mfa/<userid>

If I do export AWS_PROFILE=myprofile2
and then packer build
it hangs at:

Debug mode enabled. Builds will not be parallelized.
amazon-ebs output will be in this color.

==> amazon-ebs: Prevalidating AMI Name...

and then times out with

==> amazon-ebs: Error querying AMI: NoCredentialProviders: no valid providers in chain
Build 'amazon-ebs' errored: Error querying AMI: NoCredentialProviders: no valid providers in chain

Same problem as @EmFl reported... Any ideas?

@drajcan if it can help, in the meantime I'm doing this and exporting the temp keys to env vars:
aws sts assume-role --role-session-name --role-arn arn:aws:iam:::role/ --serial-number arn:aws:iam:::mfa/
--token-code --profile myprofile

Also would love to get profiles with assumed roles working.

@EmFl See comment here: https://github.com/mitchellh/packer/issues/3070#issuecomment-174659483

The key name in the builder must be "token" and the value must be {{user aws_session_token}} or else it won't find it.

Does anyone know the current status of this issue?

This is working as intended, see https://www.packer.io/docs/builders/amazon.html

I'm sorry to say, if this is working as intended, the intention is bad.
The easiest way to use roles is using profiles. So I define a profile "admin" in my ~/.aws/config file. This profile is based on my credentials in ~/.aws/credentials.
So I call packer as I would call any other tool with aws access (e.g. ansible):

AWS_PROFILE=admin packer build packer.json

But this does not work. If the documentation is correct, packer looks first in ~/.aws/credentials, then at AWS_PROFILE. This is wrong, it must be the other way around.

@telepath You should be able to specify a config profile with "profile". It's not documented (for some reason, probably my fault), but you can see the setup for it here: https://github.com/mitchellh/packer/blob/master/builder/amazon/common/access_config.go#L38

@ThatGerber One major advantage of using profiles is that I can set the AWS_PROFILE environment variable to make boto use a specific role (with mfa, even), giving me the much same result on my pc as I would get on an ec2 instance with an instance profile.
I do not want to define the role inside the script, since:

  • I'd need different configs between local dev and ec2 with profile
  • The profile name is not part of the repository and can differ from client to client.

I'm sorry to say, if this is working as intended, the intention is bad.

@telepath it's not. But unfortunately the docs are a bit vague and incorrect on the exact order. See #4553. The only missing feature I know about is that we don't support MFA/assume role in Packer. If you need to have that you have to solve that outside of packer and pass in the access key and STS token. And packer doesn't support ECS task roles either.
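As an added example (not code from this thread, from Packer or from aws-sdk-go), here is a stand-alone Go check for the failure drajcan describes above and rickard-von-essen confirms: it parses a constructed credentials file of the same shape and reports whether the profile that AWS_PROFILE would select carries static keys, or depends on an assume-role/MFA hop through source_profile that a shared-credentials-only provider cannot perform. The profile names, ARNs and key values are constructed placeholders.

```go
package main

import "fmt"
import "strings"

const sampleCredentials = `[myprofile]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER
[myprofile2]
role_arn = arn:aws:iam::123456789012:role/PackerBuild
source_profile = myprofile
mfa_serial = arn:aws:iam::123456789012:mfa/someuser
` // constructed sample shaped like the credentials file quoted in the thread; placeholder values

// parseProfiles reads the INI-style shared credentials/config format into profile -> key -> value;
// "[profile x]" (config file) and "[x]" (credentials file) both map to x.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string // section currently being filled
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			profiles[strings.TrimPrefix(line[1:len(line)-1], "profile ")] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil && !strings.HasPrefix(line, "#") {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// classify reports whether the profile selected via AWS_PROFILE (the variable the SDK reads; it
// ignores AWS_DEFAULT_PROFILE) holds static keys a shared-credentials provider can serve, or needs
// an STS assume-role step (optionally MFA) it never performs, which Packer reports as NoCredentialProviders.
func classify(profiles map[string]map[string]string, name string) (string, error) {
	switch p := profiles[name]; { // nil map for an unknown profile; its lookups yield ""
	case p["aws_access_key_id"] != "" && p["aws_secret_access_key"] != "":
		return "static", nil
	case p["role_arn"] != "" && profiles[p["source_profile"]]["aws_access_key_id"] != "":
		if p["mfa_serial"] != "" {
			return "assume-role+mfa", nil
		}
		return "assume-role", nil
	}
	return "", fmt.Errorf("profile %q not found or has no usable credentials", name)
}

func main() {
	fmt.Println(classify(parseProfiles(sampleCredentials), "myprofile2")) // assume-role+mfa <nil>
}
```

Point this at a real ~/.aws/credentials plus ~/.aws/config before a build and any "assume-role" result tells you in advance that the profile has to be materialised into static keys or a session token first, exactly as the thread describes.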

For everyone who needs this, I've found an acceptable way to do it:

{
  "variables": {
    "aws_profile": "{{env `AWS_PROFILE`}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "eu-central-1",
    "profile": "{{ user `aws_profile`}}"
[...]

This should work if AWS_PROFILE is set, and if it is not, use default credentials.

Also, this works correctly if no default credentials are defined in ~/.aws/credentials

@telepath's solution worked for my use case. I'll comment further on the documentation in #4553.

also, for everyone struggling to find a way to use profiles with mfa for all tools I recommend https://github.com/trek10inc/awsume

@rickard-von-essen @telepath Assume role should be supported, but it isn't written to automatically pull the profile from the ENV variable. A possible reason being that for years, AWS has always maintained that config files are not something standard to all SDKs. They were implemented originally only for the CLI (i.e. Boto and the Python SDK). However, they've become ubiquitous and support is being rolled out to more official SDKs. Particularly, functionality around assuming roles from a central config file was originally specific only to the CLI. The intent was that the application would do the work to assume roles and/or write to a central credentials file that the SDK could read from.

Here's one example of an SDK maintainer confirming it on Jan 15, 2016: https://github.com/aws/aws-sdk-ruby/issues/1045#issuecomment-169068829

@ThatGerber I think that makes a lot of sense. I would have probably taken the same stance then, not relying on undocumented behavior. It looks like things change!

Thanks for clearing this up a little, @ThatGerber.
The answer that the SDK does not support this is completely acceptable to me.
As I wrote, I found a way to solve this for all tools, but it was really frustrating to figure out what packer can do and what not. Comments like "This is working as intended" didn't really help, either.

Locking this since there is a lot of vague/confusing/incorrect info here.

_If someone thinks there is a bug around using AWS Profiles, open a new issue, supplying all requested info._ Or open a feature request if there is a missing feature you need.
