Terraform-provider-aws: Terraform does not use IAM Role for ECS Task as credential provider

Created on 13 Jun 2017 · 5 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @iwat as hashicorp/terraform#8746. It was migrated here as part of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.7.3

Affected Resource(s)

  • aws_alb_target_group
  • aws_security_group
  • a lot

This affects all AWS-related commands.

Terraform Configuration Files

resource "aws_security_group_rule" "demo_pri_ingress_vpn_service" {
    security_group_id = "${aws_security_group.demo_pri.id}"
    type = "ingress"

    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["${data.terraform_remote_state.infra.vpn-cidr_block}"]
}

Debug Output

https://gist.github.com/iwat/df0b0ebfe2f8db62adfd5953bfd6b92c

Panic Output

None

Expected Behavior

It should work by using the IAM Role for the ECS Task.
awscli works.

Actual Behavior

It was using the EC2 Instance Role, which does not allow this action.

Error retrieving Target Group: AccessDenied: User: arn:aws:sts::872767853649:assumed-role/myrole/i-0223aeb98c19f2d0d

Steps to Reproduce

  • Set up an EC2 instance; do not grant it any critical IAM action.
  • Set up an ECS task; grant it the IAM actions required for testing.
  • Try the AWS CLI inside the running ECS task; it should work fine.
  • Run terraform in the AWS ECS task.

Important Factoids

None

References

enhancement

All 5 comments

@stack72 This is still an issue on 0.9.10. Any hope of fixing this in the near future? terraform should try getting the ECS credentials before the instance-profile credentials.
http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

I hope Terraform will be able to get these credentials for use in CodeBuild. For now I am doing the following:

export AWS_ACCESS_KEY_ID=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.AccessKeyId'`
export AWS_SECRET_ACCESS_KEY=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.SecretAccessKey'`
export AWS_SESSION_TOKEN=`curl --silent http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | jq -r '.Token'`

Cheers!

This was implemented in #1425 which was just merged.

Here's a workaround similar to the one above for CodeBuild, which may be useful in a Python container with minimal bash utilities. It is placed in the buildspec file.

  - export AWS_ACCESS_KEY_ID=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["AccessKeyId"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
  - export AWS_SECRET_ACCESS_KEY=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["SecretAccessKey"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
  - export AWS_SESSION_TOKEN=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["Token"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
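The credential order asked for earlier in the thread (ECS task credentials before the instance-profile credentials) together with the endpoint both workarounds above read, as an added Go example that is not code from the issue, the provider or the AWS SDK. `Credentials`, `resolveCredentials` and `fetchTaskCredentials` are hypothetical names; the caller supplies the `*http.Client` and an instance-role lookup function (both assumptions), so the same logic runs inside a task against 169.254.170.2 or against a test double.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Credentials is the JSON document the ECS agent serves at
// http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (the URL the curl workaround above reads).
type Credentials struct{ AccessKeyId, SecretAccessKey, Token string }

// resolveCredentials applies the order asked for in the thread: static env vars, then the ECS task role
// endpoint whenever the relative URI is set, and the EC2 instance role only after that. A configured
// endpoint that fails is an error, not a silent fall-through to the instance role's permissions.
// env is passed in rather than read from os.Getenv so the lookup can be exercised without a real task.
func resolveCredentials(env map[string]string, client *http.Client, instanceRole func() (Credentials, error)) (Credentials, string, error) {
	if env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" {
		return Credentials{env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"], env["AWS_SESSION_TOKEN"]}, "env", nil
	}
	if rel := env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]; rel != "" {
		c, err := fetchTaskCredentials(client, "http://169.254.170.2"+rel)
		if err != nil {
			return Credentials{}, "", fmt.Errorf("ecs task credentials: %w", err)
		}
		return c, "ecs-task-role", nil
	}
	c, err := instanceRole()
	return c, "ec2-instance-role", err
}

// fetchTaskCredentials performs the GET and rejects a response missing any of the three fields
// (a partial payload would otherwise surface later as a failed request signature, far from the cause).
func fetchTaskCredentials(client *http.Client, url string) (Credentials, error) {
	resp, err := client.Get(url)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("endpoint returned HTTP %d", resp.StatusCode)
	}
	var c Credentials
	if err = json.NewDecoder(resp.Body).Decode(&c); err != nil || c.AccessKeyId == "" || c.SecretAccessKey == "" || c.Token == "" {
		return Credentials{}, fmt.Errorf("incomplete or undecodable credential payload: %v", err)
	}
	return c, nil
}
```

Inside a task, pass `http.DefaultClient` and a map built from `os.Getenv`; the returned source string tells you which provider actually answered, which is the first thing to check when an AccessDenied names the instance role instead of the task role.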

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
