Terraform: Using EC2 IAM Role to assume role in another account

Created on 22 Jul 2016 · 4 Comments · Source: hashicorp/terraform

Hi,

We cannot assume a role in another account while running from an instance in EC2 with an IAM role.

We wish to be able to use our EC2 role to assume the IAM role in the target account and then populate the required environment variables to have Terraform use that role.

At no point do we wish to be storing access keys in the configuration. We wish to use implicit roles.

Terraform Version

  • Terraform v0.6.16 (Windows)
  • Terraform v0.7.0-rc3 (Windows)

Affected Resource(s)

  • provider AWS

Terraform Configuration Files

provider "aws" {
  region = "eu-west-1"
}

provider "aws" {
  alias  = "ireland"
  region = "eu-west-1"
}

provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

resource "aws_security_group" "BLAH_EU-WEST-1_ELB" {
  provider    = "aws.ireland"
  name        = "BLAH_ELB"
  description = "Allow traffic to BLAH ELBs"

  vpc_id = "vpc-xxxxxx"

  tags {
    Name = "BLAH_ELB"
  }
}

resource "aws_security_group_rule" "BLAH_EU-WEST-1_ELB_inbound_80" {
  provider    = "aws.ireland"
  type        = "ingress"
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]

  security_group_id = "${aws_security_group.BLAH_EU-WEST-1_ELB.id}"
}

resource "aws_security_group_rule" "BLAH_EU-WEST-1_ELB_outbound_80" {
  provider  = "aws.ireland"
  type      = "egress"
  from_port = 80
  to_port   = 80
  protocol  = "tcp"
  # The BLAH_EU-WEST-1_WEB security group is referenced but not shown in this excerpt.
  source_security_group_id = "${aws_security_group.BLAH_EU-WEST-1_WEB.id}"

  security_group_id = "${aws_security_group.BLAH_EU-WEST-1_ELB.id}"
}

Debug Output

https://gist.github.com/agarstang/1aa8189af5b15ce864d2b02de2ec7fb8

Expected Behavior

We should be able to, using our EC2 role, get temporary credentials for the role we are assuming. Then, when we populate the following environment variables, Terraform should run as the target role.

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SECURITY_TOKEN

Actual Behavior

When your instance has an EC2 role, Terraform ignores AWS_SECURITY_TOKEN and attempts to use the token from the metadata service. This obviously doesn't work with AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY.

Steps to Reproduce

To reproduce this you need two AWS accounts.

  1. Create an EC2 role in the source account
  2. Launch an instance with that role and install Terraform
  3. Create a role in the target account that has the permissions Terraform requires
  4. Create a trust relationship with the role in the source account
  5. On the source EC2 instance use your preferred method to call the assume-role API
  6. Populate the environment variables with the assumed credentials
  7. terraform apply

References

  • #2693
Labels: bug, provider/aws

All 4 comments

@agarstang this use case is exactly why we wrote https://github.com/manheim/awssume. I referenced it in https://github.com/hashicorp/terraform/issues/2693 as well. I don't know that it solves everyone in that thread's use case, but it definitely works for this one. You need only supply an ARN for the role you want to assume and the command you want to execute.

Example:

  $ AWS_ROLE_ARN=arn:aws:iam::123456789012:role/RoletoAssume \
      awssume terraform apply

@reppard the drawback of this is the additional dependency on Ruby (as well as the certificate bundle on Windows required to talk to the AWS API).

I would still consider this a bug as it is counter-intuitive behavior that goes against the credential search order described in the documentation.

Hi @agarstang

This has been added as a new feature in Terraform 0.7.3 which was released yesterday

Paul
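For reference, an added example (not from the original thread) of the provider-level assume_role block the AWS provider gained from Terraform 0.7.3 onward, which removes the need to export STS credentials by hand. Account IDs, role names, the aws_iam_role_policy resource and the session names are placeholders; the instance's own role is still picked up implicitly from the metadata service, and the target role's trust policy must name the source instance role as a principal.

```hcl
# Source account (where the EC2 instance runs): permit the instance role
# to assume exactly one role in the target account. Applied through the
# default provider, which uses the instance role's implicit credentials.
resource "aws_iam_role_policy" "allow_assume_target" {
  name = "assume-terraform-target"
  role = "SourceInstanceRole" # placeholder: the EC2 instance's IAM role name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222222222:role/TerraformDeploy"
  }]
}
EOF
}

# Target account: the trust policy on TerraformDeploy (placeholder role)
# must allow the source role, e.g. Principal AWS =
# "arn:aws:iam::111111111111:role/SourceInstanceRole", Action sts:AssumeRole.

# Regional aliases, as in the issue's configuration, but each provider
# now swaps the instance role's credentials for the target role via STS.
provider "aws" {
  alias  = "ireland"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TerraformDeploy"
    session_name = "terraform-ireland" # shows up in CloudTrail in the target account
  }
}

provider "aws" {
  alias  = "virginia"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/TerraformDeploy"
    session_name = "terraform-virginia"
  }
}
```

No access keys appear in the configuration or the environment; the only long-lived identity is the instance role, and the target account's CloudTrail records each assume-role call under the given session name.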

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
