Terraform: S3 backend config role_arn can't be assumed when running dockerized

Created on 16 Apr 2017 · 10 Comments · Source: hashicorp/terraform

Terraform Version

Terraform v0.9.3

Affected Resource(s)

  • backend

Terraform Configuration Files

terraform = {
  required_version = "~> 0.9.3"

  backend "s3" {
    region     = "eu-west-1"
    bucket     = "anto-terraform-state"
    key        = "platform/network.tfstate"
    role_arn   = "arn:aws:iam::000000000000:role/terraform"
  }
}

Debug Output

Initializing the backend...

Error configuring the backend "s3": The role "arn:aws:iam::000000000000:role/terraform" cannot be assumed.

There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid

Please update the configuration in your Terraform files to fix this error
then run this command again.

Expected Behavior

The backend role_arn is assumed and the backend is successfully initialized

Actual Behavior

The backend role_arn can't be assumed

Steps to Reproduce

  1. Set AWS credentials ensuring they have access to assume the role e.g.
    export AWS_ACCESS_KEY_ID=**************
    export AWS_SECRET_ACCESS_KEY=**************************

  2. cd to directory with backend config

  3. run terraform init (NOT dockerized) to ensure the credentials are set correctly and can assume the specified role - backend should be initialized successfully.

  4. run the same initialization but dockerized, ensuring the same credentials are passed to the container and the backend config in the current directory is available e.g.

docker run -ti --rm \
  --volume "$(pwd):/terraform" \
  --workdir "/terraform" \
  -e "AWS_ACCESS_KEY_ID" \
  -e "AWS_SECRET_ACCESS_KEY" \
  "hashicorp/terraform:0.9.3" \
  init
Labels: backend/s3, bug, v0.9

All 10 comments

I've also tried just launching the terraform container interactively e.g.

docker run -ti --rm \
  --volume "$(pwd):/terraform" \
  --workdir "/terraform" \
  -e "AWS_ACCESS_KEY_ID" \
  -e "AWS_SECRET_ACCESS_KEY" \
  --entrypoint sh \
  "hashicorp/terraform:0.9.3"

ensuring the backend config is available, setting the credentials and running terraform init and get the same error.

I'm wondering whether there is a time-based aspect to this issue?

I restarted Docker for Mac, rebooted Mac, and the problem was still apparent.

It disappeared the next day.

It intermittently reappears.

Same issue with Terraform v0.10.8

getting the same issue even when running non-dockerized

$ terraform version
Terraform v0.11.0

I have my ~/.aws/credentials file setup with several profiles. I use the default profile to assume roles on other accounts

[default]
aws_access_key_id = MY_KEY
aws_secret_access_key = MY_SECRET
region = eu-west-1

From the aws cli it works and I get my temporary credentials:

$ aws --profile default sts assume-role --role-arn arn:aws:iam::111111111111:role/terraform --role-session-name terraform
{
    "Credentials": {
        "AccessKeyId": "TEMP_KEY",
        "SecretAccessKey": "TEMP_SECRET",
        "SessionToken": "SESSION_TOKEN",
        "Expiration": "2017-11-30T10:13:15Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "ID:terraform",
        "Arn": "arn:aws:sts::111111111111:assumed-role/terraform/terraform"
    }
}

The only AWS_ variable set in my environment is:

$ env | grep AWS
AWS_PROFILE=default

My terraform backend configuration looks like:

terraform {
  required_version = ">= 0.11.0"
  backend "s3" {
    region          = "eu-west-1"
    bucket          = "terraform"
    key             = "dev/vpc.tfstate"
    encrypt         = "true"
    profile         = "default"
    role_arn        = "arn:aws:iam::111111111111:role/terraform"
    session_name    = "terraform"
  }
}

When trying to run a $ terraform init I get the "role cannot be assumed" error. Trace output for terraform init:

...
2017/11/30 10:15:04 [INFO] Building AWS region structure
2017/11/30 10:15:04 [INFO] Building AWS auth structure
2017/11/30 10:15:04 [INFO] Setting AWS metadata API timeout to 100ms
2017/11/30 10:15:04 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2017/11/30 10:15:04 [INFO] Attempting to AssumeRole arn:aws:iam::111111111111:role/terraform (SessionName: "terraform", ExternalId: "", Policy: "")
2017/11/30 10:15:04 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
Error initializing new backend:
2017/11/30 10:15:24 [DEBUG] plugin: waiting for all plugin processes to complete...
Error configuring the backend "s3": The role "arn:aws:iam::111111111111:role/terraform" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

Please update the configuration in your Terraform files to fix this error
then run this command again.

My policy does not require MFA

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::111111111111:role/terraform"
        ]
    }
}

I tried removing the .terraform subdirectory and re-running $ terraform init, but no change.

The weird thing is that it did work yesterday. I have set up and torn down my environment repeatedly the last few days... The code is in version control, and I haven't changed my ~/.aws/credentials, and today it just stopped working.

I did play around with installing boto3 and boto through pip, but am assuming this won't impact behaviour of terraform since it's a go application

Any insights into this issue would be much appreciated

It turned out to be a network issue. The strange thing is that the aws cli did work, while terraform didn't. I guess it's using a different network stack to do DNS resolving or something.

Hi,

I have the same problem, did you find any solution?

It seems like sometimes it works and sometimes it doesn't. It randomly works.

Regards,

Having the same issue - appears to be intermittent. Is there a known resolution for this issue?

Hi, I'm experiencing the same issue

It works great with Terraform version v0.13.3. Here is how I am doing it

terraform {
  backend "s3" {
    bucket       = "terraform-states"
    region       = "ap-south-1"
    profile      = "terraform"
    key          = "prod/terraform.tfstate"
    role_arn     = "arn:aws:iam::037912942455:role/terraform"
    session_name = "terraform"
  }
}

The user behind profile "terraform" has permission only to assume the terraform role.

@yogeshdass Setting the profile corresponding to the role defined under .aws/config helped in my case. thanks for the pointer!!
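The resolution in the last two comments comes down to getting the profile/role chain in ~/.aws/config and ~/.aws/credentials right before `terraform init` ever calls STS. The following is an added example (not code from the thread or from Terraform) of an offline preflight lint for that chain: it parses the two shared AWS files the way the SDK does (`[profile name]` sections in config, bare `[name]` sections in credentials), walks `source_profile` links from the profile the backend names, and reports a missing profile, a loop, a profile that can yield no credentials at all, an `mfa_serial` that a non-interactive run cannot satisfy, and the case where both the profile and the backend specify a role (the first role's session must then be trusted to assume the backend's `role_arn`). The file contents, profile names and `111111111111` account IDs are constructed placeholders; no network call is made.

```python
"""Offline preflight lint of the AWS profile/role chain an S3 backend will use.

Added example, not part of the issue thread or of Terraform itself.
"""
import configparser
import re

# Constructed stand-ins for ~/.aws/config and ~/.aws/credentials.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1

[profile terraform]
role_arn = arn:aws:iam::111111111111:role/terraform
source_profile = default

[profile loop-a]
role_arn = arn:aws:iam::111111111111:role/a
source_profile = loop-b

[profile loop-b]
role_arn = arn:aws:iam::111111111111:role/b
source_profile = loop-a
"""

SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEKEY
aws_secret_access_key = EXAMPLESECRET
"""

# IAM role ARN shape: arn:aws[-partition]:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: {key: value}}.

    The config file prefixes section names with "profile " (except [default]);
    the credentials file does not. Keys from credentials override config.
    """
    profiles = {}
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(cfg[section])
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    for section in creds.sections():
        profiles.setdefault(section, {}).update(creds[section])
    return profiles


def has_static_credentials(profile):
    return "aws_access_key_id" in profile and "aws_secret_access_key" in profile


def check_profile_chain(profiles, name):
    """Follow source_profile links starting at `name`.

    Returns (findings, hops): findings is a list of human-readable problems,
    hops the role ARNs configured along the chain, starting profile first.
    """
    findings, hops, seen = [], [], []
    while True:
        if name in seen:
            findings.append("profile chain loops: " + " -> ".join(seen + [name]))
            return findings, hops
        seen.append(name)
        profile = profiles.get(name)
        if profile is None:
            findings.append(f"profile '{name}' not found in config or credentials file")
            return findings, hops
        if "mfa_serial" in profile:
            findings.append(f"profile '{name}' sets mfa_serial; a non-interactive init cannot supply the token")
        role = profile.get("role_arn")
        if role is None:
            # Terminal profile: it must be able to produce base credentials itself.
            if has_static_credentials(profile) or "credential_source" in profile or "credential_process" in profile:
                return findings, hops
            findings.append(f"profile '{name}' has neither credentials nor role_arn/source_profile")
            return findings, hops
        if not ROLE_ARN_RE.match(role):
            findings.append(f"profile '{name}': role_arn '{role}' is not a valid IAM role ARN")
        hops.append(role)
        if "credential_source" in profile:
            return findings, hops  # base credentials come from the environment/instance
        source = profile.get("source_profile")
        if source is None:
            findings.append(f"profile '{name}' has role_arn but no source_profile or credential_source")
            return findings, hops
        name = source


def check_backend(backend, profiles):
    """`backend` is a dict of the s3 backend arguments (profile, role_arn, ...).

    Returns a list of findings; an empty list means the chain looks sound.
    """
    findings = []
    chain_findings, hops = check_profile_chain(profiles, backend.get("profile", "default"))
    findings.extend(chain_findings)
    role = backend.get("role_arn")
    if role is not None:
        if not ROLE_ARN_RE.match(role):
            findings.append(f"backend role_arn '{role}' is not a valid IAM role ARN")
        elif hops:
            findings.append(
                f"role chaining: backend role_arn {role} is assumed with a session obtained by "
                f"assuming {hops[0]}; that role must be allowed sts:AssumeRole on it"
            )
    return findings


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS)
    for backend in ({"profile": "terraform"}, {"profile": "loop-a"}, {"profile": "missing"}):
        print(backend, "->", check_backend(backend, profiles) or "ok")
```

To run it against a real workstation, read `~/.aws/config` and `~/.aws/credentials` into the two text arguments and pass the `profile` and `role_arn` values from the backend block; a clean result only says the local chain is coherent, so the trust policy on the role and the network path to STS (the cause found in one comment above) still have to be checked separately.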
