GoogleCloudPlatform / terraformer

CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
Apache License 2.0

inline credentials without files for AWS #549

Closed chrisgallivan closed 3 years ago

chrisgallivan commented 4 years ago

Is there a way to set AWS credentials inline without the usage of the file system?

I exported AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID

and then I run:

terraformer import aws --resources=lambda --filter= --regions=us-east-1 --compact=true -p=./deployment/dev/

I am getting:

2020/07/12 13:45:32 aws importing region us-east-1
2020/07/12 13:45:32 aws importing... lambda
2020/07/12 13:45:36 EC2RoleRequestError: no EC2 instance role found
caused by: exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: connection refused

The only way I can get it to work is if I set the --profile parameter using the config and credentials file.

chenrui333 commented 4 years ago

Interesting, I actually don't have an issue running your command against my AWS account.

syswipe commented 4 years ago

I have the same issue. I don't use the .aws/credentials file because our company uses SSO authentication. I exported the following variables: AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN. And I'm getting the following:

terraformer import aws --regions=eu-central-1 -r subnet,vpc
2020/08/17 15:40:57 aws importing region eu-central-1
2020/08/17 15:40:57 aws importing... subnet
2020/08/17 15:41:04 EC2RoleRequestError: no EC2 instance role found

Any suggestion?

syswipe commented 4 years ago

@chrisgallivan have you solved this problem?

szEvEz commented 4 years ago

I am receiving the exact same error:

$ terraformer plan aws --resources=s3 --bucket gs://$bucketurl
 -s bucket --profile default
2020/09/14 09:27:33 aws importing default region
2020/09/14 09:27:33 aws importing... s3
2020/09/14 09:27:53 EC2RoleRequestError: no EC2 instance role found
caused by: request canceled, context deadline exceeded

But I cannot get it working via exporting the env vars NOR by setting the --profile flag using the AWS config and credentials file.

sergeylanzman commented 3 years ago

@meshuga any ideas?

schollii commented 3 years ago

You can get the "context deadline exceeded" error if you have wrong credentials.

Maks3w commented 3 years ago

In my case this issue is due to AWS SSO credentials. They are supported from SDK 1.37 but this repo is stuck on 1.36.

meshuga commented 3 years ago

We use SDK V2, which recently went GA and had major refactoring before the release, with changes in the authentication mechanism. I started refactoring the code but can try to make sure it'll work with SSO too.

bcorner13 commented 3 years ago

It also understands AWS_PROFILE, if you're looking for an environment variable approach. Though I personally use the --profile approach.

meshuga commented 3 years ago

> It also understands AWS_PROFILE, if you're looking for an environment variable approach. Though I personally use the --profile approach.

Go SDK V2 has logic to retrieve the profile to be used from environment variables, the default providers are implemented, and it is also a little bit easier to provide e.g. MFA support. I tried to provide multiple ways to make use of what's available through the SDK as much as possible. I remember some time ago, it was very hard to support multiple authentication mechanisms within the same tool.

@Maks3w It seems SSO support was added recently in https://github.com/aws/aws-sdk-go-v2/pull/1072. Will switch to latest version and see how it can support SSO :)

github-actions[bot] commented 3 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] commented 3 years ago

This issue was closed because it has been stalled for 7 days with no activity.

rafaela-soares commented 2 years ago

I am getting the same error.

AWS provider version: 3.72.0
Terraformer version: v0.8.21

I exported the AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN.

exec command: terraformer import aws --resources=vpc --regions=eu-west-2 --profile="" --verbose

Error: 2022/08/18 09:58:09 aws error initializing resources in service vpc, err: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: connection refused

@chrisgallivan, did you solve it?

@sergeylanzman, can you help me, please?

rafaela-soares commented 2 years ago

@syswipe, did you solve it?

tetienne commented 1 year ago

This request still seems legit. Do any of you have a workaround?

ypresto commented 1 year ago

TL;DR: To work around this, just add --profile="" to your command. If the error still exists, check the credentials in your environment variables.

Note that the actual error message may vary by configuration (like ~/.aws/credentials). For me it was: api error AuthFailure: AWS was not able to validate the provided access credentials.

I'm using aws-vault, which exports credentials to env vars, and the default profile in ~/.aws/credentials was an already-invalidated credential.

Why --profile="" works as a workaround:

The --profile option is set to "default" here if omitted: https://github.com/GoogleCloudPlatform/terraformer/blob/1fde02dd7cb230b9d89f8fe0084f03b908d39236/cmd/provider_cmd_aws.go#L76

The --profile option is passed to the AWS SDK using WithSharedConfigProfile() if it is not an empty string (and it is "default" if omitted): https://github.com/GoogleCloudPlatform/terraformer/blob/1fde02dd7cb230b9d89f8fe0084f03b908d39236/providers/aws/aws_service.go#L75-L76

It seems that when WithSharedConfigProfile() is specified, the AWS SDK of course does not read the credential env vars.
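
The flag handling described in the comment above, as an added Go sketch (not terraformer's or the AWS SDK's code) that predicts which credential source a run will end up using, so a stale shared profile is spotted before it is sent to AWS. `predictSource` and `profileHasKeys` are hypothetical names, the inputs are constructed, and the model is a simplification: it follows this thread's description and error logs and ignores AWS_PROFILE, SSO and session tokens.

```go
package main

import (
	"fmt"
	"strings"
)

// profileHasKeys reports whether an INI-style credentials file body
// contains an aws_access_key_id entry under the [profile] section.
func profileHasKeys(credsFile, profile string) bool {
	section := ""
	for _, raw := range strings.Split(credsFile, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 && section == profile && strings.TrimSpace(kv[0]) == "aws_access_key_id" {
			return true
		}
	}
	return false
}

// predictSource models the behaviour described in the thread (assumption, not
// SDK code). flag == nil means --profile was omitted, which becomes "default";
// a pointer to "" means --profile="" was passed explicitly.
func predictSource(flag *string, env map[string]string, credsFile string) string {
	profile := "default"
	if flag != nil {
		profile = *flag
	}
	switch {
	case profile != "" && profileHasKeys(credsFile, profile):
		return "shared profile " + profile + " (env keys ignored)"
	case profile != "":
		return "profile " + profile + " has no keys: IMDS lookup (env keys ignored)"
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		return "environment variables"
	}
	return "SDK default chain"
}

func main() {
	// Constructed sample input: exported keys plus a stale default profile.
	env := map[string]string{"AWS_ACCESS_KEY_ID": "CONSTRUCTED_ID", "AWS_SECRET_ACCESS_KEY": "CONSTRUCTED_SECRET"}
	stale, empty := "[default]\naws_access_key_id = CONSTRUCTED_OLD_ID\n", ""
	fmt.Println(predictSource(nil, env, stale))    // flag omitted
	fmt.Println(predictSource(&empty, env, stale)) // --profile=""
}
```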