Closed chrisgallivan closed 3 years ago
Interesting, I actually dont have issue running your command against my aws account.
I have the same issue. I don't use the .aws/credentials file because our company uses SSO authentification. I exported the next variables: AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN. And i'm getting the next:
terraformer import aws --regions=eu-central-1 -r subnet,vpc 2020/08/17 15:40:57 aws importing region eu-central-1 2020/08/17 15:40:57 aws importing... subnet 2020/08/17 15:41:04 EC2RoleRequestError: no EC2 instance role found
Any suggestion?
@chrisgallivan have you solved this problem?
I am receiving the exact same error:
$ terraformer plan aws --resources=s3 --bucket gs://$bucketurl
-s bucket --profile default
2020/09/14 09:27:33 aws importing default region
2020/09/14 09:27:33 aws importing... s3
2020/09/14 09:27:53 EC2RoleRequestError: no EC2 instance role found
caused by: request canceled, context deadline exceeded
But I can not get it working via exporting the env vars NOR by setting the --profile flag using the aws config and credential file.
@meshuga any Ideas?
You can get the context deadline exceeded if you have wrong credentials
In my case this issue is due AWS SSO credentials. They are supported from SDK 1.37 but this repo is stuck in 1.36
We use SDK V2, which recently went GA and had major refactoring before the release with changes in authentication mechanism. I started refactoring the code but can try to make sure it'll work with SSO too.
It also understands AWS_PROFILE, if your looking for an environment variable approach. Though I personally use the --profile as approach.
It also understands AWS_PROFILE, if your looking for an environment variable approach. Though I personally use the --profile as approach.
Go SDK V2 has a logic to retrieve profile to be used from environmental variables, the default providers are implemented and it is also little bit easier to provide e.g. MFA support. I tried to provide multiple ways to make use of what's available through SDK as much as possible. I remember some time ago, it was very hard to support multiple authentication mechanisms within same tool.
@Maks3w It seems SSO support was added recently in https://github.com/aws/aws-sdk-go-v2/pull/1072. Will switch to latest version and see how it can support SSO :)
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.
I am getting the same error.
AWS provider version: 3.72.0 Terraformer version: v0.8.21
I exported the AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN.
exec command: terraformer import aws --resources=vpc --regions=eu-west-2 --profile="" --verbose
Error: 2022/08/18 09:58:09 aws error initializing resources in service vpc, err: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: connection refused
@chrisgallivan, did you solve it?
@sergeylanzman, can you help me, please?
@syswipe, did you solve it?
This request seems yet legit. Any of you have a workaround?
TL;DR: To workaround, just add --profile=""
to your command.
If error still exists, check your credential in environment variables.
Note that actual error message may vary by configuration (like ~/.aws/credentials). For me api error AuthFailure: AWS was not able to validate the provided access credentials
.
I'm using aws-vault which exports credentials to env vars, and the default profile in ~/.aws/credentials was already invalidated credential.
--profile=""
:--profile
option is set to "default"
here if omitted:
https://github.com/GoogleCloudPlatform/terraformer/blob/1fde02dd7cb230b9d89f8fe0084f03b908d39236/cmd/provider_cmd_aws.go#L76
--profile
option is passed to aws sdk using WithSharedConfigProfile()
, if it is not empty string (while "default"
if omitted):
https://github.com/GoogleCloudPlatform/terraformer/blob/1fde02dd7cb230b9d89f8fe0084f03b908d39236/providers/aws/aws_service.go#L75-L76
It seems that when WithSharedConfigProfile()
is specified, aws sdk of course does not read credential env var.
Is there a way to set AWS credentials inline without the usage of the file system?
I exported AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID
and then I run:
terraformer import aws --resources=lambda --filter= --regions=us-east-1 --compact=true -p=./deployment/dev/
I am getting:
2020/07/12 13:45:32 aws importing region us-east-1 2020/07/12 13:45:32 aws importing... lambda 2020/07/12 13:45:36 EC2RoleRequestError: no EC2 instance role found caused by: exceeded maximum number of attempts, 3, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: connection refused
the only way I can get it to work is if I set the --profile parameter using the config and credentials file.