claranet / boto-source-profile-mfa

AWS boto helper library for reusing MFA tokens in profiles with the same source profile
MIT License

Breaks with session credentials in credentials file #1

Open raymondbutcher opened 4 years ago

raymondbutcher commented 4 years ago

Running Pretf on an EC2 instance with instance credentials raises an exception. Uninstalling this package fixes it.

Traceback (most recent call last):
  File "/var/lib/jenkins/.local/bin/terraform", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/pretf/cli.py", line 12, in main
    result = run()
  File "/usr/local/lib/python3.7/site-packages/pretf/cli.py", line 52, in run
    return workflow.custom(workflow_path)
  File "/usr/local/lib/python3.7/site-packages/pretf/workflow.py", line 116, in custom
    result = call_pretf_function(func=module.pretf_workflow)  # type: ignore
  File "/usr/local/lib/python3.7/site-packages/pretf/render.py", line 270, in call_pretf_function
    return func(**kwargs)
  File "/var/lib/jenkins/workspace/Terraform_Plan/terraform/environments/apps/pretf.workflow.py", line 28, in pretf_workflow
    return workflow.default(created=created)
  File "/usr/local/lib/python3.7/site-packages/pretf/workflow.py", line 141, in default
    created = created + create_files(verbose=verbose)
  File "/usr/local/lib/python3.7/site-packages/pretf/workflow.py", line 81, in create_files
    file_contents = Renderer(files_to_create).render()
  File "/usr/local/lib/python3.7/site-packages/pretf/render.py", line 156, in render
    self.process_jobs()
  File "/usr/local/lib/python3.7/site-packages/pretf/render.py", line 146, in process_jobs
    done = job.run()
  File "/usr/local/lib/python3.7/site-packages/pretf/render.py", line 226, in run
    yielded = self.gen.send(self.return_value)
  File "terraform.tf.py", line 29, in pretf_blocks
    region=var.aws_region,
  File "/usr/local/lib/python3.7/site-packages/pretf/aws.py", line 245, in terraform_backend_s3
    session=session, region_name=region, bucket=bucket, table=dynamodb_table
  File "/usr/local/lib/python3.7/site-packages/pretf/aws.py", line 109, in _get_s3_backend_status
    response = s3_client.get_bucket_versioning(Bucket=bucket)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 648, in _make_api_call
    operation_model, request_dict, request_context)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 667, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 149, in sign
    auth = self.get_auth_instance(**kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 229, in get_auth_instance
    frozen_credentials = self._credentials.get_frozen_credentials()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 591, in get_frozen_credentials
    self._refresh()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 486, in _refresh
    self._protected_refresh(is_mandatory=is_mandatory_refresh)
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 502, in _protected_refresh
    metadata = self._refresh_using()
  File "/usr/local/lib/python3.7/site-packages/boto_source_profile_mfa/__init__.py", line 131, in assume_role_refresher
    creds = refresher()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 643, in fetch_credentials
    return self._get_cached_credentials()
  File "/usr/local/lib/python3.7/site-packages/botocore/credentials.py", line 653, in _get_cached_credentials
    response = self._get_credentials()
  File "/usr/local/lib/python3.7/site-packages/boto_source_profile_mfa/__init__.py", line 51, in _get_credentials
    return sts.get_session_token(**params)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

This package should not call sts.get_session_token() when the credentials are EC2 instance credentials.

raymondbutcher commented 4 years ago

This is a slightly unusual case. It's not using regular EC2 instance credentials. There is an .aws/credentials file where the profile is defined with temporary session credentials.
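The failing condition above can be checked before any STS call is made. The following is an added illustration, not code from boto-source-profile-mfa: it parses constructed sample config/credentials files, follows a profile's `source_profile`, and reports whether the source credentials are long-term keys (safe for GetSessionToken) or temporary session credentials (which STS rejects with AccessDenied, as in the traceback). Section and key names follow the standard AWS CLI file layout; the profile names are invented.

```python
"""Decide whether a profile's source credentials may be passed to STS
GetSessionToken.  Temporary credentials always carry aws_session_token,
and STS refuses GetSessionToken for them, so an MFA helper has to fall
through instead of calling it."""
import configparser
from typing import Optional

# Constructed sample ~/.aws/credentials: one long-term key pair and one
# set of temporary session credentials (the case reported in this issue).
SAMPLE_CREDENTIALS = """
[longterm]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = secretEXAMPLE

[jenkins]
aws_access_key_id = ASIAEXAMPLEEXAMPLE
aws_secret_access_key = secretEXAMPLE
aws_session_token = FwoGZXIvYXdzEXAMPLE
"""

# Constructed sample ~/.aws/config: role profiles pointing at the above.
SAMPLE_CONFIG = """
[profile dev]
role_arn = arn:aws:iam::111111111111:role/Dev
source_profile = longterm
mfa_serial = arn:aws:iam::111111111111:mfa/me

[profile ci]
role_arn = arn:aws:iam::111111111111:role/CI
source_profile = jenkins
"""

def load_ini(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def source_credentials(profile: str, config, credentials) -> Optional[dict]:
    """Return the static credentials of the profile's source_profile, or
    None when the profile has no file-based source (e.g. instance role)."""
    section = f"profile {profile}"
    if not config.has_section(section):
        return None
    source = config[section].get("source_profile")
    if source is None or not credentials.has_section(source):
        return None
    return dict(credentials[source])

def can_call_get_session_token(profile: str, config, credentials) -> bool:
    """True only for long-term keys; False for temporary or absent creds."""
    creds = source_credentials(profile, config, credentials)
    if creds is None:
        return False
    return "aws_session_token" not in creds
```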

raymondbutcher commented 4 years ago

This is probably fixed by 7b5ada56c2f33bb87f64ff97f6c27f221161d88d