Open yuji-tamai opened 12 months ago
Hi 👋 thanks for reaching out.
For general questions we recommend reaching out to the [community forum](https://discuss.hashicorp.com/c/packer) for greater visibility.
As the GitHub issue tracker is only watched by a small subset of maintainers and is really reserved for bugs and enhancements, you'll have a better chance of finding someone who can help you in the forum.
We'll mark this issue as needs-reply to help inform maintainers that this question is awaiting a response.
If no activity is taken on this question within 30 days it will be automatically closed.
If you find the forum to be more helpful or if you've found the answer to your question elsewhere please feel free to post a response and close the issue.
Hi @yuji-tamai thanks for reaching out. This sounds like a bug with the Amazon integration. Do you know which AWS version you are using?
If you could provide a redacted Packer log that would be helpful. You can generate one by running `PACKER_LOG=1 packer build template.json`.
@nywilken Thank you for your reply. The aws version and packer log are written below.
```
$ aws --version
aws-cli/2.13.28 Python/3.11.6 Darwin/23.1.0 source/arm64 prompt/off
```
```
$ PACKER_LOG=1 packer build -var 'mfa_code=559697' sample.json
2023/12/18 11:16:18 [INFO] Packer version: 1.9.4 [go1.21.1 darwin arm64]
2023/12/18 11:16:18 [TRACE] discovering plugins in
2023/12/18 11:16:18 [TRACE] discovering plugins in /opt/homebrew/bin
2023/12/18 11:16:18 [INFO] Discovered potential plugin: amazon = /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64
2023/12/18 11:16:18 [INFO] found external [chroot ebs ebssurrogate ebsvolume instance] builders from amazon plugin
2023/12/18 11:16:18 [INFO] found external [import] post-processors from amazon plugin
2023/12/18 11:16:18 found external [ami parameterstore secretsmanager] datasource from amazon plugin
2023/12/18 11:16:18 [INFO] PACKER_CONFIG env var not set; checking the default config file path
2023/12/18 11:16:18 [INFO] PACKER_CONFIG env var set; attempting to open config file: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 [WARN] Config file doesn't exist: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 [INFO] Setting cache directory: /Users/yuji.tamai/.cache/packer
2023/12/18 11:16:18 [INFO] Starting external plugin /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 start builder ebs
2023/12/18 11:16:18 Starting plugin: /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 []string{"/opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64", "start", "builder", "ebs"}
2023/12/18 11:16:18 Waiting for RPC address for: /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Plugin address: unix /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3887406117
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Waiting for connection...
2023/12/18 11:16:18 Received unix RPC address for /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64: addr is /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3887406117
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 Serving a plugin connection...
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [TRACE] starting builder ebs
2023/12/18 11:16:18 [INFO] Starting internal plugin packer-provisioner-shell
2023/12/18 11:16:18 Starting plugin: /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer []string{"/opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer", "plugin", "packer-provisioner-shell"}
2023/12/18 11:16:18 Waiting for RPC address for: /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] Packer version: 1.9.4 [go1.21.1 darwin arm64]
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var not set; checking the default config file path
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] PACKER_CONFIG env var set; attempting to open config file: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 packer-provisioner-shell plugin: [WARN] Config file doesn't exist: /Users/yuji.tamai/.packerconfig
2023/12/18 11:16:18 packer-provisioner-shell plugin: [INFO] Setting cache directory: /Users/yuji.tamai/.cache/packer
2023/12/18 11:16:18 packer-provisioner-shell plugin: args: []string{"packer-provisioner-shell"}
2023/12/18 11:16:18 packer-provisioner-shell plugin: Plugin address: unix /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3160410359
2023/12/18 11:16:18 packer-provisioner-shell plugin: Waiting for connection...
2023/12/18 11:16:18 Received unix RPC address for /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer: addr is /var/folders/p5/fg5_30ss749_dr23hbrg1np00000gq/T/packer-plugin3160410359
2023/12/18 11:16:18 packer-provisioner-shell plugin: Serving a plugin connection...
2023/12/18 11:16:18 Preparing build: amazon-ebs
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [INFO] (aws): No AWS timeout and polling overrides have been set. Packer will default to waiter-specific delays and timeouts. If you would like to customize the length of time between retries and max number of retries you may do so by setting the environment variables AWS_POLL_DELAY_SECONDS and AWS_MAX_ATTEMPTS or the configuration options aws_polling_delay_seconds and aws_polling_max_attempts to your desired values.
2023/12/18 11:16:18 Build debug mode: false
2023/12/18 11:16:18 Force build: false
2023/12/18 11:16:18 On error:
2023/12/18 11:16:18 Waiting on builds to complete...
2023/12/18 11:16:18 Starting build run: amazon-ebs
2023/12/18 11:16:18 Running builder: amazon-ebs
amazon-ebs: output will be in this color.
2023/12/18 11:16:18 [INFO] (telemetry) Starting builder amazon-ebs
2023/12/18 11:16:18 packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64 plugin: 2023/12/18 11:16:18 [INFO] Attempting to use session-derived credentials
2023/12/18 11:16:18 [INFO] (telemetry) ending amazon-ebs
==> Wait completed after 1 millisecond 940 microseconds
2023/12/18 11:16:18 machine readable: error-count []string{"1"}
==> Some builds didn't complete successfully and had errors:
2023/12/18 11:16:18 machine readable: amazon-ebs,error []string{"Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set."}
==> Builds finished but no artifacts were created.
2023/12/18 11:16:18 [INFO] (telemetry) Finalizing.
Build 'amazon-ebs' errored after 1 millisecond 900 microseconds: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
==> Wait completed after 1 millisecond 940 microseconds
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
==> Builds finished but no artifacts were created.
2023/12/18 11:16:18 waiting for all plugin processes to complete...
2023/12/18 11:16:18 /opt/homebrew/bin/github.com/hashicorp/amazon/packer-plugin-amazon_v1.2.8_x5.0_darwin_arm64: plugin process exited
2023/12/18 11:16:18 /opt/homebrew/Cellar/packer/1.9.4/libexec/bin/packer: plugin process exited
```
I can confirm this has been a problem for a number of months now: assume role + MFA does not work. Any combination of configurations we've tried: using `profile` with `mfa_code` or `assume_role` with `mfa_code`, neither works correctly. Assuming a role without MFA works fine.
The workaround we have found for this is to use `aws configure export-credentials --profile your_profile --format env` and then source the values that pop up instead. It's annoying and causes problems if the credentials expire when packer is still running, but so far it's the only way to run packer with a role requiring MFA.
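The workaround from the comment above, as an added shell example that is not part of the original thread: it loads the `aws configure export-credentials` output without `eval` and refuses to start `packer build` when the session is too close to expiry. The function names and the minimum-lifetime argument are hypothetical, and it assumes the `env` output includes `AWS_CREDENTIAL_EXPIRATION` as an ISO 8601 timestamp.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# ISO 8601 timestamp -> epoch seconds (GNU date first, then BSD/macOS date).
to_epoch() {
  ts="$1"
  case "$ts" in *Z) ts="${ts%Z}+00:00" ;; esac
  date -u -d "$ts" +%s 2>/dev/null && return 0
  # BSD strptime expects +0000, so drop the colon inside the UTC offset.
  date -j -u -f '%Y-%m-%dT%H:%M:%S%z' "${ts%:*}${ts##*:}" +%s 2>/dev/null
}

# seconds_left EXPIRATION [NOW_EPOCH]: lifetime remaining on the session.
seconds_left() {
  exp_epoch="$(to_epoch "$1")" || return 2
  now_epoch="${2:-$(date +%s)}"
  echo $(( exp_epoch - now_epoch ))
}

# Read `export KEY=VALUE` lines on stdin and export only the four expected
# variables. Nothing is eval'ed, so stray output is never run as shell code.
load_creds() {
  while IFS= read -r line; do
    line="${line#export }"
    case "${line%%=*}" in
      AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_CREDENTIAL_EXPIRATION)
        export "${line%%=*}=${line#*=}" ;;
    esac
  done
}

# packer_with_mfa_role PROFILE MIN_SECONDS [packer build arguments...]
packer_with_mfa_role() {
  profile="$1"; min_left="$2"; shift 2
  unset AWS_CREDENTIAL_EXPIRATION
  creds="$(aws configure export-credentials --profile "$profile" --format env)" || return 1
  load_creds <<EOF
$creds
EOF
  [ -n "${AWS_CREDENTIAL_EXPIRATION:-}" ] || { echo "no expiry exported" >&2; return 1; }
  left="$(seconds_left "$AWS_CREDENTIAL_EXPIRATION")" || return 1
  if [ "$left" -lt "$min_left" ]; then
    echo "session expires in ${left}s (< ${min_left}s); re-authenticate first" >&2
    return 1
  fi
  packer build "$@"
}
```

After sourcing the file, `packer_with_mfa_role your_profile 1800 sample.json` starts the build only if at least 30 minutes of session lifetime remain; pick a threshold longer than your slowest build.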
I'm trying to use Packer with AssumeRole configured with MFA.
~/.aws/config
~/.aws/credentials
It works fine with AWS CLI.
However, an error occurs in Packer, probably because the `mfa_code` attribute isn't effective.
sample.json
command
This error occurs whether the mfa_code attribute is present or not, and whether the value of mfa_code is correct or incorrect.
How can I make the mfa_code attribute effective?