hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

Instance profile unable to locate credentials #460

Open Ptipiak opened 4 months ago

Ptipiak commented 4 months ago

Overview

Hello, in order to modify some characteristics of my instance during build I'm relying on calls with aws-cli from within the instance. When using the iam_instance_profile parameter I'm expecting to not have to use hardcoded credentials, whether it's through environment vars or parameters. Except it's not the case: if the credentials are not explicitly passed through environment vars or through the aws-cli parameters, the specified instance profile seems to not be able to catch the credentials.

Reproduction Steps

Using an aws-ebs source such as:

source "amazon-ebs" "amz2arm64" {
  ami_name             = "ami-name"
  force_deregister     = true
  instance_type        = "t4g.small"
  region               = "my-region-id"
  source_ami           = "${data.amazon-ami.al2023-arm64.id}"
  ssh_username         = "${var.username}"
  ssh_timeout          = "1m"
  profile              = "${var.profile}"
  iam_instance_profile = "instance-profile-id"
}

Running any aws-cli commands which require credentials such as:

provisioner "shell" {
  inline = [
    # "echo 'Running arbitrary aws-cli command'",
    "aws iam list-instance-profiles"
  ]
}

Run a regular packer build using the above configuration lines.

Expected issue

Issue:

==> nat-instance.amazon-ebs.amz2arm64: Provisioning with shell script: /var/folders/76/jlvbjwjs15z0x9g1ywd4qns00000gq/T/packer-shell4084365834
==> nat-instance.amazon-ebs.amz2arm64:
==> nat-instance.amazon-ebs.amz2arm64: Unable to locate credentials. You can configure credentials by running "aws configure".
==> nat-instance.amazon-ebs.amz2arm64: Provisioning step had errors: Running the cleanup provisioner, if present...

Plugin and Packer version

Packer version: 1.9.4
Amazon plugin: packer-plugin-amazon_v1.3.0_x5.0_darwin_arm64
OS: macOS Sonoma 13.3.1

Workaround

Passing the variables directly through environment vars seems to satisfy the requirement of the cli and presents a valid workaround without exposing the credentials too much (I expect once Packer has finished its work, the environment variables to disappear alongside the ssh session).

provisioner "shell" {
  inline = [
    "export AWS_ACCESS_KEY_ID='XXXXXXMYACCESSKEY'",
    "export AWS_SECRET_ACCESS_KEY='xXxXxXxXxXxXSECRETACCESSKEY'",
    "export AWS_DEFAULT_REGION='my-region-id'",
    "aws iam list-instance-profiles"
  ]
}

Disclaimer

I'm new to Packer and AWS in general; maybe this is an expected outcome and using an instance profile does require passing the credentials in a more obvious way for the aws-cli to find them. Although this seems to go against the AWS policy of using roles and profiles rather than hardcoded values.

Log Fragments and crash.log files

Log extract:

2024/02/26 13:22:38 packer-plugin-amazon_v1.3.0_x5.0_darwin_arm64 plugin: 2024/02/26 13:22:38 [DEBUG] starting remote command: chmod +x /tmp/script_1905.sh; PACKER_BUILDER_TYPE='amazon-ebs' PACKER_BUILD_NAME='amz2arm64'  /tmp/script_1905.sh
2024/02/26 13:22:39 ui error: ==> nat-instance.amazon-ebs.amz2arm64:
2024/02/26 13:22:39 ui error: ==> nat-instance.amazon-ebs.amz2arm64: Unable to locate credentials. You can configure credentials by running "aws configure".
2024/02/26 13:22:40 packer-plugin-amazon_v1.3.0_x5.0_darwin_arm64 plugin: 2024/02/26 13:22:40 [ERROR] Remote command exited with '253': chmod +x /tmp/script_1905.sh; PACKER_BUILDER_TYPE='amazon-ebs' PACKER_BUILD_NAME='amz2arm64'  /tmp/script_1905.sh
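An instance profile delivers credentials to the instance through the EC2 metadata service (IMDS), which is where the aws-cli looks when no static keys are set; a quick way to tell whether the role is actually attached, before resorting to exporting keys into the build, is to query that path directly. The diagnostic below is an added example and not code from the packer-plugin-amazon project; the IMDS paths and headers are the documented IMDSv2 ones, while the injectable fetch function and the FAKE_RESPONSES are constructed for an offline dry run.

```python
"""Check whether the EC2 instance profile is supplying credentials via IMDSv2.
Added example (not packer-plugin-amazon code); run it inside the build instance
instead of exporting AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in a provisioner."""
import json
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def imds_fetch(method, path, headers=None, timeout=2):
    """Minimal IMDSv2 HTTP helper: returns the body text, or None on any error
    (IMDS answers 404 when no instance profile is attached)."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except Exception:
        return None


def check_instance_role(fetch=imds_fetch):
    """Describe the instance-profile credential chain as a dict.
    'fetch' is injectable (assumed interface) so the logic runs offline."""
    token = fetch("PUT", "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if token is None:
        return {"imds_reachable": False, "role": None, "creds_ok": False}
    hdr = {"X-aws-ec2-metadata-token": token}
    listing = fetch("GET", CREDS_PATH, hdr)
    if not listing:
        # No role attached: the CLI reports "Unable to locate credentials".
        return {"imds_reachable": True, "role": None, "creds_ok": False}
    role = listing.strip().splitlines()[0]
    body = fetch("GET", CREDS_PATH + role, hdr)
    creds = json.loads(body) if body else {}
    ok = creds.get("Code") == "Success" and bool(creds.get("AccessKeyId"))
    return {"imds_reachable": True, "role": role, "creds_ok": ok,
            "expiration": creds.get("Expiration")}


# Constructed IMDS responses for an offline dry run (no real keys).
FAKE_RESPONSES = {
    ("PUT", "/latest/api/token"): "constructed-token",
    ("GET", CREDS_PATH): "build-role\n",
    ("GET", CREDS_PATH + "build-role"): json.dumps({
        "Code": "Success", "AccessKeyId": "ASIACONSTRUCTED",
        "SecretAccessKey": "constructed", "Token": "constructed",
        "Expiration": "2024-02-26T19:22:38Z"}),
}


def fake_fetch(method, path, headers=None, timeout=2):
    return FAKE_RESPONSES.get((method, path))


if __name__ == "__main__":
    print(json.dumps(check_instance_role(), indent=2))
```

A result with `imds_reachable` true but `role` None means the profile never reached the instance, which is a configuration problem to fix rather than one to paper over with exported keys.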