Open paololazzari opened 1 year ago
Same here
This issue has been synced to JIRA for planning.
JIRA ID: HPR-983
Hi,
```
packer --version
1.9.1
```
What is the status of this issue? There is no way to check the linked Jira ticket.
```
aws-vault exec <profile>
packer init <src>
packer build <src>
```
sources.pkr.hcl
```hcl
source "amazon-ebs" "arm_al2023_no_swap" {
  ami_name               = "${local.prefix}-{{timestamp}}"
  iam_instance_profile   = "packer-instance-role"
  instance_type          = var.build_instance_type
  region                 = var.region
  skip_region_validation = true
  ssh_username           = "ec2-user"

  source_ami_filter {
    filters = {
      name                = var.source_ami_pattern
      architecture        = "arm64"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["amazon"]
  }

  assume_role {
    role_arn     = local.assume_role_arn
    session_name = "packer-build-session"
  }

  tags = {
    Name   = "${local.prefix}-{{timestamp}}"
    commit = var.source_commit
  }
}
```
Error output:
```
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
==> Builds finished but no artifacts were created.
```
Thanks, Oleg
Any workaround or fix for this in 2024? We are facing the exact same issue
Packer version
Description
I created an IAM role (`packer-role`) with the following trust relationship:
I then assumed the role and set the credentials:
and confirmed that the new credentials were correctly set:
I then tried to run the following Packer build:
this errors out:
Use Case(s)
My actual use case is a bit more complex.
I have a time-consuming Packer build (>1 hour) which is being executed from a GitLab CI pipeline. The job in the pipeline runs in another account (account B) and has a role associated to it. To run the Packer build in my account, I configured the job to assume the role in my account (account A). This would work fine if it wasn't for the fact that the build is longer than an hour. The sts assume role session chaining is in fact limited to one hour, which means that I can't use this workflow for my build.
I then tried to use the `assume_role` functionality, because my understanding is that by using it Packer would be able to refresh the credentials during the build, which would resolve my problem. The issue however, as illustrated above, is that Packer tries to assume the role even though the role is already assumed.

Should Packer be smart enough to understand that it is running under the assumed role that I specified in the `assume_role` config, and avoid trying to assume it when the build starts?
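
The question above (is the build already running under the role named in `assume_role`?) can be answered before `packer build` by comparing the caller ARN from `aws sts get-caller-identity` with the role ARN. This is an added example, not part of the issue or of Packer; the script name `preflight.sh` and the function `classify_caller` are hypothetical, and any ARNs passed to it in testing are constructed.

```shell
#!/bin/sh
# Added example: classify the current AWS identity against the role named in
# Packer's assume_role block. Not Packer code; names here are hypothetical.

# classify_caller CALLER_ARN ROLE_ARN -> prints one of:
#   same-role  caller is already a session of ROLE_ARN (assume_role = self-assume)
#   chained    caller is a session of another role (AssumeRole = role chaining)
#   direct     caller is not an assumed-role session (IAM user, root, ...)
#   invalid    ROLE_ARN is not an IAM role ARN
classify_caller() {
  cc_caller=$1
  cc_role=$2
  case $cc_role in
    arn:*:iam::*:role/*) ;;
    *) echo invalid; return 0 ;;
  esac
  case $cc_caller in
    arn:*:sts::*:assumed-role/*/*) ;;
    *) echo direct; return 0 ;;
  esac
  # Role ARN: arn:<partition>:iam::<account>:role/[path/]<name>
  cc_rest=${cc_role#arn:};          cc_rpart=${cc_rest%%:*}
  cc_rest=${cc_role#arn:*:iam::};   cc_racct=${cc_rest%%:*}
  cc_rname=${cc_role##*/}           # session ARNs omit the role path
  # Session ARN: arn:<partition>:sts::<account>:assumed-role/<name>/<session>
  cc_rest=${cc_caller#arn:};        cc_cpart=${cc_rest%%:*}
  cc_rest=${cc_caller#arn:*:sts::}; cc_cacct=${cc_rest%%:*}
  cc_rest=${cc_caller#*:assumed-role/}; cc_cname=${cc_rest%%/*}
  if [ "$cc_cpart" = "$cc_rpart" ] && [ "$cc_cacct" = "$cc_racct" ] &&
     [ "$cc_cname" = "$cc_rname" ]; then
    echo same-role
  else
    echo chained
  fi
}

# Stand-alone use: preflight.sh <role-arn>  (needs the AWS CLI and credentials)
if [ "$#" -ge 1 ]; then
  caller_arn=$(aws sts get-caller-identity --query Arn --output text) || exit 1
  case $(classify_caller "$caller_arn" "$1") in
    same-role) echo "already running as $1; assume_role would re-assume it" ;;
    chained)   echo "role chaining: the assumed session is capped at one hour" ;;
    direct)    echo "not a role session; assume_role is a first-hop AssumeRole" ;;
    invalid)   echo "not an IAM role ARN: $1" >&2; exit 2 ;;
  esac
fi
```

The comparison uses only the last path segment of the role ARN because an assumed-role session ARN carries the role name without its IAM path.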