Closed adriananeci closed 4 years ago
credential_source
was fixed in v1.4.3. Before that it didn't work because the aws-go-sdk didn't support this.
Our ~/.aws/credentials
That should be your ~/.aws/config
and named profiles should be like:
[profile packer]
region = eu-central-1
credential_source was fixed in v1.4.3. Before that it didn't work because the aws-go-sdk didn't support this.
@rickard-von-essen are you sure? Because based on the packer changelog _credentialsource support was added in v1.3.2 (https://github.com/hashicorp/packer/blob/master/CHANGELOG.md#132-october-29-2018) when aws-sdk-go was updated to v1.15.54(https://github.com/aws/aws-sdk-go/blob/master/CHANGELOG.md#release-v11554-2018-10-12).
Also I can confirm that the same config used to work with an earlier packer version.
I think that didn't fully worked until #7967
I think this might be related to #8036. Can you test the build at https://circleci.com/gh/hashicorp/packer/13335#artifacts/containers/0 and let me know if this is still an issue for you?
@SwampDragons, sorry for late reply.
I've tested with the mentioned build but also with the latest(v1.4.4) packer release, but with no luck. I'm getting the same error:
CredentialRequiresARNError: credential type credential_source requires role_arn, profile default
Can we reopen this issue?
I'm able to reproduce, and have traced it upstream to the AWS sdk and opened an issue (linked above) because it is definitely confusing that this gets an error where your CLI call doesn't.
However, I think the underlying issue is that your profile is misconfigured.
according to the CLI docs
credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile.
In your "default" profile example, you aren't assuming a role. The SDK is smart enough to just use the metadata credentials without you setting a credential_source.
If I delete the line credential_source=Ec2InstanceMetadata
from the default profile and use the ~/aws/config
[default]
region = eu-central-1
[packer]
region = eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=arn:aws:iam::xxx:role/packer_access
everything works as expected.
I'm going to close this because I think it's a non-urgent upstream behavior that only crops up when a user profile is misconfigured. There's nothing to solve on Packer's end.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
We use different aws profiles and iam_roles to build AMI images using packer. We noted that with latest update(v1.4.3) we are not able anymore to build aws AMIs when using a profile that has credential_source=Ec2InstanceMetadata and no role_arn configured. With earlier packer versions we didn't encountered any similar issues.
Our ~/.aws/credentials file looks like:
Describe the problem and include the following information:
The error we get right now when running
packer build template.json
isCredentialRequiresARNError: credential type credential_source requires role_arn, profile default
where template.json content isWhen using the aws-cli command(e.g aws ec2 describe-instances --profile default or aws ec2 describe-instances --profile packer) we don't encounter any issues even if we use the same aws credentials file. Maybe there are some major differences between boto3(python sdk) and aws-go-sdk in terms of config loading order. Or maybe the aws-go-sdk used in the last version of packer is a bit old since it use v1.22.2 and the latest one at the moment of writing was v1.23.14.
Below you can find more details
packer version
Packer v1.4.3PACKER_LOG=1 packer build template.json
. https://gist.github.com/adriananeci/48689ed9b2d4fbdce812ecfcfc98456c