hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

Release v1.4.3 fail when AWS profile is used #8066

Closed adriananeci closed 4 years ago

adriananeci commented 5 years ago

We use different aws profiles and iam_roles to build AMI images using packer. We noted that with the latest update (v1.4.3) we are no longer able to build aws AMIs when using a profile that has credential_source=Ec2InstanceMetadata and no role_arn configured. With earlier packer versions we didn't encounter any similar issues.

Our ~/.aws/credentials file looks like:

[default]
region = eu-central-1
credential_source=Ec2InstanceMetadata

[packer]
region = eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=arn:aws:iam::xxx:role/packer_access

Describe the problem and include the following information:

The error we get right now when running packer build template.json is CredentialRequiresARNError: credential type credential_source requires role_arn, profile default, where the template.json content is:

{
  "min_packer_version": "0.12.0",
  "variables": {
    "aws_region": "eu-central-1",
    "aws_profile": "default"
  },
  "builders": [{
    "name": "xxx-ami",
    "ami_name": "xxx-{{isotime | clean_resource_name}}",
    "ami_description": "xxx",
    "instance_type": "t2.micro",
    "region": "{{user `aws_region`}}",
    "profile": "{{user `aws_profile`}}",
    "type": "amazon-ebs",
    "source_ami": "ami-xxx",
    "ssh_username": "xxx",
    "tags": {
      "Name": "xxx"
    }
  }]
}

When using the aws-cli command (e.g. aws ec2 describe-instances --profile default or aws ec2 describe-instances --profile packer) we don't encounter any issues, even though we use the same aws credentials file. Maybe there are some major differences between boto3 (python sdk) and aws-go-sdk in terms of config loading order. Or maybe the aws-go-sdk used in the last version of packer is a bit old, since it uses v1.22.2 and the latest one at the moment of writing was v1.23.14.

Below you can find more details

rickard-von-essen commented 5 years ago

credential_source was fixed in v1.4.3. Before that it didn't work because the aws-go-sdk didn't support this.

rickard-von-essen commented 5 years ago

Our ~/.aws/credentials

That should be your ~/.aws/config and named profiles should be like:

[profile packer]
region = eu-central-1

adriananeci commented 5 years ago

credential_source was fixed in v1.4.3. Before that it didn't work because the aws-go-sdk didn't support this.

@rickard-von-essen are you sure? Because based on the packer changelog, credential_source support was added in v1.3.2 (https://github.com/hashicorp/packer/blob/master/CHANGELOG.md#132-october-29-2018) when aws-sdk-go was updated to v1.15.54 (https://github.com/aws/aws-sdk-go/blob/master/CHANGELOG.md#release-v11554-2018-10-12).

Also I can confirm that the same config used to work with an earlier packer version.

rickard-von-essen commented 5 years ago

I think that didn't fully work until #7967

SwampDragons commented 5 years ago

I think this might be related to #8036. Can you test the build at https://circleci.com/gh/hashicorp/packer/13335#artifacts/containers/0 and let me know if this is still an issue for you?

adriananeci commented 5 years ago

@SwampDragons, sorry for the late reply. I've tested with the mentioned build but also with the latest (v1.4.4) packer release, but with no luck. I'm getting the same error: CredentialRequiresARNError: credential type credential_source requires role_arn, profile default. Can we reopen this issue?

SwampDragons commented 4 years ago

I'm able to reproduce, and have traced it upstream to the AWS sdk and opened an issue (linked above) because it is definitely confusing that this gets an error where your CLI call doesn't.

However, I think the underlying issue is that your profile is misconfigured.

According to the CLI docs:

credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile.

In your "default" profile example, you aren't assuming a role. The SDK is smart enough to just use the metadata credentials without you setting a credential_source.

If I delete the line credential_source=Ec2InstanceMetadata from the default profile and use the ~/aws/config

[default]
region = eu-central-1

[packer]
region = eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=arn:aws:iam::xxx:role/packer_access

everything works as expected.
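
A lint for the misconfiguration diagnosed in this thread, as an added example that is not part of the discussion or of Packer's code: it flags profiles that set credential_source without role_arn (the case behind the error reported here), credential_source combined with source_profile, and config sections missing the profile prefix. The function name, finding labels and sample file are constructed for illustration and assume ~/.aws/config syntax.

```python
import configparser

# Constructed sample in ~/.aws/config syntax, modelled on the profiles in this thread.
SAMPLE_CONFIG = """\
[default]
region = eu-central-1
credential_source=Ec2InstanceMetadata

[profile packer]
region = eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=arn:aws:iam::xxx:role/packer_access

[profile both]
role_arn=arn:aws:iam::xxx:role/packer_access
credential_source=Ec2InstanceMetadata
source_profile=default

[packer-old]
region = eu-central-1
"""


def lint_aws_config(text):
    """Return (section, finding) pairs for an AWS shared config file (hypothetical helper)."""
    # Split on "=" only so the colons inside ARNs are never treated as delimiters.
    parser = configparser.RawConfigParser(delimiters=("=",), default_section="__unused__")
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        keys = parser[section]
        # Named profiles in the config file are written as [profile NAME].
        if section != "default" and not section.startswith("profile "):
            findings.append((section, "missing-profile-prefix"))
        if "credential_source" in keys:
            # credential_source only feeds an assume-role call, so it needs a role_arn;
            # without one the SDK reports CredentialRequiresARNError, as in this issue.
            if "role_arn" not in keys:
                findings.append((section, "credential_source-without-role_arn"))
            # The CLI docs quoted above forbid combining it with source_profile.
            if "source_profile" in keys:
                findings.append((section, "credential_source-with-source_profile"))
    return findings


if __name__ == "__main__":
    for section, finding in lint_aws_config(SAMPLE_CONFIG):
        print(f"[{section}] {finding}")
```

Running it over a build host's config before invoking packer build surfaces the profile problem without needing AWS access.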

SwampDragons commented 4 years ago

I'm going to close this because I think it's a non-urgent upstream behavior that only crops up when a user profile is misconfigured. There's nothing to solve on Packer's end.
