Closed marian-gheorghe closed 2 years ago
For the sake of it I have manually attempted assume-role via the CLI successfully, parsed the credentials and exported the corresponding AWS env vars. However, terraform init still fails, complaining about a wrong session token. How is that even possible?
Log Output
+ aws sts assume-role --role-arn arn:aws:iam::***:role/devops --role-session-name codebuild
+ cat creds
{
"Credentials": {
"AccessKeyId": "***",
"SecretAccessKey": "***",
"SessionToken": "***",
"Expiration": "2022-08-23T21:47:47+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "***:codebuild",
"Arn": "arn:aws:sts::***:assumed-role/devops/codebuild"
}
}
++ jq .Credentials.AccessKeyId
+ export 'AWS_ACCESS_KEY_ID="*"'
+ AWS_ACCESS_KEY_ID='"*"'
++ jq .Credentials.SecretAccessKey
+ export 'AWS_SECRET_ACCESS_KEY="*"'
+ AWS_SECRET_ACCESS_KEY='"*"'
++ jq .Credentials.SessionToken
+ export 'AWS_SESSION_TOKEN="*"'
+ AWS_SESSION_TOKEN='"*"'
+ terraform init
Initializing modules...
- aws_appautoscaling_ecs_consumer_target in tfmodules/autoscaling
- aws_appautoscaling_ecs_server_target in tfmodules/autoscaling
- aws_appautoscaling_ecs_websocket_server_target in tfmodules/autoscaling
Initializing the backend...
╷
│ Error: error configuring S3 Backend: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
│ status code: 403, request id: 87aedbae-938c-4019-a82a-47a53dfe06f5
│
Associated code with the above output
# Assume the role and keep the raw STS response for parsing
aws sts assume-role --role-arn arn:aws:iam::***:role/devops --role-session-name codebuild > creds
cat creds
# Note: jq without -r prints JSON strings with their surrounding double quotes,
# which is why the trace above shows AWS_ACCESS_KEY_ID='"*"' rather than a bare value
export AWS_ACCESS_KEY_ID=$(cat creds | jq '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(cat creds | jq '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(cat creds | jq '.Credentials.SessionToken')
I've managed to find the mystery. Internally the AWS SDK is querying the credentials endpoint 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI for credentials. Because my CodeBuild instance was configured to run in a private VPC, it had to go through the corporate proxy for external resources. In no_proxy/NO_PROXY only the instance metadata IP (169.254.169.254) was whitelisted. Whitelisting 169.254.170.2 in my proxy configuration solved the problem.
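A hardened version of the export step from the issue together with the proxy bypass the resolution describes, as an added example that is not part of the issue or of CodeBuild. It assumes a creds file written by aws sts assume-role and that jq is installed; the function names add_no_proxy_hosts, check_unquoted and export_assumed_role_creds are my own.

```shell
#!/bin/sh
# Added example, not code from the issue: export assumed-role credentials
# without the stray JSON quotes, and make sure the container credential
# endpoint bypasses the corporate proxy.
set -eu

# The EC2 instance metadata endpoint and the CodeBuild/ECS container credential
# endpoint. The SDK reads $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI from
# 169.254.170.2, so both must be listed in NO_PROXY.
AWS_LOCAL_ENDPOINTS="169.254.169.254 169.254.170.2"

# Print a NO_PROXY value containing each local endpoint exactly once.
# Usage: NO_PROXY=$(add_no_proxy_hosts "${NO_PROXY:-}"); export NO_PROXY no_proxy="$NO_PROXY"
add_no_proxy_hosts() {
  result="${1:-}"
  for host in $AWS_LOCAL_ENDPOINTS; do
    case ",$result," in
      *",$host,"*) ;;                                  # already present
      *) result="${result:+$result,}$host" ;;
    esac
  done
  printf '%s\n' "$result"
}

# Return 1 when a value still carries the double quotes that jq without -r
# leaves behind (the issue's trace shows AWS_ACCESS_KEY_ID='"..."'); STS
# rejects such a token with InvalidClientTokenId.
check_unquoted() {
  case "$1" in
    \"*\") return 1 ;;
    *) return 0 ;;
  esac
}

# Export credentials from a file produced by `aws sts assume-role ... > creds`,
# using jq -r so the values are bare strings, and refuse quoted values.
export_assumed_role_creds() {
  file="$1"
  key=$(jq -r .Credentials.AccessKeyId "$file")
  secret=$(jq -r .Credentials.SecretAccessKey "$file")
  token=$(jq -r .Credentials.SessionToken "$file")
  check_unquoted "$key" && check_unquoted "$token" || return 1
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}
```

After exporting, aws sts get-caller-identity should report the assumed-role ARN before terraform init is run; if it still fails inside the VPC, compare NO_PROXY against the two endpoints above.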
Terraform CLI and Terraform AWS Provider Version
Terraform 1.2.7 AWS Provider 3.75.2
Affected Resource(s)
S3 Backend Config
Terraform Configuration Files
I have AWS CodeBuild which is assuming the devops role (codebuild.tf). The devops role has a policy that allows it to be assumed by the CodeBuild service and comes with admin privileges.
Admin privileges
Terraform backend config
Other configs
Buildspec.yaml
install_tools.sh
prebuild.sh
Expected Behavior
terraform init should succeed
Actual Behavior
DEBUG LOG
Debug Log Gist
Steps to Reproduce
terraform init
Important Factoids
It works fine on my local machine after successfully assuming the devops role. It doesn't work on CodeBuild. CodeBuild is configured in a private VPC (VPC with only private subnets).
References