Open andrejvanderzee opened 11 months ago
The same holds for using aws_assume_role_arn with the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Only via the ~/.aws/credentials file does it work.
@prudhvigodithi to take a look at this.
@massimob76 @ekirmayer can you please add your thoughts? Thank you.
@prudhvigodithi @andrejvanderzee that should be fixed by #87
Hi @prudhvigodithi, I just tried release 2.1.0 and unfortunately I am still getting this error:
[INFO] Failed to put role mapping: NoCredentialProviders: no valid providers in chain. Deprecated.
This is my current provider setup.
provider "opensearch" {
url = var.opensearch_url
aws_assume_role_arn = var.iam_role_to_assume
aws_region = var.region
healthcheck = false
sign_aws_requests = true
}
Thanks @estebane-frb for the feedback; adding @massimob76 and @rblcoder to please take a look and help @estebane-frb fix the issue.
I am able to specify the AWS profile both using
provider "opensearch" {
url = "url"
healthcheck = "false"
aws_region = "region"
aws_profile = "dev"
aws_assume_role_arn = "role arn"
aws_assume_role_external_id = "external id"
version_ping_timeout = "10"
}
as well as
export AWS_PROFILE=dev
and
provider "opensearch" {
url = "url"
healthcheck = "false"
aws_region = "region"
aws_assume_role_arn = "role arn"
aws_assume_role_external_id = "external id"
version_ping_timeout = "10"
}
I can't get it to work; I'm getting the following error:
│ Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.
I can make it work using access keys or basic auth, but that doesn't meet our security requirements, which are to use IAM Identity Center.
Any idea what's wrong here? Either it isn't using the profile, or there's a missing link somewhere behind that (I'm thinking of the application layer of IAM Identity Center).
@falcocoris could you please share the terraform Opensearch provider configuration you are using?
provider "opensearch" {
url = "https://vpc-blabla.eu-west-1.es.amazonaws.com"
aws_region = "eu-west-1"
healthcheck = false
version_ping_timeout = "10"
}
and my AWS config file is like this:
[default]
sso_session = mycompany
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
region = eu-west-1
[sso-session mycompany]
sso_start_url = https://blabla.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[profile dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
[dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
There are some duplicates here as I was trying to force the use of an explicit profile, etc.; anyway, nothing worked.
@falcocoris Using SSO works when OpenSearch allows access to the role ARN created by IAM Identity Center:
arn:aws:iam::aws-account-ID:role/aws-reserved/sso.amazonaws.com/aws-region/AWSReservedSSO_permission-set-name_unique-suffix
https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html
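Concretely, "allowing access to the role ARN" means the AWS OpenSearch domain, not the Terraform provider, has to trust the Identity Center role. The following is an added example (not code from the issue, the provider's docs, or AWS docs) showing one way to do that with the AWS provider and then point the opensearch provider at the same SSO profile. The permission set name "AdministratorAccess", the profile "dev", the domain name "logs", the region and the engine version are assumptions; the role is looked up by its reserved path and name pattern because the random suffix in the role name is not known in advance.

```hcl
# Added example, not from the original issue or the provider. Assumes an
# Identity Center permission set called "AdministratorAccess", an SSO profile
# "dev" in ~/.aws/config, region eu-west-1 and a domain called "logs".

data "aws_caller_identity" "current" {}

# IAM Identity Center creates the role under the reserved path
# /aws-reserved/sso.amazonaws.com/<region>/ with the name
# AWSReservedSSO_<permission-set>_<suffix>. Discover it instead of hard-coding
# the suffix, which changes if the permission set is recreated.
data "aws_iam_roles" "sso_admin" {
  name_regex  = "AWSReservedSSO_AdministratorAccess_.*"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

locals {
  # one() fails the plan if zero or several roles match, which is what we want:
  # silently picking the wrong principal would leave the domain unreachable.
  sso_admin_role_arn = one(data.aws_iam_roles.sso_admin.arns)
}

resource "aws_opensearch_domain" "logs" {
  domain_name    = "logs"
  engine_version = "OpenSearch_2.11"

  # Fine-grained access control: the SSO role becomes the master user, so
  # SigV4-signed requests from it are accepted instead of answered with 403.
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = false
    master_user_options {
      master_user_arn = local.sso_admin_role_arn
    }
  }

  # Required alongside fine-grained access control.
  encrypt_at_rest {
    enabled = true
  }
  node_to_node_encryption {
    enabled = true
  }
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # Domain-level resource policy: only the SSO role may call the endpoint.
  # Fine-grained access control is still evaluated on top of this.
  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = local.sso_admin_role_arn }
      Action    = "es:ESHttp*"
      Resource  = "arn:aws:es:eu-west-1:${data.aws_caller_identity.current.account_id}:domain/logs/*"
    }]
  })
}

# The provider signs requests with whatever the "dev" SSO profile resolves to.
# That principal must be the role the domain trusts above, otherwise the
# signature is valid but the request is still denied.
provider "opensearch" {
  url               = "https://${aws_opensearch_domain.logs.endpoint}"
  aws_region        = "eu-west-1"
  aws_profile       = "dev"
  sign_aws_requests = true
  healthcheck       = false
}
```

Before applying, check which principal the profile actually yields with `aws sts get-caller-identity --profile dev`; the returned ARN should be the assumed-role form of the `AWSReservedSSO_...` role, and it is that role name (not the user's email or the permission set) that has to match `master_user_arn` or the access policy. If the domain already exists and was created with a different master user, the alternative is to add a role mapping (for example to `all_access`) for the SSO role ARN while authenticated as the current master user, since the mapping API is itself subject to fine-grained access control.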
That's exactly what I was missing, thanks!
Do you think it's worth mentioning in the provider configuration section?
It's got nothing to do with the provider in the end, but I'm wondering if it's relevant.
Thanks @rblcoder. Also @falcocoris, this is more related to how the AWS OpenSearch domain is created with properly working SSO settings; adding it to the Terraform provider docs seems to me like it deviates from the scope of the Terraform provider. The provider is cloud-agnostic; it targets OpenSearch at any given endpoint. Also I feel that SSO configuration with AWS OpenSearch should be part of the AWS docs. WDYT @falcocoris @rblcoder @bbarani?
Also @falcocoris, if you still think it's better to add a one-liner about this SSO setup (when using AWS OpenSearch), please feel free to raise a PR.
Thanks
@falcocoris, adding it to the OpenSearch Terraform provider documentation would deviate from its scope as it is something we are configuring in AWS. Do contribute a line on SSO configuration for AWS OpenSearch by submitting a PR, if you believe it should be there.
What is the bug?
The provider does not take into account the AWS_PROFILE environment variable when using aws_assume_role_arn. Instead, we must explicitly set it in the provider config like this:
How can one reproduce the bug?
Remove aws_profile from the configuration above and do an export AWS_PROFILE=management. That will result in:
What is the expected behavior?
Override the aws_profile setting in the provider configuration, if any.
What is your host/environment?
Ubuntu 22.04