opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[BUG] Environment variable AWS_PROFILE, AWS_ACCESS_KEY_ID and AWS_ACCES_KEY not respected with aws_assume_role_arn #99

Open andrejvanderzee opened 11 months ago

andrejvanderzee commented 11 months ago

What is the bug?

The provider does not take into account the AWS_PROFILE environment variable when using aws_assume_role_arn. Instead, we must explicitly set it in the provider config like this:

provider "opensearch" {
  url                 = var.opensearch_url
  healthcheck         = "false"
  aws_region          = "eu-west-1"
  aws_assume_role_arn = "arn:aws:iam::****:role/opensearch-master"
  aws_profile         = "management"
}

How can one reproduce the bug?

Remove aws_profile from the configuration above and do an export AWS_PROFILE=management. That will result in:

│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│   For verbose messaging see aws.Config.CredentialsChainVerboseErrors

What is the expected behavior?

Override the aws_profile setting in the provider configuration, if any.

What is your host/environment?

Ubuntu 22.04

andrejvanderzee commented 11 months ago

The same holds for using the aws_assume_role_arn with environment variables AWS_ACCESS_KEY_ID and AWS_ACCES_KEY. Only via the ~/.aws/credentials file it works.

peterzhuamazon commented 10 months ago

@prudhvigodithi to take a look on this.

prudhvigodithi commented 10 months ago

@massimob76 @ekirmayer can you please add your thoughts? Thank you

massimob76 commented 10 months ago

@prudhvigodithi @andrejvanderzee that should be fixed by #87

estebane-frb commented 10 months ago

Hi @prudhvigodithi I just tried release 2.1.0 and unfortunately am still getting this error:

[INFO] Failed to put role mapping: NoCredentialProviders: no valid providers in chain. Deprecated.

This is my current provider setup.

provider "opensearch" {
  url                 = var.opensearch_url
  aws_assume_role_arn = var.iam_role_to_assume
  aws_region          = var.region
  healthcheck         = false
  sign_aws_requests   = true
}

prudhvigodithi commented 10 months ago

Thanks @estebane-frb for the feedback, adding @massimob76 @rblcoder to please take a look and help @estebane-frb to fix the issue.

rblcoder commented 10 months ago

I am able to specify AWS profile both using

provider "opensearch" {
  url                         = "url"
  healthcheck                 = "false"
  aws_region                  = "region"
  aws_profile                 = "dev"
  aws_assume_role_arn         = "role arn"
  aws_assume_role_external_id = "external id"
  version_ping_timeout        = "10"
}

as well as

export AWS_PROFILE=dev

and

provider "opensearch" {
  url                         = "url"
  healthcheck                 = "false"
  aws_region                  = "region"
  aws_assume_role_arn         = "role arn"
  aws_assume_role_external_id = "external id"
  version_ping_timeout        = "10"
}

falcocoris commented 5 months ago

I can't get it to work, I'm getting the following error:

│ Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

I can make it work using access keys or basic auth, but it doesn't meet our security requirements, which are using IAM Identity Center.

Any idea what's wrong here? Either it isn't using the profile, or there's a missing link somewhere behind that (I'm thinking of the application layer of IAM Identity Center).

rblcoder commented 5 months ago

@falcocoris could you please share the Terraform OpenSearch provider configuration you are using?

falcocoris commented 5 months ago

provider "opensearch" {
  url                  = "https://vpc-blabla.eu-west-1.es.amazonaws.com"
  aws_region           = "eu-west-1"
  healthcheck          = false
  version_ping_timeout = "10"
}

and my aws config file is like this:

[default]
sso_session = mycompany
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
region = eu-west-1
[sso-session mycompany]
sso_start_url = https://blabla.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[profile dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
[dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess

There are some duplicates here as I was trying to force using an explicit profile etc, anyways, nothing worked.
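As an added example (my code, not from this thread or from the provider): a small Python checker that walks the resolution order the original report asks for (the provider's aws_profile, then the AWS_PROFILE environment variable, then the default profile) and validates the shape of an ~/.aws/config file like the one posted above. The sample config is constructed with placeholder account ids. The two checks it applies are the ones worth running before blaming the provider: in the config file every named profile must be written as [profile NAME] (a bare [dev] section is ignored there, it is only valid in ~/.aws/credentials), and an sso_session value must point at an existing [sso-session NAME] block. Run against the sample, the default profile passes, the dev profile is flagged because it references a session named enlaps that is never defined, and the bare [dev] section is reported as ignored.

```python
import configparser
import os

# Constructed sample in the shape of the ~/.aws/config posted above (placeholder ids, not real data).
SAMPLE_AWS_CONFIG = """\
[default]
sso_session = mycompany
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = eu-west-1
[sso-session mycompany]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[profile dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
[dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
"""


def parse_aws_config(text):
    # Only '=' separates keys; ':' occurs inside values such as sso:account:access.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def select_profile(explicit=None, env=None):
    """Resolution order the reporter expects: provider aws_profile, then AWS_PROFILE, then 'default'."""
    env = os.environ if env is None else env
    return explicit or env.get("AWS_PROFILE") or "default"


def config_section_for(profile):
    # In ~/.aws/config every profile except the default is written as [profile NAME].
    return "default" if profile == "default" else f"profile {profile}"


def stray_sections(cp):
    """Sections that look like profiles but lack the 'profile ' prefix, so ~/.aws/config ignores them."""
    known_prefixes = ("profile ", "sso-session ", "services ")
    return [s for s in cp.sections() if s != "default" and not s.startswith(known_prefixes)]


def check_profile(cp, profile):
    """Return the findings that would stop the credential chain from resolving this profile."""
    findings = []
    section = config_section_for(profile)
    if not cp.has_section(section):
        if profile in stray_sections(cp):
            findings.append(f"[{profile}] is ignored in ~/.aws/config; rename it to [{section}]")
        else:
            findings.append(f"profile '{profile}' has no [{section}] section")
        return findings
    sec = cp[section]
    if "sso_session" in sec:
        session = f"sso-session {sec['sso_session']}"
        if not cp.has_section(session):
            findings.append(
                f"[{section}] references sso_session '{sec['sso_session']}' "
                f"but there is no [{session}] section"
            )
        for key in ("sso_account_id", "sso_role_name"):
            if key not in sec:
                findings.append(f"[{section}] is missing {key}")
    elif not any(k in sec for k in ("source_profile", "credential_process",
                                    "credential_source", "aws_access_key_id")):
        # Not an error by itself: static keys may live in the environment or ~/.aws/credentials.
        findings.append(f"[{section}] has no credential source; credentials must come "
                        "from the environment or ~/.aws/credentials")
    return findings


def diagnose(text, explicit=None, env=None):
    """Resolve the profile the same way the provider should, then validate it."""
    cp = parse_aws_config(text)
    profile = select_profile(explicit, env)
    return profile, check_profile(cp, profile), stray_sections(cp)


if __name__ == "__main__":
    for env in ({}, {"AWS_PROFILE": "dev"}):
        profile, findings, stray = diagnose(SAMPLE_AWS_CONFIG, env=env)
        print(f"profile={profile} findings={findings or 'none'} stray_sections={stray}")
```

To check a real file, read ~/.aws/config into the text argument and pass the provider's aws_profile as explicit; an empty findings list for the selected profile means the credential chain at least has a well-formed profile to start from.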

rblcoder commented 5 months ago

@falcocoris Using SSO works when OpenSearch allows access to the role ARN created by IAM Identity Center

arn:aws:iam::aws-account-ID:role/aws-reserved/sso.amazonaws.com/aws-region/AWSReservedSSO_permission-set-name_unique-suffix

https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html
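An added example (mine, not from this thread or from the provider) for the missing link described above: given the STS assumed-role ARN that an Identity Center session presents (the form aws sts get-caller-identity prints) and the list of principals the OpenSearch domain allows, rebuild the IAM role ARN in the aws-reserved/sso.amazonaws.com form quoted above and check whether it is covered. The sample ARNs and allowed list are constructed with placeholder values. A '*' in an allowed entry stands in for the unique suffix, as in an ArnLike condition; a fine-grained access control role mapping needs the exact ARN, which is why the function returns it.

```python
import fnmatch

SSO_ROLE_PATH = "aws-reserved/sso.amazonaws.com"

# Constructed sample values (placeholder account id and suffix, not real data).
SAMPLE_ACCOUNT = "111111111111"
SAMPLE_REGION = "eu-west-1"
SAMPLE_STS_ARN = (f"arn:aws:sts::{SAMPLE_ACCOUNT}:assumed-role/"
                  "AWSReservedSSO_AdministratorAccess_0123456789abcdef/alice")


def sso_role_arn_pattern(account_id, region, permission_set):
    """ARN pattern for the role Identity Center creates for a permission set.
    The unique suffix is only known once the role exists, so it is left as a '*' glob."""
    return (f"arn:aws:iam::{account_id}:role/{SSO_ROLE_PATH}/{region}/"
            f"AWSReservedSSO_{permission_set}_*")


def iam_role_arn_from_sts(sts_arn, region):
    """Rebuild the IAM role ARN from an STS assumed-role ARN.
    STS ARNs carry no role path, so the Identity Center region is needed to restore it.
    Roles outside Identity Center are assumed to sit at the root path (assumption)."""
    prefix = "arn:aws:sts::"
    if not sts_arn.startswith(prefix):
        raise ValueError("not an STS ARN")
    account, _, resource = sts_arn[len(prefix):].partition(":")
    kind, _, tail = resource.partition("/")
    if kind != "assumed-role" or "/" not in tail:
        raise ValueError("not an assumed-role ARN")
    role_name = tail.split("/", 1)[0]
    if role_name.startswith("AWSReservedSSO_"):
        return f"arn:aws:iam::{account}:role/{SSO_ROLE_PATH}/{region}/{role_name}"
    return f"arn:aws:iam::{account}:role/{role_name}"


def is_allowed(role_arn, allowed):
    """Glob-style match so an entry may use '*' for the unknown unique suffix."""
    return any(fnmatch.fnmatchcase(role_arn, entry) for entry in allowed)


def diagnose(sts_arn, region, allowed):
    """Return (allowed, IAM role ARN) so the caller knows exactly which ARN must be mapped."""
    role_arn = iam_role_arn_from_sts(sts_arn, region)
    return is_allowed(role_arn, allowed), role_arn


if __name__ == "__main__":
    allowed = [
        f"arn:aws:iam::{SAMPLE_ACCOUNT}:role/opensearch-master",
        sso_role_arn_pattern(SAMPLE_ACCOUNT, SAMPLE_REGION, "AdministratorAccess"),
    ]
    ok, arn = diagnose(SAMPLE_STS_ARN, SAMPLE_REGION, allowed)
    print("mapped:" if ok else "403 expected, map this principal:", arn)
```

When the check comes back False, the second element is the ARN to add to the domain access policy or to the backend roles of the OpenSearch role mapping; the HTTP 403 in the thread is what the domain returns while that ARN is absent.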

falcocoris commented 5 months ago

ARN

That's exactly what I was missing, thx!

Do you think it's worth mentioning in the provider configuration section?

It's got nothing to do with the provider in the end, but wondering if it's relevant.

prudhvigodithi commented 5 months ago

Thanks @rblcoder. Also @falcocoris, this is more related to how the AWS OpenSearch is created with proper working SSO settings; adding it in the Terraform provider docs seems to me like it's deviating from the scope of the Terraform provider. The provider is cloud-agnostic; it targets to work for OpenSearch for any given endpoint. Also I feel that SSO configuration with AWS OpenSearch should be part of AWS docs, WDYT @falcocoris @rblcoder @bbarani?

Also @falcocoris, if you still think it's better to add a one-liner about this SSO setup (when used with AWS OpenSearch), please feel free to raise a PR.

Thanks

rblcoder commented 5 months ago

@falcocoris, adding it to the OpenSearch Terraform provider documentation would deviate from its scope as it is something we are configuring in AWS. Do contribute a line on SSO configuration for AWS OpenSearch by submitting a PR, if you believe it should be there.