wata727 / packer-plugin-amazon-ami-management

Packer post-processor plugin for Amazon AMI management
Mozilla Public License 2.0

Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials #347

Open choonming opened 1 year ago

choonming commented 1 year ago

I've been trying to get the plugin to work with my packer template. I'm using the Amazon EBS provider for my build and it works successfully with the assume role. However, when it comes to the post-provisioner stage, I get the following error saying invalid credentials when it is working on the builder.

source "amazon-ebs" "amazon-linux" {
  ami_name            = "${var.ami_prefix}-${var.type}-{{ timestamp }}"
  ami_regions         = var.ami_regions
  instance_type       = var.instance_type
  region              = var.primary_region
  source_ami          = data.amazon-ami.amazon-linux.id
  ebs_optimized       = true
  ena_support         = true
  enable_t2_unlimited = false

  ssh_interface        = "session_manager"
  ssh_username         = "ec2-user"
  pause_before_ssm     = "30s"
  iam_instance_profile = "packer-imagebuilder-ssm"

  vpc_filter {
    filters = {
      "tag:Name" : "packer-imagebuilder",
      "isDefault" : "false",
    }
  }

  subnet_filter {
    filters = {
      "tag:Name" = "packer-imagebuilder-private-${var.primary_region}a"
    }
    most_free = true
    random    = true
  }

  assume_role {
    role_arn     = var.deployment_role_arn
    session_name = "packer-imagebuilder"
  }
}

build {
  sources = [
    "source.amazon-ebs.amazon-linux"
  ]

  post-processor "amazon-ami-management" {
    regions       = concat([var.primary_region], var.ami_regions)
    identifier    = "${var.ami_prefix}-${var.type}-"
    keep_releases = 3

    assume_role {
      role_arn     = var.deployment_role_arn
      session_name = "packer-imagebuilder"
    }
  }
}

2023/01/04 12:39:50 [INFO] (telemetry) ending amazon-ebs.amazon-linux
2023/01/04 12:39:50 [INFO] (telemetry) Starting post-processor amazon-ami-management
==> amazon-ebs.amazon-linux: Running post-processor:  (type amazon-ami-management)
    amazon-ebs.amazon-linux (amazon-ami-management): Processing in af-south-1
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 Running the post-processor
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "EnvProvider"
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] Attempting to AssumeRole arn:aws:iam::xxxxxx:role/packer (SessionName: "packer-imagebuilder", ExternalId: "")
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 Found region eu-west-1
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "AssumeRoleProvider"
2023/01/04 12:39:53 [INFO] (telemetry) ending amazon-ami-management
2023/01/04 12:39:53 Deleting original artifact for build 'amazon-ebs.amazon-linux'
2023/01/04 12:39:53 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 error: AuthFailure: AWS was not able to validate the provided access credentials
2023/01/04 12:39:53 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin:    status code: 401, request id: d36201a0-eded-457c-815c-af2f417870e4
2023/01/04 12:39:53 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 Deregistering image ID (ami-04bc46ae4f51f43db) from region (af-south-1)
2023/01/04 12:39:58 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:58 Deregistered AMI id: ami-04bc46ae4f51f43db
2023/01/04 12:39:59 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:59 Deleted snapshot: snap-00c57b2db9bc56025
2023/01/04 12:39:59 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:59 Deregistering image ID (ami-008353bfaf323c514) from region (ap-southeast-1)
2023/01/04 12:40:04 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:04 Deregistered AMI id: ami-008353bfaf323c514
2023/01/04 12:40:06 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:06 Deleted snapshot: snap-0bec51acca6efcde6
2023/01/04 12:40:06 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:06 Deregistering image ID (ami-0bdf2163907803ea4) from region (eu-west-1)
2023/01/04 12:40:09 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:09 Deregistered AMI id: ami-0bdf2163907803ea4
Build 'amazon-ebs.amazon-linux' errored after 11 minutes 38 seconds: 1 error(s) occurred:

* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
    status code: 401, request id: xxxxx

==> Wait completed after 11 minutes 38 seconds

==> Some builds didn't complete successfully and had errors:

--> amazon-ebs.amazon-linux: 1 error(s) occurred:
* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials

    status code: 401, request id: xxxxxxx
==> Wait completed after 11 minutes 38 seconds
2023/01/04 12:40:10 machine readable: error-count []string{"1"}
==> Some builds didn't complete successfully and had errors:
2023/01/04 12:40:10 machine readable: amazon-ebs.amazon-linux,error []string{"1 error(s) occurred:\n\n* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials\n\tstatus code: 401, request id: * Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
    status code: 401, request id: xxxxxxx

==> Builds finished but no artifacts were created.
xxxxxxx"}

* Post-processor failed: AuthFailure: AWS was not able to validate the provided access credentials
    status code: 401, request id: xxxxxx
==> Builds finished but no artifacts were created.
2023/01/04 12:40:10 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:40:10 Deleted snapshot: snap-013963d646f90692f
2023/01/04 12:40:10 [INFO] (telemetry) Finalizing.
2023/01/04 12:40:11 waiting for all plugin processes to complete...
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/wata727/amazon-ami-management/packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64: plugin process exited
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64: plugin process exited
2023/01/04 12:40:11 /Users/choon_ming_goh/.config/packer/plugins/github.com/hashicorp/amazon/packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64: plugin process exited

wata727 commented 1 year ago

This error seems to occur when using an old STS token. https://aws.amazon.com/premiumsupport/knowledge-center/iam-validate-access-credentials

The last release was over a year ago, so it's possible that only tokens issued by the post processor are still version 1.
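
Added example (not part of the original thread or the plugin's code): a small triage of a Packer debug log that attributes each plugin error line to the plugin binary, its version, the region being processed and the credential providers it logged. The log lines are a constructed excerpt in the format quoted in the issue; OPT_IN_REGIONS, triage and the suspect_v1_token hint are assumptions of this example, the hint resting on the fact that version 1 STS session tokens are not accepted in opt-in regions such as af-south-1.

```python
import re

# Constructed sample, abridged from the log format quoted in the issue above.
SAMPLE_LOG = """\
    amazon-ebs.amazon-linux (amazon-ami-management): Processing in af-south-1
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "EnvProvider"
2023/01/04 12:39:51 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:51 [INFO] AWS Auth provider used: "AssumeRoleProvider"
2023/01/04 12:39:53 packer-plugin-amazon-ami-management_v1.2.0_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 error: AuthFailure: AWS was not able to validate the provided access credentials
2023/01/04 12:39:53 packer-plugin-amazon_v1.1.6_x5.0_darwin_arm64 plugin: 2023/01/04 12:39:53 Deregistering image ID (ami-04bc46ae4f51f43db) from region (af-south-1)
"""

# Assumption: partial list of opt-in regions; check the account's own region settings.
OPT_IN_REGIONS = {"af-south-1", "ap-east-1", "eu-south-1", "me-south-1"}

PLUGIN_LINE = re.compile(
    r"^\S+ \S+ packer-plugin-(?P<name>[a-z0-9-]+)_v(?P<ver>[\d.]+)_\S+ plugin: "
    r"(?:\d{4}/\d\d/\d\d \d\d:\d\d:\d\d )?(?P<msg>.*)$")
REGION_LINE = re.compile(
    r"\((?P<pp>[a-z0-9-]+)\): Processing in (?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)")
PROVIDER = re.compile(r'AWS Auth provider used: "(\w+)"')
ERROR = re.compile(r"^error: (?P<code>\w+): ")


def triage(log):
    """Return one finding per plugin error line: who failed, where, with which creds."""
    region_by_pp, providers, findings = {}, {}, []
    for line in log.splitlines():
        if (m := REGION_LINE.search(line)):
            region_by_pp[m["pp"]] = m["region"]  # UI line names the post-processor
            continue
        if not (m := PLUGIN_LINE.match(line)):
            continue
        name, msg = m["name"], m["msg"]
        if (p := PROVIDER.search(msg)):
            providers.setdefault(name, []).append(p[1])
        elif (e := ERROR.match(msg)):
            region = region_by_pp.get(name)
            chain = providers.get(name, [])
            findings.append({
                "plugin": name, "version": m["ver"], "region": region,
                "error": e["code"], "providers": chain,
                # Hint only: AuthFailure on assumed-role creds in an opt-in region
                # matches the old (version 1) STS token case described above.
                "suspect_v1_token": e["code"] == "AuthFailure"
                and region in OPT_IN_REGIONS and "AssumeRoleProvider" in chain,
            })
    return findings
```

On the sample, the single finding points at amazon-ami-management v1.2.0 in af-south-1, not at the amazon builder plugin whose lines surround it in the log.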

wata727 commented 1 year ago

v1.3.1 has been released. Please try this version. https://github.com/wata727/packer-plugin-amazon-ami-management/releases/tag/v1.3.1