InvalidClientTokenId error when creating IAM role with vault credentials and terraform #266
Comments
Sounds like you are missing MFA |
Ok I added MFA and a role according to the Usage documentation. Now my .tf file looks like this:
And my ~/.aws/config file:
I added the "deployment_user" access key and secret to the vault. What policy does the "deployment_user" need to assume the "deployment" Role? I tried this:
But get an error:
I copied role ARN from the "deployment" role via the AWS console, and I just added the AWS secret and key for "deployment_user" to the vault in a fresh bash session. So the user credentials must not have the right permissions. Any ideas? |
You seem to be misunderstanding how aws-vault works. |
I get that. I'm trying to use the "deployment_user" IAM account to assume the "deployment" role. But I am not defining the "deployment_user" with the right credentials to assume the "deployment" role.
…On Mon, Jul 9, 2018 at 11:53 PM Fernando Miguel ***@***.***> wrote:
You seem to be misunderstanding how aws-vault works.
Aws-vault assumes a role using an IAM account.
Your terraform then has a provider that runs under that role, or has a
provider (or alias) to assume yet another role.
Here's an example
https://github.com/FernandoMiguel/kb/blob/master/PortoLinux/ET-2017Dez/terraform/main.tf
|
AWS requires using an MFA to perform IAM operations with an assumed role, and you should not specify the profile in the TF file. |
I'm using MFA. I tried again without the profile in the TF file and still get the error.
|
What does this give:
Make sure to remove the creds when posting 😉 |
@skeller88 I just saw your
|
Can we DM? I'm on gmail at skeller88[at]gmail[dot]com |
What's the difference between "source_profile" and the first line of the ~/.aws/config file that has "profile" in it? I'm referring to
Should I be giving the profile name a different name? I executed the sts command:
I'm copying the format of the tf file in #262. Once the file content is right and I can properly assume the role with aws-vault, I'll want Terraform to assume that role as well. Here's my understanding of the aws-vault process from the documentation:
Do you see anything I'm doing wrong? |
All your understanding is perfectly right. The source profile is the profile credentials used for assuming the role. Sorry, email is real hard to follow up |
Ok. How about telegram or discord? I'm pretty stuck on this and would love to use aws-vault as a tool.
…On Tue, Jul 10, 2018 at 11:55 AM Noel Georgi ***@***.***> wrote:
All your understanding is perfectly right. The source profile is the profile credentials used for assuming the role. Sorry, email is real hard to follow up
|
slack? |
Sure.
…On Tue, Jul 10, 2018 at 10:18 PM Noel Georgi ***@***.***> wrote:
slack?
|
I'm available on the k8s and chef slack channels |
From the error message
you already assumed into a role. Run:
|
I get the following response. The Account matches my account and the Arn matches the "deployment_user" Arn, but the UserId does not match any of the access key IDs for "deployment_user".
{
"UserId": "[deployment_user access id]",
"Account": "[account]",
"Arn": "arn:aws:iam::[account]:user/deployment_user"
}
…On Wed, Jul 11, 2018 at 11:31 AM Scott Piper ***@***.***> wrote:
From the error message An error occurred (AccessDenied) when calling the
AssumeRole operation: User:
arn:aws:sts::[account]:assumed-role/deployment/[id] is not authorized to
perform: sts:AssumeRole on resource: arn:aws:iam::[account]:role/deployment
you already assumed into a role.
Run:
aws-vault exec deployment_user -- aws sts get-caller-identity
|
Don't worry about the |
I would guess the issue is layering of an STS session and then trying to assume a role with that.
AWS has complicated rules about chaining temporary credentials together with assuming roles, or assuming roles from other roles. If you really want, you can disable the session that In terms of your specific problem, I'd suggest troubleshooting it by getting the simplest config you can working and then adding complexity to it. Start without Terraform, get Note that your config should look something like:
The |
Here's what I've tried: Deleted my
Even though I added the "IAMFullAccess" policy to the "test" user permissions, the following command still fails with the same error I saw at the start of this issue:
I debugged all of the requests and looked at what's different between the aws iam request and the other requests. The session token is the same. I don't see any noticeable differences other than the fact that the request is denied in the iam case. I'm able to access iam without aws-vault.
Here's my
Anything else I could try? |
yes that is the expected behaviour. AWS does not allow IAM operations with an assumed role unless it's authenticated with an MFA |
I fixed my issue last week. Thanks everyone for the help. I solved it by authenticating the IAM role with MFA, and taking out the "role_arn" section of the aws provider in my .tf file. |
Just so I better understand -- |
@geoffreywiseman yes, unless you use --no-session |
Ok, thanks. I also found this issue, #455, which also set me on a good path (in case anyone else ends up looking at this issue). I added |
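The thread resolves to two checks a practitioner ends up doing by hand: confirm that the role profile in ~/.aws/config has a source_profile and an mfa_serial (the missing MFA is what caused the IAM denials above), and read the ARN from `aws sts get-caller-identity` to tell whether the credentials in play are a plain IAM user or an already-assumed role (the `arn:aws:sts::…:assumed-role/…` form in the AccessDenied error above). The script below is an added example, not code from the aws-vault project or from anyone in this thread; the config text, the account id 123456789012, the role and MFA ARNs and the function names are constructed for illustration. The profile names "deployment_user" and "deployment" are taken from the thread.

```python
import configparser
import re

# Constructed ~/.aws/config in the shape discussed in this thread: a plain
# credential profile and a role profile that chains off it but has no
# mfa_serial. Account id and ARNs are placeholders, not real values.
CONFIG_WITHOUT_MFA = """
[profile deployment_user]
region = us-east-1

[profile deployment]
source_profile = deployment_user
role_arn = arn:aws:iam::123456789012:role/deployment
"""

# The same config with the mfa_serial the thread says is required for IAM
# operations through an assumed role (placeholder MFA device ARN).
CONFIG_WITH_MFA = CONFIG_WITHOUT_MFA + \
    "mfa_serial = arn:aws:iam::123456789012:mfa/deployment_user\n"


def load_profiles(config_text):
    """Parse ~/.aws/config text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        # ~/.aws/config names sections "profile X"; "default" has no prefix.
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def lint_profiles(profiles):
    """Return (profile, message) findings for role profiles that are likely
    to produce the AccessDenied / InvalidClientTokenId errors seen here."""
    findings = []
    for name, p in profiles.items():
        if "role_arn" not in p:
            continue  # plain credential profile; nothing to chain
        src = p.get("source_profile")
        if not src:
            findings.append((name, "role_arn set but no source_profile"))
        elif src not in profiles:
            findings.append((name, f"source_profile {src!r} is not defined"))
        elif "role_arn" in profiles[src]:
            # Role assumed from another role: temporary credentials get
            # layered, which is the chaining problem raised in the thread.
            findings.append((name, f"source_profile {src!r} is itself a role profile"))
        if "mfa_serial" not in p:
            findings.append((name, "no mfa_serial; IAM operations through this "
                                   "role will be denied (or use --no-session)"))
    return findings


# Caller-identity ARN shapes, as in the thread's get-caller-identity output
# and its AccessDenied message.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
IAM_USER_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/(.+)$")


def classify_caller(arn):
    """Return ('assumed-role', role_name), ('user', user_name) or
    ('unknown', None) for an ARN from `aws sts get-caller-identity`."""
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return ("assumed-role", m.group(2))
    m = IAM_USER_RE.match(arn)
    if m:
        return ("user", m.group(2))
    return ("unknown", None)


if __name__ == "__main__":
    for label, text in (("without MFA", CONFIG_WITHOUT_MFA), ("with MFA", CONFIG_WITH_MFA)):
        print(f"config {label}:")
        for profile, msg in lint_profiles(load_profiles(text)) or [("-", "no findings")]:
            print(f"  {profile}: {msg}")
    print(classify_caller("arn:aws:sts::123456789012:assumed-role/deployment/session"))
```

Run it against your own file by replacing the constructed text with `open(os.path.expanduser("~/.aws/config")).read()`; an "assumed-role" classification of the identity you get from `aws-vault exec deployment_user -- aws sts get-caller-identity` means the profile is already assuming a role before Terraform adds its own.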
OS: 10.13.4 (High Sierra)
Terraform version: v0.11.7
provider.aws: v1.26.0
The problem:
When I attempt to create an IAM role via terraform while using vault credentials for a user called "terraform", a 403 error occurs.
Here are the terraform debug logs just before the error:
I am able to successfully create the same IAM role via terraform by hardcoding the "terraform" user credentials into the provider definition in the .tf file.
tf file
~/.aws/config file
What I've tried
Creating other resources with the aws-vault credentials and terraform. I'm able to successfully create s3 buckets and a vpc.
It seems like the security token generated by aws-vault has different permissions than I'm expecting. But I'm not sure what additional debugging steps to take.
There's another issue that addresses security tokens, but I don't think the solution applies to me because the poster had two roles: #262