Terraform looks up wrong AWS Credentials in ECS #2700
Comments
@nocode99 related? hashicorp/terraform#8746

This is also an issue for me on I've resorted to manually setting the credentials this way: I've just recently upgraded my ECS agent, perhaps this could be a cause? It is only happening now after the upgrade.

I'm seeing the same behaviour with version
We have the task running with a Task ARN but it's still falling back to the EC2 IAM Role that's on the instance in the ECS cluster that the task is being run on.
We're currently using ECS Agent version

I'm observing a similar thing: When running terraform on an AWS instance, credentials in ~/.aws/config are ignored in favor of the instance profile. This seems to contradict the "credential provider chain" specified in https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html Unfortunately the workaround of setting the AWS_* environment variables does not work, since we use profiles with assumed roles from ~/.aws/config, and they don't get picked up when the AWS_ credentials are specified.

Have you tried using the
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

It does seem like the provider looks up the value of So perhaps it's just a precedence problem?

Hey folks, we're rolling out a fix in the next release that should take care of the credential precedence issues you were seeing. If there's still a problem after that, please open a new bug issue so we can look into the details. Thanks!

Closing as #10379 was merged previously and v2.32.0 has been released. 👍

This has been released in version 2.32.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

If you look at my issue from Vault, I'm experiencing similar issues with Terraform hashicorp/vault#2979
I'm trying to run terraform on jenkins slave nodes in ECS and I have verified it is trying to get permissions from the host. I use KMS key and kept getting access denied and when I gave my EC2 instance permissions to it as a test, it was able to use the KMS key in the remote state config.
Terraform Version
0.10.5
Providers: 1.4.0, 1.5.0
Affected Resource(s)
Everything :)
Expected Behavior
When using terraform in ECS, it should be looking up the credentials for the ECS Task Role ARN and not the instance profile of the EC2 instance
Actual Behavior
Terraform tries to use the credentials of the EC2 instance profile
Important Factoids
This issue was happening in 0.8.7 and I lazily just set static credentials for the time being and rotated them routinely. Based on the linked Vault issue, this is the way the Go SDK handles environment variables.
References
hashicorp/vault#2979
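
One way to confirm, from inside the task container, whether a process is running with the ECS task role or has fallen back to the EC2 instance profile as this issue describes (an added example, not code from the thread or from the Terraform provider). The function names, the `--check` flag, the file name `check-role.sh` and the sample ARNs are assumptions; `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is the variable ECS sets in the container to advertise task-role credentials.

```shell
#!/bin/sh
# Added example: classify the identity a process inside an ECS task resolved.
# ARNs shown in comments are constructed samples.

# Role name from an STS caller ARN shaped like
#   arn:aws:sts::123456789012:assumed-role/<role-name>/<session-name>
# Fails (status 1) for any other shape, e.g. an IAM user ARN.
role_from_arn() (
  case "$1" in
    arn:aws*:sts::*:assumed-role/*/*)
      rest=${1#*:assumed-role/}
      printf '%s\n' "${rest%%/*}" ;;
    *) exit 1 ;;
  esac
)

# classify_identity <caller-arn> <expected-task-role-name>
# Prints task-role, instance-profile or unexpected.
classify_identity() (
  arn=$1; expected=$2
  if ! role=$(role_from_arn "$arn"); then
    echo unexpected
  elif [ "$role" = "$expected" ]; then
    echo task-role
  else
    # Instance-profile sessions are named after the EC2 instance ID (i-...).
    case "${arn##*/}" in
      i-[0-9a-f]*) echo instance-profile ;;
      *) echo unexpected ;;
    esac
  fi
)

# check <expected-task-role-name> [caller-arn]
# Without an ARN, asks the AWS CLI, whose lookup order may differ from the
# Terraform provider's. Exit status 0 only when the task role is in use.
check() (
  if [ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    echo "warn: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is unset in this process" >&2
  fi
  arn=${2:-$(aws sts get-caller-identity --query Arn --output text)} || exit 2
  verdict=$(classify_identity "$arn" "$1")
  echo "$verdict $arn"
  [ "$verdict" = task-role ]
)

# Runs only when called as: sh check-role.sh --check <role-name> [caller-arn]
if [ "${1:-}" = "--check" ]; then check "${2:?role name required}" "${3:-}"; fi
```

Passing the ARN reported by Terraform itself (for example from an `aws_caller_identity` data source output) as the optional third argument checks what the provider resolved rather than what the AWS CLI resolved.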