terraform backend s3 not working with mfa profile and assume role #17530
Comments
@RaviKumar1209 here is my solution:
~/.aws/credentials:
terraform:
This works. I run the Once the mfa script updates the I backed up my state file with a putting the Hope this helps!
This is my custom script to issue an STS token using an AWS profile credential and set another AWS profile credential with the result. Example of usage:

#!/bin/bash
# Issue an STS session token (with MFA) using the credentials of one AWS CLI
# profile and write the resulting temporary credentials into another profile,
# so that tools such as terraform can use that second profile without an MFA prompt.
set -euo pipefail

script_name=$(basename "$0")
text_bold=$(tput bold 2>/dev/null || true)
text_normal=$(tput sgr0 2>/dev/null || true)

showHelp() {
    echo -e "${script_name}

${text_bold}DESCRIPTION${text_normal}
    Issue an STS session token using the credentials of one AWS profile and
    store the resulting temporary credentials in another AWS profile
    (written with 'aws configure set').

    See '${script_name} help' for descriptions of global parameters.

${text_bold}SYNOPSIS${text_normal}
    ${script_name}
    [--profile-mfa <value>]
    [--profile-set <value>]
    [--duration-seconds <value>]
    [--serial-number <value>]
    [--token-code <mfa-code>]

${text_bold}EXAMPLES${text_normal}
    Issue an STS token using the example.mfa profile to set the example profile

        \$ ${script_name} --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user

        \$ ${script_name} --profile-mfa example.mfa --profile-set example --duration-seconds 129600 --serial-number arn:aws:iam::000000000000:mfa/iam_user --token-code 000000
" | less
}

profile_mfa=""
profile_set=""
duration_seconds=""
serial_number=""
token_code=""

if (( $# == 0 )); then
    showHelp
    exit 1
fi

# Every option takes a value; ${2:?...} aborts with a message when it is missing.
while [[ $# -gt 0 ]]; do
    case "$1" in
        --profile-mfa )      profile_mfa="${2:?missing value for $1}"; shift ;;
        --profile-set )      profile_set="${2:?missing value for $1}"; shift ;;
        --duration-seconds ) duration_seconds="${2:?missing value for $1}"; shift ;;
        --serial-number )    serial_number="${2:?missing value for $1}"; shift ;;
        --token-code )       token_code="${2:?missing value for $1}"; shift ;;
        help | --help | -h ) showHelp; exit 0 ;;
        * )                  showHelp; exit 1 ;;
    esac
    shift
done

# Write to the "default" profile when no target profile is given.
[[ -n "${profile_set}" ]] || profile_set="default"

# Prompt for the MFA code when it was not passed on the command line.
if [[ -z "${token_code}" ]]; then
    read -r -p "Enter token code: " token_code
    if [[ -z "${token_code}" ]]; then
        echo "--token-code is required" >&2
        exit 1
    fi
fi

# Build the command as an array instead of eval-ing a string, so each value is
# passed as a single argument and is never re-parsed by the shell.
cmd=(aws sts get-session-token --output text
     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]')
if [[ -n "${profile_mfa}" ]];      then cmd+=(--profile "${profile_mfa}"); fi
if [[ -n "${duration_seconds}" ]]; then cmd+=(--duration-seconds "${duration_seconds}"); fi
if [[ -n "${serial_number}" ]];    then cmd+=(--serial-number "${serial_number}"); fi
cmd+=(--token-code "${token_code}")

# Text output is one tab-separated line: <AccessKeyId> <SecretAccessKey> <SessionToken>
result=$("${cmd[@]}") || exit 1
read -r access_key_id secret_access_key session_token <<<"${result}"

if [[ -z "${session_token}" ]]; then
    echo "unexpected response from 'aws sts get-session-token'" >&2
    exit 1
fi

# Store the temporary credentials in the target profile.
aws configure set "profile.${profile_set}.aws_access_key_id"     "${access_key_id}"
aws configure set "profile.${profile_set}.aws_secret_access_key" "${secret_access_key}"
aws configure set "profile.${profile_set}.aws_session_token"     "${session_token}"
exit 0
I don't know if what I'm about to add is exactly the issue you're seeing here, @RaviKumar1209, but I think there is a correlation. If this is the case, then hopefully this is enough to truly fix the underlying issue rather than requiring working around terraform. At my place of business, we use an external MFA / SSO service to acquire an AWS STS token, ultimately to assume an AWS role, which is ultimately given to terraform for its use. If the control machine has never been initialized, everything works fine. Otherwise, we get the same 403 errors you mention above. By capturing low-level debug logging, it seems that MFA provided values:
Versus the ones from the tfstate file
Redacted log from terraform 0.12.28 showing the aws / s3 backend failing to merge the backend config:
Whenever I modified the execution to include
I am going to close this issue due to inactivity; there have been many changes to the s3 backend since this was originally opened. If you are still experiencing a problem in v0.13 and there isn't already an issue open that describes it, please open a new issue and fill out the issue template in full.
@mildwonkey: sorry, are you saying this isn't an issue in 0.13, or are we just closing this because HashiCorp is ignoring this?
Hi @andyfeller ! We're definitely not ignoring it and I will happily re-open this (I went on a bit of an old/duplicate issue closing spree yesterday and figured I'd make some mistakes). I closed this particular issue because:
But again, I can reopen this. My intent was not to ignore this and I am sorry that's what came across.
Thanks @mildwonkey for the explanation!
Hi, so I created a dev-backend.conf and a prod-backend.conf file with the content below. The main point that fixed this issue is passing the "role_arn" value in the S3 backend configuration. Define the content below in the dev-backend.conf and prod-backend.conf files:
Terraform initialise with the dev s3 bucket config, from local state to s3 state
Terraform apply using the dev environment variables file
Terraform initialise with the prod s3 bucket config, from local state to s3 state
Terraform apply using the prod environment variables file
Hi,
We are trying to use the s3 backend to store the terraform state file. We have 3 different accounts (each used as prod, dev and staging).
We have enabled MFA for IAM users. IAM user(s) can log in using MFA in one of these accounts and from there they use switch role to access resources in any of these accounts.
For example, we have an s3 bucket (e.g. s3-tfstate-bucket) in the dev account, and we are trying to store the tf state in the same bucket under a different key (path) for each account. We can only use an access key and secret key for dev, as we do not have IAM users for the other 2 accounts; we use switch role to access resources in the other accounts.
We use the assume role feature for the resources that we would like to launch in these accounts. For s3 we also thought to use assume role, but it is not working, hence we thought to use the access key and secret access key. We get the below error when trying to initialize the backend. Could you please advise how we should fix this?
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Error loading state: AccessDenied: Access Denied
status code: 403, request id: 327D810FBEFCE503
Here is the terraform code that we are using:
terraform {
  backend "s3" {
    bucket         = "s3-tfstate-bucket"
    key            = "dev/bastion/terraform.tfstate"
    dynamodb_table = "dynamodbtable-east-lock"
    region         = "us-east-1"
    encrypt        = "true"
    access_key     = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    secret_key     = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

provider "aws" {
  region                  = "us-east-1"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "dev-mfa"

  assume_role {
    role_arn = "arn:aws:iam::xxxxxxxxxxxxxxxxx:role/abcd"
  }
}

module "bastion" {
  source      = "../../.../../../modules/core/services/bastion"
  vpc_id      = "${var.vpc_id}"
  asg_subnets = ["${var.asg_subnets}"]
}
Regards,
Ravi
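The following is an added example, not the issue author's configuration and not the dev-backend.conf / prod-backend.conf files from the comment above; it applies that comment's fix (give the S3 backend a `role_arn` instead of static keys) to the setup described in this issue. Bucket, table, region, state key, the `dev-mfa` profile and the role name `abcd` are taken from the issue; the account IDs, the prod role ARN and the split into a partial `backend "s3" {}` block plus one .conf file per environment are assumptions. The block shows three files, separated by comments, and is a configuration fragment rather than a program.

```hcl
# --- main.tf (added example) ---
# Partial backend configuration: every setting comes from the file passed
# with `terraform init -backend-config=<env>-backend.conf`.
terraform {
  backend "s3" {}
}

# The provider's profile/assume_role settings are NOT used by the backend.
# The backend authenticates on its own, which is why a provider-level
# assume_role together with static backend keys still produced a 403.
provider "aws" {
  region  = "us-east-1"
  profile = "dev-mfa" # profile holding the MFA session credentials

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/abcd" # placeholder account id
  }
}

# --- dev-backend.conf (assumed contents) ---
bucket         = "s3-tfstate-bucket"
key            = "dev/bastion/terraform.tfstate"
dynamodb_table = "dynamodbtable-east-lock"
region         = "us-east-1"
encrypt        = true
# No access_key/secret_key here: whatever the backend is given is persisted
# in plaintext in .terraform/terraform.tfstate. Use the MFA session profile
# (for example written by the get-session-token script above) and let the
# backend assume the same role the provider uses.
profile  = "dev-mfa"
role_arn = "arn:aws:iam::111111111111:role/abcd" # placeholder account id

# --- prod-backend.conf (assumed contents) ---
bucket         = "s3-tfstate-bucket"
key            = "prod/bastion/terraform.tfstate"
dynamodb_table = "dynamodbtable-east-lock"
region         = "us-east-1"
encrypt        = true
profile  = "dev-mfa"
role_arn = "arn:aws:iam::222222222222:role/abcd" # placeholder prod account id
```

Before switching environments, confirm which identity the backend will use with `aws sts get-caller-identity --profile dev-mfa`; a long-expired session token shows up here as an error rather than as a 403 from S3 later. Then run `terraform init -backend-config=dev-backend.conf -reconfigure` followed by `terraform apply -var-file=dev.tfvars` (the tfvars name is an assumption), and the same pair with the prod files; `-reconfigure` forces the backend settings to be re-read instead of being merged with what `.terraform/terraform.tfstate` already holds. On Terraform 1.6 and later the top-level `role_arn` backend argument is deprecated in favour of an `assume_role { role_arn = "..." }` block inside the backend configuration.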