Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Terraform does not use IAM Role for ECS Task as credential provider #8746
This affects all AWS related command.
Terraform Configuration Files
It should work by using IAM Role for ECS Task.
It was using EC2 Instance Role which does not allow this action.
Error retrieving Target Group: AccessDenied: User: arn:aws:sts::872767853649:assumed-role/myrole/i-0223aeb98c19f2d0d
Steps to Reproduce
A little context to help the enhancement along. I ran into this while trying to run a terraform command from the new AWS CodeBuild service (which is running on an AWS hosted ECS cluster farm it seems).
In the newer versions of the AWS SDK, they've added one more "location" to scan for IAM keys to support IAM roles on docker containers.
The launched docker containers, if they have an IAM role, get passed an extra environment variable like this:
Since all the SDK's have been updated to scan this location as well as the usual paths, it just seems to work like magic when you run AWS commands.
This sample, and all the gory details are from here
Hopefully this is enough to get somebody going on the terraform enhancement. Any takers?
UPDATE: Of course, now that I just typed all that, it seems that if you are using the aws-sdk-go package, you just need to update the dependency version. These seem to be the minimums
I blogged about using Terraform within CodeBuild, which includes a workaround for this problem: https://www.ruempler.eu/2017/02/26/continuous-infrastructure-delivery-pipeline-aws-codepipeline-codebuild-terraform/
This may be a little off-topic, but here's my workaround for use with Jenkins Pipelines (Groovy)
Thanks for this feature request @iwat, and thanks to everyone else for the great info that followed.
Terraform is using the official Go SDK for AWS but is customizing the set of valid credential sources. To implement this I expect we would need to upgrade the SDK (assuming we didn't already do that for some other reason) and add one more credential provider to the list in the Terraform AWS provider.
Since this one is gated on the presence of an environment variable it should be safe to add without any unintended consequences for those not using ECS.
The Terraform team doesn't have any immediate plans to work on this but if someone else had the time or motivation we would love to review a PR!
I can confirm that terraform trying to assume the role of EC2's instead of ECS's
Below are some logs
terraform version: 0.12.21
I'm going to lock this issue because it has been closed for 30 days
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.