Terraform does not use IAM Role for ECS Task as credential provider #259

Closed
hashibot opened this issue Jun 13, 2017 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope.

Comments

@hashibot

This issue was originally opened by @iwat as hashicorp/terraform#8746. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.7.3

Affected Resource(s)

  • aws_alb_target_group
  • aws_security_group
  • a lot

This affects all AWS-related commands.

Terraform Configuration Files

resource "aws_security_group_rule" "demo_pri_ingress_vpn_service" {
    security_group_id = "${aws_security_group.demo_pri.id}"
    type = "ingress"

    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["${data.terraform_remote_state.infra.vpn-cidr_block}"]
}

Debug Output

https://gist.github.com/iwat/df0b0ebfe2f8db62adfd5953bfd6b92c

Panic Output

None

Expected Behavior

It should work by using IAM Role for ECS Task.
awscli works

Actual Behavior

It was using EC2 Instance Role which does not allow this action.

Error retrieving Target Group: AccessDenied: User: arn:aws:sts::872767853649:assumed-role/myrole/i-0223aeb98c19f2d0d

Steps to Reproduce

  • Set up an EC2 instance; do not grant it any critical IAM action.
  • Set up an ECS task; grant it the IAM actions required for testing.
  • Try the AWS CLI inside the running ECS task; it should work fine.
  • Run Terraform in the AWS ECS task.

Important Factoids

None

References

@hashibot hashibot added the enhancement Requests to existing resources that expand the functionality or scope. label Jun 13, 2017
fabienrenaud commented Jul 1, 2017

@stack72 This is still an issue on 0.9.10. Any hope of fixing this in the near future? Terraform should try getting the ECS credentials before the instance-profile credentials.
http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

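The ordering fabienrenaud describes (container credentials before the instance profile) is easy to get wrong and hard to notice, because the wrong order does not fail: the task simply runs with the host's role, which is exactly the AccessDenied seen in the original report. The block below is an added example, not the provider's or the AWS SDK's own code. It implements a minimal credential chain with the corrected order, a parser for the JSON document the ECS agent serves at http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, and a local stand-in for that agent so it runs offline. The type and function names, the stand-in instance-profile provider, and all credential values are assumptions constructed for the example; the example goes a little beyond the thread by also checking the document's Expiration field and falling back when the relative URI is unset.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Credentials mirrors the JSON the ECS agent serves at
// http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
type Credentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
	Source          string    `json:"-"` // example-only: which provider produced them
}

// Provider is the minimal shape of one credential source in a chain.
type Provider interface {
	Name() string
	Retrieve() (Credentials, error)
}

// ContainerProvider reads task-role credentials from the ECS agent endpoint.
// Base and RelativeURI are injected so the example can use a local stand-in
// instead of 169.254.170.2 (hypothetical design, not the SDK's).
type ContainerProvider struct {
	Base        string
	RelativeURI string
	Client      *http.Client
}

func (p ContainerProvider) Name() string { return "ecs-container" }

func (p ContainerProvider) Retrieve() (Credentials, error) {
	if p.RelativeURI == "" {
		// Not an ECS task with a task role: report "not available" so the chain moves on.
		return Credentials{}, errors.New("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set")
	}
	resp, err := p.Client.Get(p.Base + p.RelativeURI)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("credentials endpoint returned %s", resp.Status)
	}
	var c Credentials
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return Credentials{}, err
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.Token == "" {
		return Credentials{}, errors.New("credentials endpoint returned an incomplete credential set")
	}
	if !c.Expiration.IsZero() && !time.Now().Before(c.Expiration) {
		return Credentials{}, errors.New("task credentials already expired")
	}
	c.Source = p.Name()
	return c, nil
}

// StaticProvider stands in for the EC2 instance-profile (IMDS) provider.
type StaticProvider struct {
	name  string
	creds Credentials
}

func (p StaticProvider) Name() string { return p.name }

func (p StaticProvider) Retrieve() (Credentials, error) {
	c := p.creds
	c.Source = p.name
	return c, nil
}

// Resolve walks the chain in order and returns the first usable credentials.
// The order is the point of the issue: the container provider must be tried
// before the instance profile, or a task silently runs with the host's role.
func Resolve(chain []Provider) (Credentials, error) {
	msg := "no credential provider succeeded:"
	for _, p := range chain {
		c, err := p.Retrieve()
		if err == nil {
			return c, nil
		}
		msg += " " + p.Name() + ": " + err.Error() + ";"
	}
	return Credentials{}, errors.New(msg)
}

// newFakeECSAgent serves a constructed credential document at relativeURI.
// All values are made up for the example.
func newFakeECSAgent(relativeURI string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(relativeURI, func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(Credentials{
			AccessKeyID:     "ASIAEXAMPLETASKROLE",
			SecretAccessKey: "exampleSecretKeyNotReal",
			Token:           "exampleSessionTokenNotReal",
			Expiration:      time.Now().Add(time.Hour),
		})
	})
	return httptest.NewServer(mux)
}

// ResolveWithFakeAgent builds the corrected chain (container first, then the
// instance-profile stand-in) against the fake agent and resolves it.
func ResolveWithFakeAgent(relativeURI string) (Credentials, error) {
	srv := newFakeECSAgent("/v2/credentials/example-task")
	defer srv.Close()
	chain := []Provider{
		ContainerProvider{Base: srv.URL, RelativeURI: relativeURI, Client: srv.Client()},
		StaticProvider{name: "ec2-instance-profile", creds: Credentials{
			AccessKeyID: "ASIAEXAMPLEINSTANCE", SecretAccessKey: "exampleNotReal", Token: "exampleNotReal"}},
	}
	return Resolve(chain)
}

func main() {
	for _, uri := range []string{"/v2/credentials/example-task", ""} {
		c, err := ResolveWithFakeAgent(uri)
		fmt.Printf("relative URI %q -> source=%s key=%s err=%v\n", uri, c.Source, c.AccessKeyID, err)
	}
}
```

With the relative URI set, the chain resolves the task-role credentials; with it unset (or the endpoint returning a non-200), the same chain falls back to the instance profile, which is the behaviour the reporter saw when the container provider was missing from the chain altogether.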
jch254 commented Jul 1, 2017

I hope Terraform will be able to get these credentials for use in CodeBuild. For now I am doing the following:

# Fetch the task-role credential document from the ECS agent once, then pull each field out with jq.
creds=$(curl --silent "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
export AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(printf '%s' "$creds" | jq -r '.Token')

Cheers!

radeksimko (Member) commented

This was implemented in #1425 which was just merged.

codec pushed a commit to sixt-payment/com.sixt.tools.pci.atlantis that referenced this issue Nov 15, 2017
codec pushed a commit to sixt-payment/com.sixt.tools.pci.atlantis that referenced this issue Nov 16, 2017
codec pushed a commit to sixt-payment/com.sixt.tools.pci.atlantis that referenced this issue Nov 17, 2017
codec pushed a commit to sixt-payment/com.sixt.tools.pci.atlantis that referenced this issue Nov 22, 2017
benrobinsonsonos commented

Here's a similar workaround to the one above for CodeBuild, which may be useful in a Python container with minimal bash utilities. Placed in the buildspec file.

  - export AWS_ACCESS_KEY_ID=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["AccessKeyId"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
  - export AWS_SECRET_ACCESS_KEY=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["SecretAccessKey"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
  - export AWS_SESSION_TOKEN=$(python -c 'import json,sys,urllib2;i=json.load(urllib2.urlopen(urllib2.Request(sys.argv[1])));print(i["Token"]);' "http://169.254.170.2:80$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")

ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 10, 2020