Unable to run packer >1.4.2 for MFA+AssumeRole with amazon-ebs build


Kurt Knudsen

Jun 27, 2020, 5:07:11 PM
to Packer
Hi all,

I was originally using packer v1.2.4 with our .json and everything was running fine. I wanted to update packer to a newer version and found out that after 1.4.2 I could no longer run my .json as-is like before. My issue is that my main account has forced MFA, so I was using 'aws-mfa' to set up the session/security token in ~/.aws/credentials; all I had in the build.json was the profile and it "just worked" up until I upgraded. I've tried a lot of different things to no avail and I'm wondering if it's just not possible anymore or what changed in these later versions that would have broken my setup.

{
  "variables": {
    "access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "profile": "packer-dev",
    "access_key": "{{user `access_key`}}",
    "secret_key": "{{user `secret_key`}}",
...

Here's the credentials for the profile:
[packer-dev]
aws_access_key_id = xxx
aws_secret_access_key = xxx

[packer-dev-long-term]
assumed_role = True
assumed_role_arn = arn:aws:iam::222:role/XXX
aws_access_key_id = xxx
aws_secret_access_key = xxx
aws_session_token = XXX
aws_security_token = XXX
expiration = <date>
role_arn = arn:aws:iam::111:role/XXX

The build would be executed via:
env AWS_PROFILE=packer-dev-long-term packer.1.2.4 build build.json

That's the gist of the original config, the access_key/secret_key were never really used and I don't think they were ever set as environment variables.

If I try to run the same command on v1.6.0 I get:

Build 'amazon-ebs' errored: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.

So I added mfa_code to variables/builders and passed it with the environment:
env AWS_PROFILE=packer-dev-long-term MFA_CODE=12345 packer.1.6.0 build build.json

When I run that I get an invalid subnet ID:
==> amazon-ebs: Describing the subnet: subnet-xxx returned error: InvalidSubnetID.NotFound: The subnet ID 'subnet-xxx' does not exist

The subnet clearly exists because this works fine on 1.4.2. I'm at a loss and I can continue to use 1.4.2 but I really want to know why this won't work anymore.

Please let me know if you need more information.

Thanks,

Kurt

Kurt Knudsen

Jun 27, 2020, 5:10:21 PM
to Packer
I have also tried to pass the access/secret for the account with and without the session/security token. The only thing I haven't tried at this point is aws-vault, but I am unsure how that's all set up.

Megan Marsh

Jun 30, 2020, 3:07:03 PM
to packe...@googlegroups.com
Are you setting the vpc_id? I think we changed validation to force both to be set in certain situations, to prevent confusing behavior. https://www.packer.io/docs/builders/amazon/ebs#subnet_id

On Sat, Jun 27, 2020 at 2:10 PM Kurt Knudsen <kurt.k...@gmail.com> wrote:
I have also tried to pass the access/secret for the account with and without the session/security token. The only thing I haven't tried at this point is the aws-vault but I am unsure how that's all setup.
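As an added pre-flight check (written for this thread, not Packer's own code), the script below reads a build.json and flags the two conditions discussed above before packer is run: a subnet_id given without a vpc_id, and an mfa_code wired to an environment variable that is not set in the shell. The template is constructed to mirror the poster's layout; the subnet and VPC IDs are placeholders.

```python
import json
import os
import re

# Constructed build.json modelled on the poster's template, with vpc_id added
# next to subnet_id and mfa_code fed from the MFA_CODE environment variable.
SAMPLE_BUILD_JSON = """{
  "variables": {
    "mfa_code": "{{env `MFA_CODE`}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "profile": "packer-dev-long-term",
    "mfa_code": "{{user `mfa_code`}}",
    "subnet_id": "subnet-xxx",
    "vpc_id": "vpc-xxx"
  }]
}"""

# Same template with vpc_id dropped, to show the finding it triggers.
MISSING_VPC_JSON = SAMPLE_BUILD_JSON.replace(',\n    "vpc_id": "vpc-xxx"', "")

ENV_REF = re.compile(r"\{\{\s*env\s+`([^`]+)`\s*\}\}")
USER_REF = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")


def _resolve(value, variables):
    """Follow one level of {{user `x`}} indirection into the variables map."""
    m = USER_REF.fullmatch(value or "")
    return variables.get(m.group(1), "") if m else (value or "")


def check_amazon_ebs_builders(template_text, environ=None):
    """Return a list of findings for each amazon-ebs builder; [] means clean."""
    env = os.environ if environ is None else environ
    template = json.loads(template_text)
    variables = template.get("variables", {})
    findings = []
    for idx, builder in enumerate(template.get("builders", [])):
        if builder.get("type") != "amazon-ebs":
            continue
        name = builder.get("name", f"builders[{idx}]")
        # Newer Packer validation expects vpc_id alongside an explicit subnet_id.
        if builder.get("subnet_id") and not builder.get("vpc_id"):
            findings.append(f"{name}: subnet_id set without vpc_id")
        # An MFA-protected assume-role profile needs a real code at build time.
        ref = ENV_REF.fullmatch(_resolve(builder.get("mfa_code"), variables))
        if ref and not env.get(ref.group(1)):
            findings.append(f"{name}: mfa_code reads ${ref.group(1)} but it is not set")
    return findings
```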
