Packer AWS Multi Factor Auth fails


Alex B

Jul 29, 2015, 5:15:00 PM
to Packer
I have MFA setup for my account, have awscli installed, successfully authenticate and can run aws ec2 commands.

Have these env vars set in my shell:
- AWS_SECRET_ACCESS_KEY
- AWS_ACCESS_KEY_ID
- AWS_SECURITY_TOKEN

Trying to have Packer do the work, and it fails. This works (keys and token are hardcoded):
"builders": [
    {
        "type": "amazon-ebs",
        "access_key": "...",     <- value of $AWS_ACCESS_KEY_ID
        "secret_key": "...",     <- value of $AWS_SECRET_ACCESS_KEY
        "token": "...",          <- value of $AWS_SECURITY_TOKEN 


If I remove "access_key" and "secret_key" like this:
"builders": [
    {
        "type": "amazon-ebs",
        "token": "...",

... it doesn't work. I get:
==> amazon-ebs: Prevalidating AMI Name...
==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
==> amazon-ebs: status code: 401, request id: []
Build 'amazon-ebs' errored: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []

although section Automatic Lookup here https://www.packer.io/docs/builders/amazon.html says that 
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are looked up.

If I try passing env vars like this:
        "access_key": " {{env `AWS_ACCESS_KEY` }}",
        "secret_key": " {{env `AWS_SECRET_KEY` }}",
        "token": "{{ env `AWS_SECURITY_TOKEN` }}",

I get this: 
render 'secret_key': template: root:1:2: executing "root" at <env `AWS_SECRET_KEY`>: error calling env: env vars are not allowed here in:

{{ env `AWS_SECRET_KEY` }}

Any ideas?

Thanks,
Alex.

Alex B

Jul 29, 2015, 5:16:53 PM
to Packer, aba...@gmail.com
Forgot: packer version 0.8.2 on mac.

Alvaro Miranda Aguilera

Jul 29, 2015, 7:30:39 PM
to packe...@googlegroups.com
Hello Alex,

I think you require a variables block, where you evaluate env into template variables, and inside the builder block you can use these Packer variables.

An example is better:

https://github.com/hashicorp/atlas-examples/blob/master/metamon/ops/site.json#L2-L10


"variables": {
    "aws_access_key": "{{env `AWS_ACCESS_KEY`}}",
    "aws_secret_key": "{{env `AWS_SECRET_KEY`}}",
    "ssh_username": "ubuntu"
},
"builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",


Thanks
Alvaro.

Alex Barylo

Jul 29, 2015, 8:53:47 PM
to packe...@googlegroups.com
Thank you very much Alvaro - your idea helped me come up with the right solution, which is this:

    "variables": {
        "aws_access_key"    : "{{env `AWS_ACCESS_KEY_ID`}}",
        "aws_secret_key"    : "{{env `AWS_SECRET_ACCESS_KEY`}}",
        "aws_security_token": "{{env `AWS_SECURITY_TOKEN`}}"
    },
    "builders": [
        {
            "type": "amazon-ebs",
            "access_key": "{{user `aws_access_key`}}",
            "secret_key": "{{user `aws_secret_key`}}",
            "token"     : "{{user `aws_security_token`}}",




--
Before the accident, I could not even spell UNIX
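
A check for the template mistakes discussed in this thread, as an added example that is not part of the original posts or Packer's own code: it flags `{{env ...}}` used inside a builder, literal credential values, undefined user variables, and a `token` set without the key pair. The function name, finding labels and sample templates are constructed for illustration.

```python
import json
import re

CRED_KEYS = ("access_key", "secret_key", "token")
ENV_CALL = re.compile(r"\{\{\s*env\s+`[^`]+`\s*\}\}")
USER_CALL = re.compile(r"\{\{\s*user\s+`([^`]+)`\s*\}\}")

def lint_template(text):
    """Return (builder_index, key, problem) findings for a Packer JSON template."""
    tpl = json.loads(text)
    variables = tpl.get("variables", {})
    findings = []
    for i, builder in enumerate(tpl.get("builders", [])):
        present = [k for k in CRED_KEYS if builder.get(k)]
        # The thread reports AuthFailure when "token" is set without the key pair.
        if "token" in present and len(present) < 3:
            findings.append((i, "token", "token-without-key-pair"))
        for key in present:
            value = builder[key]
            if ENV_CALL.search(value):
                # Packer rejects this with "env vars are not allowed here".
                findings.append((i, key, "env-outside-variables"))
                continue
            names = USER_CALL.findall(value)
            if not names:
                findings.append((i, key, "hardcoded-credential"))
            for name in names:
                if name not in variables:
                    findings.append((i, key, "undefined-variable:" + name))
                elif variables[name] and not ENV_CALL.fullmatch(variables[name].strip()):
                    # A literal default would put the secret back in the file.
                    findings.append((i, key, "hardcoded-variable:" + name))
    return findings

# Constructed samples: a failing mix of mistakes and the layout that worked in the thread.
BAD = """{"builders": [{"type": "amazon-ebs",
  "access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
  "secret_key": "EXAMPLE-NOT-A-REAL-SECRET",
  "token": "{{user `aws_security_token`}}"}]}"""
GOOD = """{"variables": {
  "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
  "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
  "aws_security_token": "{{env `AWS_SECURITY_TOKEN`}}"},
 "builders": [{"type": "amazon-ebs",
  "access_key": "{{user `aws_access_key`}}",
  "secret_key": "{{user `aws_secret_key`}}",
  "token": "{{user `aws_security_token`}}"}]}"""

if __name__ == "__main__":
    print(lint_template(BAD), lint_template(GOOD))
```

Run against a template before committing it, an empty result means no credential value is written into the file and every credential reference resolves through the `variables` block.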