Assume role provider in AWS is not working for me


Harish Kalyanaraman

Dec 14, 2016, 7:20:37 AM12/14/16
to Terraform
I have tried using the AWS assume role provider. It is not working for me. I have created a cross region IAM role providing the relevant access and I have keyed in the ARN into the terraform provider config. Then using this I have tried to create a sample script and I find that it is not working. The sample script doesn't work. It is throwing an error "No valid credential sources found". I have tried multiple terraform versions including the latest one. I don't know if I am missing anything.

provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::Account id:role/role name"
  }
}

resource "aws_s3_bucket" "b" {
  region = "us-east-1"
  bucket = "harish2205test"
  acl    = "private"

  tags {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

Lowe Schmidt

Dec 14, 2016, 7:33:29 AM12/14/16
to terrafo...@googlegroups.com
Are the necessary environment variables in place, like AWS_PROFILE or AWS_ACCESS_KEY and AWS_SECRET_KEY?



--
Lowe Schmidt | +46 723 867 157

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/bd16bba2-0e2c-413f-9741-973ece6efdf1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Harish Kalyanaraman

Dec 14, 2016, 7:46:59 AM12/14/16
to terrafo...@googlegroups.com
I don't know if I have misunderstood the documentation, but I thought this was an alternative to using access and secret keys.




--
Cheers
Harish







Lowe Schmidt

Dec 14, 2016, 8:01:22 AM12/14/16
to terrafo...@googlegroups.com
My understanding is that you log in with your set of credentials and then assume a specific role that allows you to do and/or limit certain things.

If you look at the examples over at AWS http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html you see the "source_profile" is configured to default and a comment saying:

"After you create the new profile, any AWS CLI command that specifies the parameter --profile prodaccess runs under the permissions attached to the IAM role ProductionAccessRole instead of the default user."

--
Lowe Schmidt | +46 723 867 157

Harish Kalyanaraman

Jan 18, 2017, 11:03:02 AM1/18/17
to Terraform
Thanks Lowe. I have tried setting up this again. I am getting an error now that
The role cannot be assumed
There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid
But the thing is the switch is working from the console for the same user and I have tested launching the instance.




--
Cheers
Harish
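An added example, not code from this thread, tying together Lowe's point that assume_role still needs base credentials and the three causes listed in Harish's error: the provider block names a source profile next to assume_role, and the target role's trust policy and the source user's sts:AssumeRole permission are shown as the two pieces that must both exist. The account ids, the profile "source", the user "terraform" and the role "TerraformRole" are placeholders; the role and user policy are bootstrapped with each account's own credentials before this provider can assume the role.

```hcl
# Base credentials come from the shared-credentials profile "source"
# (or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY). Without them the provider
# has nothing to present to STS: "No valid credential sources found".
provider "aws" {
  region  = "us-east-1"
  profile = "source"

  assume_role {
    role_arn     = "arn:aws:iam::TARGET_ACCOUNT_ID:role/TerraformRole"  # placeholder
    session_name = "terraform"  # shows up in CloudTrail for the assumed session
  }
}

# Target account: the role's trust policy must name the calling identity
# (here the source account's user) as principal. If it does not, STS
# answers "The role cannot be assumed" even with valid base credentials.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::SOURCE_ACCOUNT_ID:user/terraform"]  # placeholder
    }
  }
}

resource "aws_iam_role" "terraform" {
  name               = "TerraformRole"
  assume_role_policy = "${data.aws_iam_policy_document.trust.json}"
}

# Source account: the user also needs permission to call sts:AssumeRole on
# that role. Scope it to the one role ARN rather than "*".
data "aws_iam_policy_document" "allow_assume" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::TARGET_ACCOUNT_ID:role/TerraformRole"]  # placeholder
  }
}

resource "aws_iam_user_policy" "allow_assume" {
  name   = "allow-assume-terraform-role"
  user   = "terraform"
  policy = "${data.aws_iam_policy_document.allow_assume.json}"
}
```

When the console switch works for a user but the provider fails, first confirm which identity the provider is actually starting from with `aws sts get-caller-identity --profile source`; a different key in the environment than the one the console user holds produces exactly this error.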








jas....@gmail.com

Jul 11, 2017, 7:15:03 PM7/11/17
to Terraform
Hi Harish,

Were you able to figure this one?

Thanks!

Michael Bushey

Jul 17, 2017, 9:01:30 PM7/17/17
to Terraform
Here's what I had to do to assign roles to instances:

resource "aws_s3_bucket" "mysqlbackup" {
  bucket = "mysqlbackup.myco"
  acl    = "private"

  tags {
    Name        = "mysqlbackup"
    Environment = "prod"
  }
}

data "aws_iam_policy_document" "S3_Full_Access_mysqlbackup" {
  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::mysqlbackup.myco"
    ]
  }

  statement {
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject"
    ]
    resources = [
      "arn:aws:s3:::mysqlbackup.myco/*"
    ]
  }
}

resource "aws_iam_policy" "S3_Full_Access_mysqlbackup" {
  name        = "S3_Full_Access_mysqlbackup"
  path        = "/"
  description = "Full access to the mysqlbackup.myco bucket."
  policy = "${data.aws_iam_policy_document.S3_Full_Access_mysqlbackup.json}"
}

resource "aws_iam_role" "s3_mysqlbackup" {
  name        = "s3_mysqlbackup"
  description = "Allow ec2 instances to read/write to s3://mysqlbackup.myco"
  path        = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "mysqlbackup_role_policy" {
  # Reference the role resource instead of repeating its name so Terraform
  # orders the attachment after the role is created.
  role       = "${aws_iam_role.s3_mysqlbackup.name}"
  policy_arn = "${aws_iam_policy.S3_Full_Access_mysqlbackup.arn}"
}

resource "aws_iam_instance_profile" "mysqlbackup" {
  name = "mysqlbackup"
  role = "${aws_iam_role.s3_mysqlbackup.name}"
}