Packer with IAM Assume Role


Justin Fox

Jan 14, 2016, 5:52:03 PM
to Packer
Hey guys, I'm hoping someone could give me a hand with this. I've tried the obvious things supplied by Google search.

This is present in packer version 0.8.6.

I'm using IAM assume role to elevate to another role:

````
# Assume the role and keep the STS response as JSON
aws sts assume-role --role-arn "arn:aws:iam::account-id:role/role-name" --role-session-name "Packer" > assume-role-output.txt
# jq -r prints the raw string value, so no quote or whitespace stripping is needed
export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' assume-role-output.txt)
export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' assume-role-output.txt)
export AWS_SECURITY_TOKEN=$(jq -r '.Credentials.SessionToken' assume-role-output.txt)
````

I'm then using the following packer config:

````
{
    "variables": {
        "aws_access_key":     "{{env `AWS_ACCESS_KEY_ID`}}",
        "aws_secret_key":     "{{env `AWS_SECRET_ACCESS_KEY`}}",
        "aws_security_token": "{{env `AWS_SECURITY_TOKEN`}}"
    },
    "builders": [
        {
            "type":                     "amazon-ebs",
            "access_key":               "{{user `aws_access_key`}}",
            "secret_key":               "{{user `aws_secret_key`}}",
            "token":                    "{{user `aws_security_token`}}",
            "region":                   "us-east-1",
            "source_ami":               "ami-id",
            "instance_type":            "t2.large",
            "ssh_username":             "centos",
            "iam_instance_profile":     "Packer",
            "ami_virtualization_type":  "hvm",
            "security_group_ids":       [ "sg-a27be7c6", "sg-a67be7c2" ],
            "ami_name":                 "packer-base-{{timestamp}}",
            "ami_description":          "Built using Packer on {{timestamp}}."
        }
    ]
}
````

I'm then building the image:

````
packer build -var "aws_access_key=$AWS_ACCESS_KEY_ID" -var "aws_secret_key=$AWS_SECRET_ACCESS_KEY" -var "token=$AWS_SECURITY_TOKEN" -only=$TYPE template.json
````

This results in:

````
amazon-ebs output will be in this color.

==> amazon-ebs: Prevalidating AMI Name...
==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
==> amazon-ebs: status code: 401, request id: []
Build 'amazon-ebs' errored: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []

==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []

==> Builds finished but no artifacts were created.
````

With PACKER_LOG=1: 
````
2016/01/14 22:07:17 [INFO] Packer version: 0.8.6  f8f7b7a34c1be06058f5aca23a51247db12cdbc5+CHANGES
2016/01/14 22:07:17 Packer Target OS/Arch: linux amd64
2016/01/14 22:07:17 Built with Go Version: go1.5
2016/01/14 22:07:17 [DEBUG] Discovered plugin: amazon-chroot = /opt/packer/packer-builder-amazon-chroot
2016/01/14 22:07:17 [DEBUG] Discovered plugin: amazon-ebs = /opt/packer/packer-builder-amazon-ebs
2016/01/14 22:07:17 [DEBUG] Discovered plugin: amazon-instance = /opt/packer/packer-builder-amazon-instance
2016/01/14 22:07:17 [DEBUG] Discovered plugin: digitalocean = /opt/packer/packer-builder-digitalocean
2016/01/14 22:07:17 [DEBUG] Discovered plugin: docker = /opt/packer/packer-builder-docker
2016/01/14 22:07:17 [DEBUG] Discovered plugin: file = /opt/packer/packer-builder-file
2016/01/14 22:07:17 [DEBUG] Discovered plugin: googlecompute = /opt/packer/packer-builder-googlecompute
2016/01/14 22:07:17 [DEBUG] Discovered plugin: null = /opt/packer/packer-builder-null
2016/01/14 22:07:17 [DEBUG] Discovered plugin: openstack = /opt/packer/packer-builder-openstack
2016/01/14 22:07:17 [DEBUG] Discovered plugin: parallels-iso = /opt/packer/packer-builder-parallels-iso
2016/01/14 22:07:17 [DEBUG] Discovered plugin: parallels-pvm = /opt/packer/packer-builder-parallels-pvm
2016/01/14 22:07:17 [DEBUG] Discovered plugin: qemu = /opt/packer/packer-builder-qemu
2016/01/14 22:07:17 [DEBUG] Discovered plugin: virtualbox-iso = /opt/packer/packer-builder-virtualbox-iso
2016/01/14 22:07:17 [DEBUG] Discovered plugin: virtualbox-ovf = /opt/packer/packer-builder-virtualbox-ovf
2016/01/14 22:07:17 [DEBUG] Discovered plugin: vmware-iso = /opt/packer/packer-builder-vmware-iso
2016/01/14 22:07:17 [DEBUG] Discovered plugin: vmware-vmx = /opt/packer/packer-builder-vmware-vmx
2016/01/14 22:07:17 [DEBUG] Discovered plugin: artifice = /opt/packer/packer-post-processor-artifice
2016/01/14 22:07:17 [DEBUG] Discovered plugin: atlas = /opt/packer/packer-post-processor-atlas
2016/01/14 22:07:17 [DEBUG] Discovered plugin: compress = /opt/packer/packer-post-processor-compress
2016/01/14 22:07:17 [DEBUG] Discovered plugin: docker-import = /opt/packer/packer-post-processor-docker-import
2016/01/14 22:07:17 [DEBUG] Discovered plugin: docker-push = /opt/packer/packer-post-processor-docker-push
2016/01/14 22:07:17 [DEBUG] Discovered plugin: docker-save = /opt/packer/packer-post-processor-docker-save
2016/01/14 22:07:17 [DEBUG] Discovered plugin: docker-tag = /opt/packer/packer-post-processor-docker-tag
2016/01/14 22:07:17 [DEBUG] Discovered plugin: vagrant = /opt/packer/packer-post-processor-vagrant
2016/01/14 22:07:17 [DEBUG] Discovered plugin: vagrant-cloud = /opt/packer/packer-post-processor-vagrant-cloud
2016/01/14 22:07:17 [DEBUG] Discovered plugin: vsphere = /opt/packer/packer-post-processor-vsphere
2016/01/14 22:07:17 [DEBUG] Discovered plugin: ansible-local = /opt/packer/packer-provisioner-ansible-local
2016/01/14 22:07:17 [DEBUG] Discovered plugin: chef-client = /opt/packer/packer-provisioner-chef-client
2016/01/14 22:07:17 [DEBUG] Discovered plugin: chef-solo = /opt/packer/packer-provisioner-chef-solo
2016/01/14 22:07:17 [DEBUG] Discovered plugin: file = /opt/packer/packer-provisioner-file
2016/01/14 22:07:17 [DEBUG] Discovered plugin: powershell = /opt/packer/packer-provisioner-powershell
2016/01/14 22:07:17 [DEBUG] Discovered plugin: puppet-masterless = /opt/packer/packer-provisioner-puppet-masterless
2016/01/14 22:07:17 [DEBUG] Discovered plugin: puppet-server = /opt/packer/packer-provisioner-puppet-server
2016/01/14 22:07:17 [DEBUG] Discovered plugin: salt-masterless = /opt/packer/packer-provisioner-salt-masterless
2016/01/14 22:07:17 [DEBUG] Discovered plugin: shell = /opt/packer/packer-provisioner-shell
2016/01/14 22:07:17 [DEBUG] Discovered plugin: shell-local = /opt/packer/packer-provisioner-shell-local
2016/01/14 22:07:17 [DEBUG] Discovered plugin: windows-restart = /opt/packer/packer-provisioner-windows-restart
2016/01/14 22:07:17 [DEBUG] Discovered plugin: windows-shell = /opt/packer/packer-provisioner-windows-shell
2016/01/14 22:07:17 Detected home directory from env var: /home/jenkins
2016/01/14 22:07:17 Detected home directory from env var: /home/jenkins
2016/01/14 22:07:17 Attempting to open config file: /home/jenkins/.packerconfig
2016/01/14 22:07:17 [WARN] Config file doesn't exist: /home/jenkins/.packerconfig
2016/01/14 22:07:17 Packer config: &{DisableCheckpoint:false DisableCheckpointSignature:false PluginMinPort:10000 PluginMaxPort:25000 Builders:map[parallels-iso:/opt/packer/packer-builder-parallels-iso qemu:/opt/packer/packer-builder-qemu vmware-vmx:/opt/packer/packer-builder-vmware-vmx amazon-ebs:/opt/packer/packer-builder-amazon-ebs docker:/opt/packer/packer-builder-docker openstack:/opt/packer/packer-builder-openstack virtualbox-ovf:/opt/packer/packer-builder-virtualbox-ovf digitalocean:/opt/packer/packer-builder-digitalocean googlecompute:/opt/packer/packer-builder-googlecompute null:/opt/packer/packer-builder-null virtualbox-iso:/opt/packer/packer-builder-virtualbox-iso vmware-iso:/opt/packer/packer-builder-vmware-iso amazon-chroot:/opt/packer/packer-builder-amazon-chroot amazon-instance:/opt/packer/packer-builder-amazon-instance file:/opt/packer/packer-builder-file parallels-pvm:/opt/packer/packer-builder-parallels-pvm] PostProcessors:map[artifice:/opt/packer/packer-post-processor-artifice atlas:/opt/packer/packer-post-processor-atlas compress:/opt/packer/packer-post-processor-compress vagrant:/opt/packer/packer-post-processor-vagrant docker-import:/opt/packer/packer-post-processor-docker-import docker-push:/opt/packer/packer-post-processor-docker-push docker-save:/opt/packer/packer-post-processor-docker-save docker-tag:/opt/packer/packer-post-processor-docker-tag vagrant-cloud:/opt/packer/packer-post-processor-vagrant-cloud vsphere:/opt/packer/packer-post-processor-vsphere] Provisioners:map[chef-client:/opt/packer/packer-provisioner-chef-client chef-solo:/opt/packer/packer-provisioner-chef-solo file:/opt/packer/packer-provisioner-file shell:/opt/packer/packer-provisioner-shell windows-restart:/opt/packer/packer-provisioner-windows-restart windows-shell:/opt/packer/packer-provisioner-windows-shell ansible-local:/opt/packer/packer-provisioner-ansible-local powershell:/opt/packer/packer-provisioner-powershell 
puppet-masterless:/opt/packer/packer-provisioner-puppet-masterless puppet-server:/opt/packer/packer-provisioner-puppet-server salt-masterless:/opt/packer/packer-provisioner-salt-masterless shell-local:/opt/packer/packer-provisioner-shell-local]}
2016/01/14 22:07:17 Setting cache directory: /var/lib/jenkins/jobs/Production_Builds/jobs/Build AMI (Packer)/workspace/packer/packer-base/packer_cache
2016/01/14 22:07:17 Detected home directory from env var: /home/jenkins
2016/01/14 22:07:17 Loading builder: amazon-ebs
2016/01/14 22:07:17 Creating plugin client for path: /opt/packer/packer-builder-amazon-ebs
2016/01/14 22:07:17 Starting plugin: /opt/packer/packer-builder-amazon-ebs []string{"/opt/packer/packer-builder-amazon-ebs"}
2016/01/14 22:07:17 Waiting for RPC address for: /opt/packer/packer-builder-amazon-ebs
2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Plugin minimum port: 10000
2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Plugin maximum port: 25000
2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Plugin address: unix /tmp/packer-plugin678622782
2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Waiting for connection...
2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Serving a plugin connection...
2016/01/14 22:07:17 Loading provisioner: salt-masterless
2016/01/14 22:07:17 Creating plugin client for path: /opt/packer/packer-provisioner-salt-masterless
2016/01/14 22:07:17 Starting plugin: /opt/packer/packer-provisioner-salt-masterless []string{"/opt/packer/packer-provisioner-salt-masterless"}
2016/01/14 22:07:17 Waiting for RPC address for: /opt/packer/packer-provisioner-salt-masterless
2016/01/14 22:07:17 packer-provisioner-salt-masterless: 2016/01/14 22:07:17 Plugin minimum port: 10000
2016/01/14 22:07:17 packer-provisioner-salt-masterless: 2016/01/14 22:07:17 Plugin maximum port: 25000
2016/01/14 22:07:17 packer-provisioner-salt-masterless: 2016/01/14 22:07:17 Plugin address: unix /tmp/packer-plugin786026753
2016/01/14 22:07:17 packer-provisioner-salt-masterless: 2016/01/14 22:07:17 Waiting for connection...
2016/01/14 22:07:17 packer-provisioner-salt-masterless: 2016/01/14 22:07:17 Serving a plugin connection...
2016/01/14 22:07:17 ui: amazon-ebs output will be in this color.
2016/01/14 22:07:17 ui: 
2016/01/14 22:07:17 Build debug mode: false
2016/01/14 22:07:17 Force build: false
2016/01/14 22:07:17 Preparing build: amazon-ebs
amazon-ebs output will be in this color.

2016/01/14 22:07:17 packer-builder-amazon-ebs: 2016/01/14 22:07:17 Config: {PackerConfig:{PackerBuildName:amazon-ebs PackerBuilderType:amazon-ebs PackerDebug:false PackerForce:false PackerUserVars:map[aws_access_key:<Filtered> aws_secret_key:<Filtered> token:{{REDACTED}} aws_security_token:{{REDACTED}}]} AccessConfig:{AccessKey:<Filtered> SecretKey:<Filtered> RawRegion:us-east-1 Token:} AMIConfig:{AMIName:packer-base-1452809237 AMIDescription:Built using Packer on 1452809237. AMIVirtType:hvm AMIUsers:[] AMIGroups:[] AMIProductCodes:[] AMIRegions:[] AMITags:map[] AMIEnhancedNetworking:false AMIForceDeregister:false} BlockDevices:{AMIMappings:[] LaunchMappings:[]} RunConfig:{AssociatePublicIpAddress:false AvailabilityZone: IamInstanceProfile:Packer InstanceType:t2.large RunTags:map[] SourceAmi:{{REDACTED}} SpotPrice: SpotPriceAutoProduct: SecurityGroupId: SecurityGroupIds:[{{REDACTED}}] SubnetId:{{REDACTED}} TemporaryKeyPairName:packer 56981c15-b74d-9a5c-cf4a-990acc23548d UserData: UserDataFile:{{REDACTED}} WindowsPasswordTimeout:10m0s VpcId:{{REDACTED}} Comm:{Type:ssh SSHHost: SSHPort:22 SSHUsername:{{REDACTED}} SSHPassword: SSHPrivateKey: SSHPty:true SSHTimeout:5m0s SSHDisableAgent:false SSHHandshakeAttempts:10 SSHBastionHost: SSHBastionPort:0 SSHBastionUsername: SSHBastionPassword: SSHBastionPrivateKey: WinRMUser: WinRMPassword: WinRMHost: WinRMPort:0 WinRMTimeout:0} SSHKeyPairName: SSHPrivateIp:true} ctx:{Data:<nil> Funcs:map[clean_ami_name:0x51ee50] UserVariables:map[aws_access_key:<Filtered> aws_secret_key:<Filtered> token:{{REDACTED}} aws_security_token:{{REDACTED}}] EnableEnv:false BuildName:amazon-ebs BuildType:amazon-ebs TemplatePath:/var/lib/jenkins/jobs/Production_Builds/jobs/Build AMI (Packer)/workspace/packer/packer-base/template.json}}
2016/01/14 22:07:17 Waiting on builds to complete...
2016/01/14 22:07:17 Starting build run: amazon-ebs
2016/01/14 22:07:17 Running builder: amazon-ebs
2016/01/14 22:07:17 ui: ==> amazon-ebs: Prevalidating AMI Name...
==> amazon-ebs: Prevalidating AMI Name...
2016/01/14 22:07:17 ui error: ==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
==> amazon-ebs: status code: 401, request id: []
==> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
2016/01/14 22:07:17 ui error: Build 'amazon-ebs' errored: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []
2016/01/14 22:07:17 Builds completed. Waiting on interrupt barrier...
2016/01/14 22:07:17 machine readable: error-count []string{"1"}
2016/01/14 22:07:17 ui error: 
==> Some builds didn't complete successfully and had errors:
==> amazon-ebs: status code: 401, request id: []
2016/01/14 22:07:17 machine readable: amazon-ebs,error []string{"Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials\n\tstatus code: 401, request id: []"}
2016/01/14 22:07:17 ui error: --> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []
2016/01/14 22:07:17 ui: 
==> Builds finished but no artifacts were created.
2016/01/14 22:07:17 waiting for all plugin processes to complete...
Build 'amazon-ebs' errored: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []

==> Some builds didn't complete successfully and had errors:
2016/01/14 22:07:17 /opt/packer/packer-provisioner-salt-masterless: plugin process exited
--> amazon-ebs: Error querying AMI: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: []

==> Builds finished but no artifacts were created.
2016/01/14 22:07:17 /opt/packer/packer-builder-amazon-ebs: plugin process exited
````

A few things I've read imply issues with a credentials file or server time. So far I'm stumped. As far as I can tell I should be doing it right. This is cloned from https://github.com/mitchellh/packer/issues/3070 as per cbednarski there.

Thomas Chemineau

Jan 21, 2016, 6:49:38 AM
to Packer

Hi Justin,

I have exactly the same issue when I try to run packer with the IAM assume role feature. I also saw your GitHub issue.

Do you have any news about it? Did you find a solution?

Thank you

Thomas.

Thomas Chemineau

Jan 21, 2016, 10:43:33 AM
to packe...@googlegroups.com
I tried to reproduce what Packer tries to do. It seems to fail in "builder/amazon/common/step_pre_validate.go" around line 37.
What I understand is that Packer tries to use the DescribeImages API of AWS.

So, I tried to reproduce it manually with temporary AWS credentials. I also upgraded Packer to the latest stable version (v0.8.6).

Here are the steps to reproduce it:

--8<------
$ unset AWS_SESSION_TOKEN AWS_STS

# Set classic credentials
$ export AWS_ACCESS_KEY_ID="original_aws_access_key_id"
$ export AWS_SECRET_ACCESS_KEY="original_aws_secret_access_key"
$ export AWS_DEFAULT_REGION="eu-west-1"

# Get temporary credentials
$ export AWS_STS=($(aws sts assume-role --output text --role-arn arn:aws:iam::12345678901234:role/role_to_assume --role-session-name my_role_session_name --duration-seconds 900 --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken,Credentials.Expiration]'))

# Overwrite classic credentials with temporary credentials
$ export AWS_ACCESS_KEY_ID="${AWS_STS[0]}"
$ export AWS_SECRET_ACCESS_KEY="${AWS_STS[1]}"
$ export AWS_SESSION_TOKEN="${AWS_STS[2]}"

# Call AWS API with cli command
$ aws ec2 describe-images --filters "Name=name,Values=dest_ami_name_set_into_packer_template"
{
    "Images": []
}
--8<------

But, with Packer, it fails.

I start packer with the following environment variables:

--8<------
AWS_ACCESS_KEY_ID=ASIAI3IZ3LXXXXX....
AWS_SECRET_ACCESS_KEY=VZK9+QZVl7aXXXXXxxx.....
AWS_SESSION_TOKEN=AQoOISFDEPH//////////wEaoAJDxxxxx....xxxxxx/8wgwfSDtQU=
--8<------

Here is my Packer template configuration:

--8<------
{
        "variables": {
                ...
                "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
                "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
                "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
                ...
        },
        "builders": [
                {
                        "type": "amazon-ebs",
                        "access_key": "{{user `aws_access_key_id`}}",
                        "secret_key": "{{user `aws_secret_access_key`}}",
                        "token": "{{user `aws_session_token`}}",
                        ...
                }
         ]
         ...
}
--8<------

Without the "token" parameter and with classic AWS credentials, Packer works very well and starts the EC2 instance.

Any idea? Is it a bug somewhere?

Thanks for your help,

Cheers

Thomas.
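As an added example that serves both posts above (Justin's credential handoff script and Thomas's reproduction), and that is not code from the thread or from Packer itself, the script below sanity-checks an STS assume-role handoff before `packer build` is run. It assumes only the JSON shape of `aws sts assume-role` output and a template in the form shown in the first post; the credential values, account id and role name embedded in it are constructed and fake. It does three things a practitioner would want to rule out before blaming the tool: it refuses temporary credentials that are already past their `Expiration`, it sets both `AWS_SESSION_TOKEN` and the older `AWS_SECURITY_TOKEN` name from the same session token, and it checks the template plus command line (every `-var` name must be declared in the `variables` block, and every `amazon-*` builder must carry a `token`, since temporary credentials are rejected without one, which is consistent with Thomas's note that the build only works with long-lived keys and no `token`). The first post's command line passes `-var token=...` while its template declares `aws_security_token`; the check flags exactly that kind of mismatch.

```python
# Added example (not from the thread or from Packer): sanity checks for the
# STS assume-role -> Packer credential handoff discussed above.
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts assume-role` JSON output; every value is fake.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY0000000",
        "SecretAccessKey": "exampleSecretKey0000000000000000000000",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2016-01-14T23:07:17Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:Packer",
        "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/Packer",
    },
})

# Constructed sample: the first post's template, reduced to the credential-related keys.
SAMPLE_TEMPLATE = json.dumps({
    "variables": {
        "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
        "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
        "aws_security_token": "{{env `AWS_SECURITY_TOKEN`}}",
    },
    "builders": [{
        "type": "amazon-ebs",
        "access_key": "{{user `aws_access_key`}}",
        "secret_key": "{{user `aws_secret_key`}}",
        "token": "{{user `aws_security_token`}}",
    }],
})

ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"
# Matches a variable default of the form {{env `NAME`}} and captures NAME.
ENV_DEFAULT = re.compile(r"^\{\{\s*env\s+`([A-Za-z0-9_]+)`\s*\}\}$")


def credentials_to_env(assume_role_json, now_iso=None):
    """Map assume-role output to build environment variables.

    Raises ValueError for credentials whose Expiration has passed, so an
    expired session is ruled out before packer runs. Both token names are
    set: AWS_SESSION_TOKEN is what the AWS CLI and SDKs read, AWS_SECURITY_TOKEN
    is the older name the first post relies on.
    """
    creds = json.loads(assume_role_json)["Credentials"]
    expires = datetime.strptime(creds["Expiration"], ISO_UTC).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, ISO_UTC).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    if expires <= now:
        raise ValueError(f"temporary credentials expired at {creds['Expiration']}")
    token = creds["SessionToken"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": token,
        "AWS_SECURITY_TOKEN": token,
    }


def check_template(template_json, cli_var_names):
    """Return problems found in a Packer template and its -var command line.

    1. Every `-var name=...` must name a variable declared in "variables".
    2. Every amazon-* builder must set "token"; an access key from STS is
       rejected by AWS when the matching session token is not sent.
    """
    tpl = json.loads(template_json)
    declared = set(tpl.get("variables", {}))
    problems = []
    for name in cli_var_names:
        if name not in declared:
            problems.append(f"-var '{name}' is not declared in variables {sorted(declared)}")
    for builder in tpl.get("builders", []):
        if builder.get("type", "").startswith("amazon-") and not builder.get("token"):
            problems.append(f"builder '{builder.get('type')}' has no 'token' field")
    return problems


def packer_var_args(template_json, env):
    """Build `-var name=value` arguments whose names match the template's own
    variables, taking each value from the environment variable that the
    variable's {{env ...}} default refers to."""
    tpl = json.loads(template_json)
    args = []
    for name, default in tpl.get("variables", {}).items():
        match = ENV_DEFAULT.match(str(default))
        if match and match.group(1) in env:
            args += ["-var", f"{name}={env[match.group(1)]}"]
    return args


if __name__ == "__main__":
    env = credentials_to_env(SAMPLE_ASSUME_ROLE_OUTPUT, now_iso="2016-01-14T22:07:17Z")
    for problem in check_template(SAMPLE_TEMPLATE, ["aws_access_key", "aws_secret_key", "token"]):
        print("problem:", problem)
    args = packer_var_args(SAMPLE_TEMPLATE, env)
    # Print only the variable names: secrets must never land in a CI log.
    print("would pass -var for:", [a.split("=", 1)[0] for a in args if a != "-var"])
```

Run it as-is to see the `-var 'token'` mismatch reported; in a pipeline the `now_iso` argument is left off so the expiry check uses the real clock, and the returned mapping is exported into the environment of the `packer build` step rather than echoed.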


Justin Fox

Jan 21, 2016, 11:06:34 AM
to Packer
Just as more information for anyone looking to help out with this issue - this seems to only be an issue when assuming a role. I tried this with a regular IAM role on an EC2 instance and it seemed to work fine (or at least it made the calls and failed as expected).

For more details on creating a (cross-account) IAM role to assume: http://docs.aws.amazon.com/IAM/latest/UserGuide/walkthru_cross-account-with-roles.html