AWS access_key & secret_key difficulty

Young

Jun 20, 2016, 5:07:20 PM
to Terraform


Hi,


I'm just trying the simplest example on the Terraform.io website and am still having difficulty overcoming this error.

I created my access_key & secret_key @AWS using the following link:

https://console.aws.amazon.com/iam/home?#security_credential

I created and got them under the following section on the page:
"Access Keys (Access Key ID and Secret Access Key)"


Then,


# cat example.tf
provider "aws" {
        access_key = "AKIAJ3MVXVSRFLRAAAAA"
        secret_key = "HKVw5KLrezBD/iHrF6wvZOEglXvTF5mf7sOhhhhh"
        region = "us-west-1"
}

resource "aws_instance" "example" {
        ami     = "ami-0d729a60"
        instance_type = "t2.micro"
}


# terraform plan
Refreshing Terraform state prior to plan...

Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* Failed authenticating with AWS: please verify credentials



Thanks for the help in advance!



- Young


Andrew Langhorn

Jun 20, 2016, 6:25:53 PM
to terrafo...@googlegroups.com
Hi,

Terraform complies with the typical AWS authentication chain, so you don't need to hardcode your IAM keys into your Terraform files. In fact, I'd go as far as to say that you certainly should not, and should export them on a per-use basis as environment variables (AWS_ACCESS_KEY_ID for the access key, and AWS_SECRET_ACCESS_KEY for the secret key). This stops the risk of them being committed to Git, for instance, or just generally being available on the file system.

If the keys you sent in your example are legitimate and working keys, please revoke access to them as soon as possible from the Management Console!

On to your question... does the user for whom those keys were generated have any IAM policies granting access? In the above example, you'll need to make sure that they have some level of access to ec2:createInstance (and other related calls). Does revoking and recreating the keys work? It's rare, but I've been given duff keys before which don't work -- rather than debug it, I've just been lazy and regenerated keys. How about using keys from the console with the AWS CLI? Does that fail in a similar fashion? (It should, because Terraform talks to the APIs via the AWS Go SDK, but I use the AWS CLI as a way to garner proof for debugging sometimes).

Andrew

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/743dc27b-7e61-46e0-ae72-5115f6addd1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Andrew Langhorn
Senior Site Reliability Engineer
Email: andrew....@thoughtworks.com
Telephone
ThoughtWorks

Young

Jun 20, 2016, 6:45:22 PM
to Terraform


Hi Andrew,

Thanks for your prompt response.

As for my keys, I had replaced several characters for each before I posted.


I realized that my example.tf file didn't have any parameter to set what my AWS account username is, etc.

Or, "access_key" and "secret_key" will take care of identifying which AWS account to authenticate against?

In my IAM menu, I just have only one user in my IAM setting and have assigned the user to a group that has the AmazonEC2FullAccess privilege.


Thanks.


- Young

David Maze

Jun 20, 2016, 9:57:15 PM
to Terraform
On Monday, June 20, 2016 at 6:45:22 PM UTC-4, Young wrote:
> Or, "access_key" and "secret_key" will take care of identifying which AWS account to authenticate against?

They fully identify you.

Terraform will also read $HOME/.aws/credentials, which most other AWS tools do as well. If you have a current version of the AWS CLI tools installed, "aws sts get-caller-identity" will print out who Amazon thinks you are, which I find handy as a basic connectivity/credential test. (But you need the pip or Homebrew version of awscli; even the version packaged in Ubuntu 16.04 is too old for this specific call.)

Mostly, my Terraform files just say "provider aws {}" with no information there at all; everything is expected to be in environment variables or that .aws/credentials file.
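
A pre-commit style check for the advice given in this thread (keep access_key and secret_key out of .tf files and leave the provider block to pick credentials up from environment variables or ~/.aws/credentials). This is an added example, not code from any poster or from Terraform; the function name, the AKIA heuristic and the sample inputs are assumptions, and the key values in the samples are AWS's published documentation placeholders.

```python
import re
import sys

# Provider attributes that carry static credentials when set to a literal.
CRED_ATTR = re.compile(
    r'^[ \t]*(access_key|secret_key|token)[ \t]*=[ \t]*"([^"]*)"', re.MULTILINE)
# Heuristic shape of a long-term IAM access key ID: AKIA + 16 characters.
KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')

# Constructed samples (values are AWS documentation placeholders, not real keys).
HARDCODED = '''provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  region     = "us-west-1"
}
'''
INTERPOLATED = '''provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
}
'''


def find_hardcoded_credentials(tf_text, filename="<tf>"):
    """Return (filename, line, attribute, reason) for each literal credential."""
    findings = []
    for m in CRED_ATTR.finditer(tf_text):
        attr, value = m.group(1), m.group(2)
        # An empty string or "${...}" interpolation is not a literal secret.
        if not value or "${" in value:
            continue
        line = tf_text.count("\n", 0, m.start(2)) + 1
        findings.append((filename, line, attr, "literal value in config"))
    # Also catch key IDs left in comments or in other attributes.
    for m in KEY_ID.finditer(tf_text):
        line = tf_text.count("\n", 0, m.start()) + 1
        if not any(f[1] == line for f in findings):
            findings.append((filename, line, "access key id", "AKIA-style ID"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            hits += find_hardcoded_credentials(fh.read(), path)
    for fname, line, attr, reason in hits:
        print(f"{fname}:{line}: {attr}: {reason}")  # never echoes the value
    sys.exit(1 if hits else 0)
```

Run it over the .tf files staged for commit; a non-zero exit status means a literal credential was found and the commit should be stopped.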

Andrew Langhorn

Jun 21, 2016, 1:19:32 PM
to terrafo...@googlegroups.com
So, given AmazonEC2FullAccess, you should be able to launch an instance in that way.
I think you're best trying to work out what your credential issue is now -- David's suggestion to use a call to STS from the CLI is a great idea :)
