Using Terraform with Jenkins and assume-role policy

[Raphael Rabelo de Oliveira]

Hi guys, I hope you are doing well!

To begin, I'll try to explain my cenario as I can, please tell me if you didn't understand anything =)

I'm using a aws ec2 instance with Jenkins to deploy my Terraform files. Everything is gonna be ok, but i'd like to secure this server a little bit.

Thus, my principal idea was to use an IAM Role in the instance with only 'sts:AssumeRole' permission, and create an accross-account role with the permissions needed.

With this configured, i'm able to assume the policy and do what i want.

First, I need to get the temporary AWS credentials, by runs the assume-role command, and exporting for environment variables:

aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXX:role/MyRole --role-session-name 'Terraform' | egrep 'SecretAccessKey|AccessKeyId|SessionToken' | awk -F'\"' '{print $4}' > secret ; export AWS_ACCESS_KEY_ID=`sed  -n '3p' secret` ; export AWS_SECRET_ACCESS_KEY=`sed -n '1p' secret` ; export AWS_SECURITY_TOKEN=`sed -n '2p' secret`

After that i able to call awscli api normally, the default duration time of this credentials is 1 hour.

But, I Terraform I'm receiving an error when i try to initialize remote backed in S3, or run the 'terraform plan'

The error that I receive is:

========

Error configuring the backend "s3": InvalidClientTokenId: The security token included in the request is invalid.

status code: 403, request id: a4b5bc27-6df8-11e7-86b1-9dcb8aa8b419

Please update the configuration in your Terraform files to fix this error

then run this command again.

========

My terraform config is:

terraform.tfvars

--------------------

variable "region" { default = 'us-east-1' }

main.tf

-------------------

provider "aws" {

  region  = "${var.region}"

}

terraform {

  backend "s3" {

    bucket = "myBucket"

    encrypt = "true"

    key    = "PATH/terraform.tfstate"

    region = "us-east-1"

  }

}

I would like to know if someone has this same scenario to give me some ideia how to make it work.

I hope that my explanation was clear to understand =)

Thanks

[ureal frank]

Hi Raphael,

On 21 Jul 2017, at 10:49, Raphael Rabelo de Oliveira <rap...@rabeloo.com.br> wrote:

Hi guys, I hope you are doing well!

To begin, I'll try to explain my cenario as I can, please tell me if you didn't understand anything =)

I'm using a aws ec2 instance with Jenkins to deploy my Terraform files. Everything is gonna be ok, but i'd like to secure this server a little bit.

Thus, my principal idea was to use an IAM Role in the instance with only 'sts:AssumeRole' permission, and create an accross-account role with the permissions needed.

With this configured, i'm able to assume the policy and do what i want.

First, I need to get the temporary AWS credentials, by runs the assume-role command, and exporting for environment variables:

aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXX:role/MyRole --role-session-name 'Terraform' | egrep 'SecretAccessKey|AccessKeyId|SessionToken' | awk -F'\"' '{print $4}' > secret ; export AWS_ACCESS_KEY_ID=`sed  -n '3p' secret` ; export AWS_SECRET_ACCESS_KEY=`sed -n '1p' secret` ; export AWS_SECURITY_TOKEN=`sed -n '2p' secret`

A cleaner alternative using jq is:

aws sts assume-role --role-arn arn:aws:iam::XXX:role/jenkins-boss --role-session-name jenkins --output=json > authorization.json

 

eval $(cat authorization.json | jq -r '"export AWS_ACCESS_KEY_ID=\(.Credentials.AccessKeyId); export AWS_SECRET_ACCESS_KEY=\(.Credentials.SecretAccessKey); export AWS_SECURITY_TOKEN=\(.Credentials.SessionToken)”')

works for me.

Cheers,

F.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/9aa4119b-91d2-4f15-bf6e-d68f4cd3d50a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Phil S]

Have you considered letting terraform assume the role?

Haven't done it myself yet the provider block has an assume_role option:

https://www.terraform.io/docs/providers/aws/#assume_role

Phil

[Raphael Rabelo de Oliveira]

Thank you guys!

I already use terraform with assume_role in provider, and that works fine, but what I want is, hidden the role ARN into Terraform code.

I'll try with this 'jq' comand, acttually I'm using the Jenkins credentials to store AWS_ACCESS_ID, AWS_ACCESS_SECRET_ID and the ROLE ARN.

I don't want to give permissions to any one access the keys neither the role arn. 

Thanks!

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.

GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---

You received this message because you are subscribed to a topic in the Google Groups "Terraform" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/terraform-tool/L1EkJPn28HM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/d565dc60-4afb-4d25-8f65-6db0de137149%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Raphael Rabelo