Using Terraform with Jenkins and assume-role policy


Raphael Rabelo de Oliveira

Jul 21, 2017, 5:49:14 AM
to Terraform
Hi guys, I hope you are doing well!

To begin, I'll try to explain my scenario as well as I can; please tell me if you don't understand anything =)

I'm using an AWS EC2 instance with Jenkins to deploy my Terraform files. Everything is going to be OK, but I'd like to secure this server a little bit.

Thus, my principal idea was to use an IAM Role on the instance with only the 'sts:AssumeRole' permission, and create a cross-account role with the permissions needed.
With this configured, I'm able to assume the policy and do what I want.

First, I need to get the temporary AWS credentials by running the assume-role command and exporting them as environment variables:

aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXX:role/MyRole --role-session-name 'Terraform' | egrep 'SecretAccessKey|AccessKeyId|SessionToken' | awk -F'\"' '{print $4}' > secret ; export AWS_ACCESS_KEY_ID=`sed  -n '3p' secret` ; export AWS_SECRET_ACCESS_KEY=`sed -n '1p' secret` ; export AWS_SECURITY_TOKEN=`sed -n '2p' secret`

After that I'm able to call the awscli API normally; the default duration of these credentials is 1 hour.

But in Terraform I'm receiving an error when I try to initialize the remote backend in S3 or run 'terraform plan'.
The error that I receive is:

========
Error configuring the backend "s3": InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: a4b5bc27-6df8-11e7-86b1-9dcb8aa8b419

Please update the configuration in your Terraform files to fix this error
then run this command again.
========

My terraform config is:

terraform.tfvars
--------------------
variable "region" { default = "us-east-1" }


-------------------
provider "aws" {
  region  = "${var.region}"
}
terraform {
  backend "s3" {
    bucket = "myBucket"
    encrypt = "true"
    key    = "PATH/terraform.tfstate"
    region = "us-east-1"
  }
}


I would like to know if someone has this same scenario and can give me some idea of how to make it work.

I hope that my explanation was clear to understand =)

Thanks








ureal frank

Jul 25, 2017, 11:12:09 AM
to terrafo...@googlegroups.com
Hi Raphael,

On 21 Jul 2017, at 10:49, Raphael Rabelo de Oliveira <rap...@rabeloo.com.br> wrote:

First, I need to get the temporary AWS credentials by running the assume-role command and exporting them as environment variables:

aws sts assume-role --role-arn arn:aws:iam::XXXXXXXXXXXX:role/MyRole --role-session-name 'Terraform' | egrep 'SecretAccessKey|AccessKeyId|SessionToken' | awk -F'\"' '{print $4}' > secret ; export AWS_ACCESS_KEY_ID=`sed  -n '3p' secret` ; export AWS_SECRET_ACCESS_KEY=`sed -n '1p' secret` ; export AWS_SECURITY_TOKEN=`sed -n '2p' secret`

A cleaner alternative using jq is:

aws sts assume-role --role-arn arn:aws:iam::XXX:role/jenkins-boss --role-session-name jenkins --output=json > authorization.json
 
eval $(cat authorization.json | jq -r '"export AWS_ACCESS_KEY_ID=\(.Credentials.AccessKeyId); export AWS_SECRET_ACCESS_KEY=\(.Credentials.SecretAccessKey); export AWS_SECURITY_TOKEN=\(.Credentials.SessionToken)"')

works for me.

Cheers,
F.


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/9aa4119b-91d2-4f15-bf6e-d68f4cd3d50a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Phil S

Jul 26, 2017, 7:23:28 AM
to Terraform
Have you considered letting terraform assume the role?

Haven't done it myself, yet the provider block has an assume_role option:

https://www.terraform.io/docs/providers/aws/#assume_role

Phil

Raphael Rabelo de Oliveira

Jul 26, 2017, 10:54:51 AM
to terrafo...@googlegroups.com
Thank you guys!

I already use Terraform with assume_role in the provider, and that works fine, but what I want is to hide the role ARN from the Terraform code.

I'll try this 'jq' command; actually I'm using the Jenkins credentials to store AWS_ACCESS_ID, AWS_ACCESS_SECRET_ID and the ROLE ARN.

I don't want to give anyone permission to access the keys or the role ARN.

Thanks!




--
Raphael Rabelo
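An added example, not code from any of the posts above, that ties Frank's jq approach to Raphael's goal of keeping keys and the role ARN out of the Terraform files: a small POSIX shell function that turns the assume-role JSON into the environment variables Terraform's AWS SDK reads, without depending on jq or on the order of keys in the CLI output. The sample JSON, the credential values and the ROLE_ARN binding name are constructed/assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Converts `aws sts assume-role` JSON output into
# `export` lines for Terraform. Needs only POSIX sed, and does not care about key order.

# json_field KEY: print the string value of KEY from JSON on stdin (first match only).
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# creds_to_env: read assume-role JSON on stdin, print export lines; fail if a field is missing.
creds_to_env() {
  json=$(cat)
  ak=$(printf '%s' "$json" | json_field AccessKeyId)
  sk=$(printf '%s' "$json" | json_field SecretAccessKey)
  st=$(printf '%s' "$json" | json_field SessionToken)
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
    echo "creds_to_env: Credentials block is incomplete" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  # aws-sdk-go, which the Terraform AWS provider and the s3 backend use, reads
  # AWS_SESSION_TOKEN. AWS_SECURITY_TOKEN is an older name that awscli/boto still honour,
  # which would explain the CLI working while Terraform reports InvalidClientTokenId. Set both.
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
  printf 'export AWS_SECURITY_TOKEN=%s\n' "$st"
}

# Constructed sample in the shape the CLI printed at the time; the original sed -n 'Np'
# trick relies on exactly this key order, json_field does not. Values are placeholders.
SAMPLE_JSON='{
    "Credentials": {
        "SecretAccessKey": "EXAMPLESECRET",
        "SessionToken": "EXAMPLETOKEN",
        "Expiration": "2017-07-21T11:49:14Z",
        "AccessKeyId": "ASIAEXAMPLE"
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::123456789012:assumed-role/MyRole/Terraform"
    }
}'

# In a Jenkins step, bind the role ARN to a variable (ROLE_ARN is an assumed binding name)
# so it never appears in the .tf files, then:
#   eval "$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name Terraform \
#           --output json | creds_to_env)"
# Offline demonstration on the constructed sample:
printf '%s' "$SAMPLE_JSON" | creds_to_env
```

If the provider's assume_role block is used instead, the same Jenkins binding can be exposed as TF_VAR_role_arn and read through a Terraform variable, so the ARN still stays out of the checked-in code.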