Support for AWS access via IAM - AssumeRole #1275
Comments
|
I'm currently working on #1049 which is providing IAM support via the The only use-case for the IAM authorisation at the moment is to call the metadata API from inside a running EC2 instance: https://github.com/awslabs/aws-sdk-go/blob/440f9da54cf714e7c27b5b4ffa789793a5fbd658/aws/auth.go#L203-228 To fully understand the suggested solution, would you expect the provider config to have following options? provider "aws" {
credentials_provider = "iam"
iam_role_arn = "arn:aws:iam::account-of-role-to-assume:role/name-of-role"
}How do you expect to provide the initial pair of Related: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-switchapi.html |
|
Also if you use MFA for the AssumeRole, it would require some other changes in the whole TF CLI workflow as well, e.g. Terraform interactively asking for the TOTP and providing it in that API request to STS. |
|
btw. there's a lot more use-cases = workflows for this... http://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html Ain't saying it should all be covered in the first implementation, just thinking loudly about it... |
|
Adding an
I would expect to provide them the same way I'm not sure if the |
|
So, to clarify, I'd expect this to be enough for the cross-account |
|
I admit the other role workflows and MFA would add a lot of scope. I'm primarily interested in this for the cross-account use case I described, because it seems to be the only method AWS supports for accessing a consolidated billing sub-account from the parent account, other than creating a new set of IAM users for each sub-account. |
|
Ah, looking at PR #1049, it does look like you've added support for more complex AWS credential provider configurations? Sorry, I don't actually know the Terraform codebase or goamz, aws-go-sdk, etc very well. Currently I don't know Go (though Terraform may motivate me to learn), so my issues and comments are largely from the point-of-view of someone using Terraform and using AWS's own tools and API. |
|
Another use case for IAM roles is when you are running Terraform from an EC2 instance with an IAM role in its instance profile. In this case the temporary access credentials (access, secret & token) for the account can be obtained directly from the EC2 instance metadata. This relieves you from the need to manage these credentials manually if you are willing to run terraform in an EC2 instance and would make things very easy for the use case of deploying into the same account. For the cross-account access you would only need to specify the IAM role to assume in the other account and Terraform would call AssumeRole using the credentials from the instance profile to get a new set of access credentials for the other account. These temporary credentials from the instance profile can expire so some logic would need to be implemented to renew from the instance metadata when necessary, although it is unlikely that a terraform invocation would run longer than the minimum lifetime a set of credentials obtained from the instance metadata. |
Yes, that's already included in the linked #1049
Good point with cross-account access in general. I'd personally say that it's actually a reason to implement the whole
The renewing logic is already part of the go library we use: The expiration period though is unfortunately currently hardcoded. I will have a look if there's any way we can find the expiration period automatically, if not, I will probably expose it as another variable, that user will need to set or overwrite. |
|
Ah... thanks for the code pointers. Agreed on splitting to another PR... significant scope creep :-) The expiration time is available in the EC2 metadata along with the temporary credentials: http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE/Expiration |
👓 read the code more carefully, before you post, Radek... 😑 My bad, the hard-coded time period actually only applies to token provided from a config file: The IAM provider already reads the expiration period from the API: All of the above means that for the basic implementation we're IMO good to go with #1049 😃 |
|
@ncraike would you mind modifying the issue title to "Support for AWS access via IAM - AssumeRole" or something along those lines? |
ncraike
changed the title
|
Done. I feel I've opened a can of worms here, though. |
|
+1 as cross-account access is a desire of ours too. 😍 |
|
Some news about this feature? |
|
It's not as clean as a proper solution in terraform would be, but in the short term if you're using the fish shell you can use the credentials file and this function to handle setting up environment variables to authenticate with. It doesn't have support for using AssumeRole (yet) but you can change up the sts arguments pretty easily to manage that. |
|
While this is a little late for this ticket, here is the solution I worked out to work with AssumeRole for the time being: https://gist.github.com/mlrobinson/944fd0e2ad4926ba71c9. It works with the latest version of terraform, and also with the aws cli tools as well as anything that respects the environment variables used here. |
|
Cross-account deployments via IAM is definitely preferred over using API keys for our use cases. Any more news about this feature? |
|
So much this.. +1 |
|
+1 |
1 similar comment
|
+1 |
|
+1 yes right now it is not possible to set up AWS instances with Terraform and variabilize the account that they use to do the setup in any automated way. I tried for a day to make this work. |
|
Given the description of how this mechanism works from @ncraike in the initial issue description, I wonder if this could instead be implemented via a separate tool outside Terraform that would be able to wrap any command that uses the standard AWS environment variables. For example: Here's how I'd expect that to work:
Splitting the problem up into these two steps means that That might be a good thing to include in the AWS CLI. 😀 Not to say that Terraform couldn't have explicit support for this to make things simpler, but if such a tool were to exist it could be a reasonable alternative. Edit: reading the thread again, I see that this is actually pretty similar to the script that @mlrobinson shared, except that script outputs environment variables to help you update your shell environment for future commands rather than just running one command as I'd suggested. Maybe that script could be adapted to support what I described above as an extra utility, but as-is it basically addresses this use-case. |
|
It seems possible to variabilize aws instances with user_data field from terraform resources. -- On October 16, 2015 at 12:51:55 PM, Spencer Brown (notifications@github.com) wrote: +1 yes right now it is not possible to set up AWS instances with Terraform and variabilize the account that they use to do the setup in any automated way. I tried for a day to make this work. — |
|
As a temporary workaround, is there anything preventing us from wrapping |
|
IMHO it’s just a trick. Terraform must be isolated from 3rd parties but custom providers. -- On October 31, 2015 at 4:58:45 AM, Alexandr Kurilin (notifications@github.com) wrote: As a temporary workaround, is there anything preventing us from wrapping terraform calls in a script that will use AWS cli to obtain temporary assumed role credentials, set those in the environment and then call terraform itself? — |
|
For now, I'm using https://github.com/jbuck/assume-aws-role to solve this problem, but it would really be great to be able to specify within a provider block. With assume-aws-role, |
|
The wrapper idea is a neat workaround, but how are people handling expiring API tokens mid terraform run? |
|
Normally the STS token will be expired in 1 hour, should be enough for a terraform run. |
|
That's a good question ...
|
|
Any implementation to come?
|
|
+1 |
|
Would love to have this as well. |
|
Very soon? Julien Lavergne
|
|
Any updates on this issue ? |
|
This issue is so important Good implementation is needed
|
|
A solution to this is needed. Writing a wrapper to populate environment variables (which would be the most elegant solution) is broken on instances with EC2 roles. See #7768. |
|
Here's the wrapper I use it anyone find it useful: https://gist.github.com/dbrandt/b440f3be67897222cdc4650db510e262 |
|
I ported the aws-profile python script to pure bash if anyones interested. It caches the creds in the same file your CLI uses, so you only have to MFA once if it's enabled. It requires the python aws cli tools. https://github.com/zoltrain/aws-profile |
|
These wrappers will not work when the instance is using an EC2 IAM role (standard procedure when inside AWS) as it will always use the token from the EC2 IAM role (see #7768). |
|
I think this change made upstream would address this problem. It looks like the upstream aws-go-sdk library now supports this as of version 1.3.0. If I'm right that this addresses that problem, hopefully we'll see this being brought into terraform soon-ish then. |
|
Not sure if this is related: I want to use the Account A: Account B: Would any of the suggestions in this issue allow me to achieve this? At the moment I get the following error when trying to apply the terraform script for Account B: |
|
That error looks like the user you are running terraform with for account B doesn't have access to create route53 zones. |
|
Added a potential solution for this over in the PR at #8506 It adds support for specifying a roleArn in the provider block. It will use any valid credentials it finds in the credentials chain to execute the assume role. I'm a Golang newbie so would love people to jump in to get it across the line and merged. |
|
When will this issue be resolved? Julien Lavergne
|
|
@julienlavergne, it'll be resolved when there's resolution. |
|
There is always a solution. Any AWS engineer wants to help us? Julien Lavergne
|
This commit enables terraform to utilise the assume role functionality of sts to execute commands with different privileges than the API keys specified. Signed-off-by: Ian Duffy <ian@ianduffy.ie>
|
Hey, @jen20 and @imduffy15. Is it supposed to work in latest master? |
|
I did @jen20. Not sure why is it complaining. With Quick question - support for mfa wasn't implemented in that PR, right? |
|
We just released a tool assume-role (https://github.com/coinbase/assume-role) that can export the credentials without using a profile. This means we don't have to use |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
and others
I get it's probably a lot of complexity to add, but it'd be great if Terraform supported using IAM roles in its AWS provider authentication.
This adds a few steps to how API credentials are used – you use your normal AWS access key and secret key to call
sts assume-rolein the API, and this responds with a temporary access key, secret key and session token which you use for the rest of the session. An example with AWS's own CLI is here.The big use case for this is cross-account access. We have lots of AWS accounts to isolate billing to individual projects, and we link these to one parent account with AWS's consolidated billing. The cross-account roles let us have one set of IAM users in the parent account (eg one IAM user for each actual developer using AWS), and then just a single IAM role in each sub-account, which the developers can assume when needed. This saves having to create a new set of IAM users in each sub-account.
I imagine this would involve adding extra AWS provider config fields to describe the role to assume (using an AWS ARN like
arn:aws:iam::account-of-role-to-assume:role/name-of-role), and would also involve changing the AWS API access layer to use the temporary role access/secret keys and a session token.This should be linked to the AWS meta-issue. I felt the explanation was long enough to warrant a full issue.
The text was updated successfully, but these errors were encountered: