Make S3 backend work with credential_process w/out ENV variable #22161

Closed
OJFord opened this issue Jul 22, 2019 · 5 comments · Fixed by #25134
Comments

@OJFord
Contributor

OJFord commented Jul 22, 2019

Terraform Version

Tested each of:

v0.11.14
v0.12.5

Terraform Configuration Files

provider "aws" {
  version = ">=2.3.0"
  region  = "${var.region}"
  profile = "<name>" # tested with and without this line
}

terraform {
  required_version = ">= 0.11.8"

  backend "s3" {
    encrypt = true
    bucket  = "<bucket>"
    region  = "${var.region}"
    key     = "<key>"
  }
}

Debug Output

2019/07/22 12:59:19 [INFO] Terraform version: 0.11.14
2019/07/22 12:59:19 [INFO] Go runtime version: go1.12.5
[...]
Initializing the backend...
2019/07/22 12:59:20 [TRACE] Preserving existing state lineage "[...]"
2019/07/22 12:59:20 [TRACE] Preserving existing state lineage "[...]"
2019/07/22 12:59:20 [INFO] Setting AWS metadata API timeout to 100ms
2019/07/22 12:59:20 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id

2019/07/22 12:59:25 [DEBUG] plugin: waiting for all plugin processes to complete...
Error configuring the backend "s3": No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider

Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init".

and

2019/07/22 13:03:49 [INFO] Terraform version: 0.12.5
2019/07/22 13:03:49 [INFO] Go runtime version: go1.12.7
[...]
Initializing the backend...
2019/07/22 13:04:01 [TRACE] Meta.Backend: built configuration for "s3" backend with hash value [...]
2019/07/22 13:04:01 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2019/07/22 13:04:01 [DEBUG] New state was assigned lineage "[...]"
2019/07/22 13:04:01 [TRACE] Meta.Backend: moving from default local state only to "s3" backend
2019/07/22 13:04:01 [INFO] Setting AWS metadata API timeout to 100ms
2019/07/22 13:04:01 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id

Error: No valid credential sources found for AWS Provider.
	Please see https://terraform.io/docs/providers/aws/index.html for more information on
	providing credentials for the AWS Provider

Expected Behavior

Connects to S3

Actual Behavior

Error as above, but aws configure list shows correct configuration, as above with either $AWS_DEFAULT_PROFILE set, or the profile marked default in $AWS_CONFIG_FILE, and with or without profile = in the provider.

Steps to Reproduce

  1. terraform init

Additional Context

# $AWS_CONFIG_FILE
[profile <name>]
credential_process=<cmd that spits out creds>
region=<region>

References

#21120 claims this support for credential_process is implemented and working in 0.11.14

@OJFord
Contributor Author

OJFord commented Jul 22, 2019

Oh there's some fantastically thorough testing in hashicorp/terraform-provider-aws#6913 (comment)

@OJFord
Contributor Author

OJFord commented Jul 22, 2019

Workaround: export AWS_SDK_LOAD_CONFIG=1

From: hashicorp/terraform-provider-aws#6913 (comment)

@lorengordon comments:

It would be nice if terraform setup the session so that it was not necessary to use AWS_SDK_LOAD_CONFIG (it is supported in the SDK, just need to pass the config option when creating the session).

@teamterraform teamterraform changed the title S3 backend not working with credential_process Make S3 backend work with credential_process w/out ENV variable Jul 22, 2019
@bflad bflad self-assigned this Jun 2, 2020
@bflad bflad added this to the v0.13.0 milestone Jun 2, 2020
bflad added a commit that referenced this issue Jun 4, 2020
Reference: #13410
Reference: #18774
Reference: #19482
Reference: #20062
Reference: #20599
Reference: #22103
Reference: #22161
Reference: #22601
Reference: #22992
Reference: #24252
Reference: #24253
Reference: #24480
Reference: #25056

Changes:

```
NOTES

* backend/s3: Deprecated `lock_table`, `skip_get_ec2_platforms`, `skip_requesting_account_id` arguments have been removed
* backend/s3: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* backend/s3: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* backend/s3: Automatically expand `~` prefix for home directories in `shared_credentials_file` argument
* backend/s3: Add `assume_role_duration_seconds`, `assume_role_policy_arns`, `assume_role_tags`, and `assume_role_transitive_tag_keys` arguments

BUG FIXES

* backend/s3: Ensure configured profile is used
* backend/s3: Ensure configured STS endpoint is used during AssumeRole API calls
* backend/s3: Prefer AWS shared configuration over EC2 metadata credentials
* backend/s3: Prefer ECS credentials over EC2 metadata credentials
* backend/s3: Remove hardcoded AWS Provider messaging
```

Output from acceptance testing:

```
--- PASS: TestBackend (16.32s)
--- PASS: TestBackendConfig (0.58s)
--- PASS: TestBackendConfig_AssumeRole (0.02s)
--- PASS: TestBackendConfig_conflictingEncryptionSchema (0.00s)
--- PASS: TestBackendConfig_invalidKey (0.00s)
--- PASS: TestBackendConfig_invalidSSECustomerKeyEncoding (0.00s)
--- PASS: TestBackendConfig_invalidSSECustomerKeyLength (0.00s)
--- PASS: TestBackendExtraPaths (13.21s)
--- PASS: TestBackendLocked (28.98s)
--- PASS: TestBackendPrefixInWorkspace (5.65s)
--- PASS: TestBackendSSECustomerKey (17.60s)
--- PASS: TestBackend_impl (0.00s)
--- PASS: TestForceUnlock (17.50s)
--- PASS: TestKeyEnv (50.25s)
--- PASS: TestRemoteClient (4.78s)
--- PASS: TestRemoteClientLocks (16.85s)
--- PASS: TestRemoteClient_clientMD5 (12.08s)
--- PASS: TestRemoteClient_impl (0.00s)
--- PASS: TestRemoteClient_stateChecksum (17.92s)
```
bflad added a commit that referenced this issue Jun 5, 2020
* deps: Update github.com/hashicorp/aws-sdk-go-base@v0.5.0

Updated via:

```
$ go get github.com/hashicorp/aws-sdk-go-base@v0.5.0
$ go mod tidy
$ go mod vendor
```

* backend/s3: Updates for Terraform v0.13.0

Reference: #13410
Reference: #18774
Reference: #19482
Reference: #20062
Reference: #20599
Reference: #22103
Reference: #22161
Reference: #22601
Reference: #22992
Reference: #24252
Reference: #24253
Reference: #24480
Reference: #25056

Changes:

```
NOTES

* backend/s3: Deprecated `lock_table`, `skip_get_ec2_platforms`, `skip_requesting_account_id` arguments have been removed
* backend/s3: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* backend/s3: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* backend/s3: Automatically expand `~` prefix for home directories in `shared_credentials_file` argument
* backend/s3: Add `assume_role_duration_seconds`, `assume_role_policy_arns`, `assume_role_tags`, and `assume_role_transitive_tag_keys` arguments

BUG FIXES

* backend/s3: Ensure configured profile is used
* backend/s3: Ensure configured STS endpoint is used during AssumeRole API calls
* backend/s3: Prefer AWS shared configuration over EC2 metadata credentials
* backend/s3: Prefer ECS credentials over EC2 metadata credentials
* backend/s3: Remove hardcoded AWS Provider messaging
```

Output from acceptance testing:

```
--- PASS: TestBackend (16.32s)
--- PASS: TestBackendConfig (0.58s)
--- PASS: TestBackendConfig_AssumeRole (0.02s)
--- PASS: TestBackendConfig_conflictingEncryptionSchema (0.00s)
--- PASS: TestBackendConfig_invalidKey (0.00s)
--- PASS: TestBackendConfig_invalidSSECustomerKeyEncoding (0.00s)
--- PASS: TestBackendConfig_invalidSSECustomerKeyLength (0.00s)
--- PASS: TestBackendExtraPaths (13.21s)
--- PASS: TestBackendLocked (28.98s)
--- PASS: TestBackendPrefixInWorkspace (5.65s)
--- PASS: TestBackendSSECustomerKey (17.60s)
--- PASS: TestBackend_impl (0.00s)
--- PASS: TestForceUnlock (17.50s)
--- PASS: TestKeyEnv (50.25s)
--- PASS: TestRemoteClient (4.78s)
--- PASS: TestRemoteClientLocks (16.85s)
--- PASS: TestRemoteClient_clientMD5 (12.08s)
--- PASS: TestRemoteClient_impl (0.00s)
--- PASS: TestRemoteClient_stateChecksum (17.92s)
```
@bflad
Contributor

bflad commented Jun 5, 2020

Multiple fixes for credential ordering, automatically using the AWS shared configuration file if present, and profile configuration handling of the S3 Backend have been merged and will release with version 0.13.0-beta2 of Terraform.
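
The credential resolution that the 0.13 backend changes describe (shared configuration always loaded, the configured profile honoured, local sources consulted before remote ones), as an added example in Go that is not Terraform's or aws-sdk-go-base's code: a stand-alone resolver that takes the environment and the shared config text, picks the profile, runs that profile's `credential_process` through `sh -c` the way the SDK's process credential provider does on non-Windows hosts, and validates the JSON contract the process must honour (Version 1, AccessKeyId, SecretAccessKey, optional SessionToken and RFC 3339 Expiration), rejecting expired output. The `Resolver` type, the `deploy` profile, the `AKIAEXAMPLE` values and the `printf` one-liner standing in for a real credential helper are all constructed for this example; static backend arguments, the shared credentials file and the EC2 metadata fallback are left out so that it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Creds is the JSON a credential_process must print: Version 1, AccessKeyId,
// SecretAccessKey, optional SessionToken and an optional RFC 3339 Expiration.
type Creds struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
	Expiration      string `json:"Expiration,omitempty"`
}

// parseProfiles is a minimal reader for the shared config/credentials format:
// "[profile name]" or "[name]" headers followed by key = value lines.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			name := strings.TrimSuffix(strings.TrimPrefix(line, "["), "]")
			cur = map[string]string{}
			profiles[strings.TrimSpace(strings.TrimPrefix(name, "profile "))] = cur
		default:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && cur != nil {
				cur[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	return profiles
}

// runCredentialProcess runs the command through "sh -c" (as the SDK's process
// provider does on non-Windows hosts) and validates what it prints; the result lives only in memory.
func runCredentialProcess(command string, now time.Time) (Creds, error) {
	out, err := exec.Command("sh", "-c", command).Output()
	if err != nil {
		return Creds{}, fmt.Errorf("credential_process failed: %w", err)
	}
	var c Creds
	if err := json.Unmarshal(out, &c); err != nil {
		return Creds{}, fmt.Errorf("credential_process printed invalid JSON: %w", err)
	}
	if c.Version != 1 || c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return Creds{}, fmt.Errorf("credential_process output is not a Version 1 credential object")
	}
	if c.Expiration != "" { // temporary credentials must still be valid
		exp, err := time.Parse(time.RFC3339, c.Expiration)
		if err != nil || !exp.After(now) {
			return Creds{}, fmt.Errorf("credential_process returned expired or malformed Expiration %q", c.Expiration)
		}
	}
	return c, nil
}

// Resolver holds what the backend consults; Resolve walks it in the post-fix
// order: environment variables first, then the shared config profile.
type Resolver struct {
	Env          map[string]string // AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
	SharedConfig string            // contents of ~/.aws/config ($AWS_CONFIG_FILE)
	Profile      string            // backend "profile" argument or AWS_PROFILE; "" means default
}

func (r Resolver) Resolve() (Creds, error) {
	if k, s := r.Env["AWS_ACCESS_KEY_ID"], r.Env["AWS_SECRET_ACCESS_KEY"]; k != "" && s != "" {
		return Creds{Version: 1, AccessKeyId: k, SecretAccessKey: s, SessionToken: r.Env["AWS_SESSION_TOKEN"]}, nil
	}
	profile := r.Profile
	if profile == "" {
		profile = "default"
	}
	if p := parseProfiles(r.SharedConfig)[profile]; p["credential_process"] != "" {
		return runCredentialProcess(p["credential_process"], time.Now())
	}
	// Fail closed rather than fall through to whatever instance credentials the host has.
	return Creds{}, fmt.Errorf("no valid credential sources found for profile %q", profile)
}

// sampleConfig builds a constructed $AWS_CONFIG_FILE whose credential_process is
// a shell one-liner printing fake credentials with the given Expiration.
func sampleConfig(expiration string) string {
	js := fmt.Sprintf(`{"Version":1,"AccessKeyId":"AKIAEXAMPLE","SecretAccessKey":"example-secret","SessionToken":"example-token","Expiration":"%s"}`, expiration)
	return "[profile deploy]\ncredential_process = printf '%s' '" + js + "'\nregion = eu-west-1\n"
}

func main() {
	c, err := Resolver{SharedConfig: sampleConfig("2099-01-01T00:00:00Z"), Profile: "deploy"}.Resolve()
	fmt.Printf("access_key_id=%s expires=%s err=%v\n", c.AccessKeyId, c.Expiration, err)
}
```

The fail-closed branch at the end of `Resolve` is a deliberate choice for this example: the real SDK chain keeps going to ECS and EC2 metadata, and the ordering note in the commit message above records that, before this fix, EC2 metadata sat ahead of shared configuration, so on an instance the host's role could be used instead of the configured `credential_process` profile. Checking `Expiration` against the current time matters for the same reason: a helper that prints stale temporary credentials should produce a clear error, not a confusing access-denied from S3 later.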

@OJFord
Contributor Author

OJFord commented Jun 5, 2020

Splendid, thank you!

mildwonkey pushed a commit that referenced this issue Jun 12, 2020
@ghost

ghost commented Jul 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Jul 6, 2020