-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
provider: Fallback to session-derived credentials #2883
Conversation
I've built terraform (which includes the terraform-provider-aws source directly) and the provider with this change on macOS using https://gist.github.com/mikemoate/99776bee1c0b161f5bc2db207c771727 Testing locally shows that this change breaks the behaviour I fixed in #1608 (which was finally released in terraform 0.11.2), specifically the following configuration no longer works:
I suspect this is related to the fact that As it stands I (unsurprisingly) would not be in favour of merging this PR. |
@mikemoate: Thanks for the report. I'll take a look this afternoon and update the PR. |
@mikemoate: pushed up a change the restores functionality in #1608. Did some preliminary testing and it seemed good, let me know if satisfies your use case. |
Any more feedback on the PR? |
You're correct and we've run into this before, especially in large scale environments. Hopefully the addition of max session duration into IAM roles can help mitigate this until we can come up with a proper provider-wide fix. At first blush this pull request seems good so I'll probably pull it in. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM -- thanks for this contribution! It should help a bunch of people out. 🚀
This has been released in version 1.14.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
hashicorp#2883 * provider: Fallback to session-derived credentials hashicorp#2883
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
#1608 allows for the session to figure out credentials by setting
opt.SharedConfigState = session.SharedConfigEnable
whenever the Profile is not empty.This appropriately allows shared config (
~/.aws/config
) to work correctly (including using assumed roles) iff theprofile
is set within the Terraform provider configuration.This does not work correctly in the case of an assumed role when relying on environment variables
AWS_PROFILE
andAWS_SDK_LOAD_CONFIG
.This patch alters the behavior to the following:
GetCredentials
I am a little worried that assumed role (or any form of temporary credential) does not seem to have the capability to auto-renew. I'm not sure how much of a problem this is, as terraform plans are (generally) not long-lived processes.
This should effectively resolve #1184.
NOTE: we'll need to bump terraform proper (as in hashicorp/terraform#16661) again, if this PR is accepted/merged.