Terraform does not use AWS Task Roles to fetch modules from s3 #20439
Comments
Looks like Terraform's code responsible for downloading modules from s3 could work only with aws_access_key_id/aws_secret_access_key/aws_secret_access_key set explicitly or grabbed from the EC2 metadata endpoint, but not with an assumed role or credentials from the EcsContainer metadata endpoint. Tested by configuring custom profiles in .aws/config and running terraform as
The root issue is here: hashicorp/go-getter#152 in the
Hm, it seems like hashicorp/go-getter#152 has been resolved by hashicorp/go-getter#218 which made it into this release https://github.com/hashicorp/go-getter/releases/tag/v1.4.2 -- however, I just tested this against terraform 0.13.5 and the problem remains. Terraform seems to be using some variant of 1.4.2: https://github.com/hashicorp/terraform/blob/master/go.mod#L57 -- but I can't tell if it includes this change or not.
@solarmosaic-kflorence Here's a PR upgrading go-getter: #26762. Are you able to build that branch locally and test if it solves the issue? If not, can you provide detailed reproduction steps so that I can verify this issue is fixed? I'm not familiar with the use of AWS Task Roles.
@alisdair oh cool, thanks. I have not built terraform locally before but will try to do so later today if time permits. This can be easily reproduced by running terraform within AWS CodeBuild which includes a The result currently is a failure that looks like this:
@solarmosaic-kflorence I looked into setting up CodeBuild or even just ECS to test this, but was not able to get anything up and running in a reasonable amount of time. The upstream changes really ought to fix it, so I'm marking this closed, but it would be good to get your confirmation if you're able to test the next 0.14 beta when it's released. Thanks!
Awesome, really appreciate it @alisdair -- happy to test it when the beta is out.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform Configuration Files
Debug Output
Crash Output
Expected Behavior
Terraform should have been able to fetch the module from s3.
Actual Behavior
Terraform init failed to fetch the module and exited with error:
Error downloading modules: Error loading modules: NoCredentialProviders: no valid providers in chain. Deprecated.
Steps to Reproduce
Attempt to pull an s3 module with proper IAM permissions to access the s3 location, but via an ECS / CodeBuild task role. It is specifically accessing it via the task role that causes this issue. Using the EC2 role works, and passing in the Access ID, Key and Session token works as well.
Additional Context
Terraform is being executed in a CodeBuild stage using a task role. It can access our remote state in s3 using the same task role with no issues. The only issue is with fetching a module from s3.
References
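The failure described in the first comment and in the reproduction steps comes down to which providers the S3 getter's credential chain consults. Static keys from the environment and the EC2 instance-profile endpoint are in the chain; the ECS task-role endpoint (advertised to the container through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and served from 169.254.170.2) is not, so a CodeBuild or ECS task that only has a task role ends at NoCredentialProviders. The following Go program is an added illustration, not code from Terraform or go-getter: it models two chains over the same environment, one without and one with an ECS container provider, against constructed local fake endpoints (httptest servers standing in for 169.254.170.2 and IMDS; the credential values and task path are made up). The provider and chain types are simplified stand-ins for the AWS SDK's, whose default chain does include the container endpoint.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Credentials uses the JSON keys the ECS task-role endpoint returns.
type Credentials struct {
	AccessKeyID     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Source          string `json:"-"` // name of the provider that resolved them
}

var ErrNoCredentialProviders = errors.New("NoCredentialProviders: no valid providers in chain")

// Provider is one link of a credential chain.
type Provider interface {
	Name() string
	Retrieve() (Credentials, error)
}

// EnvProvider: static keys from the environment (the case the issue reports as working).
type EnvProvider struct{ Env map[string]string }

func (p EnvProvider) Name() string { return "EnvProvider" }
func (p EnvProvider) Retrieve() (Credentials, error) {
	id, secret := p.Env["AWS_ACCESS_KEY_ID"], p.Env["AWS_SECRET_ACCESS_KEY"]
	if id == "" || secret == "" {
		return Credentials{}, errors.New("EnvAccessKeyNotFound")
	}
	return Credentials{AccessKeyID: id, SecretAccessKey: secret, Token: p.Env["AWS_SESSION_TOKEN"]}, nil
}

// fetchJSON GETs a credential document from a metadata-style endpoint.
func fetchJSON(client *http.Client, url string) (Credentials, error) {
	resp, err := client.Get(url)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var c Credentials
	return c, json.NewDecoder(resp.Body).Decode(&c)
}

// ECSContainerProvider: task-role credentials at <BaseURL><AWS_CONTAINER_CREDENTIALS_RELATIVE_URI>.
// BaseURL is http://169.254.170.2 on a real task; here it points at a fake server.
type ECSContainerProvider struct {
	Env     map[string]string
	BaseURL string
	Client  *http.Client
}

func (p ECSContainerProvider) Name() string { return "EcsContainer" }
func (p ECSContainerProvider) Retrieve() (Credentials, error) {
	uri := p.Env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
	if uri == "" {
		return Credentials{}, errors.New("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not set")
	}
	return fetchJSON(p.Client, p.BaseURL+uri)
}

// EC2RoleProvider: instance-profile credentials from IMDS. Inside a CodeBuild/ECS task no
// instance role is exposed, which the example models with an endpoint answering 404.
type EC2RoleProvider struct {
	BaseURL string
	Client  *http.Client
}

func (p EC2RoleProvider) Name() string { return "EC2RoleProvider" }
func (p EC2RoleProvider) Retrieve() (Credentials, error) {
	return fetchJSON(p.Client, p.BaseURL+"/latest/meta-data/iam/security-credentials/role")
}

// Chain tries providers in order and otherwise reports the error text seen in the issue.
type Chain []Provider

func (c Chain) Retrieve() (Credentials, error) {
	var failures []error
	for _, p := range c {
		creds, err := p.Retrieve()
		if err == nil {
			creds.Source = p.Name()
			return creds, nil
		}
		failures = append(failures, fmt.Errorf("%s: %w", p.Name(), err))
	}
	return Credentials{}, fmt.Errorf("%w: %v", ErrNoCredentialProviders, failures)
}

// RunComparison resolves one task-role-only environment through a narrow chain
// (env + IMDS, as the issue describes) and a full chain (env + ECS + IMDS).
func RunComparison() (narrowErr error, full Credentials, fullErr error) {
	const taskURI = "/v2/credentials/constructed-task-id" // constructed, not a real task path
	ecs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != taskURI {
			http.NotFound(w, r)
			return
		}
		// Constructed sample credentials, not real keys.
		json.NewEncoder(w).Encode(Credentials{AccessKeyID: "ASIACONSTRUCTEDEXAMPLE", SecretAccessKey: "constructed-secret", Token: "constructed-session-token"})
	}))
	defer ecs.Close()
	imds := httptest.NewServer(http.NotFoundHandler()) // no instance role reachable
	defer imds.Close()

	client := &http.Client{Timeout: 2 * time.Second}
	env := map[string]string{"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": taskURI}
	narrow := Chain{EnvProvider{Env: env}, EC2RoleProvider{BaseURL: imds.URL, Client: client}}
	wide := Chain{EnvProvider{Env: env}, ECSContainerProvider{Env: env, BaseURL: ecs.URL, Client: client}, EC2RoleProvider{BaseURL: imds.URL, Client: client}}

	_, narrowErr = narrow.Retrieve()
	full, fullErr = wide.Retrieve()
	return narrowErr, full, fullErr
}

func main() {
	narrowErr, full, fullErr := RunComparison()
	fmt.Println("narrow chain:", narrowErr)
	fmt.Println("full chain:", full.Source, full.AccessKeyID, fullErr)
}
```

The narrow chain fails with NoCredentialProviders even though the task role is available, while the full chain resolves through EcsContainer; the same environment is handed to both, which is why remote state (resolved by the provider's full chain) works in the reporter's CodeBuild stage while the module fetch does not.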