
Automatically Enable AWS Go SDK Session Option SharedConfigState (AWS_SDK_LOAD_CONFIG environment variable) #9236

Closed
bflad opened this issue Jul 4, 2019 · 5 comments · Fixed by #14077
Labels
breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. enhancement Requests to existing resources that expand the functionality or scope. provider Pertains to the provider itself, rather than any interaction with AWS.

Comments

@bflad
Contributor

bflad commented Jul 4, 2019

Details

Currently, when working with Assumed IAM Role credentials following the Assuming an IAM Role in the AWS CLI documentation, the Terraform AWS Provider session logic requires the AWS_SDK_LOAD_CONFIG environment variable to be set to a truthy value (e.g. AWS_SDK_LOAD_CONFIG=1). This is a quite confusing user experience considering that the AWS CLI (boto) does not have a similar requirement.

For example, given this setup:

```
$ cat ~/.aws/config

[profile my-assume-role]
role_arn = arn:aws:iam::123456789012:role/my-assume-role
source_profile = my-assume-role-credentials

$ cat ~/.aws/credentials

[my-assume-role-credentials]
aws_access_key_id = ...
aws_secret_access_key = ...

$ cat main.tf

provider "aws" {
  region  = "us-east-1"
  version = "2.17.0"
}

data "aws_caller_identity" "current" {}

output "caller_arn" {
  value = "${data.aws_caller_identity.current.arn}"
}
```

```
$ export AWS_PROFILE=my-assume-role
$ terraform apply

Error: Error refreshing state: 1 error occurred:
  * provider.aws: No valid credential sources found for AWS Provider.
  Please see https://terraform.io/docs/providers/aws/index.html for more information on
  providing credentials for the AWS Provider
```

However, it works when the less documented environment variable is set:

```
$ export AWS_PROFILE=my-assume-role
$ export AWS_SDK_LOAD_CONFIG=1
$ terraform apply
data.aws_caller_identity.current: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

caller_arn = arn:aws:sts::123456789012:assumed-role/my-assume-role/1561748592973748000
```

We should be able to enable loading the shared configuration file automatically via the Options configuration SharedConfigState field.

This change should occur during a major version upgrade since it has the potential of unexpectedly changing authentication precedence and handling for some environments.

References

Among others:
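To make the failure mode in the issue concrete, the following stand-alone Go program is an added example, not code from the Terraform AWS Provider or the AWS Go SDK. It re-implements, in deliberately simplified form, the part of shared-config resolution that the `AWS_SDK_LOAD_CONFIG` variable (or the SDK's `SharedConfigEnable` session option) gates: whether `~/.aws/config`, where assume-role profiles live, is consulted at all. The `Resolve` function, the `Creds` type and the sample file contents are constructed for this illustration; the key values are placeholders. It also goes slightly beyond the issue by showing that a plain static profile from `~/.aws/credentials` resolves either way, which is why the problem only surfaces for role profiles.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ErrNoCredentials stands in for the provider's "No valid credential sources
// found" error quoted in the issue.
var ErrNoCredentials = errors.New("no valid credential sources found")

// Creds is the resolved result: static keys, or a role to assume using the
// source profile's static keys. Constructed model, not an SDK type.
type Creds struct {
	AccessKeyID string
	RoleARN     string // non-empty for an assume-role profile
	SourceKeyID string // key that would sign the sts:AssumeRole call
}

// Sample files constructed to mirror the setup in the issue (placeholder keys).
const SampleConfig = `[profile my-assume-role]
role_arn = arn:aws:iam::123456789012:role/my-assume-role
source_profile = my-assume-role-credentials
`

const SampleCredentials = `[my-assume-role-credentials]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = secretplaceholder
`

// parseINI handles the "[section]" / "key = value" subset used by the shared
// files. "[profile name]" headers from ~/.aws/config are normalised to "name".
func parseINI(text string) map[string]map[string]string {
	out := map[string]map[string]string{}
	cur := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			cur = strings.TrimSpace(line[1 : len(line)-1])
			cur = strings.TrimSpace(strings.TrimPrefix(cur, "profile "))
			if out[cur] == nil {
				out[cur] = map[string]string{}
			}
		default:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && cur != "" {
				out[cur][strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	return out
}

// Resolve is a simplified stand-in for the SDK's profile lookup. loadConfig is
// what AWS_SDK_LOAD_CONFIG / SharedConfigEnable controls: when false, only the
// credentials file is read and every profile defined in ~/.aws/config is invisible.
func Resolve(profile, configText, credsText string, loadConfig bool) (Creds, error) {
	sections := parseINI(credsText)
	if loadConfig {
		// Merge config sections in; values already present from the
		// credentials file are kept (assumption: credentials file wins).
		for name, kv := range parseINI(configText) {
			if sections[name] == nil {
				sections[name] = map[string]string{}
			}
			for k, v := range kv {
				if _, exists := sections[name][k]; !exists {
					sections[name][k] = v
				}
			}
		}
	}
	sec, ok := sections[profile]
	if !ok {
		return Creds{}, ErrNoCredentials // the exact situation the issue reports
	}
	if role := sec["role_arn"]; role != "" {
		src, ok := sections[sec["source_profile"]]
		if !ok || src["aws_access_key_id"] == "" {
			return Creds{}, fmt.Errorf("profile %q: source_profile %q has no static credentials", profile, sec["source_profile"])
		}
		return Creds{RoleARN: role, SourceKeyID: src["aws_access_key_id"]}, nil
	}
	if sec["aws_access_key_id"] == "" {
		return Creds{}, ErrNoCredentials
	}
	return Creds{AccessKeyID: sec["aws_access_key_id"]}, nil
}

func main() {
	for _, load := range []bool{false, true} {
		c, err := Resolve("my-assume-role", SampleConfig, SampleCredentials, load)
		fmt.Printf("shared config loaded=%v -> %+v err=%v\n", load, c, err)
	}
}
```

Running it prints the unresolved error for the first iteration and the role ARN plus source key for the second, which is the same before/after contrast as the two `terraform apply` runs above. The defender's takeaway is that flipping the default, as the issue proposes, changes which files can contribute credentials to a run, so the change belongs in a major version with an upgrade note.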

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. proposal Proposes new design or functionality. provider Pertains to the provider itself, rather than any interaction with AWS. labels Jul 4, 2019
@bflad bflad added this to the v3.0.0 milestone Jul 4, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 4, 2019
@bflad bflad changed the title Automatically Set AWS Go SDK Session Option SharedConfigEnable (AWS_SDK_LOAD_CONFIG environment variable) Automatically Enable AWS Go SDK Session Option SharedConfigState (AWS_SDK_LOAD_CONFIG environment variable) Jul 4, 2019
@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Jul 4, 2019
@jukie
Contributor

jukie commented Jul 4, 2019

This would be super useful for my org. It looks like it would just be a change of the implementation here?
https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/config.go#L329-#L332

@bflad
Contributor Author

bflad commented Jul 5, 2019

We will likely want to:

  • In hashicorp/aws-sdk-go-base, appropriately enable the configuration via a new boolean flag that defaults to true and gets exposed for the Terraform AWS Provider and S3 Backend
  • In Terraform AWS Provider and S3 Backend, update the dependency and set that flag to false by default (the existing behavior). Add a boolean configuration option to allow operators to set that flag to opt into setting true.
  • In Terraform AWS Provider and S3 Backend during their next major version upgrade, change the default configuration value to be true instead of false and include a note about the change in the upgrade guides

This will allow folks to opt into the change now (if they prefer) and leave any potential for breaking changes caused by the behavior change to occur in a major version release. 👍

@bflad bflad removed the proposal Proposes new design or functionality. label May 28, 2020
@bflad bflad self-assigned this Jul 7, 2020
bflad added a commit that referenced this issue Jul 7, 2020
Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```
bflad added a commit that referenced this issue Jul 13, 2020
…14077)

* Update module hashicorp/aws-sdk-go-base to v0.5.0

* provider: Authentication updates for Terraform AWS Provider v3.0.0

Reference: #5018
Reference: #6913
Reference: #7333
Reference: #9236
Reference: #9869
Reference: #9898
Reference: #9962
Reference: #9986
Reference: #10507
Reference: #11429
Reference: #12236
Reference: #12727
Reference: #12815
Reference: #13057

Changes:

```
NOTES

* provider: Credential ordering has changed from static, environment, shared credentials, EC2 metadata, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata) to static, environment, shared credentials, default AWS Go SDK (shared configuration, web identity, ECS, EC2 Metadata)
* provider: The `AWS_METADATA_TIMEOUT` environment variable no longer has any effect as we now depend on the default AWS Go SDK EC2 Metadata client timeout of one second with two retries

ENHANCEMENTS

* provider: Always enable shared configuration file support (no longer require `AWS_SDK_LOAD_CONFIG` environment variable)
* provider: Add `assume_role` configuration block `duration_seconds`, `policy_arns`, `tags`, and `transitive_tag_keys` arguments

BUG FIXES

* provider: Ensure configured STS endpoint is used during `AssumeRole` API calls
* provider: Prefer AWS shared configuration over EC2 metadata credentials by default
* provider: Prefer CodeBuild, ECS, EKS credentials over EC2 metadata credentials by default
```

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.89s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.90s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.99s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.22s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.29s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.37s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.38s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.39s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.40s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.40s)
--- PASS: TestAccAWSProvider_Endpoints_Deprecated (4.42s)
--- PASS: TestAccAWSProvider_Endpoints (4.53s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (8.32s)
```

* docs/provider: Add authentication changes section to version 3 upgrade guide and remove pre-3.0 notes

Co-authored-by: Renovate Bot <bot@renovateapp.com>
@bflad
Contributor Author

bflad commented Jul 13, 2020

Support for this has been merged and will release with version 3.0.0 of the Terraform AWS Provider, likely in about two weeks. Please note this enhancement was also applied for the Terraform S3 Backend (part of Terraform CLI codebase) as part of 0.13.0-beta2.

@ghost

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Aug 12, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 12, 2020