Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provider with AssumeRoleArn uses default profile when profile is not specified #86

Closed
massimob76 opened this issue Sep 25, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@massimob76
Copy link
Contributor

What is the bug?

If aws_assume_role_arn is specified, but no profile is given,
the provider will assume that the 'default' profile will assume the given role arn.
This is not necessarily true, for instance if AWS credentials are specified via environment variables they should take the precedence and not force to use the 'default' profile.

How can one reproduce the bug?

  1. Create a role 'opensearch-role' that can manage the opensearch cluster
  2. Create a role 'opensearch-build' that can assume the opensearch-role
  3. Allow the local user to assume the 'opensearch-build' role, but not the 'opensearch-role' directly.
    So it should look like:
    local user => opensearch-build => opensearch-role
    but the local user should not be able to assume 'opensearch-role' directly
  4. configure the opensearch provider like:
provider "opensearch" {
  url                 = "https://...."
  aws_assume_role_arn = "arn:aws:iam::...:role/opensearch-role"
}
  1. the local user should assume the opensearch-build role:
aws sts assume-role --role-arn arn:aws:iam::...:role/opensearch-build --role-session-name test

and make sure that the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN are set
6. TF_LOG=debug terraform apply:
you should get an error similar to this:

<Message>User: arn:aws:iam::...:user/some-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::...:role/opensearch-role</Message>
...
Error: NoCredentialProviders: no valid providers in chain. Deprecated.

What is the expected behavior?

No errors, since opensearch-build is allowed to assume opensearch-role

What is your host/environment?

Macbook Pro - MacOS Ventura 13.2

Do you have any screenshots?

Screenshot 2023-09-25 at 17 35 13

Do you have any additional context?

Add any other context about the problem.

@massimob76 massimob76 added bug Something isn't working untriaged labels Sep 25, 2023
massimob76 pushed a commit to massimob76/terraform-provider-opensearch that referenced this issue Sep 25, 2023
… if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)
massimob76 pushed a commit to massimob76/terraform-provider-opensearch that referenced this issue Sep 25, 2023
… if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>
massimob76 added a commit to massimob76/terraform-provider-opensearch that referenced this issue Sep 25, 2023
… if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>
@moritzzimmer
Copy link
Contributor

guess this is the same as in #61

@massimob76
Copy link
Contributor Author

guess this is the same as in #61

Oh I didn't noticed that issue. Yes it's the same issue of #61 since it was reopened.
The PR should hopefully fix it.

@prudhvigodithi
Copy link
Member

[Untriage]
Closing this duplicate of #61, @massimob76 I have added a comment to your PR, please take a look.
Thank you

massimob76 added a commit to massimob76/terraform-provider-opensearch that referenced this issue Oct 26, 2023
massimob76 added a commit to massimob76/terraform-provider-opensearch that referenced this issue Oct 26, 2023
massimob76 added a commit to massimob76/terraform-provider-opensearch that referenced this issue Oct 26, 2023
prudhvigodithi pushed a commit that referenced this issue Nov 1, 2023
#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>
afrodidact pushed a commit to afrodidact/terraform-provider-opensearch that referenced this issue Nov 7, 2023
opensearch-project#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>
Signed-off-by: Aaron Miller <[email protected]>
afrodidact pushed a commit to afrodidact/terraform-provider-opensearch that referenced this issue Nov 7, 2023
opensearch-project#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>
afrodidact pushed a commit to afrodidact/terraform-provider-opensearch that referenced this issue Dec 11, 2023
Signed-off-by: Aaron Miller <[email protected]>

Add anomaly detection (opensearch-project#105)

* Add anomaly detection

Signed-off-by: Rupa Lahiri <[email protected]>

* Add test for update

Signed-off-by: Rupa Lahiri <[email protected]>

* Add audit config in anomaly detector test

Signed-off-by: Rupa Lahiri <[email protected]>

* Format terraform in test

Signed-off-by: Rupa Lahiri <[email protected]>

---------

Signed-off-by: Rupa Lahiri <[email protected]>
Signed-off-by: Aaron Miller <[email protected]>

When the provider assumes a given role, don't use the default profile… (opensearch-project#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>
Signed-off-by: Aaron Miller <[email protected]>

Add step to generate terraform provider documentation by running tfplugindocs (opensearch-project#120)

Signed-off-by: Rupa Lahiri <[email protected]>
Signed-off-by: Aaron Miller <[email protected]>

Improve documentation for HTTP basic authentication (opensearch-project#114)

* Update template

Signed-off-by: Jason Parraga <[email protected]>

* Generate docs using tfplugindocs

Signed-off-by: Jason Parraga <[email protected]>

---------

Signed-off-by: Jason Parraga <[email protected]>
Signed-off-by: Aaron Miller <[email protected]>

fix complaints in errcheck linter

Signed-off-by: Aaron Miller <[email protected]>

Add proxy support (opensearch-project#95)

* Add proxy support

Add a new optional parameter to the provider configuration to allow for
setting a proxy.  Using a proxy can be an easier method for connecting
to clusters within a VPC.

Signed-off-by: Tim Wisbauer <[email protected]>

* Add proxy support docs

Signed-off-by: Tim Wisbauer <[email protected]>

---------

Signed-off-by: Tim Wisbauer <[email protected]>

Add anomaly detection (opensearch-project#105)

* Add anomaly detection

Signed-off-by: Rupa Lahiri <[email protected]>

* Add test for update

Signed-off-by: Rupa Lahiri <[email protected]>

* Add audit config in anomaly detector test

Signed-off-by: Rupa Lahiri <[email protected]>

* Format terraform in test

Signed-off-by: Rupa Lahiri <[email protected]>

---------

Signed-off-by: Rupa Lahiri <[email protected]>

When the provider assumes a given role, don't use the default profile… (opensearch-project#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (opensearch-project#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>

Add step to generate terraform provider documentation by running tfplugindocs (opensearch-project#120)

Signed-off-by: Rupa Lahiri <[email protected]>

Improve documentation for HTTP basic authentication (opensearch-project#114)

* Update template

Signed-off-by: Jason Parraga <[email protected]>

* Generate docs using tfplugindocs

Signed-off-by: Jason Parraga <[email protected]>

---------

Signed-off-by: Jason Parraga <[email protected]>

Add proxy support (opensearch-project#95)

* Add proxy support

Add a new optional parameter to the provider configuration to allow for
setting a proxy.  Using a proxy can be an easier method for connecting
to clusters within a VPC.

Signed-off-by: Tim Wisbauer <[email protected]>

* Add proxy support docs

Signed-off-by: Tim Wisbauer <[email protected]>

---------

Signed-off-by: Tim Wisbauer <[email protected]>

Add anomaly detection (opensearch-project#105)

* Add anomaly detection

Signed-off-by: Rupa Lahiri <[email protected]>

* Add test for update

Signed-off-by: Rupa Lahiri <[email protected]>

* Add audit config in anomaly detector test

Signed-off-by: Rupa Lahiri <[email protected]>

* Format terraform in test

Signed-off-by: Rupa Lahiri <[email protected]>

---------

Signed-off-by: Rupa Lahiri <[email protected]>

Improve documentation for HTTP basic authentication (opensearch-project#114)

* Update template

Signed-off-by: Jason Parraga <[email protected]>

* Generate docs using tfplugindocs

Signed-off-by: Jason Parraga <[email protected]>

---------

Signed-off-by: Jason Parraga <[email protected]>

Add proxy support (opensearch-project#95)

* Add proxy support

Add a new optional parameter to the provider configuration to allow for
setting a proxy.  Using a proxy can be an easier method for connecting
to clusters within a VPC.

Signed-off-by: Tim Wisbauer <[email protected]>

* Add proxy support docs

Signed-off-by: Tim Wisbauer <[email protected]>

---------

Signed-off-by: Tim Wisbauer <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants