
[BUG] Environment variable AWS_PROFILE, AWS_ACCESS_KEY_ID and AWS_ACCES_KEY not respected with aws_assume_role_arn #99

Open
andrejvanderzee opened this issue Oct 12, 2023 · 14 comments
Labels
bug Something isn't working

Comments

@andrejvanderzee

andrejvanderzee commented Oct 12, 2023

What is the bug?

The provider does not take into account the AWS_PROFILE environment variable when using aws_assume_role_arn. Instead, we must explicitly set it in the provider config like this:

provider "opensearch" {
  url                 = var.opensearch_url
  healthcheck         = "false"
  aws_region          = "eu-west-1"
  aws_assume_role_arn = "arn:aws:iam::****:role/opensearch-master"
  aws_profile         = "management"
}

How can one reproduce the bug?

Remove aws_profile from the configuration above and do an export AWS_PROFILE=management. That will result in:

│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ 	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

What is the expected behavior?

Override the aws_profile setting in the provider configuration, if any.

What is your host/environment?

Ubuntu 22.04

@andrejvanderzee andrejvanderzee added bug Something isn't working untriaged labels Oct 12, 2023
@andrejvanderzee andrejvanderzee changed the title [BUG] Environment variable AWS_PROFILE not respected [BUG] Environment variable AWS_PROFILEnot respected Oct 12, 2023
@andrejvanderzee andrejvanderzee changed the title [BUG] Environment variable AWS_PROFILEnot respected [BUG] Environment variable AWS_PROFILE, AWS_ACCESS_KEY_ID and AWES_ACCES_KEY not respected with aws_assume_role_arn Oct 12, 2023
@andrejvanderzee
Author

The same holds for using aws_assume_role_arn with the environment variables AWS_ACCESS_KEY_ID and AWS_ACCES_KEY. It only works via the ~/.aws/credentials file.

@andrejvanderzee andrejvanderzee changed the title [BUG] Environment variable AWS_PROFILE, AWS_ACCESS_KEY_ID and AWES_ACCES_KEY not respected with aws_assume_role_arn [BUG] Environment variable AWS_PROFILE, AWS_ACCESS_KEY_ID and AWS_ACCES_KEY not respected with aws_assume_role_arn Oct 12, 2023
@peterzhuamazon
Member

@prudhvigodithi to take a look on this.

@peterzhuamazon peterzhuamazon mentioned this issue Oct 24, 2023
@prudhvigodithi
Member

@massimob76 @ekirmayer can you please add your thoughts?
Thank you

@massimob76
Contributor

@prudhvigodithi @andrejvanderzee that should be fixed by #87

@estebane-frb

estebane-frb commented Nov 9, 2023

Hi @prudhvigodithi, I just tried release 2.1.0 and unfortunately I am still getting this error:

[INFO] Failed to put role mapping: NoCredentialProviders: no valid providers in chain. Deprecated.

This is my current provider setup.

provider "opensearch" {
  url                 = var.opensearch_url
  aws_assume_role_arn = var.iam_role_to_assume
  aws_region          = var.region
  healthcheck         = false
  sign_aws_requests   = true
}

@prudhvigodithi
Member

prudhvigodithi commented Nov 9, 2023

Thanks @estebane-frb for the feedback, adding @massimob76 @rblcoder to please take a look and help @estebane-frb to fix the issue.

@rblcoder
Collaborator

I am able to specify the AWS profile both using

provider "opensearch" {
  url                         = "url"
  healthcheck                 = "false"
  aws_region                  = "region"
  aws_profile                 = "dev"
  aws_assume_role_arn         = "role arn"
  aws_assume_role_external_id = "external id"
  version_ping_timeout        = "10"
}

as well as

export AWS_PROFILE=dev

and

provider "opensearch" {
  url                         = "url"
  healthcheck                 = "false"
  aws_region                  = "region"
  aws_assume_role_arn         = "role arn"
  aws_assume_role_external_id = "external id"
  version_ping_timeout        = "10"
}

@falcocoris

I can't get it to work, I'm getting the following error:

│ Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

I can make it work using access keys or basic auth, but it doesn't meet our security requirements, which are using IAM Identity Center.

Any idea what's wrong here? Either it isn't using the profile, or there's a missing link somewhere behind that (I'm thinking of the application layer of IAM Identity Center).

@rblcoder
Collaborator

rblcoder commented Apr 2, 2024

@falcocoris could you please share the Terraform OpenSearch provider configuration you are using?

@falcocoris

falcocoris commented Apr 2, 2024

provider "opensearch" {
  url                        = "https://vpc-blabla.eu-west-1.es.amazonaws.com"
  aws_region                 = "eu-west-1"
  healthcheck                = false
  version_ping_timeout       = "10"
}

and my AWS config file is like this:

[default]
sso_session = mycompany
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
region = eu-west-1
[sso-session mycompany]
sso_start_url = https://blabla.awsapps.com/start
sso_region = eu-west-1
sso_registration_scopes = sso:account:access
[profile dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess
[dev]
region = eu-west-1
sso_session = enlaps
sso_account_id = my_aws_account_id
sso_role_name = AdministratorAccess

There are some duplicates here as I was trying to force using an explicit profile etc. Anyway, nothing worked.
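Added example, not the provider's or any poster's code: a small Go checker that parses a ~/.aws/config shaped like the one above and applies the naming rule that file uses (the default profile is a bare [default] section, every other profile is written [profile NAME]; bare [NAME] is the ~/.aws/credentials convention), then flags an sso_session that points at a missing [sso-session ...] block. The sample config is constructed and stands in for the poster's real values.

```go
package main

import "strings"

// Constructed sample (not the poster's values) shaped like the config posted above.
const sampleConfig = `[default]
sso_session = mycompany
[sso-session mycompany]
sso_start_url = https://example.awsapps.com/start
[profile dev]
sso_session = enlaps
[dev]
`

// ParseAWSConfig splits INI-style ~/.aws/config text into sections keyed by
// header name, e.g. "default", "profile dev", "sso-session mycompany".
func ParseAWSConfig(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	var cur map[string]string
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			cfg[strings.TrimSpace(line[1:len(line)-1])] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return cfg
}
// CheckSSOProfile resolves a profile by the ~/.aws/config naming rule ("default" is
// bare, any other profile is "[profile NAME]") and lists what would stop SSO from resolving.
func CheckSSOProfile(cfg map[string]map[string]string, name string) []string {
	key := "profile " + name
	if name == "default" {
		key = "default"
	}
	p, ok := cfg[key]
	if !ok {
		return []string{"no [" + key + "] section"}
	}
	var problems []string
	if sess := p["sso_session"]; sess != "" && cfg["sso-session "+sess] == nil {
		problems = append(problems, "sso_session "+sess+" has no [sso-session "+sess+"] block")
	}
	if name != "default" && cfg[name] != nil {
		problems = append(problems, "bare ["+name+"] section; the config-file form is [profile "+name+"]")
	}
	return problems
}
```

An empty result from CheckSSOProfile means the profile looks consistent; the sample's "dev" profile yields two findings (dangling sso_session and a bare [dev] section) while "default" yields none.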

@rblcoder
Collaborator

rblcoder commented Apr 3, 2024

@falcocoris Using SSO works when OpenSearch allows access to the role ARN created by IAM Identity Center:

arn:aws:iam::aws-account-ID:role/aws-reserved/sso.amazonaws.com/aws-region/AWSReservedSSO_permission-set-name_unique-suffix

https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html

@falcocoris

falcocoris commented Apr 5, 2024

ARN

That's exactly what I was missing, thanks!

Do you think it's worth mentioning in the provider configuration section?

It's got nothing to do with the provider in the end, but I'm wondering if it's relevant.

@prudhvigodithi
Member

Thanks @rblcoder. Also @falcocoris, this is more related to how the AWS OpenSearch is created with proper working SSO settings; adding it to the Terraform provider docs seems to me like it's deviating from the scope of the Terraform provider. The provider is cloud-agnostic; it targets to work for OpenSearch for any given endpoint. Also I feel that SSO configuration with AWS OpenSearch should be part of the AWS docs. WDYT @falcocoris @rblcoder @bbarani?

Also @falcocoris, if you still think it's better to add a one-liner about this SSO setup (when using AWS OpenSearch), please feel free to raise a PR.

Thanks

@rblcoder
Collaborator

rblcoder commented Apr 6, 2024

@falcocoris, adding it to the OpenSearch Terraform provider documentation would deviate from its scope as it is something we are configuring in AWS. Do contribute a line on SSO configuration for AWS OpenSearch by submitting a PR, if you believe it should be there.
