1

// ERROR that I am getting in the Client environment

    Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role) cannot be assumed.

There are a number of possible causes of this - the most common are:
  * The credentials used in order to assume the role are invalid
  * The credentials do not have appropriate permission to assume the role
  * The role ARN is not valid

Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
    
// "terraform init" and "terraform validate" works fine. After that, "terraform plan" gives the above error

// References

https://github.com/terraform-providers/terraform-provider-aws/issues/8052

https://github.com/terraform-providers/terraform-provider-aws/issues/9869

https://github.com/hashicorp/terraform/issues/11270

https://github.com/terraform-providers/terraform-provider-aws/issues/12727

https://www.reddit.com/r/Terraform/comments/drtt5y/having_trouble_with_aws_assume_role/

https://stackoverflow.com/questions/58589585/terraform-issue-with-assume-role

https://stackoverflow.com/questions/45559078/terraform-using-iam-role-assume

https://stackoverflow.com/questions/59704676/terraform-aws-assume-role

// create_ec2.tf (using role 'sudip_terraform_ec2_role')

provider "aws" {
  version     = "3.5.0"
  region      = "eu-west-1"    
  access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
  secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
  profile     = "sudip_terraform"
  alias       = "terraform"
  endpoints {
    sts = "https://sts.amazonaws.com"
  }
  assume_role {
    role_arn     = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role"
    session_name = "sts:RoleSessionName"
  }
}

# chosen from the RESOURCE section in Terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
  provider      = "aws.terraform"
  ami           = "ami-07d9160fa81ccffb5"
  instance_type = "t2.micro"
}

// create_ec2.tf (using role 'sudip_terraform_ec2_role2')

provider "aws" {
  version     = "3.5.0"
  region      = "eu-west-1"    
  access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
  secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
  profile     = "sudip_terraform"
  alias       = "terraform"
  endpoints {
    sts = "https://sts.amazonaws.com"
  }
  assume_role {
    role_arn     = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2"
    session_name = "sts:RoleSessionName"
  }
}

# chosen from the RESOURCE section in Terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
  provider      = "aws.terraform"
  ami           = "ami-07d9160fa81ccffb5"
  instance_type = "t2.micro"
}

// did not write this in 'create_ec2.tf' - is this required? I have to create only 1 EC2 instance_type

terraform {
  required_providers {
    aws = {
      source      = "hashicorp/aws"
      version     = "3.5.0"
      region      = "eu-west-1"
      access_key  = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
      secret_key  = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
    }
  }
}

// sudip_terraform_ec2_role (with 'EC2Fullaccess' + 'IAMFullaccess' permissions)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<my_AWS_account_number>>:user/sudip_terraform"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

// sudip_terraform_ec2_role2 (with 'EC2Fullaccess' + 'IAMFullaccess' permissions)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<<my_AWS_account_number>>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

// In ROLE 'sudip_terraform_ec2_role', I have added an inline policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role"
        }
    ]
}

// In ROLE 'sudip_terraform_ec2_role2', I have added an inline policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role2"
        }
    ]
}

// .aws/config

[default]
region = eu-west-1
output = json

[profile sudip_terraform]
source_profile = default
region = eu-west-1
output = json

// .aws/credentials

[default]
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>

[sudip_terraform]
source_profile = default
role_arn = arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>

// commands

setx AWS_SHARED_CREDENTIALS_FILE ~/.aws/credentials

setx AWS_CONFIG_FILE ~/.aws/config

setx AWS_SDK_LOAD_CONFIG "true"

aws configure list --profile sudip_terraform

aws sts assume-role --role-arn "arn:aws:iam::<<my_account_no>>:role/sudip_terraform_ec2_role" --role-session-name AWSCLI-Session

aws --profile sudip_terraform sts get-caller-identity

aws iam list-users --profile sudip_terraform

// proxy commands (can be tried without proxy too)

setx no_proxy .sts.amazonaws.com

set http_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128

set https_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128

unset http_proxy https_proxy
Sudip
  • 31
  • 4

0 Answers0