// ERROR that I am getting in the Client environment
Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
// "terraform init" and "terraform validate" works fine. After that, "terraform plan" gives the above error
// References
https://github.com/terraform-providers/terraform-provider-aws/issues/8052
https://github.com/terraform-providers/terraform-provider-aws/issues/9869
https://github.com/hashicorp/terraform/issues/11270
https://github.com/terraform-providers/terraform-provider-aws/issues/12727
https://www.reddit.com/r/Terraform/comments/drtt5y/having_trouble_with_aws_assume_role/
https://stackoverflow.com/questions/58589585/terraform-issue-with-assume-role
https://stackoverflow.com/questions/45559078/terraform-using-iam-role-assume
https://stackoverflow.com/questions/59704676/terraform-aws-assume-role
// create_ec2.tf (using role 'sudip_terraform_ec2_role')
provider "aws" {
version = "3.5.0"
region = "eu-west-1"
access_key = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
secret_key = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
profile = "sudip_terraform"
alias = "terraform"
endpoints {
sts = "https://sts.amazonaws.com"
}
assume_role {
role_arn = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role"
session_name = "sts:RoleSessionName"
}
}
# chosen from the RESOURCE section in Terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
provider = "aws.terraform"
ami = "ami-07d9160fa81ccffb5"
instance_type = "t2.micro"
}
// create_ec2.tf (using role 'sudip_terraform_ec2_role2')
provider "aws" {
version = "3.5.0"
region = "eu-west-1"
access_key = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
secret_key = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
profile = "sudip_terraform"
alias = "terraform"
endpoints {
sts = "https://sts.amazonaws.com"
}
assume_role {
role_arn = "arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2"
session_name = "sts:RoleSessionName"
}
}
# chosen from the RESOURCE section in Terraform 'Provider' section
resource "aws_instance" "sudip_terraform_ec2" {
provider = "aws.terraform"
ami = "ami-07d9160fa81ccffb5"
instance_type = "t2.micro"
}
// did not write this in 'create_ec2.tf' - is this required? I have to create only 1 EC2 instance_type
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "3.5.0"
region = "eu-west-1"
access_key = "<<access_key_of_IAM_USER 'sudip_terraform'>>"
secret_key = "<<secret_key_of_IAM_USER 'sudip_terraform'>>"
}
}
}
// sudip_terraform_ec2_role (with 'EC2Fullaccess' + 'IAMFullaccess' permissions)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<<my_AWS_account_number>>:user/sudip_terraform"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
// sudip_terraform_ec2_role2 (with 'EC2Fullaccess' + 'IAMFullaccess' permissions)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<<my_AWS_account_number>>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
// In ROLE 'sudip_terraform_ec2_role', I have added an inline policy as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role"
}
]
}
// In ROLE 'sudip_terraform_ec2_role2', I have added an inline policy as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<<my_AWS_account_no>>:role/sudip_terraform_ec2_role2"
}
]
}
// .aws/config
[default]
region = eu-west-1
output = json
[profile sudip_terraform]
source_profile = default
region = eu-west-1
output = json
// .aws/credentials
[default]
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>
[sudip_terraform]
source_profile = default
role_arn = arn:aws:iam::<<my_AWS_account_number>>:role/sudip_terraform_ec2_role2
aws_access_key_id = <<access_key_of_IAM_USER 'sudip_terraform'>>
aws_secret_access_key = <<secret_key_of_IAM_USER 'sudip_terraform'>>
// commands
setx AWS_SHARED_CREDENTIALS_FILE ~/.aws/credentials
setx AWS_CONFIG_FILE ~/.aws/config
setx AWS_SDK_LOAD_CONFIG "true"
aws configure list --profile sudip_terraform
aws sts assume-role --role-arn "arn:aws:iam::<<my_account_no>>:role/sudip_terraform_ec2_role" --role-session-name AWSCLI-Session
aws --profile sudip_terraform sts get-caller-identity
aws iam list-users --profile sudip_terraform
// proxy commands (can be tried without proxy too)
setx no_proxy .sts.amazonaws.com
set http_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128
set https_proxy = http://<<client_userid>>:<<client_password>>@fr0-proxylan-vip.eu.<<client_name>>.corp:3128
unset http_proxy https_proxy