s3 backend creation issue with credential_process + source_profile + role_arn

[reegnz]

I am trying to use terragrunt with aws-vault but my configuration seems to fail with terragrunt (and terraform), but works fine for the cli for example.

I believe that this might be an issue with not using the latest SDK, so I would try to upgrade that first and see if that fixes the issue.

My aws config:

[profile work]
region=us-east-1
credential_process = aws-vault exec work --json --prompt=osascript

[profile playground-AdminRole]
region=us-east-1
source_profile=work
role_arn=arn:aws:iam::111111111111:role/AdminRole

➜ terragrunt apply
[terragrunt] 2019/09/13 13:14:18 Reading Terragrunt config file at /Users/reegnz/github/aws-infra-live/playground/global/domain/terragrunt.hcl
[terragrunt] [/Users/reegnz/github/aws-infra-live/playground/global/domain] 2019/09/13 13:14:18 Running command: terraform --version
[terragrunt] 2019/09/13 13:14:19 Terraform files in /Users/reegnz/github/aws-infra-live/playground/global/domain/.terragrunt-cache/YHAiOZmsTQ0ZYoYx4EKbpRrLc6U/atLwOwOfUS0c8RxP5eXSzcffHRw/domain are up to date. Will not download again.
[terragrunt] 2019/09/13 13:14:19 Copying files from /Users/reegnz/aws-infra-live/playground/global/domain into /Users/reegnz/github/aws-infra-live/playground/global/domain/.terragrunt-cache/YHAiOZmsTQ0ZYoYx4EKbpRrLc6U/atLwOwOfUS0c8RxP5eXSzcffHRw/domain
[terragrunt] 2019/09/13 13:14:19 Setting working directory to /Users/reegnz/aws-infra-live/playground/global/domain/.terragrunt-cache/YHAiOZmsTQ0ZYoYx4EKbpRrLc6U/atLwOwOfUS0c8RxP5eXSzcffHRw/domain
[terragrunt] 2019/09/13 13:14:19 Error initializing session: SharedConfigAssumeRoleError: failed to load assume role for arn:aws:iam::946862322396:role/AdminRole, source profile has no shared credentials
[terragrunt] 2019/09/13 13:14:19 Unable to determine underlying exit code, so Terragrunt will exit with error code 1

[reegnz]

Terraform also has an issue with such an aws config: hashicorp/terraform#22653

[brikis98]

Oh, interesting. Is credential_process must be something new? At any rate, a PR that updates AWS SDK version is welcome!

[lorengordon]

It's reasonably new yes, been around longer on the python side. Here's the doc on the aws config. It's really handy when you have a federated identity provider and want to get auto-refreshing temp creds for cli actions.

Our team contributed the initial implementation to the AWS GO SDK last year. It's been slowly filtering through the ecosystem. AWS credential handling is still a total pain to implement well.

[Sidenote: Have you looked at dependabot to help keep dependency versions up-to-date?]

[brikis98]

It's really handy when you have a federated identity provider and want to get auto-refreshing temp creds for cli actions.

💯

Our team contributed the initial implementation to the AWS GO SDK last year. It's been slowly filtering through the ecosystem. AWS credential handling is still a total pain to implement well.

Nice 🍺

[Sidenote: Have you looked at dependabot to help keep dependency versions up-to-date?]

Considered it, but haven't had time to dig into the details and implement it.

[reegnz]

@brikis98 I will have a go at bumping the SDK version, we'll see if that's enough. With terraform that one is a bit harder to crack :(

[brikis98]

Thx!

[reegnz]

#890 probably fixed this issue.

[reegnz]

The accompanying terraform issue also got fixed: hashicorp/terraform#22653

Same applies regarding env variables here:

export AWS_SDK_LOAD_CONFIG=1
export AWS_REGION=us-east-1
export AWS_PROFILE=playground-AdminRole

Tested it, works OK.