Unable to access AWS account through terraform AWS provider -- invalid AMI

AWS noob here. I am unable to find where in the management console do we see the access token. I have access to the secret key and the access key but apparently API access to AWS requires an access token as well which I am unable to find anywhere on the portal
Additional Information:
What I am looking for, is a way to create and destroy tokens via the management console provided by AWS. I am actually learning about terraform AWS provider which requires access key, secret key and the token.
Scraping the internet for answers, it becomes clear that one can create and destroy these tokens using the SDK. I am looking at an easy and quick way to create this token via the management console itself. Is that even possible?
Accessing the AWS resource without a token gives me the following error:
aws_instance.sl-ec2-01: Creating...
╷
│ Error: creating EC2 Instance: InvalidAMIID.NotFound: The image id '[ami-07ffb2f4d65357b42]' does not exist
│ status code: 400, request id: 53057722-210e-46fa-89e3-2484f35ab263
│
│ with aws_instance.sl-ec2-01,
│ on ec2-instance.tf line 1, in resource "aws_instance" "sl-ec2-01":
│ 1: resource "aws_instance" "sl-ec2-01" {
This is the exact AMI that I retrieved from the portal. My terraform code snippet for provisioning a new VM in the ap-south-1 region:
resource "aws_instance" "sl-ec2-01" {
  instance_type = "t2.micro"
  ami           = "ami-07ffb2f4d65357b42"
}
Update 2:
It turns out I had not changed the region information which is why the AMI was not matching. It has now spun an image correctly.

An IAM User only has an Access Key and a Secret Key.
However, if you create temporary credentials using the AWS Security Token Service (STS), then a token is also provided.
For example, using your IAM User credentials to call AssumeRole() to gain privileges from an IAM Role, then you will be given:
Access Key
Secret Key
Access Token

Apparently, the AMI (machine image) corresponding to a particular OS flavor changes from region to region. While I had changed my region, I hadn't changed the AMI, which is where I was going wrong.
Upon changing the AMI for the OS to the one for my new region, it worked.

Related

Unable to access AWS account through terraform AWS provider --

I'm facing an issue, status code is: 401
"creating ec2 instance: authfailure: aws was not able to validate the provided access credentials │ status code: 401, request id: d103063f-0b26-4b84-9719-886e62b0e2b1"
the instance code:
resource "aws_instance" "test-EC2" {
  instance_type = "t2.micro"
  ami           = "ami-07ffb2f4d65357b42"
}
I have checked the AMI region; it is still not working.
Any help would be appreciated.
I am looking for a way to create and destroy tokens via the management console provided by AWS. I am learning about terraform AWS provider which requires an access key, a secret key and a token.
As stated in the error message:
creating ec2 instance: authfailure: aws was not able to validate the provided access credentials │ status code: 401, request id: d103063f-0b26-4b84-9719-886e62b0e2b1
It is clear that terraform is not able to authenticate itself using terraform AWS-provider.
You have to have a provider block in your terraform configuration to use one of the supported ways to get authenticated.
provider "aws" {
  region = var.aws_region
}
In general, the following are the ways to get authenticated to AWS via the AWS-terraform provider.
Parameters in the provider configuration
Environment variables
Shared credentials files
Shared configuration files
Container credentials
Instance profile credentials and region
For more details, please take a look at: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration
By default, if you are already programmatically signed in to your AWS account AWS-terraform provider will use those credentials.
For example:
If you are using aws_access_key_id and aws_secret_access_key to authenticate yourself then you might have a profile for these credentials. You can check this info in your $HOME/.aws/credentials config file.
Export the profile using the below command and you are good to go.
export AWS_PROFILE="name_of_profile_using_secrets"
If you have an SSO user for authentication, then you might have an SSO profile available in $HOME/.aws/config. In that case you need to sign in with the respective AWS SSO profile using the below command:
aws sso login --profile <sso_profile_name>
If you don't have an SSO profile yet you can also configure it using the below commands and then export it.
aws configure sso
[....] # configure your SSO
export AWS_PROFILE=<your_sso_profile>
Do you have an aws provider defined in your terraform configuration?
provider "aws" {
  region  = var.aws_region
  profile = var.aws_profile
}
If you are running this locally, please have an IAM user profile set (use aws configure) and export that profile in your current session.
aws configure --profile xxx
export AWS_PROFILE=xxx
Once you have the profile set, this should work.
If you are running this deployment in any pipeline like GitHub Actions, you could also make use of OpenID Connect to avoid any access key and secret key.
Please find the detailed setup for OpenID Connect here.

Terraform AWS | Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found

Just started using IntelliJ with AWS and this error pops after using the terraform apply command and the code is just a simple deployment of an EC2 instance.
Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: i/o timeout
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 1, in provider "aws":
│ 1: provider "aws" {
│
╵
Credentials with AWS Explorer are correct.
Using an IAM user in Admin group.
Terraform is installed.
IntelliJ plug-ins for Terraform and AWS are installed.
There is a connection between IntelliJ and AWS.
Using Windows 10.
Can't use admin operations on Windows.
I feel like Terraform and AWS can't be connected (as the error says), but I can't understand why.
Any ideas how I can deploy this instance? Any help is appreciated. I am here to answer any questions you may have. I expected to deploy an EC2 instance. I've tried creating a new project, reinstalling IntelliJ, using other IDE like VS Code.
So I had to run:
$ export AWS_ACCESS_KEY_ID=(your access key id)
$ export AWS_SECRET_ACCESS_KEY=(your secret access key)
With my keys in the Ubuntu terminal in IntelliJ and it worked!
Alternatively, you can configure your provider block as follows:
provider "aws" {
  region  = "aws_region_to_create_resources"
  profile = "aws_profile_to_use"
}
Or, if your AWS credentials file is in a path other than the default $HOME/.aws:
provider "aws" {
  region = "aws_region_to_create_resources"
  # AWS provider v4 and later take a list here; the older singular
  # shared_credentials_file argument was removed in v5.
  shared_credentials_files = ["path_to_aws_credentials_file"]
  profile                  = "aws_profile_to_use"
}
Specifying a profile has the advantage of allowing you to use different AWS accounts for different environments. You can also use this method to deploy resources in the same terraform module to different accounts or regions by using aliases.

Terraform complains lack of AWS credentials in CICD Pipeline

I have a Terraform GitLab runner I've provisioned in my kubernetes cluster via Helm to execute Terraform related CICD pipelines. The runner uses a specific service account that has access to a provisioned IAM Role for the runner using IAM Role for Service Accounts. To ensure that the runner is able to obtain the correct role, in my pipeline, I've included aws sts get-caller-identity call in my job and the job successfully returns the role. However, when terraform plan -out=tfplan or terraform apply tfplan is executed, I get the following error:
Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors
This error comes up randomly. It does not occur consistently.
I've considered using "skip_credentials_validation" and "skip_requesting_account_id" as mentioned in this stackoverflow post, but I feel there should be a better way for terraform to detect if the credentials are present for this type of scenario without having to do this type of bypass or actually committing a credentials file into the repository with access key and secret access key to assume a role.
Does anyone know how this can be done such that terraform would pick up the role consistently without hardcoding credentials?
Did you try explicitly initializing terraform with your backend config?
terraform init \
  -backend-config="access_key=<your access key>" \
  -backend-config="secret_key=<your secret key>"
I've noticed that after upgrading the values.yml file for the GitLab Runner and upgrading the runner to be on the current version (15.2.1) combined with IAM Role for Service Accounts enabled terraform init and plan to run as expected.
Keep in mind I've also updated GitLab server to v15.3 as well such that it is generally in sync with the runner version.
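
An offline preflight for the credential sources discussed in the threads above (environment variables, shared files, IAM Roles for Service Accounts, container credentials), added here as an example and not taken from any of the answers. The function names are hypothetical; the ASIA check relies on AWS's documented prefix for temporary STS access keys, and AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE are the variables the AWS SDKs read for web identity.

```shell
#!/bin/sh
# Added example: offline preflight for the credential sources discussed above.
# It checks variable presence and file readability only; no secret is printed.

# List every configured credential source, one per line.
aws_cred_sources() {
    creds="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}"
    config="${AWS_CONFIG_FILE:-${HOME:-}/.aws/config}"
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "environment"
    fi
    if [ -r "$creds" ]; then echo "shared-credentials-file"; fi
    if [ -r "$config" ]; then echo "shared-config-file"; fi
    # IAM Roles for Service Accounts injects these two variables into the pod.
    if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        echo "web-identity"
    fi
    if [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
        echo "container"
    fi
    return 0
}

# Print one line per problem found; return 1 if there is any.
aws_cred_findings() {
    rc=0
    case "${AWS_ACCESS_KEY_ID:-}" in
        ASIA*)  # temporary STS key: only valid together with its session token
            if [ -z "${AWS_SESSION_TOKEN:-}" ]; then
                echo "temporary (ASIA) key set without AWS_SESSION_TOKEN"; rc=1
            fi ;;
    esac
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS_ACCESS_KEY_ID set without AWS_SECRET_ACCESS_KEY"; rc=1
    fi
    if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ ! -r "${AWS_WEB_IDENTITY_TOKEN_FILE}" ]; then
        echo "web identity token file is missing or unreadable"; rc=1
    fi
    if [ -z "$(aws_cred_sources)" ]; then
        echo "no credential source found; only instance metadata is left to try"; rc=1
    fi
    return "$rc"
}

# Run as "sh preflight.sh --check"; a non-zero status means fix before terraform plan.
if [ "${1:-}" = "--check" ]; then aws_cred_sources; aws_cred_findings; fi
```

Running it as the first step of a pipeline job, in the same shell and container as terraform, shows whether the variables that made aws sts get-caller-identity succeed are still present when terraform starts.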

Access Denied for Glue_Job in terraform

I tried to use resource aws_glue_job, but as soon as it's prepared to be launched, an error is shown as follows:
│ Error: error creating Glue Job (job): AccessDeniedException: Account 411xxxxxxxx (Account id) is denied access.
│
│ with aws_glue_job.job,
│ on main.tf line 94, in resource "aws_glue_job" "job":
│ 94: resource "aws_glue_job" "job" {
I checked the policies and apparently they are okay. What might be causing it?
For some reason my issue was solved by creating and using a new account. The account being used previously was for testing, which is why I had no problems changing it to a new one.
We still have the same problem; even with sub-accounts of a totally new account. It seems like more and more people have the same issue:
Access Denied for Glue_Job in terraform
AWSGlue AccessDeniedException, Status Code 400
Access Denied When Create AWS Glue Crawler
AWS Glue gives AccessDeniedException
https://repost.aws/questions/QUhxdKlj4VSF-dzTXo7Xt3Iw/aws-glue-access-denied-exception-status-code-400
https://repost.aws/questions/QU7wLjCe0rR_Wp5VFgVKTIbg/unable-to-run-create-glue-job-from-root-user-getting-access-denied-exception
I had the exact same problem. Logging with TF_LOG (debugging_terraform) helped me to be sure that this was not being caused by anything that I could fix.
If you have already verified policies (For example I attached AWSGlueConsoleFullAccess policy to the role creating glue job) and you have also verified that aws provider is correct, see: provider. You can open a ticket with billing & account and they will escalate this properly. They helped me and now I am able to create glue jobs again with the same account.

Error when creating gcp vm instance via terraform

The service account has all permissions to create a VM instance (Service Account User, Project Owner, Project Editor). When I run terraform, this occurs:
│ Error: Error waiting for instance to create: The user does not have access to service account 'mymail#gmail.com'. User: 'terraform#direct-keel-275713.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
│
│
│ with module.vm.google_compute_instance.icinga,
│ on modules/vm/main.tf line 23, in resource "google_compute_instance" "icinga":
│ 23: resource "google_compute_instance" "icinga" {
There is something wrong with how you have Terraform set up.
The error message includes the text The user does not have access to service account 'mymail#gmail.com'.
The identity mymail#gmail.com is not a service account.
Once you have the credentials set up correctly, the identity that Terraform is using for authorization must have the role roles/iam.serviceAccountUser or similar. The role you select must have the permission iam.serviceAccounts.actAs.
Service Accounts Roles
Note: roles such as roles/compute.admin do not have the permission iam.serviceAccounts.actAs.
Terraform by default will look for the environment variable GOOGLE_APPLICATION_CREDENTIALS. That variable should point to the full path of a service account JSON key file.
Next, Terraform will look for the CLI/SDK credentials created by gcloud auth application-default login.
I prefer to specify the service account in the Terraform HCL (usually in a variables file).
provider "google" {
  project     = "PROJECT_ID"
  credentials = "/path/to/service-account.json"
}