
aws provider credentials through vault #14200

Closed
oillio opened this issue May 4, 2017 · 9 comments

Comments

@oillio commented May 4, 2017

I am trying to use vault to generate credentials for an AWS provider:

provider "vault" {}

data "vault_generic_secret" "aws_auth" {
  path = "aws/creds/deploy"
}

provider "aws" {
  region = "${var.aws_region}"
  access_key = "${data.vault_generic_secret.aws_auth.data["access_key"]}"
  secret_key = "${data.vault_generic_secret.aws_auth.data["secret_key"]}"
}

This gives the error: AuthFailure: AWS was not able to validate the provided access credentials

It will pull the data values if they are saved in the state. If I provide credentials some other way, and apply this such that the aws_auth fields are set to tfstate, this config will work going forward. However, as vault will expire the provided credentials, it will eventually begin failing again.

This may be related to #4149. I created a new issue as I don't see a chicken-and-egg problem here. From what I understand, terraform should be able to generate the credentials from vault first and then use them in the aws provider with current functionality.

@apparentlymart (Contributor)

Hi @oillio! Sorry this didn't work out.

I think unfortunately this may be the same issue covered in #4149, but I agree that it's weird. If you could share the full output of terraform plan in this scenario (with any sensitive information redacted) that would help a lot, since it would be possible to see at what point in the plan lifecycle Terraform is encountering this error.

@apparentlymart apparentlymart added the waiting-response An issue/pull request is waiting for a response from the community label May 4, 2017
@ankitkl commented May 10, 2017

Getting the issue!!!

provider "vault" {
  address = "http://127.0.0.1:8200"
  //token = "<redacted>"
  token = "terrahelp-devonly-vault-root-token"
}

resource "vault_generic_secret" "example3" {
  path       = "cubbyhole"
  allow_read = true
  data_json  = <<EOT
{
  "key2":   "sh-rsa <redacted> root@#localhost.localdomain"
}
EOT
}

resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = "${vault_generic_secret.example3.data.key2}"
}

@apparentlymart (Contributor)

Hi @ankitkl!

First of all, just to be safe I replaced some key-looking things in your comment with <redacted> in case they were sensitive. Hopefully they weren't. 😀

As mentioned in my previous comment, it would be very helpful to see the full output of your terraform plan run, with any of your sensitive information removed. That will help me understand where in the Terraform lifecycle this failure is occurring.

@ankitkl commented May 11, 2017

@apparentlymart I have already edited the sensitive parts before placing it here 😀

@apparentlymart (Contributor)

You helpfully shared the config, but to understand what is going on I really need to see the console output from terraform plan.

@ankitkl commented May 11, 2017

provider "vault" {
  address = "http://127.0.0.1:8200"
  //token = "Otl3fpxocU9nAG2hJshkDWRn0bnI6d1rWbhCBdvKA+M="
  token = "terrahelp-devonly-vault-root-token"
}
data "vault_generic_secret" "rundeck_auth" {
  path = "cubbyhole"
}
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = "${data.vault_generic_secret.rundeck_auth.data["key"]}"
}

Here is my updated code!!

While running plan I get the error below:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

vault_generic_secret.example3: Refreshing state... (ID: cubbyhole)
data.vault_generic_secret.rundeck_auth: Refreshing state...
Error refreshing state: 1 error(s) occurred:

* data.vault_generic_secret.rundeck_auth: 1 error(s) occurred:

* data.vault_generic_secret.rundeck_auth: data.vault_generic_secret.rundeck_auth: unexpected EOF
panic: runtime error: invalid memory address or nil pointer dereference
2017/05/11 04:25:43 [DEBUG] plugin: terraform: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x3ab5d99]
2017/05/11 04:25:43 [DEBUG] plugin: terraform:
2017/05/11 04:25:43 [DEBUG] plugin: terraform: goroutine 48 [running]:
2017/05/11 04:25:43 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/builtin/providers/vault.genericSecretDataSourceRead(0xc4204b82a0, 0x4e58a60, 0xc42054c990, 0x3f20201, 0x9)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/gopath/src/github.com/hashicorp/terraform/builtin/providers/vault/data_source_generic_secret.go:75 +0x189
2017/05/11 04:25:43 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/helper/schema.(*Resource).ReadDataApply(0xc420653c20, 0xc42034a4c0, 0x4e58a60, 0xc42054c990, 0xc420137198, 0xc420106f01, 0x0)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/gopath/src/github.com/hashicorp/terraform/helper/schema/resource.go:252 +0xbb
2017/05/11 04:25:43 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/helper/schema.(*Provider).ReadDataApply(0xc4203a05b0, 0xc42022b860, 0xc42034a4c0, 0x7f8423b9e000, 0x0, 0x0)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/gopath/src/github.com/hashicorp/terraform/helper/schema/provider.go:381 +0x91
2017/05/11 04:25:43 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/plugin.(*ResourceProviderServer).ReadDataApply(0xc4202a9860, 0xc42021d2a0, 0xc42021d710, 0x0, 0x0)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/gopath/src/github.com/hashicorp/terraform/plugin/resource_provider.go:565 +0x4e
2017/05/11 04:25:43 [DEBUG] plugin: terraform: reflect.Value.call(0xc42021bce0, 0xc42000c9c0, 0x13, 0x505c04a, 0x4, 0xc4206edf20, 0x3, 0x3, 0x439000, 0xc42054cde0, ...)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/go/src/reflect/value.go:434 +0x91f
2017/05/11 04:25:43 [DEBUG] plugin: terraform: reflect.Value.Call(0xc42021bce0, 0xc42000c9c0, 0x13, 0xc420024720, 0x3, 0x3, 0xc420164f00, 0xc420165080, 0x0)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/go/src/reflect/value.go:302 +0xa4
2017/05/11 04:25:43 [DEBUG] plugin: terraform: net/rpc.(*service).call(0xc4202d3180, 0xc4202d3140, 0xc420357540, 0xc420521600, 0xc4205bb540, 0x41f8cc0, 0xc42021d2a0, 0x16, 0x41f8d00, 0xc42021d710, ...)
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/go/src/net/rpc/server.go:387 +0x144
2017/05/11 04:25:43 [DEBUG] plugin: terraform: created by net/rpc.(*Server).ServeCodec
2017/05/11 04:25:43 [DEBUG] plugin: terraform:  /opt/go/src/net/rpc/server.go:481 +0x404
2017/05/11 04:25:43 [DEBUG] plugin: /usr/bin/terraform: plugin process exited
2017/05/11 04:25:43 [ERROR] root: eval: *terraform.EvalReadDataApply, err: data.vault_generic_secret.rundeck_auth: unexpected EOF
2017/05/11 04:25:43 [ERROR] root: eval: *terraform.EvalSequence, err: data.vault_generic_secret.rundeck_auth: unexpected EOF

@apparentlymart (Contributor)

Thanks for that, @ankitkl! Based on this it seems like you are hitting a different error, so I've opened #14408 for this.

@radeksimko (Member)

The crash was addressed in #14435

There's a known issue with resource <-> provider block dependency/reference yet to be resolved - #12393 or #4149 respectively, which is very likely the cause of the mentioned AuthFailure. I'm closing this to consolidate issues into #4149. A link to this issue will remain there, so we can later verify whether this is fixed.
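The nil-pointer crash in the trace above (a data source read that finds nothing at the path, then dereferences the missing secret and takes the plugin down with "unexpected EOF"), as an added example that is not the Terraform Vault provider's own code nor the #14435 fix: `Secret` and `LogicalReader` are assumed stand-ins modelled on the shape of the Vault API client, and `fakeVault` is constructed data so it runs offline.

```go
package main

import "fmt"

// Secret is a stand-in (assumption) for the Vault API client's response
// type: Data is nil when Vault has nothing at the requested path.
type Secret struct {
	Data map[string]interface{}
}
// LogicalReader is the one client method needed here. Like the real client,
// an unknown path yields (nil, nil): no error and no secret.
type LogicalReader interface {
	Read(path string) (*Secret, error)
}
// fakeVault is a constructed in-memory Vault so the example runs offline.
type fakeVault map[string]map[string]interface{}

func (f fakeVault) Read(path string) (*Secret, error) {
	if data, ok := f[path]; ok {
		return &Secret{Data: data}, nil
	}
	return nil, nil
}
// readStringMap is the hardened read. The crashing form ranged over
// secret.Data straight after Read, which dereferences a nil *Secret for a
// missing path and takes the whole provider plugin down ("unexpected EOF").
func readStringMap(v LogicalReader, path string) (map[string]string, error) {
	secret, err := v.Read(path)
	if err != nil {
		return nil, fmt.Errorf("reading %q from Vault: %w", path, err)
	}
	if secret == nil || secret.Data == nil {
		return nil, fmt.Errorf("no secret found at %q", path)
	}
	out := make(map[string]string, len(secret.Data))
	for k, val := range secret.Data {
		s, ok := val.(string)
		if !ok {
			return nil, fmt.Errorf("key %q at %q is %T, not a string", k, path, val)
		}
		out[k] = s
	}
	return out, nil
}

func main() {
	v := fakeVault{"aws/creds/deploy": {"access_key": "AKIACONSTRUCTED", "secret_key": "constructed"}}
	fmt.Println(readStringMap(v, "aws/creds/deploy")) // the credential map and a nil error
	fmt.Println(readStringMap(v, "cubbyhole"))        // an error, not a plugin crash
}
```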

@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label Jun 19, 2017
@ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020