Provider with AssumeRoleArn uses default profile when profile is not specified #86

Closed
massimob76 opened this issue Sep 25, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@massimob76
Contributor

What is the bug?

If aws_assume_role_arn is specified, but no profile is given, the provider will assume that the 'default' profile will assume the given role arn.
This is not necessarily true: for instance, if AWS credentials are specified via environment variables, they should take precedence and the 'default' profile should not be forced.

How can one reproduce the bug?

  1. Create a role 'opensearch-role' that can manage the opensearch cluster
  2. Create a role 'opensearch-build' that can assume the opensearch-role
  3. Allow the local user to assume the 'opensearch-build' role, but not the 'opensearch-role' directly.
     So it should look like:
     local user => opensearch-build => opensearch-role
     but the local user should not be able to assume 'opensearch-role' directly
  4. configure the opensearch provider like:

     ```
     provider "opensearch" {
       url                 = "https://...."
       aws_assume_role_arn = "arn:aws:iam::...:role/opensearch-role"
     }
     ```
  5. the local user should assume the opensearch-build role:

     ```
     aws sts assume-role --role-arn arn:aws:iam::...:role/opensearch-build --role-session-name test
     ```

     and make sure that the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN are set
  6. TF_LOG=debug terraform apply:
     you should get an error similar to this:

     ```
     <Message>User: arn:aws:iam::...:user/some-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::...:role/opensearch-role</Message>
     ...
     Error: NoCredentialProviders: no valid providers in chain. Deprecated.
     ```

What is the expected behavior?

No errors, since opensearch-build is allowed to assume opensearch-role

What is your host/environment?

Macbook Pro - MacOS Ventura 13.2

Do you have any screenshots?

Screenshot 2023-09-25 at 17 35 13

Do you have any additional context?

Add any other context about the problem.

@massimob76 massimob76 added bug Something isn't working untriaged labels Sep 25, 2023
massimob76 pushed a commit to massimob76/terraform-provider-opensearch that referenced this issue Sep 25, 2023
… if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (opensearch-project#86)
@moritzzimmer
Contributor

guess this is the same as in #61

@massimob76
Contributor Author

> guess this is the same as in #61

Oh, I didn't notice that issue. Yes, it's the same issue as #61 since it was reopened.
The PR should hopefully fix it.

@prudhvigodithi
Collaborator

[Untriage]
Closing this duplicate of #61, @massimob76 I have added a comment to your PR, please take a look.
Thank you

massimob76 added a commit to massimob76/terraform-provider-opensearch that referenced this issue Oct 26, 2023
prudhvigodithi pushed a commit that referenced this issue Nov 1, 2023
#87)

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (#86)

Signed-off-by: Massimo Battestini <[email protected]>

* Adds unit tests for AWS profile change (#86)

Signed-off-by: Massimo Battestini <[email protected]>

---------

Signed-off-by: Massimo Battestini <[email protected]>
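
The credential selection described in this issue and in the fix above, as an added Go sketch that is not the provider's or aws-sdk-go's code. `baseIdentity`, `Apply`, the `forceDefault` switch and the principal strings are hypothetical names, and the trust lists are constructed from the reproduction steps.

```go
package main

import "fmt"

// Constructed trust lists from the reproduction steps: role -> allowed callers.
var trust = map[string][]string{
	"role/opensearch-build": {"user/some-user"},
	"role/opensearch-role":  {"role/opensearch-build"},
}

// baseIdentity models which principal signs the sts:AssumeRole call.
// envPrincipal is non-empty when the AWS_* credential variables are set.
// forceDefault is the reported behaviour: an empty profile becomes "default".
func baseIdentity(profile, envPrincipal string, profiles map[string]string, forceDefault bool) (string, error) {
	if profile == "" && forceDefault {
		profile = "default" // the environment is never consulted
	}
	if profile == "" && envPrincipal != "" {
		return envPrincipal, nil // default chain: environment first
	}
	if profile == "" {
		profile = "default" // then the shared config's default profile
	}
	if p, ok := profiles[profile]; ok {
		return p, nil
	}
	return "", fmt.Errorf("no credentials for profile %q", profile)
}

// Apply resolves the base identity and checks it against the role's trust list.
func Apply(profile, envPrincipal, role string, profiles map[string]string, forceDefault bool) error {
	caller, err := baseIdentity(profile, envPrincipal, profiles, forceDefault)
	if err != nil {
		return err
	}
	for _, p := range trust[role] {
		if p == caller {
			return nil
		}
	}
	return fmt.Errorf("%s is not authorized to perform: sts:AssumeRole on resource: %s", caller, role)
}

func main() {
	profiles := map[string]string{"default": "user/some-user"} // constructed
	for _, force := range []bool{true, false} {
		fmt.Println(force, Apply("", "role/opensearch-build", "role/opensearch-role", profiles, force))
	}
}
```

With `forceDefault` set, the call is signed by the user from the 'default' profile and is rejected by the trust list of opensearch-role; without it, the opensearch-build session from the environment signs the call and the chain local user => opensearch-build => opensearch-role succeeds.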