bless bless_ca fails to call KMS when using roles #29

johnkeates · 2019-11-24T04:37:08Z

Running a bare minimum config:

provider "bless" {
  region  = "eu-west-1"
}

resource "bless_ca" "fooca" {
  kms_key_id = "65ba1ca8-222a-2226-2222-020fc86a71d7"
}

This tries to find the key in the current AWS role, but we use role assuming, so our base role doesn't actually have access to the account and resources. The general aws provider does role-assuming based on how it's configured but bless doesn't currently support that so it cannot switch to the correct role to access KMS. Profile doesn't work either because our base STS credentials are env-only thus role-assuming based on ~/.aws/config fails with a message about the base profile not having credentials (which is correct, the base profile is loaded via aws-vault using STS creds):

provider "aws" {
  version = ">= 2.0.0"
  region  = "eu-west-1"

  assume_role {
    role_arn = "${lookup(var.role_arns, var.account)}"
  }
}

A few edits later: I suppose this is more like a feature request than a bug.

The text was updated successfully, but these errors were encountered:

johnkeates changed the title ~~bless bless_ca fails to call KMS~~ bless bless_ca fails to call KMS when using roles Nov 24, 2019

ryanking mentioned this issue May 27, 2020

[feature] role auth #33

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bless bless_ca fails to call KMS when using roles #29

bless bless_ca fails to call KMS when using roles #29

johnkeates commented Nov 24, 2019 •

edited

Loading

bless bless_ca fails to call KMS when using roles #29

bless bless_ca fails to call KMS when using roles #29

Comments

johnkeates commented Nov 24, 2019 • edited Loading

johnkeates commented Nov 24, 2019 •

edited

Loading