
[Bug]: AWS Provider fails with opt-in regions and assume role configuration #32549

Open
malachi-constant opened this issue Jul 17, 2023 · 2 comments
Labels
authentication Pertains to authentication; to the provider itself or otherwise. bug Addresses a defect in current functionality. provider Pertains to the provider itself, rather than any interaction with AWS.

Comments

@malachi-constant

Terraform Core Version

1.5.3

AWS Provider Version

v4.57.0

Affected Resource(s)

provider "aws" {}

Expected Behavior

AWS role should be allowed to be assumed in an opt-in region even if the identity (assuming account) does not have the opt-in region enabled.

Actual Behavior

This configuration works when Identity's account has the same opt-in region enabled. It does not when the region is only enabled in the account the assumed role resides in.

provider "aws" {
  region = "ap-south-2"
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/LayerManagement"
    session_name = "GitlabLayer"
  }
}

Relevant Error/Panic Output Snippet

AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 59fbba66-d74e-4d74-9ffb-bd9940ccadd3, api error InvalidClientTokenId: The security token included in the request is invalid

Terraform Configuration Files

provider "aws" {
  region = "ap-south-2" # Opt-in Region
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/LayerManagement" # Account B Assumable Role
    session_name = "GitlabLayer"
  }
}

Steps to Reproduce

  1. Account A Identity not opted-in to any regions
  2. Account B With an assumable role and an opt-in region.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@malachi-constant malachi-constant added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jul 17, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@cervantn

Just adding some additional context here:

In IAM, you can update an AWS account to return session tokens from STS' global endpoint which will work in any region, including opt-in regions, by calling SetSecurityTokenServicePreferences and upgrading to using v2Tokens (see the Managing global endpoint session tokens AWS docs).

This, in turn, allows an AWS account which is not opted-in to a given region to assume a role into an account which is opted-in to that region using the global STS endpoint. The global endpoint must be used if the source account is not opted-in to the given region, as it won't be permitted to call the regionalized STS endpoint.

If you want to check if an AWS account is opted-in to a given region, you can do so by calling the ListRegions API.

@justinretzolk justinretzolk added provider Pertains to the provider itself, rather than any interaction with AWS. authentication Pertains to authentication; to the provider itself or otherwise. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 25, 2023