Terraform assume role despite correct IAM setup


I've been able to test this role by assuming it using the CLI with the given profile. However, I still get this error on apply:

│ Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<omitted>:role/<omitted>) cannot be assumed.
│ 
│ There are a number of possible causes of this - the most common are:
│   * The credentials used in order to assume the role are invalid
│   * The credentials do not have appropriate permission to assume the role
│   * The role ARN is not valid
│ 
│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│       For verbose messaging see aws.Config.CredentialsChainVerboseErrors
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on providers.tf line 3, in provider "aws":
│    3: provider "aws" {
│ 

The provider configuration looks like so:

provider "aws" {
  region  = var.aws_region
  profile = var.aws_profile
  assume_role {
    role_arn     = var.assume_role_arn
    session_name = "assume-role-${timestamp()}"
  }
}

Assuming all variables are correct - what am I doing wrong?

I was able to re-create this in a simple repository: https://github.com/SparkPost/tf-recreate-assume-role-bug

You'll obviously have to create a correct assume role setup with permissions both in the assume-role policy of the role and the policy of the user/role doing the assuming.

Edit: It's been requested, so here's the trust policy of the assumed role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<omitted>:user/<my username>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Additionally, it should be noted that I am an admin user with permission to assume all roles.

Here's the command I used to test the assume role from the CLI:

aws sts --profile <profile used in module> assume-role --role-arn <role arn from error message> --role-session-name test

This returned successfully.


Solution

  • Your timestamp() will return illegal characters for session name. You have to format it to have only good characters, e.g.:

    session_name = "assume-role-${formatdate("MMM-DD-YYYY", timestamp())}"
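As an added illustration (not part of the question or the answer above), the snippet below checks a proposed session name against the RoleSessionName constraints documented for sts:AssumeRole (2 to 64 characters from `[\w+=,.@-]`), and rebuilds both session names from the thread for a constructed instant: the `timestamp()`-based one fails on its colons, the `formatdate("MMM-DD-YYYY", ...)` one passes. The `tf_timestamp` and `tf_formatdate_mmm_dd_yyyy` helpers mimic those two Terraform functions for that format only and are assumptions of this example, not Terraform code.

```python
import re
from datetime import datetime, timezone

# RoleSessionName constraints from the STS AssumeRole API reference:
# 2-64 characters drawn from [\w+=,.@-]. Terraform's timestamp() returns an
# RFC 3339 string such as 2023-01-05T13:45:10Z, whose colons fall outside it.
SESSION_NAME_CHAR = re.compile(r"[\w+=,.@-]", re.ASCII)
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def is_valid_session_name(name: str) -> bool:
    """True if `name` would be accepted as a RoleSessionName by sts:AssumeRole."""
    return SESSION_NAME_RE.fullmatch(name) is not None

def invalid_chars(name: str) -> set:
    """Characters in `name` that the RoleSessionName pattern rejects."""
    return {c for c in name if SESSION_NAME_CHAR.fullmatch(c) is None}

def sanitize_session_name(name: str) -> str:
    """Replace rejected characters with '-' and cap the length at 64."""
    cleaned = "".join(c if SESSION_NAME_CHAR.fullmatch(c) else "-" for c in name)
    return cleaned[:64]

def tf_timestamp(now: datetime) -> str:
    """Mimic Terraform's timestamp(): UTC RFC 3339 with second precision (assumed helper)."""
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def tf_formatdate_mmm_dd_yyyy(now: datetime) -> str:
    """Mimic formatdate("MMM-DD-YYYY", ts): abbreviated month, day, year (assumed helper)."""
    utc = now.astimezone(timezone.utc)
    return f"{MONTHS[utc.month - 1]}-{utc.day:02d}-{utc.year:04d}"

def example_session_names() -> dict:
    """Build the session names from the question and the answer for a constructed
    instant (2023-01-05 13:45:10 UTC) and report whether each one is valid."""
    now = datetime(2023, 1, 5, 13, 45, 10, tzinfo=timezone.utc)
    names = {
        "original": f"assume-role-{tf_timestamp(now)}",
        "fixed": f"assume-role-{tf_formatdate_mmm_dd_yyyy(now)}",
    }
    return {label: (n, is_valid_session_name(n)) for label, n in names.items()}

if __name__ == "__main__":
    for label, (name, ok) in example_session_names().items():
        print(f"{label:9} {name!r:40} valid={ok} rejected={sorted(invalid_chars(name))}")
```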