Commit Graph

11 Commits

Author SHA1 Message Date
julius-bonial 5d8662d5da fix wrong usage of hashicorp/errwrap (#11500)
According to https://github.com/hashicorp/errwrap
'{{err}}' has to be used instead of '%s'

Without this patch, error output from terraform is missing important information:
* aws_cloudwatch_log_group.logs: Error Getting CloudWatch Logs Tag List: %s

With this patch, I get the important information. E.g.:
* aws_cloudwatch_log_group.logs: Error Getting CloudWatch Logs Tag List: AccessDeniedException: User: arn:aws:sts::XYZ:assumed-role/AAA-BBB-CCC/terraform-assuming-role-assume-role-ReadOnly is not authorized to perform: logs:ListTagsLogGroup on resource: arn:aws:logs:us-east-1:XYZ:log-group:logs:log-stream:
2017-01-29 19:19:48 +00:00
Joshua Carp 1f8c2e4c69 Parse AWS partition from ARN.
[Resolves #5307]
2016-10-07 00:08:30 -04:00
James Nugent e3ccb51168 provider/aws: Add assume_role block to provider
This replaces the previous `role_arn` with a block which looks like
this:

```
provider "aws" {
        // secret key, access key etc

	assume_role {
	        role_arn = "<Role ARN>"
		session_name = "<Session Name>"
		external_id = "<External ID>"
	}
}
```

We also modify the configuration structure and read the values from the
block if present into those values and adjust the call to AssumeRole to
include the SessionName and ExternalID based on the values set in the
configuration block.

Finally we clean up the tests and add in missing error checks, and clean
up the error handling logic in the Auth helper functions.
2016-09-03 12:54:30 -07:00
Ian Duffy 767914bbdc [GH-1275] Support for AWS access via IAMs AssumeRole functionality
This commit enables terraform to utilise the assume role functionality
of sts to execute commands with different privileges than the API
keys specified.

Signed-off-by: Ian Duffy <ian@ianduffy.ie>
2016-09-02 10:22:57 -07:00
Radek Simko e251d5c7bd Merge pull request #8114 from TimeIncOSS/f-aws-skip-options
aws: Change names of new skip_* fields + document those
2016-08-12 07:00:14 +01:00
James Nugent 21d1ac41fa Merge branch 'd-update-aws-sdk' 2016-08-11 12:52:35 -04:00
Radek Simko 2073e80c66
aws/config: Shortened conditions [cleanup] 2016-08-10 15:25:16 +01:00
Renier Morales c2bcb5fbe5 Skip IAM/STS validation and metadata check (#7874)
* Skip IAM/STS validation and metadata check

* Skip IAM/STS identity validation - For environments or other api
  implementations where there are no IAM/STS endpoints available, this
  option lets you opt out from that provider initialization step.
* Skip metdata api check - For environments in which you know ahead of
  time there isn't going to be a metadta api endpoint, this option lets
  you opt out from that check to save time.

* Allow iam/sts initialization even if skipping account/cred validation

(#7874)

* Split out skip of IAM validation into credentials and account id

(#7874)
2016-08-10 15:10:34 +01:00
James Nugent 6ddb8f5975 provider/aws: session.New -> session.NewSession()
Version 1.3.1 deprecates use of `session.New()` in favour of
`session.NewSession()`, which also returns an error. This commit updates
the various call sites previously making use of `session.New()`.
2016-08-08 17:57:35 -05:00
Kraig Amador a23bcf2ec9 Added accountid to AWSClient and set it early in the initialization phase. We use iam.GetUser(nil) scattered around to get the account id, but this isn't the most reliable method. GetAccountId now uses one more method (sts:GetCallerIdentity) to get the account id, this works with federated users. 2016-05-05 07:02:12 -07:00
Colin Hebert f1f602cdf6 aws: Enable account ID check for assumed roles + EC2 instances 2016-04-27 12:56:03 +02:00