packer-plugin-amazon

amazon-ebs assume role session tags ignored

Open moss2k13 opened this issue 2 years ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Overview of the Issue

I'm trying to build an AWS custom AMI, assuming a role that requires session request tags in its policy condition: https://docs.aws.amazon.com//IAM/latest/UserGuide/id_session-tags.html

I'm unable to configure Packer to fulfill the condition below:

            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/team": "MYTEAM"
                }
            }

Packer version

1.8.5

Operating system and Environment details

Packer docker image hashicorp/packer:1.8.5

Reproduction Steps

short version:

    docker run -it --rm -e PACKER_LOG=1 hashicorp/packer:1.8.5 build -debug custom-emr-ami.json

full version (details in logs):

    aws --profile temporary-user sts get-session-token &> get-session-token

    docker run -it --rm --name packer -v $(pwd):/workspace -w /workspace \
      -e PACKER_LOG=1 \
      -e AWS_ACCESS_KEY_ID=$(cat get-session-token | jq -r .Credentials.AccessKeyId) \
      -e AWS_SECRET_ACCESS_KEY=$(cat get-session-token | jq -r .Credentials.SecretAccessKey) \
      -e AWS_SESSION_TOKEN=$(cat get-session-token | jq -r .Credentials.SessionToken) \
      -e AWS_REGION=eu-central-1 \
      hashicorp/packer:1.8.5 build \
      -var AmazonOsReleaseLabel=2.0.20221210.1 -var prefix=my-dev -var packerPath=/tmp/downloads \
      -debug custom-emr-ami.json

Packer Templates

  • working template with policy without conditions -> HERE
  • not working template with policy with conditions -> HERE

Logs

  • Packer working output with policy without conditions -> HERE
  • Packer not working output with policy with conditions -> HERE
  • AWS trust policy for packer-test-role -> HERE
  • AWS packer-test-role policy without condition -> HERE
  • AWS packer-test-role policy with condition -> HERE
  • AWS logs working DescribeImages with policy without conditions -> HERE
  • AWS logs not working DescribeImages with policy with conditions -> HERE

moss2k13 · Feb 21 '23 09:02
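The condition quoted in the issue can only match a request that itself carries a `team` tag: when no tags are sent, the `aws:RequestTag/team` key is absent from the request context and `StringEquals` evaluates to false. The following is an added example, not code from the issue or from the Packer project: a simplified Python model of that matching (not AWS's policy evaluator), in which the function names and the sample tag lists are constructed for illustration.

```python
# Added example: simplified model of IAM condition matching, not AWS's evaluator.
# Function names and sample requests are constructed for illustration.

# Condition block as quoted in the issue.
CONDITION = {"StringEquals": {"aws:RequestTag/team": "MYTEAM"}}


def request_context(tags):
    """Map AssumeRole-style Tags ([{'Key': k, 'Value': v}]) to condition keys.

    Key names are lower-cased because condition key names are matched
    case-insensitively. A request without tags yields an empty context.
    """
    return {f"aws:requesttag/{t['Key'].lower()}": t["Value"] for t in (tags or [])}


def string_equals(block, context):
    """Every key in the block must be present and equal one of its values."""
    for key, expected in block.items():
        allowed = expected if isinstance(expected, list) else [expected]
        actual = context.get(key.lower())
        # A key missing from the request context never satisfies StringEquals.
        if actual is None or actual not in allowed:
            return False
    return True


OPERATORS = {"StringEquals": string_equals}


def condition_matches(condition, tags):
    """True only if all operator blocks match the tags sent with the request."""
    context = request_context(tags)
    for operator, block in condition.items():
        if operator not in OPERATORS:
            raise NotImplementedError(f"operator not modelled: {operator}")
        if not OPERATORS[operator](block, context):
            return False
    return True


# Constructed sample requests: tag lists in the shape of the AssumeRole Tags parameter.
UNTAGGED = None                                       # session tags never sent
TAGGED = [{"Key": "team", "Value": "MYTEAM"}]         # what the condition expects
OTHER_TEAM = [{"Key": "team", "Value": "OTHERTEAM"}]  # tag present, wrong value

if __name__ == "__main__":
    for name, tags in [("untagged", UNTAGGED), ("tagged", TAGGED), ("other", OTHER_TEAM)]:
        print(f"{name:9s} -> {'match' if condition_matches(CONDITION, tags) else 'no match'}")
```
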