Aws provider can't assume role but AWS CLI can


I want to manage my AWS Organization with Terraform CLI and then create some
resources in sub-accounts of my org.

I signed in to AWS with my root credentials and created an IAM user with the
AdministratorAccess policy, then I created access keys for this IAM user and put
them as the default and only profile in my ~/.aws/credentials. These are the
only credentials available on the system and Terraform is using them.

I then have this terraform code to set up my organization and sub-accounts and
then assume the role to create stuff in the sub-account:

terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.40.0"
    }
  }
}
provider "aws" {
  region  = var.region
  profile = "default"
  alias   = "root"
  default_tags { [...] }
}
resource "aws_organizations_organization" "organization" {
  feature_set = "ALL"
  provider    = aws.root
}
resource "aws_organizations_account" "devel" {
  name      = "acme-devel"
  email     = "aws_devel@acme.org"
  role_name = "Admin"
  provider  = aws.root
}
provider "aws" {
  profile = var.credentials_profile_root
  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.devel.id}:role/Admin"
    session_name = "Terraform_devel"
  }
  alias  = "devel"
  region = var.region
  default_tags { [...] }
}
resource "aws_s3_bucket" "acme_test001" {
  bucket   = "acme-whatever-test001"
  acl      = "private"
  provider = aws.devel
}

I am always getting this error:
Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::XXXXXXX:role/Admin) cannot be assumed.

But if I cut’n’paste the ARN to the CLI it works:

aws sts assume-role --role-session-name CLI_Tests --role-arn arn:aws:iam::XXXX:role/Admin

I cannot understand what Terraform is doing differently from the CLI and why it is failing.

I’m using Terraform v0.15.4 with AWS provider v3.40.0 on macOS 10.14 and aws-cli/2.2.4.

Any help would be appreciated.


Answering my own question, it was a silly problem that I failed to see :)

When creating a new aws_organizations_account it will start out with only the default regions enabled and I was trying to use var.region = "eu-south-1" which isn’t one of them.

After logging in the AWS Console and enabling the region my code started to work correctly.

I’m now looking into how to enable my non-default region with terraform.

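An added example (not code from this thread) of the self-answer's fix done in Terraform instead of the console: opt the new member account in to eu-south-1 from the management account before the devel provider tries to assume the role there. It assumes a 5.x AWS provider that has the aws_account_region resource, the aws.root provider from the original post, and that trusted access for the Account Management service is enabled in the organization so the management account may enable regions in members.

```hcl
# Added example, not the original poster's code. Assumes AWS provider 5.x
# (aws_account_region) and management-account credentials behind aws.root.

resource "aws_organizations_organization" "organization" {
  provider    = aws.root
  feature_set = "ALL"
  # Trusted access for Account Management lets the management account
  # enable or disable regions in member accounts.
  aws_service_access_principals = ["account.amazonaws.com"]
}

resource "aws_organizations_account" "devel" {
  provider  = aws.root
  name      = "acme-devel"
  email     = "aws_devel@acme.org"
  role_name = "Admin"
}

# A fresh member account has only the default regions enabled; eu-south-1 is
# opt-in, so enable it before any provider in that region calls sts:AssumeRole.
resource "aws_account_region" "devel_eu_south_1" {
  provider    = aws.root
  account_id  = aws_organizations_account.devel.id
  region_name = "eu-south-1"
  enabled     = true
}

provider "aws" {
  alias  = "devel"
  region = "eu-south-1"
  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.devel.id}:role/Admin"
    session_name = "Terraform_devel"
  }
}

# Keep the first sub-account resource behind the region opt-in so it is not
# planned against a region that does not yet exist for that account.
resource "aws_s3_bucket" "acme_test001" {
  provider   = aws.devel
  bucket     = "acme-whatever-test001"
  depends_on = [aws_account_region.devel_eu_south_1]
}
```

Provider configuration is not delayed by depends_on, so on a brand-new account the first run is best split into two applies (for example, -target the organization, account and region resources first), which is effectively what the original poster did by enabling the region before re-running.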

@lesinigo I am getting the same error in terraform cloud :

Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::OMITTED:role/AWSAdmin) cannot be assumed.

How did you solve your issue?
I would appreciate it much if you could please give some guidance here.
Reading this:

"When creating a new aws_organizations_account it will start out with only the default regions enabled and I was trying to use var.region = "eu-south-1" which isn’t one of them.

After logging in the AWS Console and enabling the region my code started to work correctly.

I’m now looking into how to enable my non-default region with terraform."

really does not help me as a noobie.

Thanks in advance.

This helped me, thank you so much!

My environment is a little different: I have 2 accounts in an AWS Organization, and I have an EC2 instance with an assumed role called ROLE_A. In the other account I created a ROLE_B, and in its trust relationship it allows ROLE_A to do ‘sts:assumerole’; ROLE_A in turn is allowed to do ‘sts:assumerole’ on ROLE_B in the other account. But it doesn’t work. I activated debug in Terraform, but the instance always uses ROLE_A; the assume_role parameter of main.tf does not seem to be read and to try assuming the other role in the other account.

$ aws sts get-caller-identity
{
    "UserId": "AAAAAAAAAAAA:i-XXXXXXX",
    "Account": "YYYYYYYY",
    "Arn": "arn:aws:sts::XXXXXXXX:assumed-role/ROLE_A/i-xxxxxxx"
}
$ 

In the Terraform log files:

2023-04-07T00:27:17.480Z [INFO]  Terraform version: 1.4.2
2023-04-07T00:27:17.480Z [DEBUG] using github.com/hashicorp/go-tfe v1.18.0
2023-04-07T00:27:17.480Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.16.2
2023-04-07T00:27:17.480Z [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0
2023-04-07T00:27:17.480Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.0
2023-04-07T00:27:17.481Z [DEBUG] using github.com/zclconf/go-cty v1.12.1
2023-04-07T00:27:17.481Z [INFO]  Go runtime version: go1.19.6
2023-04-07T00:27:17.481Z [INFO]  CLI args: []string{"terraform", "plan"}
2023-04-07T00:27:17.481Z [DEBUG] Attempting to open CLI config file: /home/ubuntu/.terraformrc
2023-04-07T00:27:17.481Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory /home/ubuntu/.terraform.d/plugins
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory /home/ubuntu/.local/share/terraform/plugins
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2023-04-07T00:27:17.481Z [DEBUG] ignoring non-existing provider search directory /var/lib/snapd/desktop/terraform/plugins
2023-04-07T00:27:17.484Z [INFO]  CLI command args: []string{"plan"}
2023-04-07T00:27:17.518Z [INFO]  Attempting to use session-derived credentials
2023-04-07T00:27:17.524Z [INFO]  Successfully derived credentials from session
2023-04-07T00:27:17.524Z [INFO]  AWS Auth provider used: "EC2RoleProvider"
2023-04-07T00:27:17.524Z [DEBUG] Trying to get account information via sts:GetCallerIdentity
2023-04-07T00:27:17.525Z [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:

-----------------------------------------------------
2023-04-07T00:27:17.594Z [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 473
Content-Type: text/xml
Date: Fri, 07 Apr 2023 00:27:16 GMT
X-Amzn-Requestid: AAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAAAAA


-----------------------------------------------------
2023-04-07T00:27:17.594Z [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::<ID ACCOUNT A>:assumed-role/ROLE-A/i-XXXXXXX</Arn>
    <UserId>AAAAAAAA:i-XXXXXX</UserId>
    <Account>ID ACCOUNT A</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>AAAAAAAAAAAAAAAAAAAA</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
2023-04-07T00:27:19.622Z [DEBUG] checking for provisioner in "."
2023-04-07T00:27:19.625Z [DEBUG] checking for provisioner in "/usr/bin"
2023-04-07T00:27:19.630Z [INFO]  backend/local: starting Plan operation
2023-04-07T00:27:19.631Z [DEBUG] [aws-sdk-go] DEBUG: Request s3/ListObjects Details:
---[ REQUEST POST-SIGN ]-----------------------------

Any idea? Thanks for the help.
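The two-account setup described in that reply, written out as an added example (not the poster's main.tf) with a caller-identity check on each provider so it is visible which principal each one really resolves to. Account IDs, region and session name are placeholders I chose; the trust policy document is what ROLE_B in account B must carry, created by whoever administers that account.

```hcl
# Added example, not the poster's code. Account IDs are placeholders.
locals {
  account_a = "111111111111" # hosts the EC2 instance running as ROLE_A
  account_b = "222222222222" # hosts ROLE_B
}

# Default provider: credentials come from the instance profile (ROLE_A),
# which is what the debug log above shows as EC2RoleProvider.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider: same instance credentials, then sts:AssumeRole into ROLE_B.
provider "aws" {
  alias  = "account_b"
  region = "eu-west-1"
  assume_role {
    role_arn     = "arn:aws:iam::${local.account_b}:role/ROLE_B"
    session_name = "terraform-from-role-a"
  }
}

# ROLE_B's trust policy must name ROLE_A itself as the principal; the
# instance ID in the session ARN is not part of the trusted identity.
data "aws_iam_policy_document" "role_b_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_a}:role/ROLE_A"]
    }
  }
}

# Resolve the identity behind each provider. The second ARN must show
# ROLE_B in account B; if it still shows ROLE_A, the assume_role block
# is not taking effect for resources that use provider = aws.account_b.
data "aws_caller_identity" "as_role_a" {}

data "aws_caller_identity" "as_role_b" {
  provider = aws.account_b
}

output "identities" {
  value = {
    default   = data.aws_caller_identity.as_role_a.arn
    account_b = data.aws_caller_identity.as_role_b.arn
  }
}
```

Every resource that should live in account B needs provider = aws.account_b explicitly; resources without it use the default provider and therefore ROLE_A.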