I’m trying to use Packer with AssumeRole configured with MFA.
- PC: MacBook m2 Pro
- OS: Sonoma 14.1.1
- Packer version: 1.9.4
~/.aws/config
[profile base]
region = ap-northeast-1
output = json
[profile packer]
region = ap-northeast-1
output = json
role_arn = arn:aws:iam::999999999999:role/assumerole-admin
source_profile = base
mfa_serial = arn:aws:iam::999999999999:mfa/testuser
role_session_name = testuser
duration_seconds = 43200
~/.aws/credentials
[base]
aws_access_key_id=XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
It works fine with AWS CLI.
$ aws s3 ls --profile packer
Enter MFA code for arn:aws:iam::999999999999:mfa/testuser:
2023-05-08 11:09:56 aaaaaaaa
2023-04-27 17:48:31 bbbbbbbb
2022-08-09 15:20:57 cccccccc
However, an error occurs in Packer, probably because the mfa_code attribute isn’t effective.
sample.json
{
  "variables": {
    "mfa_code": "000000"
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "ap-northeast-1",
    "source_ami": "ami-xxxxxxxx",
    "instance_type": "t2.small",
    "ssh_username": "ec2-user",
    "ami_name": "role-example",
    "mfa_code": "{{user `mfa_code`}}",
    "profile": "packer"
  }],
  "provisioners": [{
    "type": "shell",
    "inline": [
      "sudo yum -y update",
      "sudo yum -y install nginx"
    ]
  }]
}
command
$ packer build -var 'mfa_code=123456' sample.json
amazon-ebs: output will be in this color.
Build 'amazon-ebs' errored after 852 microseconds: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
==> Wait completed after 902 microseconds
==> Some builds didn't complete successfully and had errors:
--> amazon-ebs: Error creating AWS session: AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
==> Builds finished but no artifacts were created.
This error occurs whether the mfa_code attribute is present or not, and whether the value of mfa_code is correct or incorrect.
How can I make the mfa_code attribute effective?
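
One way to sidestep the profile-based MFA prompt, as an added example that is not part of the original post and not Packer's own code: obtain the temporary role credentials with `aws sts assume-role` and pass them to Packer through the standard AWS environment variables. It assumes the `"profile": "packer"` line is removed from the template so that the environment credentials are used; `AWS_BIN` is a hypothetical override hook that lets the function run without calling AWS.

```shell
#!/bin/sh
# Added example: mint short-lived role credentials with the AWS CLI and
# export them for Packer. ARNs, names and duration mirror the post's
# ~/.aws/config; AWS_BIN is a hypothetical hook for offline testing.
AWS_BIN="${AWS_BIN:-aws}"
ROLE_ARN="arn:aws:iam::999999999999:role/assumerole-admin"
MFA_SERIAL="arn:aws:iam::999999999999:mfa/testuser"
SESSION_NAME="testuser"
BASE_PROFILE="base"
DURATION=43200

assume_with_mfa() {
  _code="$1"
  # A TOTP code is exactly six digits; reject anything else before calling STS.
  case "$_code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be 6 digits" >&2; return 2 ;;
  esac
  # --query with --output text yields one tab-separated line (no JSON parser needed).
  _line="$("$AWS_BIN" sts assume-role \
      --profile "$BASE_PROFILE" \
      --role-arn "$ROLE_ARN" \
      --role-session-name "$SESSION_NAME" \
      --serial-number "$MFA_SERIAL" \
      --token-code "$_code" \
      --duration-seconds "$DURATION" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)" || return 1
  read -r _key _secret _token <<EOF
$_line
EOF
  # Refuse to export a partial credential set.
  [ -n "$_key" ] && [ -n "$_secret" ] && [ -n "$_token" ] || return 1
  export AWS_ACCESS_KEY_ID="$_key" AWS_SECRET_ACCESS_KEY="$_secret" AWS_SESSION_TOKEN="$_token"
  # Keep SDK-based tools from going back to the MFA-protected profile.
  unset AWS_PROFILE
  unset _code _line _key _secret _token
}

# Interactive use: source this file, then
#   assume_with_mfa 123456 && packer build sample.json
```

Because the TOTP code is passed at call time and only session credentials are exported, nothing long-lived and no MFA code needs to be stored in the Packer template.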