How to make the Terraform CLI use AWS shared credentials instead of its host's EC2 instance profile
Trying to run Terraform CLI v0.12.28 on AWS EC2 from a user-data script. Once the instance is provisioned it should kick off the infrastructure build automatically.
The infrastructure to be built may live on other clouds or in other accounts. Credentials are stored in SSM Parameter Store. The EC2 instance has a role profile that allows access to Parameter Store.
export TF_LOG=TRACE
export TF_IN_AUTOMATION=1
export AWS_PROFILE=digital_ocean
export AWS_SDK_LOAD_CONFIG=1
AWS_EC2_METADATA_DISABLED=true   # note: assigned without export, so it is not passed to the terraform child process
/usr/local/bin/terraform init -input=false
The problem is that Terraform init fails when it sends the X-AMZ-SECURITY-TOKEN header. The other cloud provider (DigitalOcean, which uses the AWS S3 API) does not understand that header.
[INFO] Attempting to use session-derived credentials
[INFO] Successfully derived credentials from session
[INFO] AWS Auth provider used: "EC2RoleProvider"
...
HTTP/1.1 501 Not Implemented
Connection: close
Content-Length: 248
Content-Type: application/xml
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Amz-Error-Code: NotImplemented
X-Amz-Error-Message: Server does not support one or more requested headers. Please see https://developers.digitalocean.com/documentation/spaces/#aws-s3-compatibility
X-Do-Spaces-Error: unsupported_header_x-amz-security-token
...
status code: 501, request id: , host id:
Error refreshing state: NotImplemented: Server does not support one or more requested headers. Please see https://developers.digitalocean.com/documentation/spaces/#aws-s3-compatibility
Running the same command manually after the setup has succeeded:
[INFO] AWS Auth provider used: "SharedCredentialsProvider"
The main difference seems to be the AWS Auth provider that is used.
My question: how do I convince Terraform to use only SharedCredentialsProvider even though the EC2 instance has a role profile?
Also, why is the Auth provider different when a user logs in and runs the same command by hand (sudo su - root ...)?
Platform: EC2 / Amazon Linux 2
The problem was that the user-data environment lacked some variables.
I added the following to the user-data script and TF init works as expected:
export AWS_AUTO_SCALING_HOME=/opt/aws/apitools/as
export AWS_CLOUDWATCH_HOME=/opt/aws/apitools/mon
export AWS_ELB_HOME=/opt/aws/apitools/elb
export AWS_PATH=/opt/aws
export EC2_AMITOOL_HOME=/opt/aws/amitools/ec2
export EC2_HOME=/opt/aws/apitools/ec2
export HOME=/root
export LOGNAME=root
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin
export SHELL=/bin/bash
export USER=root
More specifically, the user-data script does some setup (creating directories, installing packages, etc.) and uses 'at' to defer the TF invocation. This is so the EC2 instance can finish booting normally.
The environment variables are in the 'at' script:
# yum install ... &co
#
cat > /run/tf/run_tf <<EOF
#!/bin/bash
cd /run/tf/XXX
export TF_VAR_zzz="${...}"
export TF_LOG=TRACE
export TF_IN_AUTOMATION=1
export AWS_PROFILE="..."
export AWS_SDK_LOAD_CONFIG=1
export AWS_EC2_METADATA_DISABLED=true
export AWS_AUTO_SCALING_HOME=/opt/aws/apitools/as
export AWS_CLOUDWATCH_HOME=/opt/aws/apitools/mon
export AWS_ELB_HOME=/opt/aws/apitools/elb
export AWS_PATH=/opt/aws
export EC2_AMITOOL_HOME=/opt/aws/amitools/ec2
export EC2_HOME=/opt/aws/apitools/ec2
export HOME=/root
export LOGNAME=root
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin
export SHELL=/bin/bash
export USER=root
/usr/local/bin/terraform init -input=false
/usr/local/bin/terraform plan -input=false -out=tfplan
EOF
chmod 0755 /run/tf/run_tf
at now +2 minutes -f /run/tf/run_tf