Regression: version 8.6.0 fails when AWS CLI is authenticated with SSO #316

Open
1 task done
miaeyg opened this issue Jan 5, 2025 · 0 comments
Labels
bug Something isn't working new Added to an issue when it's new ;)

miaeyg commented Jan 5, 2025

Terraform Version Details

{
  "terraform_version": "\"1.9.6\"",
  "terraform_revision": "null",
  "terraform_outdated": "true",
  "provider_selections": "{\"registry.terraform.io/hashicorp/aws\":\"5.82.2\",\"registry.terraform.io/hashicorp/cloudinit\":\"2.3.5\",\"registry.terraform.io/hashicorp/external\":\"2.3.4\",\"registry.terraform.io/hashicorp/kubernetes\":\"2.35.1\",\"registry.terraform.io/hashicorp/local\":\"2.5.2\",\"registry.terraform.io/hashicorp/null\":\"3.2.3\",\"registry.terraform.io/hashicorp/random\":\"3.6.3\",\"registry.terraform.io/hashicorp/time\":\"0.12.1\",\"registry.terraform.io/hashicorp/tls\":\"4.0.6\"}"
}

Terraform Variable File Details

Not relevant

Steps to Reproduce

1. Upgrade to version 8.6.0 of this project and version 1.9.6 of Terraform (not using Docker)
2. Run terraform init -upgrade
3. Authenticate AWS CLI using SSO (an IAM Identity Center user) using a command such as the one below. This is how I always authenticate AWS CLI.

aws sso login --sso-session eyal

When I ran the "terraform plan" command I saw this section below. This section fails when I apply the plan.

# module.eks.aws_eks_access_entry.this["cluster_creator"] will be created
  + resource "aws_eks_access_entry" "this" {
      + access_entry_arn  = (known after apply)
      + cluster_name      = (known after apply)
      + created_at        = (known after apply)
      + id                = (known after apply)
      + kubernetes_groups = [
          + "rbac.authorization.k8s.io",
        ]
      + modified_at       = (known after apply)
      + principal_arn     = "arn:aws:sts::855334947981:assumed-role/AWSReservedSSO_AdministratorAccess_88b75af5706b77a1/eyal"
      + tags              = {
          + "project_name" = "viya"
        }
      + tags_all          = {
          + "project_name" = "viya"
        }
      + type              = "STANDARD"
      + user_name         = "eyal"
    }

Note the principal_arn parameter - it is my SSO userid. The error fails because of this.

Expected Behavior

To finish OK as it used to in previous versions of this project

Actual Behavior

Fails with this error below:

module.eks.module.eks_managed_node_group["generic2"].aws_eks_node_group.this[0]: Still creating... [3m50s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [3m50s elapsed]
module.eks.module.eks_managed_node_group["generic2"].aws_eks_node_group.this[0]: Still creating... [4m0s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [4m0s elapsed]
module.eks.module.eks_managed_node_group["generic2"].aws_eks_node_group.this[0]: Still creating... [4m10s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [4m10s elapsed]
module.eks.module.eks_managed_node_group["generic2"].aws_eks_node_group.this[0]: Still creating... [4m20s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [4m20s elapsed]
module.eks.module.eks_managed_node_group["generic2"].aws_eks_node_group.this[0]: Creation complete after 4m21s [id=mia-eks:generic2-2025010510233532770000002b]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [4m30s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Still creating... [4m40s elapsed]
module.eks.module.eks_managed_node_group["default"].aws_eks_node_group.this[0]: Creation complete after 4m50s [id=mia-eks:default-2025010510233533140000002d]
╷
│ Error: creating EKS Access Entry (mia-eks:arn:aws:sts::855334947981:assumed-role/AWSReservedSSO_AdministratorAccess_88b75af5706b77a1/eyal): operation error EKS: CreateAccessEntry, https response error StatusCode: 400, RequestID: a78efd6c-9499-4b5e-9eff-087b4eaf96b9, InvalidParameterException: The principalArn parameter format is not valid
│
│   with module.eks.aws_eks_access_entry.this["cluster_creator"],
│   on .terraform/modules/eks/main.tf line 267, in resource "aws_eks_access_entry" "this":
│  267: resource "aws_eks_access_entry" "this" {

Additional Context

If I authenticate AWS CLI without SSO, meaning that I create an IAM user with an access key and secret and use aws configure to set up the CLI to use this access key + secret, then it runs to completion without an error. It seems like the problem is new when using an IAM Identity Center user. Again, this did not happen in previous versions of this project. This is a regression.

References

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@miaeyg miaeyg added bug Something isn't working new Added to an issue when it's new ;) labels Jan 5, 2025
@miaeyg miaeyg changed the title Version 8.6.0 fails when authenticating to AWS with an IAM Identity Center user Regression: version 8.6.0 fails when AWS CLI is authenticated with SSO Jan 5, 2025
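
A pre-apply check for the failure reported above, as an added example that is not part of the original issue or the project's code: it scans `terraform show -json` plan output for `aws_eks_access_entry` resources whose `principal_arn` is an STS assumed-role session ARN, the form CreateAccessEntry rejected in the error shown. It assumes the API expects an IAM role or user ARN; the sample plan, account ID and role suffix are constructed.

```python
import json
import re
import sys

# STS session ARN: arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>
STS_SESSION = re.compile(
    r"^arn:aws[a-z-]*:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)
# IAM principal ARN: arn:<partition>:iam::<account>:(role|user)/[<path>/]<name>
IAM_PRINCIPAL = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(role|user)/.+$")


def check_access_entries(plan):
    """Return (address, principal_arn, problem) for each suspicious access entry."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_eks_access_entry":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        arn = after.get("principal_arn")
        if arn is None:  # value only known after apply; nothing to check yet
            continue
        m = STS_SESSION.match(arn)
        if m:
            # The session ARN drops the role's path (IAM Identity Center roles
            # have one), so the IAM role ARN must be looked up, not string-built.
            findings.append((rc["address"], arn,
                             f"STS session ARN for role {m['role']!r}; "
                             "use the IAM role ARN instead"))
        elif not IAM_PRINCIPAL.match(arn):
            findings.append((rc["address"], arn, "not an IAM role/user ARN"))
    return findings


# Constructed sample shaped like `terraform show -json` output (placeholder account ID).
SAMPLE_PLAN = {"resource_changes": [
    {"address": 'module.eks.aws_eks_access_entry.this["cluster_creator"]',
     "type": "aws_eks_access_entry",
     "change": {"actions": ["create"], "after": {"principal_arn":
         "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/alice"}}},
    {"address": 'module.eks.aws_eks_access_entry.this["ops"]',
     "type": "aws_eks_access_entry",
     "change": {"actions": ["create"], "after": {"principal_arn":
         "arn:aws:iam::111122223333:role/ops-admin"}}},
    {"address": "aws_eks_cluster.this", "type": "aws_eks_cluster",
     "change": {"actions": ["create"], "after": {}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, arn, problem in check_access_entries(plan):
        print(f"{address}: {problem}\n  {arn}")
```
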